Been looking at rep scores for IPs as part of a triage and came across this situation and was wondering how others approach it. I saw a whole bunch of new outbound activity from a bunch of Windows endpoints (all used a common resolver and yes, post Patch Tuesday). Based on the passive DNS observation, at one point it's Windows Update. At another, it's serving possible malware or even involved in outbound scans. I guess the issue is that a CDN is going to recycle IPs between customers, and one day it's benign and another, not so much?

https://www.abuseipdb.com/check/209.197.3.8
https://otx.alienvault.com/indicator/ip/209.197.3.8

Do people bother with looking at IP rep databases as part of an overall score to identify further avenues of investigation, or is it mostly a path not worth looking at because things change so much at CDNs?
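One way to operationalise the concern above, as an added example that is not part of the original post and not any reputation vendor's tooling: scale an AbuseIPDB-style confidence score by how many distinct tenants passive DNS shows on the address, and pivot to the hostname the endpoint actually resolved at event time rather than to the IP. The hostnames, dates and the 203.0.113.8 address are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def at(y: int, m: int, d: int) -> datetime:
    """Shorthand for a UTC timestamp."""
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class PdnsRecord:
    rrname: str            # hostname seen resolving to the IP
    first_seen: datetime
    last_seen: datetime

# Constructed passive-DNS history for 203.0.113.8 (documentation range, not a real indicator):
# the same address serves a vendor update host, then a shop's CDN host, then a phishing kit.
PDNS_203_0_113_8 = [
    PdnsRecord("update.vendor.example", at(2024, 1, 5), at(2024, 3, 1)),
    PdnsRecord("cdn.shop.example", at(2024, 3, 2), at(2024, 3, 20)),
    PdnsRecord("kit.bad.example", at(2024, 3, 21), at(2024, 3, 25)),
]

def registered_domain(name: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for counting tenants in this heuristic."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def names_active_at(records, when: datetime) -> list:
    """Hostnames whose pDNS window covers the moment the endpoint made the connection."""
    return sorted(r.rrname for r in records if r.first_seen <= when <= r.last_seen)

def weighted_ip_risk(abuse_confidence: int, records, when: datetime,
                     queried_name: Optional[str] = None) -> dict:
    """Scale a 0-100 IP reputation score by 1/n for n distinct registered domains in pDNS:
    on a shared address each abuse report says proportionally less about your traffic.
    'pivot' is what to investigate instead of the IP: the name the endpoint queried if pDNS
    confirms it resolved here at that time, else the only name active then, else the IP."""
    tenants = {registered_domain(r.rrname) for r in records}
    n = max(len(tenants), 1)
    weight = 1.0 / n
    active = names_active_at(records, when)
    if queried_name and queried_name in active:
        pivot = queried_name
    elif len(active) == 1:
        pivot = active[0]
    else:
        pivot = "ip"
    return {"tenants": n, "weight": round(weight, 2),
            "adjusted_score": round(abuse_confidence * weight),
            "active_names": active, "pivot": pivot}

if __name__ == "__main__":
    # A post-Patch-Tuesday connection in February: only the update host was on the IP then.
    print(weighted_ip_risk(80, PDNS_203_0_113_8, at(2024, 2, 13), "update.vendor.example"))
```

The same raw score of 80 on this address yields an adjusted 27 because three tenants have shared it, and the February event pivots to the update hostname while a late-March event pivots to the phishing-kit name.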
