For a number of years, we have used a combination of tools for security on our servers, including CSF, ModSecurity and cpGuard for malware scanning and IP address reputation management.
We have since moved all of our servers to the absolutely outstanding BitNinja security suite so that you, your clients, and your visitors can benefit from increased performance, reduced false positives on malware scanning and removal, and a drastic reduction in IP address blocks within our network.
IP Address Blacklisting
Until now, we have taken a fairly aggressive approach to malicious IP addresses and traffic: a plain 'whitelist' and 'blacklist' model powered by CSF, our previous firewall of choice.
This has a serious limitation: when a 'false positive' is triggered, the address is blocked outright from our servers and network. To the affected user this looks like an outage, and it is incredibly frustrating.
BitNinja takes a different approach, so there are a few concepts that are important to understand in order to follow how it works.
IP reputation is a very effective way of securing a server. It is a database holding information about IP addresses seen around the world. BitNinja clients use that reputation information automatically on servers to make security decisions and to find out more about an IP address.
Every server running BitNinja can detect and defend against a wide range of attacks, and sends the incident information it gathers to BitNinja's central database. Based on the type, timing and number of incidents an IP has in that database, it is categorised into one of the following lists:
If there is no information about an IP address, or its latest behaviour gives no reason to list it, the IP is not listed and can therefore access all sites and ports as usual.
In traditional IP reputation terminology, there are black and white lists: an IP is either trusted (whitelisted) or denied outright (blacklisted). This concept is very inflexible, and it is the reason IP reputation lists have a bad reputation of their own. If an IP is blacklisted by mistake, the user behind that address cannot reach the system they need, which is incredibly frustrating, and they have to go through a lengthy process to get the address whitelisted or removed.
That’s how the concept of greylisting was born.
A greylist holds IPs that are suspected of being malicious but have not yet been confirmed as such.
The greylist contains suspicious IPs that the BitNinja software handles with special care. BitNinja has different CAPTCHA modules for different protocols. The duties of a CAPTCHA module are as follows:
- Decide whether the user is human or not
- Inform the user that their IP has been greylisted
- Provide a safe way for the user to delist their IP
- Record any requests made by non-human parties, growing the knowledge base about the IP and its sin list
- Act as a honeypot by pretending to be a vulnerable system, so that bots try to connect
By introducing this technology on our servers, we are moving to a less disruptive method of IP reputation management for you and your end users: they can clear their own IP address's reputation, which vastly reduces false positives or 'false blocks'.
If suspicious incidents come from an IP address, it can be greylisted by some BitNinja users. A user-greylisted IP is greylisted only on the servers of the users who reported it, not on all BitNinja servers. When BitNinja has enough information that an IP is sending malicious requests, it is moved to the global greylist, where it is greylisted by every BitNinja server.
If your IP address is greylisted, you will see something similar to the following...
You are then given the option to 'verify' that you are human, as your IP address is in a 'grey area' rather than being hard-blocked. Once you have completed the CAPTCHA, the IP address is automatically removed from the greylist and you can again access sites within the network.
Once there is enough evidence that an IP is suspicious, it is moved to the global greylist, which is distributed to every BitNinja-protected server.
When a globally greylisted IP is still sending malicious requests, BitNinja identifies it as dangerous and moves it to the global blacklist that BitNinja maintains. Packets from blacklisted IPs are dropped outright rather than rejected, so connection attempts simply time out. The false-positive rate of the global blacklist is very low, as an IP goes through many steps before it is blacklisted. Blacklisted IPs are moved back to the greylist from time to time to check whether the traffic is still malicious or the system behind the address has been cleaned up.
The essential list provides protection against the most dangerous IPs, which are often used by the most aggressive attackers worldwide. When an IP generates more than 5000 malicious requests, BitNinja places it on this list. The essential list forms part of the protective layer defending you and your clients from some of the most aggressive attacks on the internet.
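To make the tiers above concrete, here is an added Python model of the whole scheme: not listed, user greylist, global greylist, global blacklist and essential list, with CAPTCHA delisting for greylisted addresses and periodic re-checking of blacklisted ones. This is an illustration written for this page, not BitNinja's code or data. Only the essential-list threshold (more than 5000 malicious requests) comes from the text; the requirement of 3 distinct reporting servers before an IP goes global, the 20 further malicious requests before blacklisting, the 7-day recheck interval, the incident record fields and the rule that only greylisted IPs can self-delist are all assumptions chosen for the example.

```python
"""Toy model of the tiered IP reputation lists described above.

Added illustration, not BitNinja's code. Only ESSENTIAL_THRESHOLD comes
from the text; every other number and field here is an assumption.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set
import ipaddress


class ListState(Enum):
    NOT_LISTED = "not listed"              # full access to all sites and ports
    USER_GREYLIST = "user greylist"        # greylisted only on the reporting servers
    GLOBAL_GREYLIST = "global greylist"    # greylisted on every protected server
    GLOBAL_BLACKLIST = "global blacklist"  # packets dropped, connections time out
    ESSENTIAL = "essential list"           # the most aggressive sources


# Assumed thresholds (hypothetical); only ESSENTIAL_THRESHOLD is from the text.
GLOBAL_GREYLIST_MIN_REPORTERS = 3          # distinct servers reporting before going global
BLACKLIST_AFTER_GREY_REQUESTS = 20         # malicious requests while globally greylisted
ESSENTIAL_THRESHOLD = 5000                 # "more than 5000 malicious requests"
BLACKLIST_RECHECK_SECONDS = 7 * 24 * 3600  # demote to greylist for re-evaluation


@dataclass
class Incident:
    """One observed request, as a server would report it (assumed shape)."""
    ip: str
    reporter: str    # identifier of the server that saw it
    ts: float        # unix timestamp of the request
    malicious: bool  # True if the server judged the request malicious

    def __post_init__(self) -> None:
        ipaddress.ip_address(self.ip)  # reject garbage before it pollutes the database


@dataclass
class IpRecord:
    state: ListState = ListState.NOT_LISTED
    malicious_total: int = 0       # lifetime count; drives the essential list
    malicious_since_grey: int = 0  # count while globally greylisted; drives blacklisting
    reporters: Set[str] = field(default_factory=set)
    blacklisted_at: Optional[float] = None


class ReputationDB:
    """Central database: incidents in, list membership and firewall action out."""

    def __init__(self) -> None:
        self.records: Dict[str, IpRecord] = {}

    def state_of(self, ip: str) -> ListState:
        return self.records.get(ip, IpRecord()).state

    def record(self, inc: Incident) -> ListState:
        """Apply one incident and return the IP's new list state."""
        rec = self.records.setdefault(inc.ip, IpRecord())
        if not inc.malicious:
            return rec.state  # benign traffic never worsens an IP's reputation
        rec.malicious_total += 1
        rec.reporters.add(inc.reporter)
        if rec.malicious_total > ESSENTIAL_THRESHOLD:
            rec.state = ListState.ESSENTIAL
        elif rec.state is ListState.GLOBAL_BLACKLIST:
            pass  # already dropped; keep counting so the essential list can still trigger
        elif rec.state is ListState.GLOBAL_GREYLIST:
            rec.malicious_since_grey += 1
            if rec.malicious_since_grey >= BLACKLIST_AFTER_GREY_REQUESTS:
                rec.state = ListState.GLOBAL_BLACKLIST
                rec.blacklisted_at = inc.ts
        elif len(rec.reporters) >= GLOBAL_GREYLIST_MIN_REPORTERS:
            rec.state = ListState.GLOBAL_GREYLIST  # enough independent evidence
            rec.malicious_since_grey = 0
        else:
            rec.state = ListState.USER_GREYLIST    # only the reporting servers greylist it
        return rec.state

    def captcha_passed(self, ip: str) -> bool:
        """A human solved the challenge: delist a greylisted IP. Returns True if delisted.

        Assumption: only greylisted IPs can self-delist; blacklisted traffic is
        dropped before it could ever reach a CAPTCHA page.
        """
        rec = self.records.get(ip)
        if rec is None or rec.state not in (ListState.USER_GREYLIST, ListState.GLOBAL_GREYLIST):
            return False
        rec.state = ListState.NOT_LISTED
        rec.reporters.clear()  # fresh start, but malicious_total (the history) is kept
        rec.malicious_since_grey = 0
        return True

    def recheck(self, ip: str, now: float) -> ListState:
        """Move a blacklisted IP back to the greylist after the recheck interval."""
        rec = self.records.get(ip)
        if (rec is not None and rec.state is ListState.GLOBAL_BLACKLIST
                and rec.blacklisted_at is not None
                and now - rec.blacklisted_at >= BLACKLIST_RECHECK_SECONDS):
            rec.state = ListState.GLOBAL_GREYLIST
            rec.malicious_since_grey = 0
        return self.state_of(ip)

    def action(self, ip: str) -> str:
        """What the firewall does with a packet from this IP."""
        state = self.state_of(ip)
        if state is ListState.NOT_LISTED:
            return "allow"
        if state in (ListState.USER_GREYLIST, ListState.GLOBAL_GREYLIST):
            return "captcha"  # challenge instead of hard-blocking
        return "drop"         # blacklist / essential: silently dropped, caller times out
```

The point of the model is the middle tier: a greylisted address is challenged, not blocked, and `captcha_passed` clears it immediately, whereas `action` returns "drop" (a silent packet drop, so the client sees a timeout rather than a refused connection) only once an IP has kept attacking after it was already globally greylisted. `recheck` is the periodic demotion back to the greylist that lets a cleaned-up host earn its way off the blacklist.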