|
Category |
Description |
Examples |
|
Command and Control |
Command and Control Servers |
CnC servers for botnets such as Conficker, Kelihos, etc. |
|
Botnets |
Known infected bots |
Hosts belonging to botnets such as Conficker, Kelihos, etc. |
|
Spam |
Known spam sources |
Servers sending spam, tunneling spam through proxies, forum spam |
|
Scanners |
Hosts performing scanning or brute force attempts |
Probes, port scans, brute force attempts |
|
Endpoint Exploits |
Hosts distributing malware capable of exploiting endpoint systems |
Shellcode, rootkits, worms, or viruses |
|
Web Exploits |
Hosts attempting to exploit web vulnerabilities |
Cross site scripting, iFrame injection, SQL injection, etc. |
|
Drop Sites |
Drop sites for logs or stolen credentials |
|
|
Proxy/VPN |
Hosts providing proxy or VPN services |
Public anonymous proxy or VPN services |
|
DDOS |
Hosts participating in DDOS attacks |
|
|
Compromised |
Known compromised or hostile hosts |
Hosts that are compromised and usually serving malicious content, such as WebShells, but that aren’t part of any particular botnet |
|
Fraudulent Activity |
Hosts participating in fraudulent activity |
Phishing sires, ad click fraud, gaming fraud, etc. |
|
Illegal Activity |
Hosts participating in illegal activity |
Buying and selling of stolen information, credit cards, credentials, etc. |
|
Undesirable Activity |
Hosts participating in undesirable activities that are not illegal |
Hosting hacking programs or other potentially malicious information |
|
P2P Node |
Hosts participating in a peer to peer network |
|
|
Online Gaming |
Questionable online gaming sites |
Online gaming sites such as MInecraft, Blizzard, etc. |
|
Remote Access Servers |
Servers providing remote access capabilities |
Sites similar to GoToMyPC, LogMeIn, etc. |
|
TOR/Anonymizers |
Hosts participating in a TOR or other anonymizing network |
TOR nodes |
|
Brute Force Password |
IP addresses associated with password brute force activity |
|
|
Advanced Persistent Threats |
IP addresses associated with known advanced persistent threat (APT) actors for command and control, data exfiltration, or targeted exploitation |
|