IP Reputation and IP Location provide you with reputation
and geographic location information for both source and target IP
addresses. For example, if a given source IP address is flagged as
being a source for spam and it is located in a country rated as high
for spam origination, it's likely that the source IP address in question
is a spam source.
IP Reputation categories exist for both source IPs and target IPs:
- Source/Target IP Reputation (Anonymous Proxies) - IP addresses
of web sites that allow users to anonymously view web sites
- Source/Target IP Reputation (Botnet Command and Control Server) -
IP addresses that host a botnet command-and-control server
- Source/Target IP Reputation (Dynamic IPs) - IP addresses of dialup
hosts and DSL lines
- Source/Target IP Reputation (Malware) - IP addresses of malicious
web sites or malware-hosting web sites
- Source/Target IP Reputation (Scanning IPs) - IP addresses that
have been identified as illegally scanning networks for vulnerabilities
- Source/Target IP Reputation (Spam) - IP addresses that have been
observed sending out spam
- Source/Target IP Reputation (n) - indicates an unreleased
category that is mapped to a number (n)
The values for source IP and target IP Reputation categories are
represented as probabilities between 0 and 100. For example, a Source
IP Reputation (Spam) entry of zero (0) indicates that the source IP
traffic is definitely not spam whereas an entry of 100 indicates definite
spam traffic. Consider a value of 50 to be a threshold. Thus, values
less than 50 indicate a lower likelihood that spam is present and values
greater than 50 indicate a higher likelihood that spam is present. These
probabilities are based on massive amounts of ongoing Web-based data
that IBM X-Force continuously collects and analyzes.
Tip: Summary-type Analysis views show the most current
reputation scores (probabilities), which are likely to change over time.
Detail-type Analysis views show the reputation scores that were recorded
by the event, which do not change over time.
IP Location provides the country of origin of the source IP address
or target IP address.
Here are some other useful facts regarding using IP Reputation
and IP Location:
- You can use specific Analysis views created for IP Reputation.
These include Event Analysis - Attacker Reputation and
Event Analysis - Target Reputation.
- You can filter on any of the IP Reputation categories. For example,
if you go to the Analysis view, load the Event Analysis - Detail view,
and click Filters, you can select any of the
Source IP Reputation or Target IP Reputation categories on which to
filter. To make it easier to navigate, all the Source IP Reputation
categories are listed in an expandable tree format under the Source
IP Reputation heading. There is a similar arrangement
for Target IP Reputation categories.
- When you choose to filter on a Source IP Location or a Target
IP Location, the right pane lists all the countries that you can select.
There are also Select All and Deselect
All links for your convenience. At the bottom of the country
list is an entry labeled unknown. Use this
to filter IP Locations that are not known.
- You can also filter a Source IP Location or Target IP Location
by the Private Network entry.
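
The threshold reading of the reputation scores described above can also be applied to event data outside the console. The following is an added example, not product code: the event dictionary, its field names, and the choice to treat a score of exactly 50 as undetermined are assumptions made for illustration.

```python
import re

# Category labels as the page names them, e.g.
# "Source IP Reputation (Spam)" or "Target IP Reputation (12)".
LABEL = re.compile(r"^(Source|Target) IP Reputation \((.+)\)$")
THRESHOLD = 50  # the threshold the page suggests

def classify(score):
    """Map a 0-100 probability to a verdict around the threshold."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score > THRESHOLD:
        return "likely"
    if score < THRESHOLD:
        return "unlikely"
    return "undetermined"  # assumption: exactly 50 leans neither way

def triage(event):
    """Return {(side, category): verdict} for every reputation field."""
    out = {}
    for label, score in event.items():
        m = LABEL.match(label)
        if not m:
            continue  # not a reputation field (for example, IP Location)
        side, category = m.groups()
        if category.isdigit():
            category = f"unreleased-{category}"  # numeric (n) category
        out[(side, category)] = classify(score)
    return out

def flagged(event):
    """Sorted 'Side/Category' strings whose verdict is 'likely'."""
    return sorted(f"{s}/{c}" for (s, c), v in triage(event).items()
                  if v == "likely")

# Constructed sample event; field names are assumptions, not a product export.
SAMPLE = {
    "Source IP Reputation (Spam)": 87,
    "Source IP Reputation (Dynamic IPs)": 50,
    "Source IP Reputation (12)": 64,
    "Target IP Reputation (Malware)": 3,
    "Source IP Location": "unknown",
}

if __name__ == "__main__":
    print(flagged(SAMPLE))
```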