May 3, 2020

Here's one way I check for malicious IPs

AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. Here's a tool I wrote to query their API and data base of malicious IPs.

Years ago, I looked for a resource to check the trustworthiness of Internet Protocol (IP) addresses, similar to how VirusTotal has become the go-to resource for file hashes and other file-based indicators. IPs are a different beast altogether since you have considerations like virtual private networks (VPNs), ever-changing allocations, and, of course, attribution.

AbuseIPDB

About half a decade ago, I took a look at the internet landscape to see what existed to accomplish this check. Some browser extensions handled IP lookups, but there were very few free services that did this at any scale. I stumbled upon a site called AbuseIPDB.

Straight from their website (at time of publishing):

AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

Our mission is to help make Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.

I enjoyed their mission and the community aspect they enabled, but the feature that really stood out was free application programming interface (API) access.

API Access

Now they do note on their website that "due to limited resources, free accounts currently have 1,000 requests/day for both IP check and report actions..." That alone isn't bad for the average person to check a couple of IPs they are concerned about. Verified webmasters—or anyone who controls their domain and can apply a DNS TXT record—are allowed 3,000 requests/day. Since I have had a domain name for 10+ years, this was a no-brainer and didn't cost me anything. Lastly, they offer people who support the site even more API requests, and this can also be free. If you place an SVG badge on a website you host, your account will automatically be granted the "supporter" role. This role can boost the check and report limits on the API to 5,000 per day. The badge doesn't need to be on your homepage; it can reside on an internal page or even a post like the one you're reading right now.

Note: The number displayed in the badge is a cached value, and updates every day or so.

Tooling

Once I discovered this site and saw they had an API, I took a look at their documentation, and to my surprise, it was pretty good. To use the API, all you have to do is run a basic curl like the following:

curl -G https://api.abuseipdb.com/api/v2/check \
  --data-urlencode "ipAddress=8.8.8.8" \
  -d maxAgeInDays=90 \
  -d verbose \
  -H "Key: $YOUR_API_KEY" \
  -H "Accept: application/json"

I could have accomplished this with Bash, but I had other code that needed to work with it, and I wanted to reuse it in tooling and reports, so I turned to Python. I decided to write a script to scan and check IPs from files and generate a report from the findings. I initially wrote the first iteration of this script in 2015 and decided to publish it on GitHub on Dec 10, 2016. That project became the beginning of AbuseIPDB Scanner.
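As an added example (not the author's AbuseIPDB Scanner and not AbuseIPDB's own code), the following standard-library Python script makes the same check-endpoint request as the curl above, skips private and reserved addresses before spending any quota, stops at the free tier's daily budget, and reduces each reply to a verdict. The field names (abuseConfidenceScore, totalReports, isWhitelisted, countryCode, lastReportedAt) follow the documented v2 check response; the sample replies, the input list, the verdict thresholds and the ABUSEIPDB_KEY environment variable are this example's own assumptions.

```python
"""Added example: look up IPs on AbuseIPDB's v2 'check' endpoint and
summarize the replies. Standard library only; the request mirrors the
curl command from the post (Key/Accept headers, ipAddress, maxAgeInDays,
verbose)."""
import ipaddress
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_URL = "https://api.abuseipdb.com/api/v2/check"

# Ranges that can never have a useful public reputation; every lookup
# costs one request from the daily quota, so filter them out first.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",    # loopback, link-local, multicast
    "0.0.0.0/8", "100.64.0.0/10",                      # unspecified, CGNAT
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",    # IPv6 equivalents
)]


def is_checkable(text):
    """True for a syntactically valid address outside SKIP_NETS."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return False
    return not any(ip in net for net in SKIP_NETS)


def fetch_check(ip, api_key, max_age_days=90):
    """Live lookup. Raises RuntimeError on HTTP 429 so a batch stops
    instead of retrying once the daily request limit is gone."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    req = urllib.request.Request(
        f"{API_URL}?{query}&verbose",
        headers={"Key": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 429:
            raise RuntimeError("AbuseIPDB daily request limit reached") from err
        raise


def classify(reply, block_at=80, review_at=25):
    """Reduce one check reply to a verdict. The thresholds are this
    example's choice: abuseConfidenceScore is 0-100 and built from
    community reports, so 'review' means triage, not proof."""
    data = reply["data"]
    score = int(data.get("abuseConfidenceScore", 0))
    reports = int(data.get("totalReports", 0))
    if data.get("isWhitelisted"):
        verdict = "allowlisted"      # known-good infrastructure per AbuseIPDB
    elif score >= block_at:
        verdict = "block"
    elif score >= review_at or reports > 0:
        verdict = "review"
    else:
        verdict = "clean"
    return {"ip": data.get("ipAddress"), "score": score, "reports": reports,
            "country": data.get("countryCode"),
            "last_reported": data.get("lastReportedAt"), "verdict": verdict}


def check_lines(lines, lookup, budget=1000):
    """Check each unique public IP in `lines` (one per line, '#' comments
    allowed), stopping at `budget` lookups so a big file cannot blow the
    free tier's 1,000 requests/day. `lookup` is any callable that takes an
    IP and returns a reply dict, so a test can stand in for fetch_check."""
    results, skipped, seen = [], [], set()
    for line in lines:
        ip = line.strip()
        if not ip or ip.startswith("#") or ip in seen:
            continue
        seen.add(ip)
        if not is_checkable(ip) or len(results) >= budget:
            skipped.append(ip)
            continue
        results.append(classify(lookup(ip)))
    return results, skipped


# Constructed sample replies in the shape of the v2 check response; the
# addresses are documentation ranges and the values are made up.
SAMPLE_REPLIES = {
    "203.0.113.7": {"data": {"ipAddress": "203.0.113.7", "isWhitelisted": False,
                             "abuseConfidenceScore": 100, "countryCode": "XX",
                             "totalReports": 412, "lastReportedAt": "2020-05-01T10:22:13+00:00"}},
    "198.51.100.9": {"data": {"ipAddress": "198.51.100.9", "isWhitelisted": False,
                              "abuseConfidenceScore": 0, "countryCode": "XX",
                              "totalReports": 2, "lastReportedAt": "2020-02-14T03:00:00+00:00"}},
    "8.8.8.8": {"data": {"ipAddress": "8.8.8.8", "isWhitelisted": True,
                         "abuseConfidenceScore": 0, "countryCode": "US",
                         "totalReports": 0, "lastReportedAt": None}},
}
SAMPLE_INPUT = ["# constructed input file", "203.0.113.7", "10.0.0.5",
                "198.51.100.9", "8.8.8.8", "203.0.113.7", "not-an-ip"]


def demo():
    """Run the sample offline; swap the lookup for fetch_check to go live."""
    return check_lines(SAMPLE_INPUT, lambda ip: SAMPLE_REPLIES[ip])


if __name__ == "__main__":
    api_key = os.environ.get("ABUSEIPDB_KEY")  # assumed variable name
    lookup = (lambda ip: fetch_check(ip, api_key)) if api_key else (lambda ip: SAMPLE_REPLIES[ip])
    hits, skipped = check_lines(SAMPLE_INPUT, lookup)
    for row in hits:
        print(f"{row['ip']:16} {row['verdict']:12} score={row['score']:3} reports={row['reports']}")
    print("skipped:", ", ".join(skipped))
```

Run it without ABUSEIPDB_KEY set and it works entirely from the constructed replies; with the key set it performs live lookups for the same list. Deduplicating and filtering before the request is what keeps a noisy firewall log from exhausting the 1,000-per-day limit on addresses that could never be reported anyway.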

I am by no means a software development engineer (SDE), but I continued to refine the script over time and added support for other file formats. A few contributors helped make the Python script better and added features as well. What began as pure Python and regex now supports JSON, country blocks, and more, with features still being added. To get started, install Python 3 and Git and then execute the following commands:

git clone https://github.com/mikebanks/AbuseIPdbSCAN.git
cd AbuseIPdbSCAN
pip3 install -r requirements.txt
python3 AbuseIPDB.py -i 1.1.1.1

Conclusion

There are many resources out there. You should always use a defense-in-depth approach when checking for malicious indicators. AbuseIPDB is just one free tool I added to my kit. It solved my problem, scaled with an API, and remained affordable. What resources do you use to accomplish the same thing? Do you look at IP reputation? What other tools do you rely on?
