Reputational Lists From the Analytics Service

The MITIGATOR team generates regularly updated reputational lists of IP addresses, autonomous systems and JA3 fingerprints (hereinafter referred to as “feeds”).

Feeds can be imported into MITIGATOR as named lists and used in countermeasures and routing rules. To do this, specify Mitigator feeds as the named list source type and select the required feed.

Feed contents cannot be downloaded or viewed, not even through the MITIGATOR web interface.

Info

Access to feeds is provided only with a token and is licensed separately. To work with feeds, MITIGATOR version v23.06 or later is required. The token must be specified in the “Analytics Server” panel of the system settings. Contact your account manager to obtain a token.

Generated Feed Types

Info

This article contains a brief description of the reputation lists. A detailed description of each list is provided in the PSG service help.

A feed's name indicates its source and content. The intersect name prefix indicates that the feed is formed from the intersection of several sources, which are listed after the prefix and separated by underscores (_). For example, intersect_tbl_proxy-common contains the IP addresses that are both present in the TBL countermeasure list and known public proxy IP addresses.

Feed Modifiers

The name may contain modifier suffixes that indicate additional filters applied when generating the feed:

By country:

Name        Description
_ru         the feed contains only IP addresses related to Russia.
_wo-ru      the feed contains only non-Russian IP addresses.
_runat      the feed contains only IP addresses related to legitimate Russian NAT and proxy.
_wo-runat   the feed contains only IP addresses that are not related to legitimate Russian NAT and proxy.

The suffixes _ru / _wo-ru and _runat / _wo-runat can be combined. For example, the _ru_wo-runat feed will contain only Russian IP addresses, excluding legitimate NAT and proxy. If no suffixes are specified, the feed includes all values.

By time:

Name    Description
_1d     the feed contains values observed within the last 24 hours. Updated every 5 minutes.
_3d     the feed contains values observed within the last 3 days. Updated every 5 minutes.
_5d     the feed contains values observed within the last 5 days. Updated every 15 minutes.
_7d     the feed contains values observed within the last week. Updated every 15 minutes.
_30d    the feed contains values observed within the last month. Updated every 1 hour.

Thus, the proxy-uashield_wo-ru_1d feed will contain non-Russian IP addresses of proxy servers from which DDoS attacks were carried out using the uashield tool over the past 24 hours. For intersect feeds, data is taken for the same period for all sources.
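The naming convention above (intersect prefix, underscore-separated sources, country/NAT suffixes, then an optional time-window suffix) is easy to get wrong when named-list sources are configured by hand or generated by scripts. The following parser is an added example, not MITIGATOR's own code: it decomposes a feed name into its parts according to the rules documented on this page, rejects names that break them (an intersect feed with a single source, _ru combined with _wo-ru, a modifier placed after the time suffix), and reports the observation window and update interval from the table above. The source names used in the test inputs (tbl, proxy-common, proxy-uashield) are the ones mentioned on this page; the class and function names are this example's own.

```python
"""Parser for MITIGATOR feed names (added example; the naming rules are the
ones documented on the page, the code and its helpers are this example's own)."""
from dataclasses import dataclass
from typing import Optional

# Country/NAT modifiers, grouped by the pair that must not be combined
# (_ru/_wo-ru is one group, _runat/_wo-runat the other).
MODIFIER_GROUP = {
    "ru": "country", "wo-ru": "country",
    "runat": "nat", "wo-runat": "nat",
}
MODIFIER_TEXT = {
    "ru": "Russian IP addresses only",
    "wo-ru": "non-Russian IP addresses only",
    "runat": "legitimate Russian NAT and proxy only",
    "wo-runat": "excluding legitimate Russian NAT and proxy",
}
# Time-window suffix -> (observation window, update interval), from the page's table.
TIME_WINDOWS = {
    "1d": ("last 24 hours", "5 minutes"),
    "3d": ("last 3 days", "5 minutes"),
    "5d": ("last 5 days", "15 minutes"),
    "7d": ("last week", "15 minutes"),
    "30d": ("last month", "1 hour"),
}
INTERSECT_PREFIX = "intersect"


@dataclass
class FeedName:
    raw: str
    sources: list           # one source, or several for intersect_ feeds
    intersect: bool
    modifiers: list         # country/NAT suffixes in the order they appear
    window: Optional[str]   # "1d", "3d", ... or None when no time suffix is given

    @property
    def update_interval(self) -> Optional[str]:
        return TIME_WINDOWS[self.window][1] if self.window else None

    def describe(self) -> str:
        """Human-readable reading of the name, built from the page's tables."""
        base = " intersected with ".join(self.sources) if self.intersect else self.sources[0]
        parts = [MODIFIER_TEXT[m] for m in self.modifiers] or ["all IP addresses"]
        if self.window:
            observed, interval = TIME_WINDOWS[self.window]
            parts.append(f"values observed within the {observed}, updated every {interval}")
        else:
            parts.append("all values regardless of observation time")
        return f"{base}: " + "; ".join(parts)


def parse_feed_name(name: str) -> FeedName:
    """Split a feed name into sources, country/NAT modifiers and time window.

    Raises ValueError for names that break the documented conventions."""
    parts = name.split("_")
    if any(p == "" for p in parts):  # leading, trailing or doubled underscore
        raise ValueError(f"malformed feed name: {name!r}")
    intersect = parts[0] == INTERSECT_PREFIX
    if intersect:
        parts = parts[1:]

    # Suffixes are peeled from the right: time window last, modifiers before it.
    window = None
    if parts and parts[-1] in TIME_WINDOWS:
        window = parts.pop()
    modifiers = []
    while parts and parts[-1] in MODIFIER_GROUP:
        modifiers.insert(0, parts.pop())

    sources = parts
    if not sources:
        raise ValueError(f"feed name has no source: {name!r}")
    if intersect and len(sources) < 2:
        raise ValueError(f"intersect feed needs at least two sources: {name!r}")
    # A suffix token that did not peel off is out of position (e.g. _1d before _ru).
    for token in sources:
        if token in MODIFIER_GROUP or token in TIME_WINDOWS or token == INTERSECT_PREFIX:
            raise ValueError(f"modifier {token!r} out of position in {name!r}")
    # Modifiers may be combined across groups, never within one group.
    seen = {}
    for mod in modifiers:
        group = MODIFIER_GROUP[mod]
        if group in seen:
            raise ValueError(f"conflicting modifiers {seen[group]!r} and {mod!r} in {name!r}")
        seen[group] = mod
    return FeedName(name, sources, intersect, modifiers, window)


if __name__ == "__main__":
    # Constructed inputs using the feed names mentioned on this page.
    for feed in ("proxy-uashield_wo-ru_1d", "intersect_tbl_proxy-common",
                 "intersect_tbl_proxy-common_ru_wo-runat_7d"):
        print(feed, "->", parse_feed_name(feed).describe())
```

Running the module prints a plain-language reading of each constructed name; calling parse_feed_name on a name a script is about to use as a named-list source turns a silent typo such as tbl_1d_ru into an immediate ValueError instead of an empty or unexpected list.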

Development Roadmap

We plan to add feeds covering:

  • hosting providers’ autonomous systems;
  • autonomous systems seen in attacks;
  • legitimate Russian proxy servers and NAT;
  • results of log analysis on protected servers;
  • JA3 fingerprints by various criteria;
  • UDP amplifiers.

Please write to support for comments or suggestions.

Exclude Addresses From Feeds

The MITIGATOR team does not guarantee that using MITIGATOR feeds will not affect the passage of legitimate traffic. In case of false positives, or if specific IP addresses need to be excluded from a feed, please contact us via the Service Desk or the Telegram bot.