Reputational Lists From the Analytics Service
The MITIGATOR team generates regularly updated reputational lists of IP addresses, autonomous systems and JA3 fingerprints (hereinafter referred to as “feeds”).
Feeds can be imported into MITIGATOR as named lists and used in countermeasures and routing rules. To do this, specify Mitigator feeds as the named list source type and select the required feed.
Feeds cannot be downloaded or viewed, even through the MITIGATOR Web interface.
Access to feeds is provided only with a token and is additionally licensed. To work with feeds, MITIGATOR version v23.06 or later is required. The token must be specified in the “Analytics Server” panel of system settings. Contact your account manager to obtain a token.
Generated Feeds Types
This article gives a brief description of the reputation lists; a detailed description of each list is provided in the PSG service help.
A feed name indicates its source and content. The intersect name prefix indicates that the feed is formed from an intersection of several sources, listed after the prefix and separated by underscores (_). For example, intersect_tbl_proxy-common contains IP addresses that are both present in the TBL countermeasure list and known public proxy addresses.
Feed Modifiers
The name may contain modifier suffixes that indicate additional filters applied when generating the feed:
By country:

Name | Description |
---|---|
_ru | the feed contains only IP addresses related to Russia. |
_wo-ru | the feed contains only non-Russian IP addresses. |
_runat | the feed contains only IP addresses related to legitimate Russian NAT and proxy. |
_wo-runat | the feed contains only IP addresses that are not related to legitimate Russian NAT and proxy. |

The suffixes _ru, _wo-ru and _runat, _wo-runat can be combined. For example, the _ru_wo-runat feed will contain only Russian IP addresses without legitimate NAT and proxy. If suffixes are not specified, then the feed includes all values.
By time:

Name | Description |
---|---|
_1d | the feed contains values observed within the last 24 hours. Updated every 5 minutes. |
_3d | the feed contains values observed within the last 3 days. Updated every 5 minutes. |
_5d | the feed contains values observed within the last 5 days. Updated every 15 minutes. |
_7d | the feed contains values observed within the last week. Updated every 15 minutes. |
_30d | the feed contains values observed within the last month. Updated every 1 hour. |

Thus, the proxy-uashield_wo-ru_1d feed will contain non-Russian IP addresses of proxy servers from which DDoS attacks were carried out using the uashield tool over the past 24 hours. For intersect feeds, data is taken for the same period for all sources.
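As an added example that is not part of the MITIGATOR documentation or product, the following Python parser decodes a feed name into its sources, country modifiers and time window according to the naming rules above, so that an operator can inventory or validate configured feeds. The grammar it assumes (`[intersect_]<source>[_<source>...][_<country>...][_<time>]`) and the rejection of contradictory country modifiers such as `_ru_wo-ru` are assumptions of this example, not documented behaviour.

```python
"""Parser for MITIGATOR-style feed names (constructed example, not product code).
Assumed grammar: [intersect_]<source>[_<source>...][_<country>...][_<time>]"""
from dataclasses import dataclass, field
from typing import List, Optional

# Documented time-window suffixes and their refresh intervals, in minutes.
TIME_SUFFIXES = {"1d": 5, "3d": 5, "5d": 15, "7d": 15, "30d": 60}
# Documented country modifiers, grouped into pairs assumed to be mutually exclusive.
COUNTRY_PAIRS = [("ru", "wo-ru"), ("runat", "wo-runat")]
COUNTRY_SUFFIXES = {s for pair in COUNTRY_PAIRS for s in pair}


@dataclass
class FeedName:
    sources: List[str]
    intersect: bool
    country: List[str] = field(default_factory=list)
    window: Optional[str] = None          # None: no time filter, all values included
    refresh_minutes: Optional[int] = None


def parse_feed_name(name: str) -> FeedName:
    """Split a feed name on underscores and peel the modifiers off the right end.

    Source names may themselves contain hyphens (e.g. proxy-common), so the
    only separator is the underscore; suffixes are recognised by a fixed set."""
    tokens = name.split("_")
    if not all(tokens):
        raise ValueError(f"empty component in feed name: {name!r}")
    window = refresh = None
    if tokens[-1] in TIME_SUFFIXES:          # at most one time suffix, always last
        window = tokens.pop()
        refresh = TIME_SUFFIXES[window]
    country: List[str] = []
    while tokens and tokens[-1] in COUNTRY_SUFFIXES:
        country.insert(0, tokens.pop())      # keep the order used in the name
    for a, b in COUNTRY_PAIRS:               # assumption: a pair cannot be combined
        if a in country and b in country:
            raise ValueError(f"contradictory modifiers {a!r} and {b!r} in {name!r}")
    intersect = bool(tokens) and tokens[0] == "intersect"
    sources = tokens[1:] if intersect else tokens
    if not sources or (intersect and len(sources) < 2):
        raise ValueError(f"feed name has no usable source list: {name!r}")
    return FeedName(sources, intersect, country, window, refresh)
```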
Development Roadmap
We are planning more feeds on:
- hosting providers’ autonomous systems;
- autonomous systems seen in attacks;
- legitimate Russian proxy servers and NAT;
- results of logs analysis on protected servers;
- JA3 fingerprints by various criteria;
- UDP amplifiers.
Please write to support for comments or suggestions.
Exclude Addresses From Feeds
The MITIGATOR team does not guarantee that using MITIGATOR feeds will not affect the passage of legitimate traffic. In case of false positives, or if you need to exclude specific IP addresses from a feed, please contact us via the Service Desk or the Telegram bot.