Reputational Lists From the Analytics Service
The MITIGATOR team generates regularly updated reputational lists of IP addresses, autonomous systems and JA3 fingerprints (hereinafter referred to as “feeds”).
Feeds can be imported into MITIGATOR as named lists and used in countermeasures and routing rules. To do this, specify `Mitigator feeds` as the named list source type and select the required feed.
Feeds cannot be downloaded or viewed, even through the MITIGATOR Web interface.
Access to feeds is provided only with a token and is additionally licensed. To work with feeds, MITIGATOR version v23.06 or later is required. The token must be specified in the “Analytics Server” panel of system settings. Contact your account manager to obtain a token.
Generated Feed Types
The feed name indicates its source and content. The `intersect` name prefix indicates that the feed is formed from the intersection of several sources, listed after the prefix and separated by underscores (`_`). For example, `intersect_tbl_proxy-common` contains IP addresses that are present in the TBL countermeasure list and belong to public proxy IP addresses. `al` in the feed name indicates that the feed was obtained by processing the access logs of protected HTTP resources.
Name | Description
---|---
proxy-MHDDoS | IP addresses of proxy servers used by the MHDDoS tool.
proxy-common | IP addresses of public proxy servers from various sources.
proxy-general | Combined list of all other proxy-* feeds.
asn_hosting | Autonomous systems of organizations that provide hosting services.
asn_prefixes | IP addresses belonging to autonomous systems of organizations that provide hosting services.
tbl-unique | IP addresses that were included in TBL on at least one MITIGATOR installation more than once.
tbl_hosting_prefixes | IP addresses from the asn_prefixes list that were entered into TBL manually, using Logan, or by the ATLS countermeasure.
intersect_tbl_proxy-MHDDoS | IP addresses from proxy-MHDDoS that were included in TBL.
intersect_tbl_proxy-common | IP addresses from proxy-common that were included in TBL.
intersect_tbl_proxy-general | IP addresses from proxy-general that were included in TBL.
intersect_tbl_firehol | IP addresses from the firehol list that were included in TBL on at least one MITIGATOR installation.
intersect_tbl_asn_hosting | IP addresses from hosting providers’ autonomous systems that were included in TBL.
intersect_tbl_custom_sources | IP addresses from reputational lists obtained from various sources that were included in TBL.
intersect_tbl_tbl_2 | IP addresses that were included in TBL on two or more MITIGATOR installations.
intersect_tbl_tbl_3 | IP addresses that were included in TBL on three or more MITIGATOR installations.
intersect_tbl_tbl_4 | IP addresses that were included in TBL on four or more MITIGATOR installations.
intersect_tbl_tbl_5 | IP addresses that were included in TBL on five or more MITIGATOR installations.
intersect_tbl_tbl_6 | IP addresses that were included in TBL on six or more MITIGATOR installations.
intersect_atls_atls_2 | IP addresses that were included in TBL by the ATLS countermeasure on two or more MITIGATOR installations.
intersect_atls_atls_3 | IP addresses that were included in TBL by the ATLS countermeasure on three or more MITIGATOR installations.
intersect_atls_atls_4 | IP addresses that were included in TBL by the ATLS countermeasure on four or more MITIGATOR installations.
intersect_atls_atls_5 | IP addresses that were included in TBL by the ATLS countermeasure on five or more MITIGATOR installations.
intersect_atls_atls_6 | IP addresses that were included in TBL by the ATLS countermeasure on six or more MITIGATOR installations.
intersect_dns_dns_2 | IP addresses that were included in TBL by the DNS countermeasure on two or more MITIGATOR installations.
intersect_dns_dns_3 | IP addresses that were included in TBL by the DNS countermeasure on three or more MITIGATOR installations.
intersect_dns_dns_4 | IP addresses that were included in TBL by the DNS countermeasure on four or more MITIGATOR installations.
intersect_dns_dns_5 | IP addresses that were included in TBL by the DNS countermeasure on five or more MITIGATOR installations.
intersect_dns_dns_6 | IP addresses that were included in TBL by the DNS countermeasure on six or more MITIGATOR installations.
intersect_manual_manual_2 | IP addresses that were included in TBL manually on two or more MITIGATOR installations.
intersect_manual_manual_3 | IP addresses that were included in TBL manually on three or more MITIGATOR installations.
intersect_manual_manual_4 | IP addresses that were included in TBL manually on four or more MITIGATOR installations.
intersect_manual_manual_5 | IP addresses that were included in TBL manually on five or more MITIGATOR installations.
intersect_manual_manual_6 | IP addresses that were included in TBL manually on six or more MITIGATOR installations.
al-root_with_params | IP addresses that sent HTTP requests with a malformed URI.
al-referer_patterns | IP addresses that sent HTTP requests with a suspicious Referer.
al-path_patterns | IP addresses that sent HTTP requests with the same path.
al-method_patterns | IP addresses that sent HTTP requests specifying an incorrect method.
al-yandex_bots | IP addresses of Yandex search bots.
al-google_bots | IP addresses of Google search bots.
al-fake_yandex_bots | IP addresses of illegitimate bots posing as Yandex search bots.
al-fake_google_bots | IP addresses of illegitimate bots posing as Google search bots.
al-flood | IP addresses that generated HTTP flood.
al-wrong_ways | IP addresses that sent HTTP paths and request parameters that were unexpected for the protected resources.
al-legitime | IP addresses that successfully passed authorization on protected resources.
al-background | IP addresses accessing protected resources that exhibited unusual behavior, such as regular User-Agent substitution.
al-scan | IP addresses observed in vulnerability scanning attempts.
al-general | Combined list of all other al-* feeds except al-legitime, al-fake_google_bots and al-fake_yandex_bots.
ja3-black_common | Alleged JA3 fingerprints of attack tools. Can be used for blocking.
ja3-bots_common | JA3 bot fingerprints observed in attack traffic; legitimate users can also have such fingerprints.
ja3-grey_common | Suspicious JA3 fingerprints. The feed is used for additional analytics.
ja3-users_common | JA3 fingerprints corresponding to legitimate users.
ja3-white_common | JA3 fingerprints that should not be blocked, as they correspond to a large number of legitimate users.
ja3-top_20 | The 20 most common JA3 fingerprints.
ja3-top_50 | The 50 most common JA3 fingerprints.
ja3-top_100 | The 100 most common JA3 fingerprints.
ja3-top_sorted_ext_20 | The 20 most common JA3 fingerprints after sorting extensions in ascending order.
ja3-top_sorted_ext_50 | The 50 most common JA3 fingerprints after sorting extensions in ascending order.
ja3-top_sorted_ext_100 | The 100 most common JA3 fingerprints after sorting extensions in ascending order.
tor_exits | IP addresses of Tor exit nodes.
runat | IP addresses related to legitimate Russian NAT.
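The `ja3-top_sorted_ext_*` rows describe fingerprints computed after the extensions field has been sorted. The following added example (not MITIGATOR's code) shows what that normalization does to a JA3 string and how an observed client fingerprint would be checked against such a feed. It assumes the standard JA3 string layout (TLS version, cipher suites, extensions, elliptic curves, point formats; each list dash-separated; fingerprint = MD5 of the string) and that a sorted-extension feed holds MD5 hashes of the extension-sorted string; the sample ClientHello strings are constructed.

```python
import hashlib
from typing import Iterable, List, Set


def split_ja3(ja3_string: str) -> List[str]:
    """Split a JA3 string into its five comma-separated fields.

    Assumed layout (standard JA3):
    TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
    where each list is dash-separated and may be empty.
    """
    fields = ja3_string.split(",")
    if len(fields) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(fields)}: {ja3_string!r}")
    return fields


def sort_extensions(ja3_string: str) -> str:
    """Return the JA3 string with the extensions field sorted in ascending numeric order.

    Only the extensions field is touched: cipher and curve order still carry signal.
    """
    version, ciphers, extensions, curves, formats = split_ja3(ja3_string)
    if extensions:
        ext_ids = sorted(int(e) for e in extensions.split("-"))
        extensions = "-".join(str(e) for e in ext_ids)
    return ",".join((version, ciphers, extensions, curves, formats))


def ja3_hash(ja3_string: str) -> str:
    """Standard JA3 fingerprint: MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_string.encode("ascii")).hexdigest()


def ja3_hash_sorted_ext(ja3_string: str) -> str:
    """Fingerprint of the extension-sorted string (assumed to be what a *_sorted_ext feed holds)."""
    return ja3_hash(sort_extensions(ja3_string))


def build_sorted_ext_feed(ja3_strings: Iterable[str]) -> Set[str]:
    """Build a lookup set in the shape a sorted-extension feed is assumed to have."""
    return {ja3_hash_sorted_ext(s) for s in ja3_strings}


def matches_sorted_ext_feed(client_ja3: str, feed: Set[str]) -> bool:
    """Check an observed client JA3 string against a sorted-extension feed."""
    return ja3_hash_sorted_ext(client_ja3) in feed


# Constructed sample: two ClientHellos with the same extension set in a different order.
SAMPLE_A = "771,4865-4866,23-65281-10-11,29-23,0"
SAMPLE_B = "771,4865-4866,11-10-65281-23,29-23,0"

if __name__ == "__main__":
    feed = build_sorted_ext_feed([SAMPLE_A])
    print("raw hashes equal:   ", ja3_hash(SAMPLE_A) == ja3_hash(SAMPLE_B))
    print("sorted hashes equal:", ja3_hash_sorted_ext(SAMPLE_A) == ja3_hash_sorted_ext(SAMPLE_B))
    print("B matches feed built from A:", matches_sorted_ext_feed(SAMPLE_B, feed))
```

The two sample strings produce different raw JA3 hashes but the same sorted-extension hash. Browsers that randomize the order of ClientHello extensions (Chrome does this) split one client into many raw fingerprints, which is why a sorted-extension view is more stable for counting "most common" fingerprints; the cost is that it also merges clients that genuinely differ only in extension order.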
Feed Modifiers
The name may contain modifier suffixes that indicate additional filters applied when generating the feed.
By country:
Name | Description
---|---
_ru | The feed contains only IP addresses related to Russia.
_wo-ru | The feed contains only non-Russian IP addresses.
_runat | The feed contains only IP addresses related to legitimate Russian NAT and proxy.
_wo-runat | The feed contains only IP addresses that are not related to legitimate Russian NAT and proxy.
The suffixes `_ru`, `_wo-ru` and `_runat`, `_wo-runat` can be combined. For example, the `_ru_wo-runat` feed will contain only Russian IP addresses without legitimate NAT and proxy. If no suffixes are specified, the feed includes all values.
By time:
Name | Description
---|---
_1d | The feed contains values observed within the last 24 hours. Updated every 5 minutes.
_3d | The feed contains values observed within the last 3 days. Updated every 5 minutes.
_5d | The feed contains values observed within the last 5 days. Updated every 15 minutes.
_7d | The feed contains values observed within the last week. Updated every 15 minutes.
_30d | The feed contains values observed within the last month. Updated every 1 hour.
Thus, the `proxy-uashield_wo-ru_1d` feed will contain non-Russian IP addresses of proxy servers from which DDoS attacks were carried out using the uashield tool over the past 24 hours. For `intersect` feeds, data is taken for the same period for all sources.
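The naming scheme described in "Generated Feed Types" and "Feed Modifiers" (the `intersect_` prefix with underscore-separated sources, `al-` components, the country suffixes and the time-window suffixes) is regular enough to parse and validate mechanically, which is useful when named lists are provisioned from configuration rather than clicked together in the UI. The following added example is not MITIGATOR's code; it decodes a feed name into its parts using only the suffix tables on this page. Two readings are assumptions: that the trailing number of an `intersect_tbl_tbl_N`-style feed is the minimum number of installations, and that "can be combined" means one suffix from each pair (`_ru`/`_wo-ru`, `_runat`/`_wo-runat`) but not both members of a pair.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Modifier tables as documented on this page.
COUNTRY_MODIFIERS = ("ru", "wo-ru", "runat", "wo-runat")
# Assumption: one suffix from each pair may be combined, not both members of a pair.
EXCLUSIVE_PAIRS = (("ru", "wo-ru"), ("runat", "wo-runat"))
# suffix -> (observation window, update interval)
TIME_WINDOWS = {
    "1d": ("last 24 hours", "5 minutes"),
    "3d": ("last 3 days", "5 minutes"),
    "5d": ("last 5 days", "15 minutes"),
    "7d": ("last week", "15 minutes"),
    "30d": ("last month", "1 hour"),
}


@dataclass
class FeedName:
    raw: str
    base: str                          # name with all modifier suffixes removed
    sources: List[str]                 # non-empty only for intersect_* feeds
    min_installations: Optional[int]   # trailing number of an intersect feed (assumed meaning)
    accesslog: bool                    # an "al-" component: built from HTTP access-log processing
    country: List[str]                 # country modifiers, in the order they appear
    window: Optional[str]              # "1d", "3d", ... or None when the feed includes all values
    observed: Optional[str]
    update_interval: Optional[str]


def _check_country(mods: Sequence[str]) -> None:
    """Reject contradictory or duplicated country modifiers."""
    for a, b in EXCLUSIVE_PAIRS:
        if a in mods and b in mods:
            raise ValueError(f"modifiers _{a} and _{b} contradict each other")
    if len(set(mods)) != len(mods):
        raise ValueError("duplicate country modifier")


def parse_feed_name(name: str) -> FeedName:
    """Decode a feed name into base, sources and modifiers."""
    parts = name.split("_")
    if not all(parts):
        raise ValueError(f"empty component in feed name {name!r}")

    # Modifiers are suffixes, so peel them from the right: time window last, country before it.
    window = parts.pop() if len(parts) > 1 and parts[-1] in TIME_WINDOWS else None
    country: List[str] = []
    while len(parts) > 1 and parts[-1] in COUNTRY_MODIFIERS:
        country.insert(0, parts.pop())
    _check_country(country)

    sources: List[str] = []
    min_installations = None
    if parts[0] == "intersect":
        sources = parts[1:]
        if not sources:
            raise ValueError("intersect feed without sources")
        if sources[-1].isdigit():
            min_installations = int(sources.pop())  # e.g. intersect_tbl_tbl_3 -> 3 installations

    observed, interval = TIME_WINDOWS[window] if window else (None, None)
    return FeedName(
        raw=name,
        base="_".join(parts),
        sources=sources,
        min_installations=min_installations,
        accesslog=any(p.startswith("al-") for p in parts),
        country=country,
        window=window,
        observed=observed,
        update_interval=interval,
    )


def build_feed_name(base: str, country: Sequence[str] = (), window: Optional[str] = None) -> str:
    """Compose a feed name from its base and modifiers, validating the combination first."""
    for m in country:
        if m not in COUNTRY_MODIFIERS:
            raise ValueError(f"unknown country modifier {m!r}")
    _check_country(country)
    if window is not None and window not in TIME_WINDOWS:
        raise ValueError(f"unknown time window {window!r}")
    return "_".join([base, *country] + ([window] if window else []))


if __name__ == "__main__":
    for n in ("proxy-uashield_wo-ru_1d", "intersect_tbl_tbl_3_ru_wo-runat_30d", "al-flood", "runat"):
        print(parse_feed_name(n))
    print(build_feed_name("proxy-uashield", ["wo-ru"], "1d"))
```

Stripping suffixes from the right, and only while more than one component remains, is what keeps plain feeds such as `runat` and `tbl_hosting_prefixes` intact: their last component is either the whole name or not a modifier at all.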
Development Roadmap
We are planning more feeds on:
- hosting providers’ autonomous systems
- autonomous systems seen in attacks
- legitimate Russian proxy servers and NAT
- results of logs analysis on protected servers
- JA3 fingerprints by various criteria
- UDP amplifiers
Please write to support for comments or suggestions.
Exclude Addresses From Feeds
The MITIGATOR team does not guarantee that using MITIGATOR feeds will not affect the passage of legitimate traffic. In case of false positives, or if you need to exclude specific IP addresses from a feed, please contact us via the Service Desk or the Telegram bot.