IP Reputation

Overview

Malicious IPs are IP addresses reputed to be a source of attacks. This analyzer obtains malicious IPs from external sources, and it can also detect attack patterns itself and add the offending IPs to a rejected IP list. Any IP present on these lists is banned, which protects the application against the attacker.

Hdiv's IP reputation techniques draw on two kinds of information: its own data about IPs that are making any kind of attack on an Hdiv-protected node, and external sources of known malicious IPs. Malicious IPs are integrated within the Hdiv virtual network, which improves attack protection by rejecting IPs that attack any node of the network.

Improving IP Reputation with HVN

Actions

The Hdiv virtual network (HVN) is a network of Hdiv-protected nodes that are connected to an Hdiv Web Console. Through this virtual network, Hdiv-protected nodes actively improve their protection by sharing data in real time, using information on attackers gathered from other nodes. This protects all nodes of the virtual network against that particular attacker.

The virtual network protection works as follows:

One or more of the nodes detect suspicious activity coming from a source (there are multiple types of suspicious behaviour, such as DoS attacks, SQL Injection or data tampering). The node that detected the attack attempt activates protection against the attacker by banning its requests.

At the same time, the Hdiv Console, which receives all the attack data from the nodes, consolidates that data and, based on its protection algorithm, decides whether any source is an attacker. If an attacker is found, the Web Console proactively spreads protection against that attacker to all the nodes connected to it, effectively protecting the whole network from the malicious source.
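
The flow described above, modelled as an added example (not Hdiv code or its API). The class names are hypothetical, and the console's decision rule, a network-wide ban once an assumed number of distinct nodes report the same IP, is an assumption, since the page does not specify the protection algorithm.

```python
from dataclasses import dataclass, field

@dataclass
class Console:
    min_nodes: int = 2  # ASSUMED policy: distinct reporting nodes needed for a network ban
    nodes: list = field(default_factory=list)
    reports: dict = field(default_factory=dict)  # ip -> names of nodes that reported it
    network_bans: set = field(default_factory=set)

    def register(self, node):
        self.nodes.append(node)
        node.console = self
        node.banned |= self.network_bans  # a late joiner inherits existing bans
    def ban_everywhere(self, ip):  # also seeds IPs from an external malicious-IP source
        self.network_bans.add(ip)
        for node in self.nodes:
            node.banned.add(ip)
    def report(self, node_name, ip):
        self.reports.setdefault(ip, set()).add(node_name)  # consolidate per source IP
        if len(self.reports[ip]) >= self.min_nodes:
            self.ban_everywhere(ip)

@dataclass
class Node:
    name: str
    banned: set = field(default_factory=set)
    console: Console = None

    def handle(self, ip, attack_detected=False):
        # attack_detected stands in for the node's own detection (out of scope here).
        if ip in self.banned:
            return "rejected"
        if attack_detected:
            self.banned.add(ip)  # the detecting node bans locally first
            if self.console is not None:
                self.console.report(self.name, ip)  # then sends attack data to the console
            return "rejected"
        return "allowed"

def demo():
    console = Console(min_nodes=2)  # all IPs below are constructed (RFC 5737 ranges)
    a, b, c = Node("a"), Node("b"), Node("c")
    for n in (a, b, c):
        console.register(n)
    console.ban_everywhere("192.0.2.44")  # constructed external-feed entry
    out = {"feed": c.handle("192.0.2.44")}
    a.handle("203.0.113.7", attack_detected=True)
    out["one_reporter"] = b.handle("203.0.113.7")  # b has not been told yet
    b.handle("203.0.113.7", attack_detected=True)
    out["two_reporters"] = c.handle("203.0.113.7")  # c never saw the attack itself
    return out
```

In this model a single node cannot trigger a network-wide ban by reporting the same IP repeatedly, because its local ban rejects later requests before they are reported again.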