Using IP lookup

Symantec collects a vast amount of intelligence about observed security-related online behavior. Much of this intelligence includes the offender's IP address used as part of the attack.

Offender behavior (also known as attack categories or activity types) falls into the following categories:

  • Attack: Includes observations of attempted vulnerability exploitation, as well as Denial of Service attempts.
  • Botnet: Indicates that the IP address has been seen participating in a bot command and control (C&C) structure or has been seen participating in bot-like activity.
  • CnC: Indicates that the IP address has been seen hosting a botnet C&C channel.
  • Fraud: Indicates that the IP address has been used to defraud or otherwise fool a victim into disclosing sensitive information or spending money via methods that do not rely upon malicious behavior such as phishing, malware, vulnerability exploitation, or outright theft.
  • Malware: Includes observations of attempted propagation, distribution, or seeding of malicious code.
  • Phish: Includes observations of IP addresses that are phishing hosts.
  • Spam: Indicates that the IP address has been observed sending spam.

The IP Lookup tool enables you to discover reputation, activity, ownership, and location information for an IP address if the data is available.

IP addresses must be in IPv4 format.

To look up an IP address

  1. Click the Research tab.
  2. Under Lookup Tools, click the IP tab.
  3. Type an IP address in IPv4 format (for example, 10.1.1.1).
  4. Press Enter or click Go.

If data is available, the IP address detail page shows the following information. The behavior-specific page area populates with different sets of information depending on the behavior observed.

Ownership:

  • Organization: The organization registered as owning the IP address.
  • Industry: The organization's industry, extrapolated from the NAICS or the ISIC.
  • NAICS: The organization's North American Industry Classification System code.
  • ISIC: The organization's International Standard Industrial Classification code.
  • Country: The country where the IP address's owner is registered.
  • ASN: Autonomous System Number
  • Carrier: The company providing the internet service (the ISP).
  • Connection Type: The internet connection method that the IP address uses.

Datafeed:

  • First listed: The date that the threat first appeared in the datafeed.
  • Last listed: The date that the threat last appeared in the datafeed.
  • Reputation: A summary of ratings indicating the threat level that the IP address poses on an increasing scale of 1 to 10.
  • Hostility: The threat's observed activity level on an increasing scale of 1 to 5.
  • Confidence: Symantec's confidence in the information's validity on an increasing scale of 1 to 5.
  • Consecutive days listed: The number of consecutive days that the IP address has remained listed.
  • Days seen in the last 90 days

Behavior-specific details, if any:

  • First observed: The date that the GIN first observed the activity.
  • Last observed: The date that the GIN last observed the activity.
  • Unique events observed over the last 90 days: Depending on the behavior observed, information in this part of the screen also includes attack names, attack categories, activity descriptions, unique domain count, domain name, URL count, and the URL associated with the IP address.

Note: 

You can use the IP Lookup tool to determine if troublesome IP addresses extracted from your logs are also found within the DeepSight Intelligence database. The utility may not find information on your requested IP address. Lack of search results can be attributed to the vastness of the IP address space or the possibility of an attacker focused on a specific IP address, a range of IP addresses, or a specific site.

 

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation