IP reputation scoring system

BitNinja logs every request from a greylisted IP address until the IP address is delisted. Every request from a greylisted IP address is considered an incident, because a human visitor would already have delisted the IP address via one of the CAPTCHA pages.
  1. If BitNinja detects a malicious request from an IP address, the IP address is placed on the account-level greylist (only on the victim server).
  2. After 100 incidents, the IP address is greylisted globally.
  3. If there are more than 50 incident logs about a globally greylisted IP address, we send an abuse email to the email address associated with the IP address.
  4. After 500 incidents, the IP address is blacklisted globally.
  5. After 5000 incidents, the IP address is placed on the Essential list, which means that it cannot be delisted and BitNinja won’t log requests from it.

Any manual IP delisting is broadcast automatically. BitNinja agents refresh automatically every 10 seconds, so the process takes about that long.

Automatic delisting processes:

We automatically move IP addresses that generate no incident logs for more than 2 days from the blacklist to the global greylist, so that the owner can delist the IP address.

If there are no logs about a greylisted IP address, it will be delisted:
– Static IP addresses: 3 months without logs
– Dynamic IP addresses: 7 days without logs
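
The escalation ladder and the automatic delisting rules above, modelled as a small state machine for one IP address. This is an added illustration, not BitNinja's code: the `IpRecord` class, the state names, the cumulative counter, the counter reset on delisting and reading "3 months" as 90 days are assumptions, and the abuse-email step is left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds and quiet periods as stated on this page.
LADDER = [(5000, "essential"), (500, "global_blacklist"),
          (100, "global_greylist"), (1, "account_greylist")]
BLACKLIST_QUIET = timedelta(days=2)
GREYLIST_QUIET = {"static": timedelta(days=90),   # "3 months", taken as 90 days
                  "dynamic": timedelta(days=7)}


@dataclass
class IpRecord:
    kind: str = "dynamic"              # "static" or "dynamic"
    incidents: int = 0
    state: str = "unlisted"
    last_log: Optional[datetime] = None

    def age(self, now: datetime) -> str:
        """Apply the automatic delisting rules for the quiet time up to `now`."""
        if self.last_log is None or self.state == "essential":
            return self.state          # Essential entries are never delisted
        quiet = now - self.last_log
        if self.state == "global_blacklist" and quiet > BLACKLIST_QUIET:
            self.state = "global_greylist"
        if self.state.endswith("greylist") and quiet >= GREYLIST_QUIET[self.kind]:
            # Assumption: a full delist also clears the incident counter.
            self.state, self.incidents = "unlisted", 0
        return self.state

    def incident(self, now: datetime) -> str:
        """Record one malicious or greylisted request seen at `now`."""
        if self.age(now) == "essential":
            return self.state          # requests are no longer logged
        self.incidents += 1
        self.last_log = now
        # Assumption: the counter is cumulative, so the state is simply the
        # highest rung whose threshold has been reached.
        self.state = next(name for limit, name in LADDER if self.incidents >= limit)
        return self.state
```

Under these assumptions, an IP address demoted from the blacklist keeps its incident count, so a single new incident puts it back on the blacklist.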
