When you need to detect and block threats so they can’t enter and affect your network, IP and domain intelligence solutions can provide exhaustive lists of IP addresses and domain names that may serve as attack vectors. When used correctly, said solutions can expose insightful details about attackers and their infrastructures and help counter threats such as:
- Denial-of-service (DoS) and distributed DoS (DDoS) attacks: DoS and DDoS attackers hijack large numbers of IP addresses to flood target networks with traffic until these can no longer handle it and eventually go offline. An IP netblocks database, for example, can help you identify all the IP addresses that belong to the same organization. Should that organization's network get breached and used as an attack source, you can block all traffic coming from its netblocks to prevent your site from going offline due to a DoS or DDoS attack.
- Phishing: IP and domain intelligence can help you track and block known phishing proxies, such as typo versions of well-known domain names used in spoofing and cybersquatting attacks. Should a site be tagged as malicious, all related IP addresses and domains can be identified, checked, and blocked using, among other sources, IP netblocks, WHOIS, and DNS databases.
- Man-in-the-middle (MitM) attacks: Hackers are known to hijack IP addresses that belong to a target organization so they can intercept private communications, harvest credentials, and compromise its network. Monitoring for unauthorized IP addresses is possible with reverse IP tools.
- Cybercriminal group attacks: Cybercriminals typically use several IP addresses and domains in an attack. That is especially true for campaigns that involve a group of threat actors. Looking for all connected attack perpetrators is doable with IP and domain intelligence databases. These repositories allow you to find connections among IP addresses and domains, thus identifying all potential points of entry that should be plugged.
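The phishing bullet above mentions typo versions of well-known domain names. The following added example (not code from this page's author or from any product it names) shows how a defender can generate the common typo and look-alike variants of a domain they own and match them against a list of observed registrations, flagging anything that is either a generated variant or within one edit of the brand label under the same TLD. The observed registration list is constructed for the example, and every helper name is this example's own.

```python
"""Brand-monitoring check: generate typo and look-alike variants of a domain you
own and flag which of them appear among observed registrations.

Added example; the OBSERVED list below is constructed, not real feed data. In
practice it would come from a newly-registered-domains feed or a reverse WHOIS
query. Domains are expected in the form label.tld (multi-label suffixes such as
.co.uk are treated as label "example.co" + tld "uk", a known simplification).
"""
from __future__ import annotations
from typing import Iterable

# Characters that look alike in many fonts; one substitution at a time.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
# TLDs under which the brand label itself (or a typo of it) is worth watching.
ALT_TLDS = ("net", "org", "co", "info")
# Words commonly appended to a brand label in look-alike registrations.
AFFIXES = ("login", "secure", "support", "account")


def typo_labels(label: str) -> set[str]:
    """All single-edit typo labels of `label` (original excluded)."""
    out: set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])            # omission
        out.add(label[:i] + label[i] + label[i:])     # repetition
        if label[i] in HOMOGLYPHS:                    # homoglyph swap
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for i in range(len(label) - 1):                   # adjacent transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                    # inserted hyphen
        out.add(label[:i] + "-" + label[i:])
    for affix in AFFIXES:                             # brand + keyword
        out.add(f"{label}-{affix}")
        out.add(f"{affix}-{label}")
    out.discard(label)
    return out


def lookalike_variants(domain: str) -> set[str]:
    """Full domain names to watch for, under the own TLD and the ALT_TLDS."""
    label, _, tld = domain.lower().rpartition(".")
    labels = typo_labels(label)
    variants = {f"{v}.{tld}" for v in labels}
    # Under other TLDs, the unchanged label is itself worth flagging.
    variants |= {f"{v}.{t}" for v in labels | {label} for t in ALT_TLDS if t != tld}
    return variants


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches substitutions the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(own_domain: str, observed: Iterable[str]) -> list[str]:
    """Observed domains that are generated variants or within one edit of ours."""
    own = own_domain.lower().rstrip(".")
    label, _, tld = own.rpartition(".")
    generated = lookalike_variants(own)
    hits: set[str] = set()
    for d in observed:
        d = d.lower().rstrip(".")
        if d == own:
            continue                                  # our own registration
        d_label, _, d_tld = d.rpartition(".")
        if d in generated or (d_tld == tld and levenshtein(d_label, label) <= 1):
            hits.add(d)
    return sorted(hits)


# Constructed list of "observed" registrations for the example.
OBSERVED = [
    "exampel.com",        # transposition
    "examp1e.com",        # homoglyph
    "example-login.com",  # brand + keyword
    "exmaple.net",        # transposition under another TLD
    "example.org",        # our label under another TLD
    "examqle.com",        # substitution; caught by edit distance only
    "exampleshop.com",    # not within one edit, not generated
    "unrelated.org",
    "example.com",        # our own domain; never flagged
]

if __name__ == "__main__":
    for hit in flag_lookalikes("example.com", OBSERVED):
        print("look-alike registration:", hit)
```

The generated set is deliberately small; the edit-distance check is what catches single-character substitutions the generator does not enumerate, while keeping the comparison restricted to the brand's own TLD so unrelated short names are not flagged.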
In short, IP and domain intelligence tools provide in-depth information about an individual or a company.
IP intelligence products can give you the following details about an IP address and its range:
- Internet service provider (ISP)
- Connection type
- Country, region, and city
- Latitude and longitude
- Postal code
- Time zone
Domain intelligence offerings, meanwhile, often provide the following info about domain names:
- Registrar email address
- WHOIS server
- Name servers
- Creation, update, and expiration dates
- Status (regarding renewal, transfer, etc.)
- Registrant name
- Registrant email address
- Registrant organization
- Registrant street address
- Registrant city, state, and country
- Registrant phone and fax numbers
- Administrative, billing, and contact names and details
Domain and IP Intelligence Categories
There are various IP and domain intelligence tools that cybersecurity specialists can use to gather and analyze data, which include:
- WHOIS lookup tools: For some, WHOIS information is just a bunch of data that registrants need to fill in when registering their domain names. For those who know how to use it, however, WHOIS lookups can help track down domains involved in spamming, phishing, domain hijacking, and other nefarious activities. They can also clue you in to potential domain name abusers, fraudsters, and brand infringers.
- Domain Name System (DNS) lookup tools: For infosec investigators, digging up all the IP addresses related to a particular domain can be time-consuming. It is entirely doable, however, with a comprehensive DNS database. And when all they have is an IP address or a domain, they can use a reverse DNS lookup tool to obtain the associated domains or IP addresses and so gather all the available details about an attacker.
- IP geolocation search tools: IP geolocation search tools can help track and monitor transactions for fraud. Infosec professionals and fraud investigators can integrate IP geolocation APIs into online forms and payment portals as an additional layer of security. With these, they can easily compare IP addresses used in ongoing transactions with those kept on record to catch fraudsters red-handed. IP geolocation tools can also be integrated into digital rights management (DRM) systems to prevent unauthorized IP addresses from accessing protected content.
- IP netblocks data feeds: An IP netblocks database provides updated information on all of the IP addresses tied to an individual or organization’s domain. It contains the IP range, its owner’s name (individual or organization), domain, and country. It is particularly useful when an entire network has been compromised and its IP addresses are used in attacks. Infosec professionals can block an entire netblock to make sure their organizations stay protected.
Now that you know how vital IP and domain intelligence can be for cybersecurity investigations, the next logical step is to discern which among existing providers can give you the best IP and WHOIS databases, tools, and resources.
The Best IP Intelligence and WHOIS Service Providers
The success of a cybersecurity investigation relies heavily on the reliability, relevance, and completeness of the tools and data feeds that you use. Here are some of the key players in the IP and domain intelligence industry these days:
WhoisXML API (disclaimer: this is our brand)
WhoisXML API is a provider of numerous IP and domain intelligence tools. It has been crawling the Web for relevant data for more than 10 years now and so has amassed information from or on:
- More than 6.7 billion historical WHOIS records
- Over 1.2 billion domains and subdomains
- 2,864 TLDs and counting (including generic TLDs [gTLDs] and country-code TLDs [ccTLDs])
- More than 9.1 million IP netblocks
- 99.5% of all IP addresses in use
WhoisXML API’s WHOIS API, Reverse WHOIS API, WHOIS Search, Reverse WHOIS Search, WHOIS History API, and WHOIS History Search, all supported by the exhaustive WHOIS Database Download, are flexible and easy-to-use tools for cyber investigations. Brand Monitor and Brand Alert API, in addition, let you identify all potential instances of cybersquatting on your and other companies’ online properties by returning lists of misspelled domain names.
All of the data these tools provide comes in a consistent format, allowing for easy comparisons and analyses. Some of the said products are also available through our command-line tool, bestwhois.
Overall, WhoisXML API’s domain intelligence tools let you enrich threat intelligence to come up with accurate forensic analyses, block known fraudulent domains, conduct thorough background checks on domains of interest and their owners, monitor your virtual assets for infringement and other forms of abuse, and more.
The company’s IP offerings, meanwhile, which include IP Geolocation API, IP Geolocation Lookup, Reverse IP/DNS API, and IP Netblocks API, all obtain data from its comprehensive IP Netblocks WHOIS Database and IP Geolocation Data Feed. You can use all of these to protect your organization against DoS and DDoS attacks, identify IP addresses or IP ranges that may be related to attacks, enhance your DRM systems and solutions, and more.
All domain and IP intelligence APIs are suitable for integration into programmed solutions as they provide data via convenient RESTful API calls. In parallel, our IP and WHOIS databases are parsed and available in several formats (CSV and JSON) to enable clients to build their own large specialized databases, facilitating extensive specialized queries.
The company also offers customizable domain intelligence suites that include the Domain Research Suite, the Enterprise API Packages, the Enterprise Data Feed Packages, and the Enterprise Tool Packages.
Threat Intelligence Platform
Threat Intelligence Platform is a powerful tool that scrutinizes domains and IP addresses for potential ties to malicious activities and threat actors as well as vulnerabilities and misconfigurations that can undermine an organization’s security. It runs the following checks on a domain or an IP address:
- IP resolution check by analyzing a domain’s host infrastructure, so you get all related IP addresses along with their geographical or Autonomous System (AS) details
- Secure Sockets Layer (SSL) certificate check to alert you to vulnerabilities and misconfigurations
- Website content check for ties to malicious domains and potential host configuration issues
- Malware check to see if the domain or IP address is deemed dangerous in various malware data feeds
- WHOIS record check to let you know if anything is amiss in a domain name’s WHOIS record
- Mail server check to spot DNS mail exchange (MX) record and mail server misconfigurations
- Name server check to identify name server (NS) misconfigurations and other possible issues
Geo.ipify.org
Geo.ipify.org offers IP Geolocation API and IP Geolocation Data Feed to users. These are reliable tools that also let you submit multiple requests at once.
The company’s IP geolocation database contains IP addresses from both the IPv4 and IPv6 spaces. You can choose to display query results in three formats—plain text, JSON, or JSONP. Geo.ipify.org’s database boasts 99.5% coverage of all IP addresses in use today and is well-parsed and well-structured to provide consistent results that make for easy comparisons. It contains more than 15 million IP blocks, mostly in the U.S., the U.K., France, Germany, and Canada.
Geo.ipify.org’s tools are handy if you’re looking for an individual or organization’s email address or domain with only an IP address on hand.
Domains Index
Domains Index is a WHOIS service provider that supplies bulk datasets. It has information on more than 280 million domains that come in customizable sets. You can get country-specific domain databases, depending on your business needs. You can also choose to only download databases for specific gTLDs. These offerings can let those with limited requirements save on costs.
Neustar
Neustar has two IP intelligence offerings—IP Geopoint and IP Reputation.
IP Geopoint provides industry-leading IP geolocation, ownership, and connection data that helps you manage customers to ensure compliance with content delivery and government regulations, identify fraudulent transactions, and streamline the customer journey. IP Reputation, meanwhile, helps you assess the trustworthiness of IP addresses and identify human versus nonhuman (i.e., bot or server) traffic to prevent malicious online activity.
The tools are interesting in that they have a load balancing feature and provide real-time geolocation information. Neustar’s offerings also come in both free and paid versions that you can use to identify possible fraudulent activities.
NCC Group
NCC Group’s Domain Intelligence can help infosec investigators monitor domain name registrations that have close similarities to their own, including subtle misspellings. It provides detailed daily reports of all the domains tracked, including their owners, contact details, and organizations. If a third party registers such a domain, the user receives an alert so they can take the necessary action. The company also offers Domain Threat Assessment services that provide detailed views of potentially malicious domains and any associated activity.
Our scanning revealed that massive IP address and domain intelligence databases and tools are available through different providers. As with all products and services, however, your choice boils down to which offering gives you excellent value for your money according to your needs.
WhoisXML API offers various packages to choose from, backed by a solid industry track record and exhaustive databases, as well as easy-to-use lookup interfaces and reliable customer service.