Node.js IP Reputation library

3 January 2023 | by Xavier Bellekens

In this article, I’m going to walk you through the best possible way to find the reputation of an IP address in Node.js using the Prowl API.

To identify the reputation of an IP address, we aggregate and analyze traffic in real time on our sensors deployed online. We then correlate and build a database of all IPs, geolocation, indicators of attacks, indicators of compromise and much more, and serve it to you via our Prowl API.

https://github.com/Lupovis/Prowl-API

What is Prowl?

Prowl is an API that lets you send an IP address and, in return, obtain its reputation as well as the indicators of attacks and indicators of compromise associated with that address. Lupovis monitors the web in real time and identifies malicious IP addresses for you.

Why use Prowl?

Blocking malicious IP addresses can help to mitigate cyberattacks in a number of ways.

First, many cyberattacks are automated, and rely on the attacker being able to repeatedly send malicious traffic from a large number of IP addresses. By blocking known malicious IP addresses, it becomes more difficult for the attacker to carry out these types of attacks.

Second, blocking malicious IP addresses can help to prevent attackers from gaining a foothold on a network or system. If an attacker is able to compromise a device on a network, they will often try to use that device to launch further attacks, or to pivot to other devices on the network. By blocking the IP addresses associated with the initial attack, it can help to prevent the attacker from being able to carry out these follow-on attacks.

Finally, blocking malicious IP addresses can also help to reduce the overall volume of malicious traffic that a network or system is exposed to. This can help to reduce the impact of an attack, and make it easier for network administrators to identify and respond to the attack.

Today, I’ll show you how to use our newly released Prowl-IP-Reputation Node.js library to perform an IP geolocation database lookup and return any attack vectors associated with the IP.

Obtain an API Key

To obtain an API key you can visit the Amazon AWS Marketplace and subscribe to our API.

https://aws.amazon.com/marketplace/pp/prodview-cr64x4lse5uui

You will be able to make as many requests to the API as needed for $0.02 cents per request.

Once subscribed, you will receive an email with the base URL of the API and the API key.

Install Prowl-IP-Reputation Package

Now that you have obtained an API key, the next thing you need to do is install the Node.js IP Reputation package. To do so, run the following command:

npm install -g prowl-ip-reputation

This will download and install the latest release of the prowl-ip-reputation package from NPM.

Get an IP Reputation Lookup Using Prowl

Now that you have your API key and the prowl-ip-reputation package installed, let’s take a look at an example you can run to obtain the reputation of any IP address you want.

Here’s an example script, ip-reputation.js, which will return the reputation of a popular IP address (8.8.8.8, one of Google’s core DNS servers):

// ip-reputation.js
import { ProwlClient } from 'prowl-ip-reputation';

// Replace the placeholders with the base URL and API key from your subscription email.
const client = new ProwlClient('<prowl-base-url>', '<prowl-api-key>');

client
   .getIpReputation("8.8.8.8")
   .then((response) => {
      // response holds the IP and the attack techniques associated with it
      console.log(response);
   })
   .catch((error) => {
      console.error(error);
   });

The library is simple to use and integrate within projects, and this can be done in 3 steps.

  • Import the library
  • Create a `ProwlClient` object by giving it the base URL and API key you received when you signed up for the API service.
  • Run the `getIpReputation` method, passing in the IP address you want to verify. The method returns a promise; the callback you pass to `.then()` runs when the IP reputation lookup has completed.

The following information will be returned in the callback:

Object {ip: "8.8.8.8", ttps: []}

This JSON data tells you everything you need to know about the indicators of attacks for the `8.8.8.8` IP address.

When an IP is malicious, the callback receives a populated `ttps` array, as shown here:

Object {ip: "143.110.000.000", ttps: ["dir-busting", "web-traversal"]}

Behind the scenes, the Prowl IP Reputation API service handles all the lookups within our database and the data aggregation, collecting data from sensors and processing millions of updates per day.

Use Your New IP Reputation Data

Now that you have seen how easy it is to identify malicious IP addresses using the Prowl-IP-Reputation library, you should be able to start implementing IP blocking in all of your products and services, eliminating the bulk of cyberattacks, bots, spam and opportunistic attacks.

Some really common use cases include:

  • Fraud and risk mitigation. If you notice a “directory buster” or “SSH Attacks” associated with an IP, you can temporarily block that IP and this can be a quick way to mitigate fraud and other issues.
  • Mitigating Distributed Denial of Service (DDoS) issues. Blocking IPs identified as being part of a botnet can reduce the traffic and requests against your products and services.
  • Pro-active blocking can help reduce the probability of suffering a cyberattack or a breach, as you already know this IP address is malicious and shouldn’t access your products and services.

How Long Should an IP Address Be Blocked?

There is no hard and fast rule for how long you should block an IP address. The appropriate length of time to block an IP address will depend on the specific circumstances of the attack and the needs of your organization.

In some cases, you may only want to block an IP address for a short period of time (days), in order to disrupt an ongoing attack. In other cases, you may want to block an IP address for a longer period of time (months), in order to prevent the attacker from being able to use the same IP address to launch further attacks in the future.

In general, it is a good idea to review your list of blocked IP addresses on a regular basis, and to unblock any IP addresses that are no longer considered to be a threat. This can help to ensure that your network is protected from current threats, while minimizing the impact on legitimate users.

We typically recommend blocking IP addresses for 1 to 3 weeks at a time and then flushing the rules. If the malicious user or bot visits your service again, you are only a request away from blocking them.
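One way to apply this recommendation to the `{ip, ttps}` responses shown earlier is a local blocklist whose entries expire, so each IP costs at most one API request per period. This is an added example, not part of the Prowl library; `ReputationBlocklist`, the injected `lookup` function, the 14-day default and the one-hour cache for clean verdicts are assumptions made here.

```javascript
// Added example: ReputationBlocklist and its option names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

class ReputationBlocklist {
  // lookup: async (ip) => ({ ip, ttps: [...] }), e.g. (ip) => client.getIpReputation(ip)
  constructor(lookup, { blockDays = 14, cleanCacheMs = 60 * 60 * 1000 } = {}) {
    this.lookup = lookup;
    this.blockMs = blockDays * DAY_MS;
    this.cleanCacheMs = cleanCacheMs;
    this.blocked = new Map(); // ip -> { until, ttps }
    this.clean = new Map();   // ip -> time until which a "clean" verdict is reused
  }

  // Apply one API response. Returns true if the IP is now blocked.
  record(response, now = Date.now()) {
    const ttps = Array.isArray(response.ttps) ? response.ttps : [];
    if (ttps.length === 0) {
      this.clean.set(response.ip, now + this.cleanCacheMs);
      return false;
    }
    this.clean.delete(response.ip);
    this.blocked.set(response.ip, { until: now + this.blockMs, ttps });
    return true;
  }

  // Local verdict without calling the API: true, false, or null if unknown or expired.
  cached(ip, now = Date.now()) {
    const entry = this.blocked.get(ip);
    if (entry && entry.until > now) return true;
    const cleanUntil = this.clean.get(ip);
    if (cleanUntil !== undefined && cleanUntil > now) return false;
    return null;
  }

  // Drop expired entries (the "flush"); returns the IPs that were unblocked.
  flushExpired(now = Date.now()) {
    const released = [];
    for (const [ip, entry] of this.blocked) {
      if (entry.until <= now) { this.blocked.delete(ip); released.push(ip); }
    }
    for (const [ip, until] of this.clean) if (until <= now) this.clean.delete(ip);
    return released;
  }

  // Full check: reuse the local verdict if there is one, otherwise make one lookup.
  async shouldBlock(ip, now = Date.now()) {
    const known = this.cached(ip, now);
    if (known !== null) return known;
    return this.record(await this.lookup(ip), now);
  }
}
```

`shouldBlock` lets a failed lookup reject, so the caller decides whether to allow or deny traffic when the API is unreachable.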

Conclusion

To wrap things up: performing IP reputation lookups doesn’t have to be hard or expensive. By using our new Prowl-IP-Reputation Node.js library and the Prowl IP Reputation Service, you can easily build, manage and protect even a large web product.
