Threats & Risks
Risk Levels and Threat Types are based on the discovery method by which the data was obtained as well as the most probable type of threat.
Risk Levels
Risk Level is a value based on a scale of 1 to 5, and calculated from a wide range of factors we have developed to simplify the risk assessment process. The scale begins with 1 being the lowest risk level and ends with 5 being the highest risk level. IP addresses that have never been logged or identified as a risk will always have a Risk Level of 1.
While FraudGuard frequently sees multiple risk levels for a single IP, for example (3) Open Public Proxy and (5) Honeypot, Botnet or DDoS Attack, the IP will always register at the highest attack level in our attack correlation engine. In addition, both threat types and risk levels are ordered in descending order based on the severity, frequency and number of honeypot nodes attacked.
1 = No Risk
2 = Spam or Website Abuse (excessive scraping, resource linking or undesired site automation)
3 = Open Public Proxy
4 = Tor Node
5 = Honeypot, Malware, Botnet or DDoS Attack
Our blocking recommendations for customers depend entirely on the type of your application. For example:
We typically wouldn't recommend blocking site access or network access for risk levels 2-4, because the data we collect for risk levels 2-4 could of course belong to a dynamic or shared IP or, in some rare instances, could potentially be stale.
Our best practice recommendation: if you are looking at an API integration into FraudGuard to automate blocking of threats, we recommend blocking all threats with a risk level of 5 and typically limiting application access, if possible, for risk levels 2-4. If an IP with a risk level of 5 attempts to access your network or application, that same IP has attempted to attack one or more of our honeypot nodes in the recent past and, in our opinion, should be blocked in order to secure your application.
Threat Types
Threat Types are fairly self-explanatory and are used to target a specific type of threat, as opposed to a level of risk. If the IP address being checked has never been logged or identified as a risk, the value of threat will be 'unknown'.
- unknown
- abuse_tracker
- anonymous_tracker
- botnet_tracker
- honeypot_tracker
- malware_tracker
- spam_tracker
API Limitations
For all our bulk IP APIs we have an extremely large number of IPs to return to you. We return them via API calls with a default limit of 1000 IPs per API request. This limitation is by design as we want each execution to be as fast and reliable as possible.
Each bulk API gives you an offset option to offset the IPs returned to you; you should increase the offset by 1000 for each iteration of requests. When a JSON object is returned to you with fewer than 1000 IPs, that will be the last available page for that specific risk level or threat type.
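The offset loop described above, as an added example (not FraudGuard's own code). It assumes a hypothetical fetch_page(offset) callable that performs one bulk request and returns the decoded list of IPs; make_fake_api is a constructed stand-in so the loop runs offline, and max_pages is an added safety bound.

```python
from typing import Callable, Iterator, List

PAGE_LIMIT = 1000  # default limit per bulk API request, as stated above


def iter_bulk_ips(fetch_page: Callable[[int], List[str]],
                  page_limit: int = PAGE_LIMIT,
                  max_pages: int = 10_000) -> Iterator[str]:
    """Yield every IP of one bulk list, stepping the offset by page_limit.

    fetch_page(offset) is hypothetical: it stands for one bulk API request
    and returns the list of IPs decoded from the JSON response.
    """
    offset = 0
    for _ in range(max_pages):
        page = fetch_page(offset)
        if len(page) > page_limit:
            raise ValueError(f"page at offset {offset} exceeds {page_limit} IPs")
        yield from page
        # A short page is the last one. That includes an empty page, which
        # is what comes back when the total is an exact multiple of 1000.
        if len(page) < page_limit:
            return
        offset += page_limit
    # Never saw a short page: stop rather than loop forever.
    raise RuntimeError("max_pages reached without a final short page")


def make_fake_api(total: int) -> Callable[[int], List[str]]:
    """Constructed stand-in for a bulk endpoint holding `total` sample IPs."""
    data = [f"10.0.{i // 256}.{i % 256}" for i in range(total)]  # constructed
    calls: List[int] = []

    def fetch_page(offset: int) -> List[str]:
        calls.append(offset)  # record each requested offset for inspection
        return data[offset:offset + PAGE_LIMIT]

    fetch_page.calls = calls
    return fetch_page


if __name__ == "__main__":
    api = make_fake_api(2500)
    ips = list(iter_bulk_ips(api))
    print(len(ips), "IPs fetched with offsets", api.calls)
```
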