Abuse Check

If the checked IP address was involved in illegal or fraudulent activities recently, this will most likely result in a bad abuse score shown here. If you trace all IP packets reaching your firewall from the internet, you will see a number of interesting things:

First, there is legitimate traffic, for example replies from web servers or incoming email. This is expected and no surprise.

Then there are unexpected IP packets of all sorts: ping requests, TCP or UDP packets, and even packets with unusual protocols or malformed packets with strange payloads.

As long as these packets come in at a low rate, this is quite normal and usually harmless. But where do these packets come from? Chances are only very few of them are actually sent to you by a real person. Some packets appear because someone has mistyped an IP address or misconfigured a system, or because a host is malfunctioning. The majority of the packets come from bots or some sort of automated tools. Not all of these packets are sent with bad intentions: a legitimate source may check for availability or security problems, or someone is simply curious whether you are running a web server or other services.

Bots with bad intent try to find a way to break into your IT environment. They check for open ports until they get an answer packet that allows conclusions about the type of operating system and the software used. This information can then be used to fine-tune the attack. Other bots simply try to log into your servers using lists of unsafe credentials.

It doesn't feel good knowing that a burglar is constantly fiddling with your front door lock, so what can you do about it? Setting up your firewall so that it only accepts incoming packets from a few hand-picked IP addresses is the most effective way to protect against any attack, but often this is not possible or practical.

Enabling intrusion protection in the firewall is a very effective way to block known attacks and to be notified of unusual activity. Keeping up with the latest security fixes is hopefully your top priority already, but this doesn't help against new attacks or weak passwords. As a last defense you may add geoblocking. Allowing IP traffic only from countries that you do business with may reduce malicious traffic by one or two orders of magnitude, thereby substantially reducing the chance of intrusion even for zero-day attacks.

When attacks occur repeatedly from a specific IP address, you may send an abuse notification to the email contact shown in IP Checker. Trustworthy ISPs will react to these emails and try to stop these activities. Bad ISPs ignore abuse notifications, either because they don't care or because malicious activity is part of their business. In these cases it makes more sense to report these IP addresses to independent organizations that maintain a database of IP addresses involved in disruptive activities. IP Checker will show you an abuse score from these reports.
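One way to pick out such repeat offenders from firewall drop logs, as an added example that is not part of IP Checker. The log lines are constructed and simplified from the Linux netfilter LOG format, and the function names and thresholds are assumptions:

```python
import re
from collections import Counter, defaultdict

# Matches source, protocol and (if present) destination port of a log line.
LINE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?")

def summarize(log_text):
    """Count dropped packets per source IP and (protocol, destination port)."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            hits[m["src"]][(m["proto"], m["dpt"])] += 1
    return hits

def report_candidates(hits, scan_ports=4, repeat_hits=5):
    """Return {source: reason} for sources above the assumed thresholds."""
    out = {}
    for src, counts in hits.items():
        # Ignore portless traffic such as ICMP pings when judging a source.
        ported = {k: n for k, n in counts.items() if k[1] is not None}
        if len(ported) >= scan_ports:
            out[src] = f"port scan: {len(ported)} protocol/port pairs"
        elif ported:
            (proto, port), top = max(ported.items(), key=lambda kv: kv[1])
            if top >= repeat_hits:
                out[src] = f"repeated attempts: {top} packets to {proto}/{port}"
    return out

def _line(src, proto, dpt=None):
    # Builds one constructed log line (documentation address ranges only).
    tail = f"SPT=40000 DPT={dpt}" if dpt else "TYPE=8 CODE=0"
    return f"Mar  3 10:00:00 fw kernel: DROP IN=eth0 SRC={src} DST=192.0.2.10 PROTO={proto} {tail}"

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "TCP", p) for p in (22, 23, 80, 443, 3389)]  # many ports
    + [_line("198.51.100.23", "TCP", 22)] * 6   # hammers one port
    + [_line("192.0.2.200", "ICMP")]             # single ping
    + [_line("198.51.100.99", "UDP", 53)]        # one stray packet
)

if __name__ == "__main__":
    for src, reason in report_candidates(summarize(SAMPLE_LOG)).items():
        print(src, reason)
```

Sources that stay below both thresholds, such as the single ping and the stray UDP packet, are treated as the low-rate background noise described above and are not listed.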

Please note: IP addresses with a high abuse score are most likely malicious. An abuse score of zero is no guarantee, however, that the computer behind this address isn't compromised.
