Chapter 4

Reputation and Third-Party Correlation

Knowledge of the enemy’s dispositions can only be obtained from other men.

— Sun Tzu in The Art of War

When a web client first visits our web application, we usually know nothing about him. Wouldn’t it be great if we could have some idea of a client’s disposition when he first accesses our site? Where is he coming from, and what does he want to do on our web site? IP addresses are for computers, not humans. Much in the same way that the Domain Name System (DNS) was created to help map IP addresses to user-friendly names, geolocation services based on a computer’s IP address (GeoIP) address resolution can provide much-needed contextual data about your client’s physical location. GeoIP is the proprietary technology that drives IP geolocation data and services from MaxMind, a provider of IP intelligence and online fraud detection tools. We can create a local threat profile of the client as he interacts with our site or even map him to a known user if he proceeds to log in to the application. This brings us to the concept of reputation systems. If we all share data about known malicious clients with central repositories, we can all query those same repositories to identify known offenders. The recipes in this chapter discuss various methods of using reputation and third-party systems to gather intelligence about clients.

Suspicious Source Identification

Identifying a client’s geographic location may provide clues about the user’s intentions. ...