IP Similarity

What is IP Similarity?

We at GreyNoise have been collecting, analyzing, and labeling internet background noise, and we have come to identify patterns among scanners and background noise traffic. Often we’ll see a group of IPs that have the same User-Agent or are sending payloads to the same web path even though they are coming from different geo locations. Or, we might see a group that uses the same OS and scanned all the same ports, but they have different RDNS lookups. Or any other combination of very similar behaviors with slight differences that show some version of distributed or obfuscated coordination.

3068

IP Similarity UI

Why does IP Similarity exist?

We hope to enable anyone to easily sniff out these groups without having an analyst pore all the raw data to find similar and dissimilar information combinations.

How did we create IP Similarity?

GreyNoise has a very rich dataset with a ton of features. For IP Similarity we are using a combination of relatively static IP centric features, things we can derive just from knowing what IP the traffic is coming from or their connection metadata, and more dynamic behavioral features, things we see inside the traffic from that IP. These features are:

  • IP Centric

    • VPN
    • Tor
    • rDNS
    • OS
    • JA3 Hash
    • HASSH
  • Behavioral

    • Bot
    • Spoofable
    • Web Paths
    • User-Agents
    • Mass scanner
    • Ports

Of note, for this analysis we do not use GreyNoise defined Tags, Actors, or Malicious/Benign/Unknown status, as these would bias our results based on our own derived information.

What is IP Similarity not?

IP Similarity is not a de-facto block list mechanism. This is an investigative tool to help users find other IPs that are behaving like the one they are curious about and pivot to more information about them.

What are some limitations of IP Similarity?

Currently we limit the number of results (100) returned and the variable for the minimum distance for samples (it is currently 0.73). In the future, advanced users could modify these parameters for a more tailored experience.

How do I access IP Similarity in the Visualizer?

The IP Simarility tool can be accessed by navigating to the IP Details page of the IP of interest, then clicking on the "X similar IPs" link that is above the Metadata information.

3068

IP Similarity access via IP Details page

What's included in the IP Similarity UI?

Header

The header section of the IP Similarity UI contains basic information about the IP searched that would be found on the IP Details page for that IP, including its classification, First and Last Seen Dates, and some other metadata.

It also contains a filter to limit the results in the tab to a minimum score so that you can focus on the IPs that meet your criteria. This filter also applies when the data is exported.

Additional Information

The additional information section of the IP Similarity UI contains a count of the total number of similar IPs based on the source IP provided. You can also filter the table based on the classification of the included results and export the results table to a CSV or JSON file.

Results Table

The results table section of the IP Simarility UI contains all the matching IPs based on the filter criteria selected. It provides high-level data on the IP within each row and the IP Similarity score for that IP.

IP Comparison

When clicking on a matching IP in the results table, the row expands to outline a comparison of the source IP submitted to the tool and the IP of the selected row. The comparison display helps to highlight the different components of the IP Simarility tools so that the matches between the IPs can be visually displayed. It also gives the ability to pivot to the IP Details page of the matching IP and to the IP Simalrity results for the matching IP.

IP Similarity Responses in API

You can find the API spec for the IP Similarity API here: IP Sim API Reference

{
	ips: [
		{
			ip: "110.42.175.75",
			score: 0.9041252,
			features: [
				"ja3_fp",
				"os",
				"ports",
				"useragents",
				"web_paths"
			]
		},
		{
			ip: "45.71.3.73",
			score: 0.9041252,
			features: [
				"ja3_fp",
				"os",
				"ports",
				"useragents",
				"web_paths"
			]
		},
		{
			ip: "35.161.23.30",
			score: 0.8695914,
			features: [
				"ja3_fp",
				"os",
				"ports",
				"useragents",
				"web_paths"
			]
		}
	]
}