IP Spotlight is a threat analytics tool that provides detailed information about a specific IP address. It operates on the IP-related information we collect from our network to give you insights into the clients that access your domains. This information helps you make better decisions when creating WAF rules and configuring policies to prevent and mitigate attacks.
Info: The IP Spotlight feature is available on the Enterprise plan. To enable it for your domain, contact our support team.
IP Spotlight provides IP details such as its source, total number of requests, destinations, WHOIS data, and whether it has been involved in any malicious activity against other domains within our network. To check an IP address, follow these steps:
We analyze an IP address's past activity in two areas: activity across the whole Gcore network (global activity) and interactions specific to your domains (domain activity).
The Global activity tab shows generic IP information and insights gathered from other domains on our platform. This data is more aggregated than the Domain activity data.
In this section, you can find out whether we have detected this IP address threatening resources in our network in the past. The section includes the following details:
The risk assessment score, which has five levels:
No risk
Low risk
Medium risk
High risk
Extreme risk
Total number of requests
Number of blocked requests
Number of unique sessions
Whether the IP address has been used for botnet attacks
The threats and services the IP is known for. This information is presented as tags associated with the IP address, such as SQL injection, injection attacks, or headless browsers.
We query multiple external and internal databases to retrieve and store information about an IP address. This allows IP Spotlight to provide a risk assessment and a score reflecting the IP's threat level. This score, ranging from Low to Extreme, allows you to decide what actions to take against any flagged IP that sends requests to your domain. The High and Extreme risk scores are typically assigned to addresses that appear on external block lists, participate in DDoS attacks, or make an unusually high number of requests.
Info: If the IP is no longer associated with malicious activity, its score might decrease from Extreme to Low or even No risk over time.
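As an added illustration (not part of Gcore's documentation or tooling), the following Python turns a Global activity record into a WAF policy recommendation and re-checks a stored decision so that a block is relaxed once the score has decayed; the record fields, thresholds and tag set are assumptions, not an IP Spotlight API.

```python
from dataclasses import dataclass, field

# Risk levels as the Global activity tab lists them, lowest to highest.
RISK_LEVELS = ("No risk", "Low risk", "Medium risk", "High risk", "Extreme risk")
# Tags that alone justify a challenge at lower risk levels (assumed policy choice).
ATTACK_TAGS = {"SQL injection", "injection attacks", "headless browsers"}

@dataclass
class GlobalActivity:
    """One IP's Global activity record; field names are assumptions, not an API."""
    ip: str
    risk: str
    total_requests: int
    blocked_requests: int
    unique_sessions: int
    botnet: bool
    tags: list = field(default_factory=list)

def risk_rank(level: str) -> int:
    """Map a risk label to 0..4; an unknown label is an error, never a guess."""
    if level not in RISK_LEVELS:
        raise ValueError(f"unknown risk level: {level!r}")
    return RISK_LEVELS.index(level)

def recommend_action(rec: GlobalActivity) -> str:
    """Turn a record into a WAF policy suggestion: block, challenge, monitor or allow."""
    rank = risk_rank(rec.risk)
    blocked_ratio = rec.blocked_requests / rec.total_requests if rec.total_requests else 0.0
    if rank >= 3 or rec.botnet:  # High/Extreme risk, or a known botnet member
        return "block"
    if rank == 2 or blocked_ratio >= 0.5 or ATTACK_TAGS & set(rec.tags):
        return "challenge"  # suspicious but not conclusive: challenge or rate-limit
    if rank == 1:
        return "monitor"  # Low risk: log only
    return "allow"

def should_relax(previous_action: str, rec: GlobalActivity) -> bool:
    """True when a stored action is stricter than the current record justifies.
    Scores decay as malicious activity stops, so stored rules must be re-checked."""
    order = {"allow": 0, "monitor": 1, "challenge": 2, "block": 3}
    return order[previous_action] > order[recommend_action(rec)]

# Constructed sample records (documentation IPs, not real data).
SAMPLE = [
    GlobalActivity("203.0.113.10", "Extreme risk", 12000, 11500, 40, True, ["SQL injection"]),
    GlobalActivity("203.0.113.20", "Low risk", 300, 180, 3, False, ["headless browsers"]),
    GlobalActivity("203.0.113.30", "No risk", 50, 0, 2, False),
]
```

Run `should_relax` periodically against a fresh record for every IP you have blocked, so a decayed score leads to the rule being downgraded rather than lingering.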
This section provides information from the global WHOIS database. It includes details like the name and type of organization that owns the address, its location, related IP ranges, contact information for reporting abuse, and registry details.
This section provides you with a map that shows the targets of past attacks originating from the scanned address. It also includes a list of the top 10 targets of these attacks.
Info: To view this information, you need to have WAAP enabled for your domain.
The data displayed on the Domain activity tab contains details about IP activity on your domain. Select a domain you want to analyze from the dropdown menu.
This section contains a table displaying information about the top 10 sessions from the specified IP to your domain. You can check the session ID, the date the session took place, the time-to-live (TTL) of the request, whether it was blocked, and the session duration.