An IP diversity score is a measure of the number of unique IP addresses associated with a particular domain or set of domains.
The score is calculated by analyzing the A/AAAA records associated with the domain(s) and counting the number of unique IP addresses that are used.
Threat actors often use a small number of IP addresses to host multiple domains, making it easier to set up and manage their infrastructure.
A low IP diversity score may indicate that a domain is part of a larger network of malicious activity.
A high IP diversity score can indicate that a domain is part of a larger, legitimate network, and is less likely to be associated with malicious activities. However, a high IP diversity score can also indicate the use of content delivery networks (CDNs) or other infrastructure that may be more difficult to track and analyze.
- Navigate to Advanced Query Builder > PADNS Queries > IP diversity lookup
- Select "A" or "AAAA" as a query type
- Specify the record's name in query
- Use the window field to use records with a "last_seen" more recently than the specified number of days
- Select timeline to include details of IPs, ASNs, first_seen and last_seen for each domain
- Choose a scope for exact or near match results by query type. live is automatically set when timeline=1
  - For A records:
    - host - Exact match (default when qtype=a)
    - domain - Match all hosts in this domain (domain extracted from {query})
    - subdomain - Match all hosts at this subdomain level (i.e. *.{query})
    - live - Calculate values from live data instead of pre-aggregated values (also switches to exact match only)
  - For AAAA records, live is the only mode that's supported
- For
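The following is an added example, not the product's own code, showing how the score described above is derived from passive DNS data: it counts unique IPs across A or AAAA records, applies the window cutoff on last_seen, and implements the host, domain and subdomain scopes. The records, dates and the two-label registrable-domain rule are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample passive-DNS records: (qname, qtype, ip, last_seen).
RECORDS = [
    ("www.example.test", "A", "203.0.113.10", date(2024, 6, 1)),
    ("www.example.test", "A", "203.0.113.11", date(2024, 6, 1)),
    ("mail.example.test", "A", "203.0.113.10", date(2024, 5, 1)),   # shares an IP with www
    ("a.cdn.example.test", "A", "198.51.100.1", date(2024, 6, 2)),
    ("b.cdn.example.test", "A", "198.51.100.2", date(2024, 6, 2)),
    ("old.example.test", "A", "192.0.2.9", date(2023, 1, 1)),       # stale record
    ("www.example.test", "AAAA", "2001:db8::1", date(2024, 6, 1)),
]

def registrable_domain(name):
    # Assumption: the registrable domain is the last two labels.
    # Production code should consult a public-suffix list instead.
    return ".".join(name.split(".")[-2:])

def in_scope(qname, query, scope):
    """Scope semantics as described for the lookup: host, domain, subdomain."""
    if scope == "host":        # exact match on the queried name
        return qname == query
    if scope == "domain":      # every host in the domain extracted from the query
        return registrable_domain(qname) == registrable_domain(query)
    if scope == "subdomain":   # every host below the query, i.e. *.{query}
        return qname.endswith("." + query)
    raise ValueError(f"unknown scope: {scope}")

def ip_diversity(records, query, qtype="A", scope="host", window=None,
                 today=date(2024, 6, 3)):
    """Return the set of unique IPs; its size is the IP diversity score."""
    if qtype == "AAAA" and scope != "host":
        # Per the lookup description, AAAA supports exact (live) matching only.
        raise ValueError("AAAA lookups support exact match only")
    cutoff = today - timedelta(days=window) if window is not None else None
    return {
        ip for name, t, ip, last_seen in records
        if t == qtype
        and in_scope(name, query, scope)
        and (cutoff is None or last_seen >= cutoff)
    }

def ip_diversity_score(records, query, **kwargs):
    return len(ip_diversity(records, query, **kwargs))

if __name__ == "__main__":
    print(ip_diversity_score(RECORDS, "example.test", scope="domain"))             # 5
    print(ip_diversity_score(RECORDS, "example.test", scope="domain", window=30))  # 4
```

A low score with many hosts in the domain scope (several names resolving to one or two IPs) is the pattern the page associates with shared malicious infrastructure, while the subdomain scope on a CDN-style label shows how legitimate infrastructure can drive the score up.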
Saving queries
Organizational users are able to save individual queries run from Advanced Query Builder, and store them in the Private Queries menu for future analysis, or to share with their organization.
- Specify the query parameters
- Click Save Query
- Give your query a Name
- Specify a Description to add more context
- Click Save