An IP diversity score is a measure of the number of unique IP addresses associated with a particular domain or set of domains.
The score is calculated by analyzing the A/AAAA records associated with the domain(s) and counting the number of unique IP addresses that are used.
Threat actors often host many domains on a small number of IP addresses, because a small, shared pool of hosts is easier to set up and manage than dedicated infrastructure per domain.
A low IP diversity score may therefore indicate that a domain is part of a larger network of malicious activity.
A high IP diversity score can indicate that a domain belongs to a larger, legitimate network and is less likely to be associated with malicious activity. However, a high score can also reflect the use of content delivery networks (CDNs) or other shared infrastructure, which can make the domain's hosting harder to track and analyze, so the score should be read together with the ASN and network data rather than on its own.
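The following Python block is an added example, not Silent Push code: it computes IP-diversity-style counts from a small set of constructed passive DNS A/AAAA records and then flags clusters of domains that share the same small IP set, which is the "many domains on few IPs" pattern described above. The page does not define how ip_diversity_groups or asn_diversity are derived, so the example assumes groups are distinct /24 (IPv4) or /64 (IPv6) networks and that an origin ASN is supplied with each record.

```python
"""Added example (not Silent Push code): IP diversity counts and low-diversity
clustering over constructed passive DNS records.

Assumptions not stated on the page:
  - ip_diversity_groups = number of distinct /24 (IPv4) or /64 (IPv6) networks
  - asn_diversity       = number of distinct origin ASNs attached to the records
"""
import ipaddress
from collections import defaultdict

# Constructed sample records: (domain, rrtype, address, origin ASN).
# Three lookalike domains sit on the same two IPs in one ASN; one domain
# is spread across several networks and ASNs, as a CDN customer would be.
RECORDS = [
    ("login-verify-account.example", "A", "203.0.113.10", 64496),
    ("login-verify-account.example", "A", "203.0.113.11", 64496),
    ("secure-update-portal.example", "A", "203.0.113.10", 64496),
    ("secure-update-portal.example", "A", "203.0.113.11", 64496),
    ("billing-notice-center.example", "A", "203.0.113.10", 64496),
    ("bigcdn-customer.example", "A", "198.51.100.5", 64497),
    ("bigcdn-customer.example", "A", "198.51.100.77", 64497),
    ("bigcdn-customer.example", "A", "192.0.2.40", 64498),
    ("bigcdn-customer.example", "AAAA", "2001:db8:1::1", 64499),
    ("bigcdn-customer.example", "AAAA", "2001:db8:2::1", 64499),
]


def group_key(address: str) -> str:
    """Assumed grouping: the /24 for IPv4 or the /64 for IPv6."""
    ip = ipaddress.ip_address(address)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def diversity_scores(records):
    """Per domain: unique IPs, unique networks (assumed groups), unique ASNs."""
    ips, groups, asns = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, rrtype, address, asn in records:
        if rrtype not in ("A", "AAAA"):
            continue  # only address records count toward the score
        ips[domain].add(address)
        groups[domain].add(group_key(address))
        asns[domain].add(asn)
    return {
        d: {
            "ip_diversity_all": len(ips[d]),
            "ip_diversity_groups": len(groups[d]),
            "asn_diversity": len(asns[d]),
        }
        for d in ips
    }


def low_diversity_clusters(records, max_ips=2, min_domains=2):
    """Connect low-diversity domains (<= max_ips unique IPs) that share any IP
    and return every connected group with at least min_domains members."""
    scores = diversity_scores(records)
    by_domain = defaultdict(set)
    for domain, rrtype, address, _ in records:
        if rrtype in ("A", "AAAA") and scores[domain]["ip_diversity_all"] <= max_ips:
            by_domain[domain].add(address)
    ip_to_domains = defaultdict(set)
    for domain, ipset in by_domain.items():
        for ip in ipset:
            ip_to_domains[ip].add(domain)
    seen, clusters = set(), []
    for start in by_domain:
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:  # depth-first walk over the shared-IP graph
            d = stack.pop()
            if d in component:
                continue
            component.add(d)
            for ip in by_domain[d]:
                stack.extend(ip_to_domains[ip] - component)
        seen |= component
        if len(component) >= min_domains:
            clusters.append(sorted(component))
    return clusters


if __name__ == "__main__":
    for domain, score in diversity_scores(RECORDS).items():
        print(domain, score)
    print("low-diversity clusters:", low_diversity_clusters(RECORDS))
```

The CDN-hosted domain ends up with five IPs across four networks and three ASNs and is left out of the clustering, while the three lookalike domains collapse into one cluster because they share the same two addresses; that is the same signal the IP diversity query exposes, computed locally on data you already hold.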
As well as providing a standard IP diversity query, Silent Push also allows you to search IP diversity data for recognisable patterns, with optional name server and domain name pattern matching, to help identify malicious infrastructure and pinpoint specific attack vectors.
- Navigate to Advanced Query Builder > PADNS Queries > Search IP Diversity Patterns
- Specify a nameserver name (or a wildcard pattern matching the nameserver used by the domains)
- Specify a domain name (or a wildcard pattern of domain names to search for)
- Specify a regular expression to match domains (this overrides the domain parameter)
- Choose whether to include metadata in the response
- Specify an mx server name (or a wildcard pattern matching the MX server used by the domains)
- Choose to search for data with a specific asn_diversity, and set its minimum and maximum levels
- Specify a value in ip_diversity_all and choose its minimum and maximum levels
- Specify a value in ip_diversity_groups and choose its minimum and maximum levels
- Specify a date in first_seen_min (yyyy/mm/dd) to show only domains whose A records were seen for the first time after the given date
- Specify a date in first_seen_max (yyyy/mm/dd) to show only domains whose A records were seen for the first time before the given date
- Select a first_seen_min_mode:
  - Strict: select A records that do not have any timestamps before first_seen_min
  - Any: select A records that have at least one timestamp after first_seen_min
- Select a first_seen_max_mode:
  - Strict: select A records that do not have any timestamps after first_seen_max
  - Any: select A records that have at least one timestamp before first_seen_max
- Specify a date in last_seen_min (yyyy/mm/dd) to show only domains whose A records were last seen more recently than the given date
- Specify a date in last_seen_max (yyyy/mm/dd) to show only domains whose A records were last seen earlier than the given date
- Select a last_seen_min_mode:
  - Strict: select A records that do not have any timestamps before last_seen_min
  - Any: select A records that have at least one timestamp after last_seen_min
- Select a last_seen_max_mode:
  - Strict: select A records that do not have any timestamps after last_seen_max
  - Any: select A records that have at least one timestamp before last_seen_max
- Specify an as_num to search for (may be repeated for additional AS numbers; separate multiple values with a semicolon)
- Choose whether to search for IPs in or not in the given AS numbers
- Use asname to search all AS numbers where the AS name begins with the specified value (may be repeated for additional AS names; separate multiple values with a semicolon)
- Use as_name_starts_with to search all AS numbers where the AS name begins with the specified value (may be repeated for additional AS names; separate multiple values with a semicolon)
- Use asname_contains to search all AS numbers where the AS name contains the specified value (may be repeated for additional AS names; separate multiple values with a semicolon)
- Use the asn_match options to match AS numbers against the following criteria:
  - Any: any asnum given or derived from asname appears in the timeline
  - All: the timeline must contain all asnums given or derived from asname
  - Limit: apply the minimum and/or maximum limits set in the optional asn_match_min and asn_match_max parameters
- Specify a value in asn_match_max to set the maximum number of the asnums given or derived from asname that may appear in the timeline
- Specify a value in asn_match_min to set the minimum number of the asnums given or derived from asname that must appear in the timeline
- Specify an additional network and netmask (may be repeated for additional networks; separate multiple values with a semicolon)
- Select timeline to include details of IPs, ASNs, "first_seen" and "last_seen" for each domain
- Specify a date in first_seen_after to return only domains that were first seen using the NS server in the "nsname" parameter after the given date
- Specify a date in first_seen_before to return only domains that were first seen using the NS server in the "nsname" parameter before the given date
- Specify a registrar
- Specify an email address used to register domains
- Specify a date in whois_date_after to return only domains whose WHOIS created date is after this date
- Specify a nameserver in nschange_from_ns to return results that have changed nameserver from this server (exact match, wildcards and the 'self' option are supported)
- Specify a nameserver in nschange_to_ns to return results that have changed nameserver to this server (exact match, wildcards and the 'self' option are supported)
- Specify a date in ns_change_date_after to return only domains with name server changes that occurred after this date
- Specify a date in ns_change_date_before to return only domains with name server changes that occurred before this date
- Specify a date in cert_date_min to return only domains that have had SSL certificates issued on or after the given date
- Specify a date in cert_date_max to return only domains that have had SSL certificates issued on or before the given date
- Specify a cert_issuer to return only domains that have had SSL certificates issued by the named certificate issuer
- Set limit to the number of results to return
- Set skip to skip a specified number of results
- Click Search
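The Strict/Any date modes and the asn_match rules above are the parts of this query that are easiest to get wrong, so the following Python block is an added example (not Silent Push's implementation) that re-creates those rules locally and runs them over a constructed timeline. Parameter names and the yyyy/mm/dd date format follow the page; the timeline record layout (ip, asn, first_seen, last_seen per A record) is assumed, and "before"/"after" are taken literally as strict comparisons against the bound.

```python
"""Added example (not Silent Push code): local model of the first_seen/last_seen
Strict/Any modes and the asn_match Any/All/Limit rules from the query above.

Assumed timeline layout: domain -> list of A-record observations, each with
ip, asn, first_seen and last_seen (yyyy/mm/dd, as the query parameters use).
"""
from datetime import date

# Constructed timelines. fresh-kit only has records first seen in March 2024;
# moved-host has an old record in one ASN and a new one in another; old-site
# has a single long-lived record.
TIMELINES = {
    "fresh-kit.example": [
        {"ip": "203.0.113.10", "asn": 64496, "first_seen": "2024/03/02", "last_seen": "2024/03/20"},
        {"ip": "203.0.113.11", "asn": 64496, "first_seen": "2024/03/05", "last_seen": "2024/03/21"},
    ],
    "moved-host.example": [
        {"ip": "198.51.100.5", "asn": 64497, "first_seen": "2023/11/01", "last_seen": "2024/02/28"},
        {"ip": "203.0.113.12", "asn": 64496, "first_seen": "2024/03/10", "last_seen": "2024/03/21"},
    ],
    "old-site.example": [
        {"ip": "192.0.2.40", "asn": 64498, "first_seen": "2022/01/15", "last_seen": "2024/03/21"},
    ],
}


def parse_date(s):
    """yyyy/mm/dd, the format the date parameters expect."""
    return date(*map(int, s.split("/")))


def parse_as_num(value):
    """as_num may carry several AS numbers separated by semicolons."""
    return {int(v) for v in value.split(";") if v.strip()}


def date_ok(timestamps, bound, mode, side):
    """side='min': Strict = no timestamp before bound, Any = at least one after.
    side='max': Strict = no timestamp after bound, Any = at least one before."""
    if bound is None:
        return True
    b = parse_date(bound)
    before = [t for t in timestamps if t < b]
    after = [t for t in timestamps if t > b]
    if side == "min":
        return not before if mode == "strict" else bool(after)
    return not after if mode == "strict" else bool(before)


def asn_ok(timeline_asns, wanted, match, match_min=None, match_max=None):
    """asn_match: 'any' = at least one wanted ASN in the timeline, 'all' = every
    wanted ASN present, 'limit' = count of wanted ASNs present within min..max."""
    if not wanted:
        return True
    hits = len(wanted & timeline_asns)
    if match == "any":
        return hits > 0
    if match == "all":
        return hits == len(wanted)
    if match == "limit":
        lo = 0 if match_min is None else match_min
        hi = len(wanted) if match_max is None else match_max
        return lo <= hits <= hi
    raise ValueError(f"unknown asn_match {match!r}")


def search(timelines, **p):
    """Apply the subset of query parameters modelled here and return the
    matching domain names, sorted."""
    wanted = parse_as_num(p.get("as_num", ""))
    out = []
    for domain, recs in timelines.items():
        fs = [parse_date(r["first_seen"]) for r in recs]
        ls = [parse_date(r["last_seen"]) for r in recs]
        asns = {r["asn"] for r in recs}
        n_ips = len({r["ip"] for r in recs})
        if not p.get("ip_diversity_all_min", 0) <= n_ips <= p.get("ip_diversity_all_max", 10**9):
            continue
        if not date_ok(fs, p.get("first_seen_min"), p.get("first_seen_min_mode", "any"), "min"):
            continue
        if not date_ok(fs, p.get("first_seen_max"), p.get("first_seen_max_mode", "any"), "max"):
            continue
        if not date_ok(ls, p.get("last_seen_min"), p.get("last_seen_min_mode", "any"), "min"):
            continue
        if not date_ok(ls, p.get("last_seen_max"), p.get("last_seen_max_mode", "any"), "max"):
            continue
        if not asn_ok(asns, wanted, p.get("asn_match", "any"), p.get("asn_match_min"), p.get("asn_match_max")):
            continue
        out.append(domain)
    return sorted(out)


if __name__ == "__main__":
    print("any :", search(TIMELINES, first_seen_min="2024/03/01", first_seen_min_mode="any"))
    print("strict:", search(TIMELINES, first_seen_min="2024/03/01", first_seen_min_mode="strict"))
    print("all ASNs:", search(TIMELINES, as_num="64496;64497", asn_match="all"))
```

The difference between the modes shows up on moved-host.example: with first_seen_min_mode set to Any it matches, because one of its A records was first seen after 2024/03/01, while Strict drops it because an older record exists. Use Strict when you want infrastructure that is genuinely new, and Any when you want anything that has picked up a new address since the date.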
Saving queries
Organizational users can save individual queries run from the Advanced Query Builder and store them in the Private Queries menu for future analysis, or to share with their organization.
- Specify the query parameters
- Click Save Query
- Give your query a Name
- Specify a Description to add more context
- Click Save