Search for patterns in IP diversity data.
Updated on 16 May 2023
An IP diversity score is a measure of the number of unique IP addresses associated with a particular domain or set of domains.
The score is calculated by analyzing the A/AAAA records associated with the domain(s) and counting the number of unique IP addresses that are used.
Threat actors often use a small number of IP addresses to host multiple domains, making it easier to set up and manage their infrastructure.
A low IP diversity score may indicate that a domain is part of a larger network of malicious activity.
A high IP diversity score can indicate that a domain is part of a larger, legitimate network, and is less likely to be associated with malicious activities. However, a high IP diversity score can also indicate the use of content delivery networks (CDNs) or other infrastructure that may be more difficult to track and analyze.
As well as providing a standard IP diversity query, Silent Push also allows you to search IP diversity data for recognisable patterns, with optional name server and domain name pattern matching, to help identify malicious infrastructure and pinpoint specific attack vectors.
Navigate to Advanced Query Builder > PADNS Queries > Search IP Diversity Patterns
- Specify a nameserver name (or wildcard pattern of the nameserver used by domains)
- Specify a domain name (or wildcard pattern of domain names to search for)
- Specify a regular expression match for a domain (this overrides the domain parameter)
- Choose to include metadata in the response
- Specify an mx server name (or wildcard pattern of the mx server used by domains)
- Choose to search for data with a specific asn_diversity, and set its minimum and maximum levels
- Specify a value in ip_diversity_all and choose its minimum and maximum levels
- Specify a value in ip_diversity_groups and choose its minimum and maximum levels
- Specify a date in first_seen_min (yyyy/mm/dd) to show only domains that have A records seen for the first time after the given date
- Specify a date in first_seen_max (yyyy/mm/dd) to show only domains that have A records seen for the first time before the given date
- Select a first_seen_min_mode:
  - Strict: Select A records that do not have any timestamps before first_seen_min
  - Any: Select A records that have at least one timestamp after first_seen_min
- Select a first_seen_max_mode:
  - Strict: Select A records that do not have any timestamps after first_seen_max
  - Any: Select A records that have at least one timestamp before first_seen_max
- Specify a date in last_seen_min (yyyy/mm/dd) to show only domains that have A records last seen more recently than the given date
- Specify a date in last_seen_max (yyyy/mm/dd) to show only domains that have A records last seen earlier than the given date
- Select a last_seen_min_mode:
  - Strict: Select A records that do not have any timestamps before last_seen_min
  - Any: Select A records that have at least one timestamp after last_seen_min
- Select a last_seen_max_mode:
  - Strict: Select A records that do not have any timestamps after last_seen_max
  - Any: Select A records that have at least one timestamp before last_seen_max
- Specify an as_num to search for (may be repeated multiple times for additional AS numbers; separate multiple values with a semicolon)
- Choose to search for IPs in or not in the given AS numbers
- Use asname to search all AS numbers where the AS Name begins with the specified value (may be repeated multiple times for additional AS names; separate multiple values with a semicolon)
- Use as_name_starts_with to search all AS numbers where the AS Name begins with the specified value (may be repeated multiple times for additional AS names; separate multiple values with a semicolon)
- Use asname_contains to search all AS numbers where the AS Name contains the specified value (may be repeated multiple times for additional AS names; separate multiple values with a semicolon)
- Use the asn_match options to match AS numbers to the following criteria:
  - Any: Any asnum given or derived from asname appears in the timeline
  - All: The timeline must contain all asnums given or derived from asname
  - Limit: Apply min and/or max limits as specified by the optional asn_match_min and asn_match_max values
- Specify a value in asn_match_max to set the maximum number of the asnums given or derived from asname that must appear in the timeline
- Specify a value in asn_match_min to set the minimum number of the asnums given or derived from asname that must appear in the timeline
- Specify an additional network and netmask (may be repeated multiple times for additional networks; separate multiple values with a semicolon)
- Select timeline to include details of IPs, ASNs, "first_seen" and "last_seen" for each domain
- Specify a date in first_seen_after to return only domains that have been seen using the NS server in the "nsname" parameter for the first time after the given date
- Specify a date in first_seen_before to return only domains that have been seen using the NS server in the "nsname" parameter for the first time before the given date
- Specify a registrar
- Specify an email used to register domains
- Specify a date in whois_date_after to return only domains that have a created date in WHOIS after this date
- Specify a nameserver in nschange_from_ns to return results that have changed nameserver from this server (exact match, wildcards and 'self' options supported)
- Specify a nameserver in nschange_to_ns to return results that have changed nameserver to this server (exact match, wildcards and 'self' options supported)
- Specify a date in ns_change_date_after to return only domains with name server changes that occurred after this date
- Specify a date in ns_change_date_before to return only domains with name server changes that occurred before this date
- Specify a date in cert_date_min to return only domains that have had SSL certificates issued on or after the given date
- Specify a date in cert_date_max to return only domains that have had SSL certificates issued on or before the given date
- Specify a cert_issuer to return only domains that have had SSL certificates issued by the named certificate issuer
- Set limit to cap the number of results to return
- Set skip to skip a specified number of results
- Click Search
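To make the scores and filters above concrete, here is an added example (not Silent Push's own code and not its scoring implementation) that models the IP diversity score from the introduction and the first_seen_min_mode and asn_match behaviour from the parameter list, run over a constructed passive-DNS timeline. The domains, addresses (documentation ranges) and AS numbers are made up; grouping addresses by /24 (IPv4) and /64 (IPv6) for ip_diversity_groups, and applying each mode per domain, are this example's assumptions rather than Silent Push's documented definitions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ARecord:
    domain: str
    ip: str
    asn: int
    first_seen: date   # first observation of this domain -> address pair
    last_seen: date    # most recent observation


def parse_date(s):
    """Accept the page's yyyy/mm/dd form (or a date object)."""
    return s if isinstance(s, date) else date(*map(int, s.split("/")))


# Constructed sample timeline: two lure domains packed onto one /24 in a single
# ASN (low diversity), and one domain spread over several addresses and ASNs
# (high diversity, CDN-like). Hypothetical data, not real observations.
TIMELINE = [
    ARecord("lure-a.example", "203.0.113.10", 64500, date(2023, 4, 1), date(2023, 5, 10)),
    ARecord("lure-a.example", "203.0.113.11", 64500, date(2023, 4, 20), date(2023, 5, 10)),
    ARecord("lure-b.example", "203.0.113.10", 64500, date(2023, 4, 2), date(2023, 5, 9)),
    ARecord("cdn-site.example", "198.51.100.5", 64496, date(2022, 1, 1), date(2023, 5, 10)),
    ARecord("cdn-site.example", "198.51.100.77", 64496, date(2022, 6, 1), date(2023, 5, 10)),
    ARecord("cdn-site.example", "192.0.2.9", 64497, date(2023, 3, 1), date(2023, 5, 10)),
    ARecord("cdn-site.example", "2001:db8::1", 64498, date(2023, 4, 15), date(2023, 5, 10)),
]


def records_for(records, domain):
    return [r for r in records if r.domain == domain]


def ip_diversity_all(records, domain):
    """Number of distinct A/AAAA addresses ever seen for the domain."""
    return len({r.ip for r in records_for(records, domain)})


def ip_diversity_groups(records, domain):
    """Distinct address groups: /24 for IPv4, /64 for IPv6 (assumed grouping)."""
    groups = set()
    for r in records_for(records, domain):
        addr = ip_address(r.ip)
        prefix = 24 if addr.version == 4 else 64
        groups.add(ip_network(f"{addr}/{prefix}", strict=False))
    return len(groups)


def asn_diversity(records, domain):
    """Number of distinct ASNs announcing the domain's addresses."""
    return len({r.asn for r in records_for(records, domain)})


def matches_first_seen_min(records, domain, first_seen_min, mode):
    """first_seen_min_mode applied per domain.
    strict: no A record first seen before the date; any: at least one first seen after it."""
    cutoff = parse_date(first_seen_min)
    stamps = [r.first_seen for r in records_for(records, domain)]
    if mode == "strict":
        return all(s >= cutoff for s in stamps)
    if mode == "any":
        return any(s > cutoff for s in stamps)
    raise ValueError(f"unknown mode {mode!r}")


def matches_asn(records, domain, asnums, mode, asn_match_min=None, asn_match_max=None):
    """asn_match: any / all / limit, judged against the ASNs in the domain's timeline."""
    present = {r.asn for r in records_for(records, domain)} & set(asnums)
    if mode == "any":
        return bool(present)
    if mode == "all":
        return present == set(asnums)
    if mode == "limit":
        lo = 0 if asn_match_min is None else asn_match_min
        hi = len(asnums) if asn_match_max is None else asn_match_max
        return lo <= len(present) <= hi
    raise ValueError(f"unknown mode {mode!r}")


def shared_hosts(records, domains):
    """Addresses shared by more than one of the given domains: the low-diversity
    cluster a hunter pivots on when threat actors pack many domains onto few IPs."""
    by_ip = {}
    for r in records:
        if r.domain in domains:
            by_ip.setdefault(r.ip, set()).add(r.domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}


if __name__ == "__main__":
    names = {"lure-a.example", "lure-b.example", "cdn-site.example"}
    for d in sorted(names):
        print(d, ip_diversity_all(TIMELINE, d), ip_diversity_groups(TIMELINE, d), asn_diversity(TIMELINE, d))
    print(shared_hosts(TIMELINE, names))
```

Running it shows the two lure domains scoring 1 to 2 on ip_diversity_all, 1 on ip_diversity_groups and 1 on asn_diversity, with 203.0.113.10 shared between them, while the CDN-like domain scores 4, 3 and 3. The strict/any distinction matters for hunting: a domain whose first address predates the cutoff is excluded under strict but kept under any if it later gained a new address.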
Saving queries
Organizational users are able to save individual queries run from Advanced Query Builder, and store them in the Private Queries menu for future analysis, or to share with their organization.
- Specify the query parameters
- Click Save Query
- Give your query a Name
- Specify a Description to add more context
- Click Save