overview

b


a

zFeed is a realtime datafeed with information about worldwide datacenter and online infrastructure attacks.

Features:

  • qualified IP-dataset (see below), allowing our customers to get valuable information for each IP, like:
    • probability of a botnet-member
    • badness-factor
    • member of a malicious cidr/asn
  • design protection-strategies, based on the data
  • High Coverage on global Botnet-Activity
  • Search-API
  • Statistics based on CIDR and ASN available
  • ML-based automated Exploit-Campaign-Detection

  • REST-API for retrieving datasets in JSON-Format

  • PUSH-Solutions for realtime available
  • capable of being easily integrable into SIEMS and Firewalls

  • Malware-Domains (stream and search)

Protection-Strategies based on zFeed-Dataset

  • conservative:

    • usefull for browser-based Webapps with an anonymous userbase
    • block only the very bad guys
    • protect from botnet-attacks
  • progressive:

    • usefull for public APIs
    • block any identified bad guy on a certain threshold
  • aggressive:

    • usefull for anything that must be on the internet but is not available to everyone
    • block any bad activity

Contact:

  • zfeed@zero.bs

Sample-API-Resonse (stream)

"stats":{
  "timestamp":1520123456,
  "more_data":false,
  "resultset":16787,
  "last_event":1520223456
  },
"results":{
    "31.162.0.126":{
      "cidr":"31.162.0.0/18",
      "last_seen":1520223456,
      "asn_name":"PJSC Rostelecom",
      "asn":12389,
      "scores":{
        "XXXscore":3,
        "YYYscore":0,
        "ZZZscore":4,
        "AAAscore":0,
        "BBBscore":100
      }
    },
  "144.48.9.147":{
    "cidr":"144.48.8.0/22",
    "last_seen":1520223456,
    "asn_name":"Cloudie Limited",
    "asn":55933,
    "scores":{
      "XXXscore":14,
      "YYYscore":2,
      "ZZZscore":4792,
      "AAAscore":0,
      "BBBscore":100
      }
    },
  "58.218.200.29":{
    "cidr":"58.208.0.0/12",
    "last_seen":1520223456,
    "asn_name":"No.31,Jin-rong Street",
    "asn":4134,
    "scores":{
      "XXXscore":36,
      "YYYscore":2,
      "ZZZscore":48,
      "AAAscore":100,
      "BBBscore":0
      }
    },
  ...


}

Malware-Domains (Search and Stream)

we provide a list of known Malware-Domains, grouped into different categories:

  • phishlink - identified and confirmed phishlink
  • malware - generic malware-link
  • malware:SPECIFIC (like emotet, lokibot, ryuk)
[
  {
    "domain": "zen.yandex.ru",
    "url": "https://zen.yandex.ru/media/i...",
    "threat": "phishing",
    "timestamp": "2018-10-23T17:08:26.020079+02:00"
  },
  {
    "domain": "dropbox.com",
    "url": "https://www.dropbox.com/s/XX...",
    "threat": "malware:lokibot",
    "timestamp": "2018-10-17T02:14:26+00:00"
  },
  {
    "domain": "429days.com",
    "url": "http://429days.com/Dec2018/EN...",
    "threat": "malware:emotet",
    "timestamp": "2018-11-05T08:22:17+00:00"
  },
  { ... }
]

Search-API

zFeed provides an endpoint to search for events and statistics for a given IP. The result includes statistics for contamination of the CIDR and ASN the IP belongs to as well.

{
  "scores": {
    "XXXscore": 30,
    "YYYscore": 2,
    "ZZZscore": 1287,
    "AAAscore": 0,
    "BBBscore": 80
  },
  "ip": {
    "network_size": 1,
    "bad_ip_count": 0,
    "event_count": 0,
    "bad_ip_ratio": 0,
    "overall_ranking": 1
  },
  "cidr": {
    "network_size": 255,
    "bad_ip_count": 7,
    "event_count": 65,
    "bad_ip_ratio": 0,
    "overall_ranking": 0.9579139981701739
  },
  "asn": {
    "network_size": 2048,
    "bad_ip_count": 54,
    "event_count": 62377,
    "bad_ip_ratio": 0.002828125,
    "overall_ranking": 0.8172371638141809
  }
}