Today we've released an update to the v2 API which brings our vast attack history to the API so that you can finely tune your custom security model using our attack data.
We thought about introducing this with a new flag but we felt it fit best with our risk flag. So instead of supplying &risk=1 and only receiving a risk score you can now supply &risk=2 and receive both a risk score and detailed attack information. Below is an example of how this data looks in the API.
{
"status": "ok",
"node": "RHEA",
"51.38.22.253": {
"asn": "AS16276",
"provider": "OVH SAS",
"country": "France",
"latitude": 48.8582,
"longitude": 2.3387,
"isocode": "FR",
"proxy": "yes",
"type": "Compromised Server",
"risk": 100,
"attack history": {
"Total": 28594,
"Vulnerability Probing": 28594
},
"last seen human": "1 hour, 19 minutes, 17 seconds ago",
"last seen unix": "1560942310"
},
"query time": "0.02s"
}
As you can see there is a new section directly under the risk score which shows attack history. At the very top we're listing the total amount of attacks we've seen from this IP Address and then directly below we categorise each type of attack and display those counts. In this section you may encounter Login Attempt, Registration Attempt, Comment Spam or like in the example above Vulnerability Probing. We've detailed these and other response types on the API Documentation page under the risk score section.
These attack histories do not only display for detected proxies and VPN's. You could for example receive some attack history for an IP that we believe to be clean although if the attacks accumulate it will likely be displayed as a compromised server like the entry above which is a real reply from our API.
We've had a lot of requests from users over the past few months to add this data to the API and it was important to us that we did it in a way that won't impact service performance. This kind of data retrieval requires us to load information from our slowest storage medium where as most of our other data lives in fast server memory.
But we think we've come up with a good starting point. For an IP Address with a lot of attack history (such as the one above showing 28,594 attacks) we're seeing around a 0.02s query time. But for the vast majority of the IP Addresses out there you won't see any increase because the IP's either haven't generated any attack data or the attack volume is very small.
We hope you will take good advantage of the new attack data, we know some of you have gone to great lengths to try and obtain it, even going so far as to crawl our threat pages. Thankfully you won't have to do that anymore and the API version of this feature will provide a much wider range of data as it's not limited to 10 unique entries like our threat page attack history display is currently.
Thanks for reading and we hope everyone has a great week.