I have a client that is having several alerts indicating connection attempts to the IP 22.214.171.124, which, as far as I have investigated, is a CloudFlare IP that was used by the ransomware group Darkside.
The IP is not blacklisted because it is malicious by itself, but because it is the “entry point” to a malicious domain/IP that is hosted behind it.
The problem we are facing is that we are unable to find the exact URL or IP, as this IP (126.96.36.199) may have a huge number of URLs and IPs hosted behind it. We face the same problem with AWS IPs.
Would it be possible to have a list of the domains (or at least the suspicious domains) hosted behind this IP? Having the IP in the blacklist stops all requests. This includes legitimate requests that are performed against a legitimate URL/IP hosted behind this IP.
We want to avoid having this IP in the blacklist, as blocked legitimate connections are affecting our users. But we don’t want to unblock the IP until we are 100% sure that none of the hosted domains are unsafe.
Can you please help us with this case?
Thanks in advance.
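One way to get the per-domain visibility the post asks for, as an added example that is not part of the original post: take the TLS SNI values from a Zeek-style ssl.log (constructed sample lines below; the deny list and domain names are placeholders) and group them by destination IP, so that a decision can be made per hostname instead of for the whole shared CDN IP.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in Zeek ssl.log style (tab separated):
# ts, id.orig_h, id.resp_h, id.resp_p, server_name
SAMPLE_SSL_LOG = """\
1700000001.1\t10.0.0.5\t22.214.171.124\t443\tdocs.example-legit.com
1700000002.2\t10.0.0.7\t22.214.171.124\t443\tcdn.example-legit.com
1700000003.3\t10.0.0.5\t22.214.171.124\t443\tupdate.evil-placeholder.test
1700000004.4\t10.0.0.9\t22.214.171.124\t443\t-
1700000005.5\t10.0.0.9\t198.51.100.20\t443\tother.example.net
1700000006.6\t10.0.0.7\t22.214.171.124\t443\tdocs.example-legit.com
"""

# Placeholder deny list; replace with the domains named by the alert source.
DOMAIN_DENYLIST = {"update.evil-placeholder.test"}


def sni_by_dest(log_text: str, dest_ip: str) -> Counter:
    """Count the TLS SNI values observed toward one destination IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        _ts, _src, dst, _port, sni = fields[:5]
        if dst == dest_ip:
            counts[sni] += 1
    return counts


def triage(counts: Counter, denylist: set) -> Dict[str, List[Tuple[str, int]]]:
    """Split observed SNIs into denied, no-SNI (needs a closer look), and unknown."""
    out: Dict[str, List[Tuple[str, int]]] = {"denied": [], "no_sni": [], "unknown": []}
    for name, n in counts.most_common():
        if name == "-":
            out["no_sni"].append((name, n))
        elif name in denylist or any(name.endswith("." + d) for d in denylist):
            out["denied"].append((name, n))
        else:
            out["unknown"].append((name, n))
    return out


if __name__ == "__main__":
    for bucket, items in triage(sni_by_dest(SAMPLE_SSL_LOG, "22.214.171.124"), DOMAIN_DENYLIST).items():
        print(bucket, items)
```

With this split, a proxy or firewall rule can deny only the "denied" hostnames by SNI/Host while the "unknown" ones stay reachable; connections with no SNI still need manual review.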