A few months ago INCIBE deployed a service that allows users to verify whether their connection is being used by any of the botnets that our intelligence sources detect. Links between IP addresses and botnets are identified by fingerprinting connections observed by the probes that INCIBE and other companies in the sector have deployed on the Internet.
The operating architecture of the service is as illustrated in the following figure. The idea is to verify whether the public IP address through which the user browses is currently linked to a botnet and, if so, to send the user a warning.
To bring this service to more corporate settings, we have designed an API that allows the IP address enquiry to be integrated into Internet monitoring mechanisms such as Nagios, which parses the response document and sends an alarm if the IP is compromised. This simple API has a single method for enquiring whether or not the IP assigned to us (if dynamic) is compromised.
This method is requested through the URL https://antibotnet.osi.es/api/wscheckip/es for a response in Spanish, or wscheckip/en for a response in English. It returns the information available in our database about the public IP address that makes the enquiry, or an error message if the request cannot be completed or the IP from which the request is made is not geolocated in Spain.
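The Nagios integration described above could look like the following check plugin, which is an added example and not INCIBE's own code. The article does not show the response format, so the JSON fields `ip`, `error` and `evidences`, and the sample documents, are assumptions made for illustration; the real schema is in the API user instructions.

```python
#!/usr/bin/env python3
import json
import sys
import urllib.request

API_URL = "https://antibotnet.osi.es/api/wscheckip/en"  # URL given in the article
OK, CRITICAL, UNKNOWN = 0, 2, 3  # standard Nagios plugin exit codes

# Constructed sample responses. The schema is an ASSUMPTION, not the real one:
# a JSON object with "ip", an "error" string and an "evidences" list.
SAMPLE_CLEAN = '{"ip": "192.0.2.10", "error": "", "evidences": []}'
SAMPLE_HIT = '{"ip": "192.0.2.10", "error": "", "evidences": [{"name": "example-botnet"}]}'
SAMPLE_ERROR = '{"error": "IP not geolocated in Spain"}'

def evaluate(body):
    """Map a response document to (nagios_exit_code, status_line)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return UNKNOWN, "UNKNOWN - response is not valid JSON"
    if not isinstance(doc, dict):
        return UNKNOWN, "UNKNOWN - unexpected response document"
    if doc.get("error"):
        # Request could not be completed, or the IP is not geolocated in Spain.
        return UNKNOWN, "UNKNOWN - service error: %s" % doc["error"]
    evidences = doc.get("evidences")
    if not isinstance(evidences, list):
        # A missing verdict must never be reported as OK.
        return UNKNOWN, "UNKNOWN - no 'evidences' list in response"
    ip = doc.get("ip", "?")
    if evidences:
        names = sorted({str(e.get("name", "?")) if isinstance(e, dict) else str(e)
                        for e in evidences})
        return CRITICAL, "CRITICAL - %s linked to botnet(s): %s" % (ip, ", ".join(names))
    return OK, "OK - %s is not linked to any known botnet" % ip

def fetch(url=API_URL, timeout=10):
    """Query the service; the verdict concerns the public IP the request leaves from."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def main():
    try:
        code, line = evaluate(fetch())
    except OSError as exc:  # URLError, HTTPError, timeouts and TLS failures
        code, line = UNKNOWN, "UNKNOWN - request failed: %s" % exc
    print(line)
    return code

if __name__ == "__main__":
    sys.exit(main())
```

Because the service judges the source address of the request, the check has to run from a host that leaves through the same public IP as the network being monitored.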
To download the API user instructions, you must accept its conditions of use on the website that INCIBE has introduced for this service. As you can read in the conditions of use, INCIBE provides this service for free to anyone who wishes to integrate it into their security platforms. So what are you waiting for?