We have developed a proprietary set of heuristics to determine the IP footprint of a company without asking the company for its IP map and without any intrusive scanning of its network. However, some of our customers help us improve our maps by providing their own IP maps or the IP maps of their partners.
IP addresses and CIDR blocks are discovered through the following methods:
- Public Databases
- Autonomous System Numbers (ASN)/BGP Routing
- Passive DNS (pDNS) and Cloud
- TLS/SSL Certificates
Once our system has completed this preliminary work, Bitsight Technical Researchers then manually verify that the collected information is correct and complete.
Quickly view the source or reason why an IP or CIDR has been attributed to your organization from the Attribution tab. If this is in error, please refer to infrastructure management.
Methods
Public Databases
The majority of IP addresses and CIDR blocks are automatically aggregated to companies through publicly available data sources, such as Regional Internet Registries. The point of contact information attached to each relevant CIDR block is verified against the following criteria for inclusion:
- Direct correlation to an associated domain.
- Physical address location match.
- Unique name advertisement.
Autonomous System Numbers (ASN)/BGP Routing
Autonomous System Numbers (ASNs) that are assigned to a company can also be used as a source for identifying CIDR blocks. ASNs are identified through publicly available BGP data. As with an individual CIDR block, an ASN's point of contact information is verified against the following criteria:
- Direct correlation to an associated domain.
- Physical address location match.
- Unique name advertisement.
Learn more about IP assets from ASN attributions…
Passive DNS (pDNS) and Cloud
In addition to using externally collected network footprint data, passive DNS (pDNS) feeds are used to identify IP addresses. The pDNS feeds identify subdomains and their associated CIDR block allocation.
- A CIDR block is only assigned to a company when it is solely or primarily used by the company in question. IP addresses are not assigned to a company when they are shared and/or change ownership frequently.
- Observed domains pointing to that IP through DNS must belong to that company and must be included in their infrastructure. This allows us to properly identify and exclude shared hosting environments where more than one tenant may be responsible for configuring the underlying IP.
If an IP is misattributed to your organization, please reach out to Bitsight Support. If your DNS record still includes the IP in question, please remove any stale DNS records.
TLS/SSL Certificates
An IP address is attributed to a company when a TLS/SSL certificate is found on that IP exclusively containing the company’s domains. The presence of an active and correctly signed certificate strongly associates the hosting IP address to the domains within the certificate because the successful negotiation of a secure connection indicates the server has access to the private key. However, only certificates retrieved without specifying a server name indication (SNI) value are used to avoid common shared hosting scenarios. Additionally, the Domain Name System (DNS) pointer (PTR) record for each IP is checked to eliminate content delivery networks (CDNs) and further support direct control of the IP address by the attributed company.
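The criteria above can be reproduced as a self-check against your own addresses. The following is an added example, not Bitsight's code (their heuristics are proprietary); the function names and the CDN PTR suffix list are assumptions made for illustration.

```python
import socket
import ssl

# Assumed PTR suffixes marking CDN-operated addresses (illustrative placeholder list).
CDN_PTR_SUFFIXES = ("cdn.example.net",)

def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (label-boundary match)."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard SAN belongs to its parent domain
        name = name[2:]
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def fetch_default_cert_names(ip, port=443, timeout=5):
    """Return the DNS SANs of the certificate served when no SNI is sent.
    Chain validation stays on; only hostname matching is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False         # connecting by IP, so there is no name to match
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:   # no server_hostname means no SNI extension
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def ptr_name(ip):
    """Return the PTR hostname for ip, or None if there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def attributable(san_names, ptr, company_domains, cdn_suffixes=CDN_PTR_SUFFIXES):
    """Apply the certificate criteria described above to one observation."""
    if not san_names:
        return False, "no certificate names"
    foreign = [n for n in san_names
               if not any(in_domain(n, d) for d in company_domains)]
    if foreign:
        return False, "certificate also covers other domains: " + ", ".join(foreign)
    if ptr and any(in_domain(ptr, s) for s in cdn_suffixes):
        return False, "PTR record points to a CDN"
    return True, "certificate names are exclusively company domains"
```

To audit one of your own addresses, pass `fetch_default_cert_names(ip)` and `ptr_name(ip)` to `attributable()` together with your domain list; a default certificate left on a decommissioned or shared host is a common reason for an unexpected attribution.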
- June 21, 2022: More IP-based DNS attribution information and linked misattribution instructions.
- January 7, 2021: Published.