Background
Attribution is one of the steps in incident response following a cyber-attack or other malicious activity. One aspect of this step is IP address attribution, namely identifying the source IP address(es) responsible for the attack.
IP blacklisting is the process of maintaining a list of IP addresses that are repeatedly involved in malicious activity. Individual organizations can maintain their own IP blacklists and share this information with other organizations in order to create a more comprehensive and reliable IP blacklist.
These lists are then used on firewalls, routers, intrusion prevention systems, and/or individual machines in order to block any traffic to and from any IP address that appears on them.
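The blocking decision described above, as an added example that is not part of the original page: lists shared by two organizations are merged, and each packet's source and destination are checked against the result. The feed format, organization names, sample addresses and function names are assumptions made for illustration; addresses are compared as parsed values rather than strings, so an IPv4-mapped IPv6 form of a listed address still matches.

```python
import ipaddress

def normalize(text):
    """Return a canonical address object, or None for an unparsable entry."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) names the same host as a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def merge_blacklists(feeds):
    """feeds: {organization: list text}. Returns {address: set of organizations}."""
    merged = {}
    for org, text in feeds.items():
        for line in text.splitlines():
            entry = line.split("#", 1)[0]  # drop comments (assumed feed format)
            addr = normalize(entry)
            if addr is not None:
                merged.setdefault(addr, set()).add(org)
    return merged

def verdict(blacklist, src, dst):
    """Block a packet when its source or its destination is on the blacklist."""
    for field in (src, dst):
        addr = normalize(field)
        if addr is not None and addr in blacklist:
            return "block"
    return "allow"

# Constructed sample feeds (documentation address ranges, not real indicators).
FEEDS = {
    "org-a": "# local list\n198.51.100.23\n203.0.113.7  # repeated scans\n",
    "org-b": "203.0.113.7\n2001:db8::bad\nnot-an-address\n",
}
BLACKLIST = merge_blacklists(FEEDS)

# Constructed packets as (source, destination) pairs.
PACKETS = [
    ("203.0.113.7", "192.0.2.10"),         # blacklisted source
    ("192.0.2.10", "198.51.100.23"),       # blacklisted destination
    ("::ffff:203.0.113.7", "192.0.2.10"),  # same host, IPv4-mapped form
    ("192.0.2.44", "192.0.2.10"),          # neither address listed
]

if __name__ == "__main__":
    for src, dst in PACKETS:
        print(src, "->", dst, verdict(BLACKLIST, src, dst))
```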
The IP blacklisting process typically involves comparing the source and destination IP address of every packet against the list of IP addresses on the blacklist. When the blacklist contains several thousands of IP addresses, this comparison...