This section describes categories that Kaspersky Threat Intelligence Portal returns for IP addresses.
IP address categories
Category name |
Category code (used in API and exporting) |
Description |
|---|---|---|
APT |
CATEGORY_APT |
The host with this IP address is related to an APT attack and/or mentioned in a report. |
APT C&C Tracking |
CATEGORY_APT_CNC_TRACKING |
IP addresses involved in Advanced Persistent Threat (APT) infrastructure as Command and Control (C&C) server. |
Botnet C&C |
CATEGORY_BOTNET_CNC |
Command and control (C&C) servers that remotely send malicious commands to a botnet, or other resources, access to which indicates a possible infection. |
Compromised |
CATEGORY_COMPROMISED |
The host with this IP address is usually legitimate but is infected or compromised at the moment of the analysis. |
Crimeware |
CATEGORY_CRIMEWARE |
The host with this IP address is used in attacks on any organization for the purpose of stealing/extorting funds. |
Denial of service attacks |
CATEGORY_NETATTACK_DDOS |
The host with this IP address performs DDoS attacks. |
Industrial Threat |
CATEGORY_ICS_THREAT |
The host with this IP address is used in malicious campaigns targeting industrial organizations, as well as in vulnerabilities found in the most popular industrial control systems and underlying technologies. |
Intrusion attacks |
CATEGORY_NETATTACK_INTRUSION |
Represents external IP addresses attempting exploitation, potentially leading to remote code execution. |
Malware |
CATEGORY_MALWARE |
The host with this IP address hosts malware. |
Multi-User IP |
CATEGORY_NAT_GATEWAY |
Identifies IP addresses related to Network Address Translation (NAT) gateways. |
Network port scanning |
CATEGORY_NETATTACK_SCAN |
Indicates systematic scanning activities, often as a precursor to more targeted attacks (searching for network vulnerabilities). |
Password brute-force attempts |
CATEGORY_NETATTACK_BRUTEFORCE |
Identifies repeated and aggressive attempts to gain unauthorized access by systematically trying different user name and password combinations. |
Phishing |
CATEGORY_PHISHING |
The host with this IP address hosts phishing web pages. |
Proxy |
CATEGORY_PROXY |
Indicates a public proxy server. |
Sinkhole |
CATEGORY_SINKHOLE |
Identifies traffic directed towards a sinkhole—a network component strategically employed by anti-malware researchers to redirect and isolate malicious traffic away from its intended targets. |
Spam |
CATEGORY_SPAM |
IP address sends spam. |
Tor Exit Node |
CATEGORY_TOR_EXIT_NODE |
Indicates a Tor exit node. |
Tor Node |
CATEGORY_TOR_NODE |
Indicates a Tor node. |
VPN |
CATEGORY_VPN |
The host with this IP address is used by public VPN providers to host VPN servers. |