
The Wrong Attention Score: 655 Blocked IPs and a 4/100 Concern Rating

  • Writer: Patrick Duggan
  • Nov 14, 2025
  • 6 min read

---
title: "The Wrong Attention Score: 655 Blocked IPs and a 4/100 Concern Rating"
date: 2025-11-15
author: Patrick Duggan
category: Security Intelligence
tags: [threat-analysis, apt-attribution, security-metrics, threat-intelligence]
slug: wrong-attention-score-threat-analysis
summary: We analyzed 655 blocked IPs to answer one question - are we attracting targeted attacks or just experiencing internet background radiation? The answer: 4/100 on the "Wrong Attention Score." Here's what that means.
---


TL;DR: We built a threat intelligence platform that publicly documents how we detect and block attackers. After 655 blocked IPs, we asked: are we attracting the *wrong kind of attention*? Our new "Wrong Attention Score" says no - 4/100 (LOW CONCERN). Here's the data.




The Question Nobody Asks


When you run a security analytics platform that publicly blogs about every IP you block, eventually someone asks: "Are you attracting targeted attacks by advertising your defenses?"


It's the cybersecurity equivalent of the home security paradox - does the "Protected by ADT" sign invite burglars who want to prove they can beat the system, or deter them because they want easy wins?


After 655 blocked IPs over 180+ days, we finally have enough data to answer the question.


Spoiler: We're fine. Score: 4/100. Mostly bots.




Methodology: The "Wrong Attention Score"


We created a threat analysis scoring system that measures targeted vs opportunistic activity on a 0-100 scale:


• 0-20: Expected noise (automated scanning, background radiation)
• 21-50: Moderate concern (some targeting, monitor for escalation)
• 51-75: High concern (APT-level indicators, sophisticated threats)
• 76-100: Critical concern (active targeting by nation-state actors)


The 100 points come from six weighted components:

• APT Attribution (30 points): Known threat groups (APT28, Lazarus, etc.)

• Malware Families (20 points): Sophisticated payloads, C2 infrastructure

• C2 Frameworks (20 points): Cobalt Strike, Metasploit, Sliver

• Sophisticated Threats (15 points): Malware + MITRE techniques + high confidence

• Repeat Offender ASNs (10 points): Same networks attacking repeatedly (coordination)

• Clustering/Campaigns (5 points): Spike days indicating targeted campaigns


We queried 655 IPs from our BlockedAssholes Azure Table Storage and ran the numbers.
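The scoring above, as an added worked example rather than the project's own analyze-blocked-assholes-patterns.js: a stand-alone JavaScript re-implementation that computes the six components from a list of enriched block records. The weights and the interpretation bands are the post's; the record field names (aptGroup, malwareFamily, c2Framework, confidence, mitreTechniques, asn, blockedAt), the 20% share rule for repeat offender ASNs and the all-or-nothing partial credit for the attribution components are assumptions, and both datasets are constructed, not blocklist data.

```javascript
// Added example, not the project's analyze-blocked-assholes-patterns.js.
// Field names, the ASN share rule and the partial-credit rules are assumptions;
// the weights and interpretation bands are the ones stated in the post.
const WEIGHTS = {
  apt: 30,           // APT attribution
  malware: 20,       // malware families
  c2: 20,            // C2 frameworks
  sophisticated: 15, // malware + MITRE technique + confidence >= 75
  repeatAsn: 10,     // repeat offender ASNs
  clustering: 5,     // campaign-like spike days
};

// Interpretation bands from the methodology section.
function interpret(score) {
  if (score <= 20) return 'Expected noise';
  if (score <= 50) return 'Moderate concern';
  if (score <= 75) return 'High concern';
  return 'Critical concern';
}

function countBy(records, keyFn) {
  const counts = new Map();
  for (const r of records) counts.set(keyFn(r), (counts.get(keyFn(r)) || 0) + 1);
  return counts;
}

// Days with more than `threshold` blocks (the post's ">10 blocks" rule).
function clusterDays(records, threshold = 10) {
  return [...countBy(records, r => r.blockedAt.slice(0, 10))]
    .filter(([, n]) => n > threshold)
    .map(([day]) => day)
    .sort();
}

// Assumed rule: an ASN is a repeat offender when it supplies more than `share`
// of all blocks, so a flat spread over many networks scores nothing.
function repeatOffenderAsns(records, share = 0.2) {
  return [...countBy(records, r => r.asn)]
    .filter(([, n]) => n / records.length > share)
    .map(([asn]) => asn)
    .sort();
}

function wrongAttentionScore(records) {
  const hasApt = records.some(r => r.aptGroup);
  const hasMalware = records.some(r => r.malwareFamily);
  const hasC2 = records.some(r => r.c2Framework);
  const hasSophisticated = records.some(
    r => r.malwareFamily && (r.mitreTechniques || []).length > 0 && r.confidence >= 75,
  );
  const repeatAsns = repeatOffenderAsns(records);
  const days = clusterDays(records);
  // Assumed partial credit: attribution components are all-or-nothing; clustering
  // earns one point per spike day, capped at its weight (4 days -> +4 as in the post).
  const parts = {
    apt: hasApt ? WEIGHTS.apt : 0,
    malware: hasMalware ? WEIGHTS.malware : 0,
    c2: hasC2 ? WEIGHTS.c2 : 0,
    sophisticated: hasSophisticated ? WEIGHTS.sophisticated : 0,
    repeatAsn: repeatAsns.length > 0 ? WEIGHTS.repeatAsn : 0,
    clustering: Math.min(days.length, WEIGHTS.clustering),
  };
  const total = Object.values(parts).reduce((a, b) => a + b, 0);
  return { total, interpretation: interpret(total), parts, clusterDays: days, repeatAsns };
}

// Constructed sample records (TEST-NET-3 addresses, not real blocklist entries).
const SAMPLE_ASNS = ['AS14061', 'AS8075', 'AS16509', 'AS15169', 'AS63949', 'AS3462', 'AS28573', 'AS51167'];

function makeRecords(spec, asns = SAMPLE_ASNS) {
  const out = [];
  let i = 0;
  for (const [day, count] of spec) {
    for (let k = 0; k < count; k++, i++) {
      out.push({ ip: `203.0.113.${i % 256}`, asn: asns[i % asns.length],
                 blockedAt: `${day}T12:00:00Z`, confidence: 0, mitreTechniques: [] });
    }
  }
  return out;
}

// Background noise spread over eight ASNs, with four days above the >10 threshold.
const BASELINE = makeRecords([
  ['2025-10-31', 12], ['2025-11-10', 11], ['2025-11-11', 11],
  ['2025-11-12', 3], ['2025-11-13', 2], ['2025-11-15', 15],
]);

// The same noise plus twenty blocks from one ASN on one day, the first of them a
// high-confidence APT hit with a malware family and a C2 framework attached.
const TARGETED = BASELINE.concat(
  makeRecords([['2025-11-16', 20]], ['AS64512']).map((r, idx) => idx === 0
    ? { ...r, aptGroup: 'APT29', malwareFamily: 'TEARDROP', c2Framework: 'Cobalt Strike',
        mitreTechniques: ['T1071.001'], confidence: 90 }
    : r),
);

console.log(wrongAttentionScore(BASELINE));  // total 4, 'Expected noise'
console.log(wrongAttentionScore(TARGETED));  // total 100, 'Critical concern'
```

Run it with `node`. The first dataset has the shape the post describes (four days over the >10 threshold and nothing else) and scores 4; the second adds one APT-attributed record and a single ASN supplying about a quarter of the blocks, and every component fires. The per-component breakdown is kept in the return value on purpose: a single number is only actionable when you can see which component moved it, which is exactly how the post explains its +4.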




The Findings: 4/100 (LOW CONCERN)


Final Score Breakdown:

```
APT Groups:              0 points (0 detected)
Malware Families:        0 points (0 detected)
C2 Frameworks:           0 points (0 detected)
Sophisticated Threats:   0 points (0 detected)
Repeat Offender ASNs:    0 points (normal distribution)
Clustering Days:        +4 points (4 campaign-like days)
─────────────────────────────────────────
TOTAL: 4/100
```


Interpretation: 🟡 LOW CONCERN - Minimal targeted indicators, mostly background radiation.


The +4 points came from temporal clustering (days with >10 blocks), which turned out to be our auto-blocker catching up after we deployed the Known Threat Groups feature. Not a campaign - just backlog processing.




What We're Actually Seeing


Geographic Distribution (Top 5):

1. **United States** - 416 IPs (63.5%)
2. **Belgium** - 32 IPs (4.9%)
3. **Netherlands** - 31 IPs (4.7%)
4. **Taiwan** - 30 IPs (4.6%)
5. **Brazil** - 27 IPs (4.1%)


32 countries total - consistent with global automated scanning, not targeted campaigns.


Infrastructure Breakdown:

• **Microsoft Azure** - 207 IPs (31.6%)
• **AWS** - 45 IPs (6.9%)
• **Google Cloud** - 33 IPs (5.0%)
• **DigitalOcean** - 32 IPs (4.9%)
• **Other** - 338 IPs (51.6%)


Pattern: Cloud infrastructure abuse (cheap VPS rentals running port scanners), not sophisticated APT infrastructure.


Threat Severity (AbuseIPDB Scores):

• **Critical (91-100):** 119 IPs - known bad actors, repeat offenders
• **High (71-90):** 8 IPs
• **Medium (41-70):** 24 IPs
• **Low (0-40):** 504 IPs - opportunistic scanners, bots


77% of blocked IPs (504/655) score 40 or below on AbuseIPDB - exactly what you'd expect from internet background radiation.


MITRE ATT&CK Coverage:

• **99.8%** mapped to **TA0011 (Command and Control)**
• This is *predictive attribution*: the tactic an attacker *would* reach if the connection succeeded, not a technique we observed
• We block at the perimeter (Initial Access), so later-stage tactics never show up in the data, and this tactic distribution says nothing about attacker sophistication on its own




Top 10 High-Value Targets (VT Detections)


These are the only IPs worth investigating:


1. 138.68.86.32 (Germany, DigitalOcean) - 11 VirusTotal detections
2. 139.59.231.238 (Singapore, DigitalOcean) - 10 VT detections
3. 139.59.136.184 (Germany, DigitalOcean) - 8 VT detections
4. 139.59.132.8 (Germany, DigitalOcean) - 7 VT detections
5. 103.250.186.160 (India) - 7 VT detections


The pattern: DigitalOcean droplets in Germany and Singapore with high VirusTotal detections.


What this means: Cheap VPS botnets ($5/month droplets), not nation-state infrastructure. Think "Script Kiddie Monthly Subscription," not "APT28 C2 Network."




The Temporal Anomaly: Nov 15 Spike



• Nov 15, 2025: 457 blocks (69.8% of all blocks)

• Oct 31, 2025: 132 blocks (Halloween spike)

• Nov 11, 2025: 23 blocks

• Nov 10, 2025: 18 blocks


Is this a coordinated attack?


No. It's our auto-blocker catching up after we deployed the Known Threat Groups feature (Issue #200). The spike is *us* working better, not *them* attacking harder.



• 493 auto-blocked vs 162 manual blocks (75.3% of blocks automated)

• Avg 65.5 blocks/day over 10 days

• No APT attribution, no malware families, no C2 frameworks
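The check the post makes by hand above (is the spike us or them?), as an added example that is not code from the post or its repository: for every day over the spike threshold, compare when each blocked IP was first observed with when it was blocked. A catch-up spike is full of IPs first seen days or weeks earlier; a genuine burst is full of IPs first seen that same day. The `firstSeen`/`blockedAt` field names, the two-day lag cutoff and the 50% majority rule are assumptions, and the records are constructed.

```javascript
// Added example (not from the post or its repository): separate a backlog
// catch-up spike from a genuine burst of new activity. Field names and the
// thresholds below are assumptions.
const SPIKE_THRESHOLD = 10;  // the post's ">10 blocks" definition of a spike day
const BACKLOG_LAG_DAYS = 2;  // assumed: a block lagging first-seen by more than this is catch-up
const MS_PER_DAY = 86400000;

// Days between when the IP was first observed and when it was actually blocked.
function lagDays(record) {
  return (Date.parse(record.blockedAt) - Date.parse(record.firstSeen)) / MS_PER_DAY;
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Group blocks by UTC day, keep the days above the threshold, classify each one.
function classifySpikeDays(records, threshold = SPIKE_THRESHOLD) {
  const byDay = new Map();
  for (const r of records) {
    const day = r.blockedAt.slice(0, 10);
    if (!byDay.has(day)) byDay.set(day, []);
    byDay.get(day).push(r);
  }
  const out = [];
  for (const [day, blocks] of byDay) {
    if (blocks.length <= threshold) continue;
    const lags = blocks.map(lagDays);
    const staleShare = lags.filter(l => l > BACKLOG_LAG_DAYS).length / blocks.length;
    out.push({
      day,
      blocks: blocks.length,
      medianLagDays: median(lags),
      staleShare,
      // Assumed rule: when most blocks on the day are for IPs first seen well before
      // the block, the spike is the blocker catching up, not new attacker activity.
      verdict: staleShare >= 0.5 ? 'backlog catch-up' : 'new activity burst',
    });
  }
  return out.sort((a, b) => a.day.localeCompare(b.day));
}

// Constructed records (TEST-NET-2 addresses, not real data). The Nov 15 day blocks
// IPs first seen across the preceding weeks; the Nov 20 day blocks IPs first seen
// that morning, which is what a real burst looks like; Nov 21 is below threshold.
function makeDay(day, count, firstSeenFor) {
  return Array.from({ length: count }, (_, i) => ({
    ip: `198.51.100.${i}`,
    blockedAt: `${day}T10:00:00Z`,
    firstSeen: firstSeenFor(i),
  }));
}

const SAMPLE = [
  ...makeDay('2025-11-15', 15, i => `2025-10-${String(1 + i).padStart(2, '0')}T09:00:00Z`),
  ...makeDay('2025-11-20', 12, () => '2025-11-20T08:30:00Z'),
  ...makeDay('2025-11-21', 3, () => '2025-11-21T08:30:00Z'),
];

console.log(classifySpikeDays(SAMPLE));
```

Run it with `node`. The Nov 15 day comes back as backlog catch-up with a median lag of about 38 days; the Nov 20 day comes back as a new activity burst with a lag of about an hour. If your blocklist only stores the block timestamp, this check is impossible, which is a good argument for recording the first-seen time (from AbuseIPDB, your own logs, or the enrichment that triggered the block) alongside every entry.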




What "Wrong Attention" Would Look Like


If we were attracting targeted attacks, we'd see:


❌ APT Groups: APT28, APT29, Lazarus showing up in attribution
❌ Malware Families: Known payloads (BLINDINGCAN, TEARDROP, Cobalt Strike)
❌ C2 Frameworks: Metasploit, Empire, Sliver beacons
❌ Repeat ASNs: Same /16 networks hitting repeatedly (coordination)
❌ Sophisticated TTPs: Malware + MITRE techniques + high confidence
❌ Exponential Growth: 655 → 6,500 in one week


What we're actually seeing:


✅ Cloud VPS abuse (DigitalOcean, Azure, AWS)
✅ Automated scanners (Shodan, Censys, masscan-style probes)
✅ Opportunistic targeting (scanning entire IPv4 space, not us specifically)
✅ Low-severity scores (77% below AbuseIPDB 40)
✅ Geographic diversity (32 countries - global baseline)




The Irony of Public Defense



Our platform:

• Publicly blogs about every IP we block

• Publishes Hall of Shame posts with full technical details

• Documents our detection methodology (ThreatFox, AbuseIPDB, VirusTotal)

• Advertises "180+ days Cloudflare bypass protection"


Conventional wisdom: This invites sophisticated attackers who want to test your defenses.


Reality: Sophisticated attackers want easy wins, not public blog posts documenting their failure.


The Crown Jewel IP test: 180+ days of Cloudflare bypass attempts against the same IP. 100% blocked. Zero breaches. The attempts eventually tailed off.


On this evidence, publishing your defensive posture doesn't attract better attackers - it repels them. They move to easier targets.




The Cost of Paranoia


Scenario: What if we assumed all 655 IPs were targeted attacks?



• Overspend on threat hunting ($50K+ annual SOC budget)

• Deploy unnecessary EDR/XDR ($20K+ annual licenses)

• Hire a dedicated security analyst ($120K+ salary)

• Implement zero-trust microsegmentation (6-12 months engineering time)


Total cost: $190K+ per year to defend against... DigitalOcean droplets running `masscan`.


Our actual spend: ~$75/month Azure infrastructure + automation.


ROI of data-driven threat analysis: Not freaking out saves $189,100/year.




Threat Intelligence Coverage Gaps


Our analysis revealed gaps in threat enrichment:



• VirusTotal: 58.3% coverage (382/655 IPs)

• ThreatFox: 0% coverage (need to run auto-blocker with new enrichment)

• GreyNoise: 0% coverage (not yet integrated)

• Malware families: 0 detected (awaiting ThreatFox enrichment)

• APT groups: 0 detected (Issue #200 just deployed)


Next steps:

1. Wait for auto-blocker to run (every 30 minutes)
2. Populate malware families from ThreatFox API
3. Enable APT attribution engine (75%+ confidence threshold)
4. Integrate GreyNoise for scanner classification




The Security Paradox


Q: If you're not attracting sophisticated attackers, why build sophisticated defenses?


A: Because measuring "nothing happening" is how you prove defenses work.



• 0 APT groups - nation-states aren't interested

• 0 malware families - no sophisticated payloads

• 0 C2 frameworks - no command-and-control infrastructure

• 4/100 score - quantifiable proof of "expected noise"


With the enrichment gaps above in mind (ThreatFox and APT attribution had not yet populated when this analysis ran, so the zeros are a floor to be re-checked on the next run), we can now say with data-driven confidence: "We're fine. Score: 4/100. Mostly bots."


That's not luck. That's defensive posture working as designed.




Conclusion: The Home Security Analogy


Does the "Protected by ADT" sign invite burglars or deter them?


Our data says: It deters them. Burglars want easy wins.



• "Protected by Cloudflare + Public Hall of Shame" = visible defenses

• 180+ days bypass attempts, 0 successes = hard target reputation

• 4/100 Wrong Attention Score = proof of deterrence


The punchline: We're attracting the *right* kind of attention - none at all.




Try It Yourself


Full threat analysis script: `/scripts/analyze-blocked-assholes-patterns.js`


Usage:

```bash
node scripts/analyze-blocked-assholes-patterns.js --json --csv
```

Outputs:



• Console report (executive summary)

• JSON export (full data, machine-readable)

• CSV export (spreadsheet analysis)


Azure Table Storage schema: 655 IPs tracked with 40+ enrichment fields (AbuseIPDB, VirusTotal, ThreatFox, MITRE ATT&CK, geographic, infrastructure, temporal)


Wrong Attention Score calculation: Open source, reproducible, data-driven. Not vibes.




Appendix: What We're NOT Seeing


Let's be explicit about what's absent from our threat landscape:


❌ Zero-day exploits targeting our infrastructure
❌ Spear-phishing campaigns against our users
❌ Supply chain attacks via compromised dependencies
❌ Insider threats or credential stuffing
❌ DDoS attacks (Cloudflare absorbs layer 3/4, we handle layer 7)
❌ Ransomware deployment attempts
❌ Cryptojacking or resource hijacking
❌ Data exfiltration indicators


What this means: We're not on anyone's target list. We're just in the way of automated scanners sweeping the internet.


And that's exactly where we want to be.




Wrong Attention Score: 4/100
Interpretation: 🟡 LOW CONCERN
Recommendation: Keep doing what we're doing




*Data source: 655 IPs from BlockedAssholes Azure Table Storage, analyzed Nov 15, 2025. Full JSON report available at `/compliance/evidence/threat-analysis-report.json`*


*Defensive posture: 180+ days uptime, zero compromises, $75/month infrastructure cost.*


*If you can measure "nothing happening," you're doing security right.*

