{"id":29974,"date":"2025-09-24T14:34:11","date_gmt":"2025-09-24T14:34:11","guid":{"rendered":"https:\/\/blog.lacnic.net\/?p=29974"},"modified":"2025-09-24T14:34:31","modified_gmt":"2025-09-24T14:34:31","slug":"analyzing-malicious-websites-with-ripe-atlas","status":"publish","type":"post","link":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/","title":{"rendered":"Analyzing Malicious Websites with RIPE Atlas"},"content":{"rendered":"\n<p>By <a href=\"https:\/\/blog.lacnic.net\/en\/author\/guillermo-pereyra\/\">Guillermo Pereyra<\/a>, Security Analyst<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a><strong>Introduction: Why Analyze Malicious Websites?<\/strong><strong><\/strong><\/h3>\n\n\n\n<p>To take down a malicious website (one that distributes malware or impersonates another), an analysis of the website must first be conducted to properly inform the competent authority for its removal.<\/p>\n\n\n\n<p>This article explores the use of RIPE Atlas, which uses globally distributed probes to assess the persistence and geographic reach of a malicious site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>Key Information for Investigating a Malicious Site<\/strong><strong><\/strong><\/h2>\n\n\n\n<p>An investigation into a malicious site should collect, at a minimum, the following information:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Relevant dates<\/strong>: discovery, creation of the domain, takedown, etc.<\/li>\n\n\n\n<li><strong>Domain name(s)<\/strong><\/li>\n\n\n\n<li><strong>URL<\/strong><\/li>\n\n\n\n<li><strong>IP addresses<\/strong><\/li>\n\n\n\n<li><strong>Source code<\/strong><\/li>\n\n\n\n<li><strong>Screenshots or videos of the behavior<\/strong><\/li>\n\n\n\n<li><strong>Contact details: <\/strong>domain registrant, holder of the IP address, CSIRTs\/CERTs, etc.<\/li>\n<\/ul>\n\n\n\n<p>Sometimes, phishing or malicious websites adopt mechanisms that complicate their takedown, such as the use of CDNs or 
hosting providers with identity protection for the site owner, or geo-blocking, where the site is only accessible from specific geographic locations.<\/p>\n\n\n\n<p>When reporting a malicious site, it&#8217;s important to include the geographic location from which the malicious content is accessible. This allows those receiving the report to replicate the malicious behavior that is being reported.<\/p>\n\n\n\n<p>There are different methods for determining which locations can access the malicious content. One option would be to use VPN services or proxies, which provide an IP address corresponding to the country where we want to verify the malicious behavior. In this article, however, we&#8217;ll explain how to achieve this using RIPE Atlas.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a><strong>What Is RIPE Atlas and How It Can Help<\/strong><strong><\/strong><\/h3>\n\n\n\n<p>RIPE Atlas is a network of globally distributed probes that continuously measure Internet connectivity and performance, providing technical information about its operation. This sensor network allows performing user-defined measurements toward specific destinations. Different kinds of measurements can be performed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PING<\/li>\n\n\n\n<li>Traceroute<\/li>\n\n\n\n<li>DNS<\/li>\n\n\n\n<li>TLS<\/li>\n\n\n\n<li>HTTP (only for anchors)<\/li>\n\n\n\n<li>NTP<\/li>\n<\/ul>\n\n\n\n<p>Below we&#8217;ll discuss an interesting feature of this project: the ability to check whether probes in different geographic locations can reach the desired target. In other words, by knowing the location from which a measurement was taken, we can determine whether the site is accessible from that part of the world.
This feature allows us to determine if a phishing attack is geographically targeted.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>Using RIPE Atlas to Analyze Malicious Sites<\/strong><strong><\/strong><\/h2>\n\n\n\n<p>Malicious websites can be analyzed using four different methods: PING, Traceroute, DNS, and TLS. Each method has advantages and disadvantages.<\/p>\n\n\n\n<p>Let&#8217;s consider a basic malicious website, identified by a domain name and, optionally, a basic path. For example: http[s]:\/\/<a href=\"https:\/\/example.com\/recurso_malicioso\">example.com\/recurso_malicioso<\/a>.<\/p>\n\n\n\n<p>To perform these tasks, you&#8217;ll need an account at<a href=\"https:\/\/atlas.ripe.net\/\"> <\/a><a href=\"https:\/\/atlas.ripe.net\/\">https:\/\/atlas.ripe.net\/<\/a>. Once logged in, go to \u201cMeasurements\u201d and then \u201cCreate Measurement.\u201d The following screen will appear:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"572\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig1-analisis-ripe-atlas-1024x572.png\" alt=\"\" class=\"wp-image-29947\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig1-analisis-ripe-atlas-1024x572.png 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig1-analisis-ripe-atlas-300x168.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig1-analisis-ripe-atlas-591x330.png 591w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig1-analisis-ripe-atlas-768x429.png 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig1-analisis-ripe-atlas.png 1318w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Select the desired tool: PING, Traceroute, DNS, or TLS. The specifics of each method will be explained below.<\/p>\n\n\n\n<p>Select the probes that will participate in the measurements, aiming for a uniform geographic distribution. 
Probes can be selected manually on a map or randomly. By default, a single measurement is configured, and the corresponding cost (in credits) is displayed below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"713\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig2-analisis-ripe-atlas-1024x713.png\" alt=\"\" class=\"wp-image-29950\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig2-analisis-ripe-atlas-1024x713.png 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig2-analisis-ripe-atlas-300x209.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig2-analisis-ripe-atlas-474x330.png 474w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig2-analisis-ripe-atlas-768x535.png 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig2-analisis-ripe-atlas.png 1278w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Once the telemetry is created, the probes will start taking measurements. Keep in mind that the time it takes to obtain results depends on how quickly all the probes complete the requested task. Before reviewing the results, we will first describe the differences between the different methods.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a>PING<\/h3>\n\n\n\n<p>This method uses ICMP messages distributed across the probes. It&#8217;s useful for identifying which probes can reach the suspicious IP address. Keep in mind that this option is effective when the malicious content is hosted on a single IP address that doesn&#8217;t share content.<\/p>\n\n\n\n<p>Periodic scans can be scheduled to check whether the IP address remains active. 
It should be noted that not all servers respond to ICMP requests, so local tests must be run before using Atlas to measure the malicious site.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"195\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig3-analisis-ripe-atlas-1024x195.png\" alt=\"\" class=\"wp-image-29953\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig3-analisis-ripe-atlas-1024x195.png 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig3-analisis-ripe-atlas-300x57.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig3-analisis-ripe-atlas-680x129.png 680w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig3-analisis-ripe-atlas-768x146.png 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig3-analisis-ripe-atlas-1536x292.png 1536w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig3-analisis-ripe-atlas.png 1544w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a><strong>DNS<\/strong><strong><\/strong><\/h3>\n\n\n\n<p>This is an interesting option, as it allows for highly customized DNS measurements. It&#8217;s useful for analyzing how DNS responses vary depending on the geographic area where the probes are located.
Periodic measurements can be scheduled to follow the evolution of the IP addresses used by attackers and monitor the lifetime of the malicious domain.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"193\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig4-analisis-ripe-atlas-1024x193.png\" alt=\"\" class=\"wp-image-29956\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig4-analisis-ripe-atlas-1024x193.png 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig4-analisis-ripe-atlas-300x57.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig4-analisis-ripe-atlas-680x128.png 680w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig4-analisis-ripe-atlas-768x145.png 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig4-analisis-ripe-atlas-1536x289.png 1536w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig4-analisis-ripe-atlas-2048x386.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a><strong>Traceroute<\/strong><strong><\/strong><\/h3>\n\n\n\n<p>If this method is selected, the probes will perform a traditional traceroute test, which consists of sending a sequence of ICMP, UDP, or TCP packets with increasing TTL (Time To Live) values until the destination is reached. For our purposes, we will select the TCP protocol and use port 80 or 443, depending on whether the malicious site uses HTTP or HTTPS, respectively. We must also select either IPv4 or IPv6, as appropriate. It&#8217;s possible to include multiple measurements in a single telemetry session.
For example, we can double-click the Traceroute button and configure a measurement for IPv4 and another one for IPv6.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"770\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig5-analisis-ripe-atlas-1024x770.png\" alt=\"\" class=\"wp-image-29959\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig5-analisis-ripe-atlas-1024x770.png 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig5-analisis-ripe-atlas-300x226.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig5-analisis-ripe-atlas-439x330.png 439w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig5-analisis-ripe-atlas-768x577.png 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig5-analisis-ripe-atlas.png 1386w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a><a><\/a><strong>TLS<\/strong><strong><\/strong><\/h3>\n\n\n\n<p>This feature allows us to analyze certificates from malicious sites to determine their status, activity, and geographic location. 
It also identifies related domains and extracts the certificate&#8217;s fingerprint for further analysis.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"594\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig6-analisis-ripe-atlas-1024x594.png\" alt=\"\" class=\"wp-image-29962\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig6-analisis-ripe-atlas-1024x594.png 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig6-analisis-ripe-atlas-300x174.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig6-analisis-ripe-atlas-569x330.png 569w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig6-analisis-ripe-atlas-768x446.png 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig6-analisis-ripe-atlas.png 1410w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a><a><\/a><strong>Interpretation of the Data and Real-World Analyses<\/strong><strong><\/strong><\/h3>\n\n\n\n<p><a><\/a>Once RIPE Atlas measurements have been performed, it\u2019s essential to interpret the results accurately to identify patterns of suspicious behavior or confirm signs of malicious activity.<\/p>\n\n\n\n<p>In this section, we will analyze the data collected using <strong>TLS<\/strong>, <strong>Traceroute<\/strong>, and <strong>DNS<\/strong> measurements. To illustrate these analyses, we selected <strong>a real-world phishing site<\/strong> and performed measurements from multiple globally distributed probes. 
These measurements allow:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detecting whether the domain is still active or has been deactivated<\/li>\n\n\n\n<li>Verifying whether it is accessible from all regions or applies geo-blocking<\/li>\n\n\n\n<li>Analyzing the network infrastructure used by the attackers<\/li>\n\n\n\n<li>Examining the digital certificates to identify potential patterns or links to other malicious campaigns<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><a><\/a><strong>Analysis of a Real-World Phishing Attack<\/strong><strong><\/strong><\/h4>\n\n\n\n<p>We will now illustrate how periodic RIPE Atlas measurements can be used. Let&#8217;s consider a phishing case targeting users in Uruguay.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig7-analisis-ripe-atlas.png\" alt=\"\" class=\"wp-image-29965\"\/><\/figure>\n\n\n\n<p>This phishing scam impersonates the Uruguayan national post office with the aim of stealing personal data and credit card numbers.<\/p>\n\n\n\n<p>Once the necessary information about the attack is collected, several reports are prepared and submitted to the proper entities for the removal of the malicious site, including CERTs and Whois abuse contacts.<\/p>\n\n\n\n<p>A DNS measurement is performed with RIPE Atlas every ten minutes for four days to analyze the validity of the domains, including their IP assignments and any potential changes. 
Two measurements are performed: one for A records (IPv4), another for AAAA records (IPv6).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"206\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig8-analisis-ripe-atlas-1024x206.png\" alt=\"\" class=\"wp-image-29968\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig8-analisis-ripe-atlas-1024x206.png 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig8-analisis-ripe-atlas-300x60.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig8-analisis-ripe-atlas-680x137.png 680w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig8-analisis-ripe-atlas-768x154.png 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig8-analisis-ripe-atlas-1536x309.png 1536w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/fig8-analisis-ripe-atlas-2048x412.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The results are shown in the graph below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/Texto-del-parrafo.gif\" alt=\"\"\/><\/figure>\n\n\n\n<p>At approximately 5:38 PM UTC, the phishing incident was reported to the entities it involved. The selected probes showed DNS response times below 300 ms.<\/p>\n\n\n\n<p>One hour after the report was submitted, 11 probes had stopped resolving the domain&#8217;s IP address. Some began returning blackhole IP addresses, suggesting that DNS protection was being used and had blocked access to the phishing site.<\/p>\n\n\n\n<p>After 90 minutes of measurements, half of the probes had stopped resolving the domain. Shortly after, all probes stopped resolving it, marking the end of malicious activity on that domain.<\/p>\n\n\n\n<p>Measurements stopped when the absence of an IP response was confirmed. 
However, they might be extended to monitor a potential reactivation of the domain under a new IP address.<\/p>\n\n\n\n<p>It&#8217;s important to note that no IPv6 addresses were resolved by the probes during the period of activity.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>Use Cases<\/strong><strong><\/strong><\/h2>\n\n\n\n<p>The use of RIPE Atlas in this type of research provides a new and practical approach thanks to its geographically distributed sensors. Its main applications, limitations, and possible extensions are detailed below.<\/p>\n\n\n\n<p><strong>Analysis of Malicious Domains and IP Addresses<\/strong><\/p>\n\n\n\n<p>RIPE Atlas allows observing how domains used in phishing or malware distribution campaigns resolve and respond from various regions around the world. This is useful for identifying geographically targeted attacks or documenting targeted detection evasion.<\/p>\n\n\n\n<p><strong>Detecting Geoblocking<\/strong><\/p>\n\n\n\n<p>By running measurements from probes located in different countries, it&#8217;s possible to detect whether a malicious website is applying regional restrictions, making its content visible only to users in certain locations.<\/p>\n\n\n\n<p><strong>Tracking Infrastructure Changes<\/strong><\/p>\n\n\n\n<p>Scheduled measurements (such as DNS queries or Traceroutes) help monitor changes to the attackers&#8217; infrastructure, including changes to IP addresses, network routes, or DNS servers.<\/p>\n\n\n\n<p><strong>Collecting Information to Support Incident Reports<\/strong><\/p>\n\n\n\n<p>Data obtained via RIPE Atlas supplements technical security reports, facilitating analyses by CSIRTs, CERTs, hosting providers, or domain registrars.<\/p>\n\n\n\n<p><strong>Supplementing Other Tools<\/strong><\/p>\n\n\n\n<p>RIPE Atlas can be integrated with other platforms to correlate TLS certificate data with other open sources and enrich the analysis.<\/p>\n\n\n\n<p><strong>Monitoring Potential Threat
Domains:<\/strong><\/p>\n\n\n\n<p>RIPE Atlas allows measuring domains that could be used to launch attacks against our organizations. This includes IDN homograph attacks, where domains visually similar to ours are used to deceive users and conduct spoofing campaigns.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a><strong>Limitations<\/strong><strong><\/strong><\/h3>\n\n\n\n<p>It&#8217;s important to keep in mind that most website activity occurs in the upper layers of the TCP\/IP model, particularly in the application layer. Although RIPE Atlas probes allow measurements that reach certain protocols in this layer (e.g., DNS and TLS), their focus is primarily connectivity and resolution testing, not interacting with the website content itself.<\/p>\n\n\n\n<p>This represents a major limitation: it&#8217;s not possible to analyze the entirety of a website&#8217;s behavior directly at the application level, so aspects such as forms, redirects, geolocation-based access restrictions, or authentication mechanisms cannot be assessed. So, if a phishing site implements restrictions or dynamic behaviors in its web development, these cannot be evaluated using RIPE Atlas alone.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>Conclusions and Call to Action<\/strong><strong><\/strong><\/h2>\n\n\n\n<p>RIPE Atlas offers a powerful, geographically distributed tool for the technical analysis of malicious websites. It allows the detection of targeted campaigns, infrastructure changes, and evasive behavior. Although it does not replace other tools that focus on the application layer, it is a valuable complement that enhances incident reporting by incorporating distributed and objective evidence.<\/p>\n\n\n\n<p>Researchers, threat analysts, and CSIRTs are encouraged to include RIPE Atlas in their analysis and incident reporting workflows. 
Its potential to provide technical evidence from multiple locations makes it a valuable tool against increasingly sophisticated malware and phishing campaigns. We also encourage automating measurements and combining results with other sources, such as certificate analysis engines or domain reputation systems, for more comprehensive and effective monitoring.<\/p>\n\n\n\n<p>Don&#8217;t miss the presentation on the topic at LACNIC44. Register <a href=\"https:\/\/lacnic44.lacnic.net\/en\/registration\">here<\/a> to participate in person or remotely.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>Additional Resources<\/strong><strong><\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Official Documentation:<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/atlas.ripe.net\/docs\">https:\/\/atlas.ripe.net\/docs<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform:<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/atlas.ripe.net\">https:\/\/atlas.ripe.net<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Guillermo Pereyra, Security Analyst Introduction: Why Analyze Malicious Websites? To take down a malicious website (one that distributes malware or impersonates another), an analysis of the website must first be conducted to properly inform the competent authority for its removal.
This article explores the use of RIPE Atlas, which uses globally distributed probes to [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":29944,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[499],"tags":[1271],"archivo":[1345,1451],"taxonomy-authors":[1245],"tipo_autor":[],"class_list":["post-29974","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cibersecurity","archivo-editions","archivo-highlights-2023","taxonomy-authors-guillermo-pereyra-en"],"acf":{"author":"","related_notes":""},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>LACNIC Blog | Analyzing Malicious Websites with RIPE Atlas<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"LACNIC Blog | Analyzing Malicious Websites with RIPE Atlas\" \/>\n<meta property=\"og:description\" content=\"By Guillermo Pereyra, Security Analyst Introduction: Why Analyze Malicious Websites? To take down a malicious website (one that distributes malware or impersonates another), an analysis of the website must first be conducted to properly inform the competent authority for its removal. 
This article explores the use of RIPE Atlas, which uses globally distributed probes to [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/\" \/>\n<meta property=\"og:site_name\" content=\"LACNIC Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/facebook.com\/lacnic\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-24T14:34:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-24T14:34:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"680\" \/>\n\t<meta property=\"og:image:height\" content=\"330\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Gianni\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@lacnic\" \/>\n<meta name=\"twitter:site\" content=\"@lacnic\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/\"},\"author\":{\"name\":\"Gianni\",\"@id\":\"https:\/\/blog.lacnic.net\/#\/schema\/person\/1338d9cfdb0137e8bc5581f3771f39ab\"},\"headline\":\"Analyzing Malicious Websites with RIPE 
Atlas\",\"datePublished\":\"2025-09-24T14:34:11+00:00\",\"dateModified\":\"2025-09-24T14:34:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/\"},\"wordCount\":1758,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/blog.lacnic.net\/#organization\"},\"image\":{\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp\",\"keywords\":[\"Cibersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/\",\"url\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/\",\"name\":\"LACNIC Blog | Analyzing Malicious Websites with RIPE 
Atlas\",\"isPartOf\":{\"@id\":\"https:\/\/blog.lacnic.net\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp\",\"datePublished\":\"2025-09-24T14:34:11+00:00\",\"dateModified\":\"2025-09-24T14:34:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#primaryimage\",\"url\":\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp\",\"contentUrl\":\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp\",\"width\":680,\"height\":330},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Portada\",\"item\":\"https:\/\/blog.lacnic.net\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analyzing Malicious Websites with RIPE Atlas\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.lacnic.net\/#website\",\"url\":\"https:\/\/blog.lacnic.net\/\",\"name\":\"LACNIC Blog\",\"description\":\"En el Blog de LACNIC encontrar\u00e1s art\u00edculos t\u00e9cnicos vinculados al desarrollo de Internet en la regi\u00f3n de Am\u00e9rica Latina y el 
Caribe.\",\"publisher\":{\"@id\":\"https:\/\/blog.lacnic.net\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.lacnic.net\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/blog.lacnic.net\/#organization\",\"name\":\"LACNIC Blog\",\"url\":\"https:\/\/blog.lacnic.net\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.lacnic.net\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/03\/lacnic-blog.svg\",\"contentUrl\":\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/03\/lacnic-blog.svg\",\"caption\":\"LACNIC Blog\"},\"image\":{\"@id\":\"https:\/\/blog.lacnic.net\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/facebook.com\/lacnic\",\"https:\/\/x.com\/lacnic\",\"https:\/\/www.instagram.com\/lacnic\/?hl=es-la\",\"https:\/\/uy.linkedin.com\/company\/lacnic\",\"https:\/\/www.youtube.com\/user\/lacnicstaff\",\"https:\/\/www.lacnic.net\/podcast\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.lacnic.net\/#\/schema\/person\/1338d9cfdb0137e8bc5581f3771f39ab\",\"name\":\"Gianni\",\"url\":\"https:\/\/blog.lacnic.net\/en\/author\/gianni\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"LACNIC Blog | Analyzing Malicious Websites with RIPE Atlas","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/","og_locale":"en_US","og_type":"article","og_title":"LACNIC Blog | Analyzing Malicious Websites with RIPE Atlas","og_description":"By Guillermo Pereyra, Security Analyst Introduction: Why Analyze Malicious Websites? 
To take down a malicious website (one that distributes malware or impersonates another), an analysis of the website must first be conducted to properly inform the competent authority for its removal. This article explores the use of RIPE Atlas, which uses globally distributed probes to [&hellip;]","og_url":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/","og_site_name":"LACNIC Blog","article_publisher":"https:\/\/facebook.com\/lacnic","article_published_time":"2025-09-24T14:34:11+00:00","article_modified_time":"2025-09-24T14:34:31+00:00","og_image":[{"width":680,"height":330,"url":"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp","type":"image\/webp"}],"author":"Gianni","twitter_card":"summary_large_image","twitter_creator":"@lacnic","twitter_site":"@lacnic","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#article","isPartOf":{"@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/"},"author":{"name":"Gianni","@id":"https:\/\/blog.lacnic.net\/#\/schema\/person\/1338d9cfdb0137e8bc5581f3771f39ab"},"headline":"Analyzing Malicious Websites with RIPE 
Atlas","datePublished":"2025-09-24T14:34:11+00:00","dateModified":"2025-09-24T14:34:31+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/"},"wordCount":1758,"commentCount":0,"publisher":{"@id":"https:\/\/blog.lacnic.net\/#organization"},"image":{"@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp","keywords":["Cibersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/","url":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/","name":"LACNIC Blog | Analyzing Malicious Websites with RIPE 
Atlas","isPartOf":{"@id":"https:\/\/blog.lacnic.net\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#primaryimage"},"image":{"@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp","datePublished":"2025-09-24T14:34:11+00:00","dateModified":"2025-09-24T14:34:31+00:00","breadcrumb":{"@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#primaryimage","url":"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp","contentUrl":"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp","width":680,"height":330},{"@type":"BreadcrumbList","@id":"https:\/\/blog.lacnic.net\/en\/analyzing-malicious-websites-with-ripe-atlas\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Portada","item":"https:\/\/blog.lacnic.net\/en\/"},{"@type":"ListItem","position":2,"name":"Analyzing Malicious Websites with RIPE Atlas"}]},{"@type":"WebSite","@id":"https:\/\/blog.lacnic.net\/#website","url":"https:\/\/blog.lacnic.net\/","name":"LACNIC Blog","description":"En el Blog de LACNIC encontrar\u00e1s art\u00edculos t\u00e9cnicos vinculados al desarrollo de Internet en la regi\u00f3n de Am\u00e9rica Latina y el 
Caribe.","publisher":{"@id":"https:\/\/blog.lacnic.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.lacnic.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/blog.lacnic.net\/#organization","name":"LACNIC Blog","url":"https:\/\/blog.lacnic.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.lacnic.net\/#\/schema\/logo\/image\/","url":"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/03\/lacnic-blog.svg","contentUrl":"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/03\/lacnic-blog.svg","caption":"LACNIC Blog"},"image":{"@id":"https:\/\/blog.lacnic.net\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/facebook.com\/lacnic","https:\/\/x.com\/lacnic","https:\/\/www.instagram.com\/lacnic\/?hl=es-la","https:\/\/uy.linkedin.com\/company\/lacnic","https:\/\/www.youtube.com\/user\/lacnicstaff","https:\/\/www.lacnic.net\/podcast"]},{"@type":"Person","@id":"https:\/\/blog.lacnic.net\/#\/schema\/person\/1338d9cfdb0137e8bc5581f3771f39ab","name":"Gianni","url":"https:\/\/blog.lacnic.net\/en\/author\/gianni\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2025\/06\/sitios-maliciosos-ripeatlas.webp","jetpack_sharing_enabled":true,"wpml_current_locale":"en_US","wpml_translations":[{"locale":"es_ES","id":29941,"post_title":"An\u00e1lisis de sitios maliciosos con RIPE Atlas","slug":"sitios-maliciosos","href":"https:\/\/blog.lacnic.net\/sitios-maliciosos\/"},{"locale":"pt_BR","id":29978,"post_title":"Analisando sites maliciosos com RIPE 
Atlas","slug":"sites-maliciosos-com-ripe-atlas","href":"https:\/\/blog.lacnic.net\/pt-br\/sites-maliciosos-com-ripe-atlas\/"}],"_links":{"self":[{"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/posts\/29974","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/comments?post=29974"}],"version-history":[{"count":5,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/posts\/29974\/revisions"}],"predecessor-version":[{"id":31137,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/posts\/29974\/revisions\/31137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/media\/29944"}],"wp:attachment":[{"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/media?parent=29974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/categories?post=29974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/tags?post=29974"},{"taxonomy":"archivo","embeddable":true,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/archivo?post=29974"},{"taxonomy":"taxonomy-authors","embeddable":true,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/taxonomy-authors?post=29974"},{"taxonomy":"tipo_autor","embeddable":true,"href":"https:\/\/blog.lacnic.net\/en\/wp-json\/wp\/v2\/tipo_autor?post=29974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}