Malicious IP Protection

Overview

The Malicious IP Protection service continuously detects network access attempts originating from IP addresses maintained on a curated list. The service protects the Snowflake instance by blocking network access attempts that originate from those IP addresses. The service hardens both Snowflake’s and the customer’s security posture by reducing the risk of unauthorized access, data breaches, and malicious activity.

How Malicious IP Protection works

Snowflake maintains and curates a list of IP addresses based on data from third-party cybersecurity sources that provide external threat intelligence (IP addresses from known bad actors). Snowflake categorizes the IP addresses on the list as follows:

  • ANONYMOUS_VPN

  • ANONYMOUS_PROXIES

  • MALICIOUS_BEHAVIOR (IP addresses associated with known malware and with behavior such as automated brute-force login attempts.)

  • TOR_EXITS (IP addresses used as exit nodes for the Tor network.)

Risk categorization of IP addresses

Snowflake further categorizes the IP address list by assigning a high-risk or low-risk label to each IP address, based on impact analysis. Snowflake blocks network access attempts originating from high-risk IP addresses. Snowflake will start blocking low-risk IP addresses soon.

Visibility

To see network access attempts that have been blocked by the Malicious IP Protection service, use the Account Usage LOGIN_HISTORY view. “NO” appears in the IS_SUCCESS column of blocked network access attempts.

Example

+------------+------------+--------------------------+
| IS_SUCCESS | ERROR_CODE | ERROR_MESSAGE            |
+------------+------------+--------------------------+
| NO         |     390422 | INCOMING_REQUEST_BLOCKED |
| NO         |     390422 | INCOMING_REQUEST_BLOCKED |
| NO         |     390422 | INCOMING_REQUEST_BLOCKED |
| NO         |     390422 | INCOMING_REQUEST_BLOCKED |
| NO         |     390422 | INCOMING_REQUEST_BLOCKED |
+------------+------------+--------------------------+
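
The following query is an added example, not part of the original Snowflake page. It summarizes the blocked attempts described under Visibility per source IP and flags any blocked IP that also logged in successfully earlier. The 7-day and 30-day windows and the output column aliases are assumptions chosen for illustration.

```sql
-- Added example: review requests blocked by Malicious IP Protection.
-- Filters on the values shown in the example output above:
--   IS_SUCCESS = 'NO', ERROR_CODE = 390422 (INCOMING_REQUEST_BLOCKED).
-- Account Usage views are not real time; LOGIN_HISTORY can lag by up to 2 hours.
WITH blocked AS (
    SELECT
        client_ip,
        COUNT(*)                                 AS blocked_attempts,
        COUNT(DISTINCT user_name)                AS distinct_users,
        MIN(event_timestamp)                     AS first_blocked,
        MAX(event_timestamp)                     AS last_blocked,
        ARRAY_AGG(DISTINCT reported_client_type) AS client_types
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'NO'
      AND error_code = 390422
      -- Assumed review window: last 7 days.
      AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
    GROUP BY client_ip
),
prior_success AS (
    -- Successful logins from any IP over an assumed 30-day lookback.
    SELECT
        client_ip,
        COUNT(*)                  AS successful_logins,
        MAX(event_timestamp)      AS last_success,
        ARRAY_AGG(DISTINCT user_name) AS users_logged_in
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
    GROUP BY client_ip
)
SELECT
    b.client_ip,
    b.blocked_attempts,
    b.distinct_users,
    b.first_blocked,
    b.last_blocked,
    b.client_types,
    COALESCE(p.successful_logins, 0) AS successful_logins_30d,
    p.last_success,
    p.users_logged_in
FROM blocked b
LEFT JOIN prior_success p
       ON p.client_ip = b.client_ip
-- IPs that were blocked and also logged in successfully sort first.
ORDER BY successful_logins_30d DESC, b.blocked_attempts DESC;
```

Rows with a non-zero successful_logins_30d are the ones to review first: the listed users authenticated from an address that the service now blocks.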