恶意 IP 防护¶

概述

Malicious IP Protection 服务会持续检测来自精选列表中保留的 IP 地址的网络访问尝试。该服务通过阻止来自这些 IP 地址的网络访问尝试来保护 Snowflake 实例。该服务通过降低未经授权的访问、数据泄露和恶意活动的风险，强化了 Snowflake 和客户的安全状况。

Snowflake 根据从提供外部威胁情报的第三方网络安全数据源获得的数据，维护并整理一份 IP 地址列表。这些 IP 地址来自已知的不良行为者。下表列出并描述了 Snowflake 如何根据影响分析对 IP 地址进行分类：

IP Category	Description
ANONYMOUS_VPN	IP addresses associated with anonymous VPN services.
ANONYMOUS_PROXIES	IP addresses associated with anonymous proxy servers.
MALICIOUS_BEHAVIOR	IP addresses associated with known malware and behavior such as automated brute force login attempts.
TOR_EXITS	IP addresses used as exit nodes for the Tor network.

The Malicious IP Protection service blocks network access attempts that originate from IP addresses in all categories on this curated list by default. The curated list includes both IPv4 and IPv6 addresses.

查看网络登录详细信息

You can use the Account Usage LOGIN_HISTORY view to see details of network access attempts that the Malicious IP Protection service has blocked. For example, to view login events for your account, run the following query:

SELECT *
  FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
  WHERE NOT is_success AND login_details IS NOT NULL
  ORDER BY event_timestamp DESC;

Next, examine the is_success and login_details columns of the LOGIN_HISTORY view output for your account.

NO appears in the is_success column for blocked network access attempts.

The following examples show output that appears in the login_details column for blocked IP addresses:

Example — blocked IP categorized as “LOW” risk:

{
  "malicious_ip_protection_info":"{\"result\":\"BLOCKED\",\"riskClassification\":\"LOW\",\"categories\":[\"MALICIOUS_BEHAVIOR\"]}"
}

Example — blocked IP categorized as “HIGH” risk:

{
  "malicious_ip_protection_info":"{\"result\":\"BLOCKED\",\"riskClassification\":\"HIGH\",\"categories\":[\"ANONYMOUS_VPN\",\"ANONYMOUS_PROXIES\"]}"
}

The IP address that corresponds to each result appears in the ip_address column.

如果您注意到被归类为低风险的 IP 地址被阻止，您可以选择退出阻止该类别。

管理低风险类别的 Malicious IP Protection¶

您可以通过选择退出阻止被归类为低风险的 IP 地址来管理 Malicious IP Protection。您无法选择退出阻止被归类为高风险的 IP 地址。

To opt out of blocking a category, run the SYSTEM$OPT_OUT_MALICIOUS_IP_PROTECTION_BY_CATEGORY function and provide a low-risk category name as an argument. For example:

USE ROLE ACCOUNTADMIN;
SELECT SYSTEM$OPT_OUT_MALICIOUS_IP_PROTECTION_BY_CATEGORY('MALICIOUS_BEHAVIOR');

To opt out of blocking for a another category, run the SYSTEM$OPT_OUT_MALICIOUS_IP_PROTECTION_BY_CATEGORY function again and provide both low-risk category names as arguments. For example:

USE ROLE ACCOUNTADMIN;
SELECT SYSTEM$OPT_OUT_MALICIOUS_IP_PROTECTION_BY_CATEGORY('ANONYMOUS_VPN,MALICIOUS_BEHAVIOR');

To re-enable blocking IP addresses, run the SYSTEM$OPT_OUT_MALICIOUS_IP_PROTECTION_BY_CATEGORY function and provide '' as an argument. For example:

USE ROLE ACCOUNTADMIN;
SELECT SYSTEM$OPT_OUT_MALICIOUS_IP_PROTECTION_BY_CATEGORY('');

Optionally, run the function and provide a user name as the second argument to either opt out of, or re-enable, blocking of IP addresses for only the user that you specify. For example, to disable Malicious IP Protection for IP addresses in the ANONYMOUS_VPN category for the specific user JSMITH, run the following commands:

USE ROLE ACCOUNTADMIN;
SELECT SYSTEM$OPT_OUT_MALICIOUS_IP_PROTECTION_BY_CATEGORY('ANONYMOUS_VPN', 'JSMITH');

The following example shows Account Usage LOGIN_HISTORY view output in the login_details column. The IP address for this result was opted out of blocking the MALICIOUS_BEHAVIOR category by running the SYSTEM$OPT_OUT_MALICIOUS_IP_PROTECTION_BY_CATEGORY function:

Example — unblocked IP categorized as “LOW” risk:

{
  "malicious_ip_protection_info":"{\"result\":\"OPTED_OUT\",\"riskClassification\":\"LOW\",\"categories\":[\"MALICIOUS_BEHAVIOR\"]}"
}