D4 · Operations

What is IP reputation filtering?

IP reputation filtering blocks or alerts on connections to/from known-malicious IP addresses — Tor exit nodes, botnet C2 infrastructure, scanner IPs, malware distribution servers.
IP reputation feeds (commercial and free: Spamhaus, Talos, Emerging Threats) integrate with firewalls, proxies, and SIEM. Automated blocking of low-reputation IPs reduces attack surface. The main risk is false positives: legitimate services can share IP addresses with malicious actors, so review before enabling auto-block.