The use of IP Blocklist can be an integral part of the overall Network Security Program. There are several good sources of known and suspicious IPs and networks that are associated with malicious content or in other ways pose a threat to your network. If your firewall or IPS (Intrusion Prevention System) have the means to make use of IP blocklist, I highly encourage you to do so. As with any other element of a Network Security Program, the IP blocklist is not designed to be the magic bullet that will make you 100% secure. It is just one small part of a good overlapping security deployment that, when combined with all the other elements, will greatly improve your chances of keeping your company out of the newspapers as a victim of a cyber-attack.
For the Boiler Room’s IP Blocklist I have aggregated several blocklists together into a single list to protect from emerging threats, malware & ransomware command-and-controls systems, cybercriminals, spammers from hell, and noisy research scanners. The list is updated every six hours and I also provide Threat Indicator (IOC) files for the Check Point Firewall.
Here is a description of each of the sources that go into the Boiler Room IP Blocklist:
- DShield.org Recommended Block List – http://feeds.dshield.org/block.txt
Provided by the SANS Internet Storm Center, this list summarizes the top 20 attacking class C (/24) subnets over the previous 72 hour period.
- AutoShun.org Block List – https://www.autoshun.org
Provided by RiskAnalytics, this list contains up to 2000 IPs of the most recent detections as sources of Exploits, Spam Bots, Brute Force attacks, Reconnaissance Bots, and Organized Cybercrime.
- TalosIntelligence.com IP Blocklist – https://www.talosintelligence.com/documents/ip-blacklist
Provided by Cisco’s Talos Intelligence Group, this list is updated every 15 minutes and contains a list of known malicious network threats that are flagged on all Cisco Security Products.
- Feodo Tracker Block List – https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
Provided by the Abuse.ch Security Researcher, this list contains IP addresses used as C&C communication channel by the Feodo Trojan. Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victims’ computer, such as credit card details or credentials.
- ZeuS Tracker Block List – https://zeustracker.abuse.ch/blocklist.php?download=badips
Provided by the Abuse.ch Security Researcher, this list contains IP addresses used as C&C servers and malicious hosts which are hosting ZeuS files. ZeuS (also known as Zbot / WSNPoem) is a crimeware kit, which steals credentials from various online services like social networks, online banking accounts, FTP accounts, email accounts and other (phishing).
- Ransomware Tracker Block List – https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
Provided by the Abuse.ch Security Researcher, this list contains IP addresses used by Ransomware botnet C&C servers, Payment Sites, and Distribution Sites. Currently, the following Ransomware families are tracked are TeslaCrypt, CryptoWall, TorrentLocker, PadCrypt, Locky, CTB-Locker, FAKBEN. and PayCrypt.
- Spamhaus IP Drop List – https://www.spamhaus.org/drop/drop.txt
Provided by the Spamhaus Project, this list consists of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers).
- Spamhaus Extended IP Drop List – https://www.spamhaus.org/drop/edrop.txt
Provided by the Spamhaus Project, this list is an extension of the DROP list that includes sub-allocated netblocks controlled by spammers or cybercriminals. EDROP is meant to be used in addition to the direct allocations on the DROP list.
- Observed Scanners & Malicious Crawlers – https://www.neblink.net/blocklist/KnownScanners.txt
This is my own list of known research scanners and web crawlers commonly seen hitting my managed networks. While some of the research scanners on this list may not necessarily be malicious, they can create an excessive amount of “noise” on your firewall and server logs and some of them publicly publish information about your servers that may highlight potential vulnerabilities.
The aggregated list can be downloaded from https://www.neblink.net/blocklist/IP-Blocklist-clean.txt