For the Boiler Room’s IP Blocklist I have aggregated several blocklists together into a single list to protect from emerging threats, malware & ransomware command-and-control systems, cyber-criminals, spammers from hell, and noisy research scanners. The list is updated every hour and I also provide Threat Indicator (IOC) files for the Check Point Firewall.
The use of a blocklist can be an integral part of the overall Network Security Program. There are several good sources of known and suspicious IPs and networks that are associated with malicious content or in other ways pose a threat to your network. If your firewall or IPS (Intrusion Prevention System) has the means to make use of an IP blocklist, I highly encourage you to do so. As with any other element of a Network Security Program, the IP blocklist is not designed to be the magic bullet that will make you 100% secure. It is just one small part of a good overlapping security deployment that, when combined with all the other elements, will greatly improve your chances of keeping your company out of the newspapers as a victim of a cyber-attack.
Here is a description of each of the sources that go into the Boiler Room IP Blocklist:
- DShield.org Recommended Block List – http://feeds.dshield.org/block.txt
  Provided by the SANS Internet Storm Center, this list summarizes the top 20 attacking class C (/24) subnets over the previous 72 hour period.
- TalosIntelligence.com IP Blocklist – https://www.talosintelligence.com/documents/ip-blacklist
  Provided by Cisco’s Talos Intelligence Group, this list is updated every 15 minutes and contains known malicious network threats that are flagged on all Cisco Security Products.
- Abuse.ch Feodo Tracker Block List – https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
  Provided by the Abuse.ch security researcher, this list contains IP addresses used as the C&C communication channel by the Feodo Trojan. Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and steal sensitive information from the victims’ computers, such as credit card details or credentials.
- Abuse.ch Ransomware Tracker Block List – https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
  Provided by the Abuse.ch security researcher, this list contains IP addresses used by ransomware botnet C&C servers, payment sites, and distribution sites. Currently, the following ransomware families are tracked: TeslaCrypt, CryptoWall, TorrentLocker, PadCrypt, Locky, CTB-Locker, FAKBEN, and PayCrypt.
- Spamhaus IP Drop List – https://www.spamhaus.org/drop/drop.txt
  Provided by the Spamhaus Project, this list consists of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, and botnet controllers).
- Spamhaus Extended IP Drop List – https://www.spamhaus.org/drop/edrop.txt
  Provided by the Spamhaus Project, this list is an extension of the DROP list that includes sub-allocated netblocks controlled by spammers or cyber-criminals.
- TOR Exit Nodes – https://check.torproject.org/exit-addresses
  Provided by the Tor Project, this list contains all the exit nodes for the Tor network. The Tor node list is updated every hour automatically from the live Tor network and contains all Tor exit nodes for the past 72 hours.
- Observed Scanners & Malicious Crawlers – https://www.neblink.net/blocklist/KnownScanners.txt
  This is my own list of known research scanners and web crawlers commonly seen hitting my managed networks. While some of the research scanners on this list may not necessarily be malicious, they can create an excessive amount of “noise” on your firewall and server logs, and some of them publicly publish information about your servers that may highlight potential vulnerabilities.
The aggregated list can be downloaded from https://www.neblink.net/blocklist/IP-Blocklist-clean.txt
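The sources above do not share one file format, so building a single "clean" list means parsing each feed's line shape, validating every entry, and collapsing overlaps (a single host that also falls inside a listed /24 should appear once). The following Python is an added example of that aggregation step, not the Boiler Room's own script; the sample feed text is constructed to mimic the assumed line shapes (DShield tab-separated start/end/mask, Spamhaus `CIDR ; SBL-id`, Tor `ExitAddress` records, and plain one-address-per-line feeds such as Talos) and uses documentation address ranges rather than real indicators.

```python
import ipaddress

# Constructed sample feeds (assumed formats, documentation ranges only).
SAMPLE_FEEDS = {
    "dshield": "# DShield block list: start\tend\tmask\tattacks\tname\n"
               "192.0.2.0\t192.0.2.255\t24\t1200\tExample Net\n",
    "spamhaus": "; Spamhaus DROP List\n198.51.100.0/24 ; SBL000000\n",
    "tor": "ExitNode AAAA\nPublished 2024-01-01 00:00:00\n"
           "ExitAddress 203.0.113.7 2024-01-01 00:00:00\n",
    "plain": "# Talos/Feodo style: one address per line\n"
             "203.0.113.7\n192.0.2.44\nnot-an-ip\n",
}


def parse_feed(name: str, text: str) -> set:
    """Return the set of ip_network objects found in one feed's text."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # comment or blank line
            continue
        if name == "dshield":
            start, _end, mask = line.split("\t")[:3]
            candidate = f"{start}/{mask}"
        elif name == "spamhaus":
            candidate = line.split(";")[0].strip()   # drop the SBL reference
        elif name == "tor":
            if not line.startswith("ExitAddress "):
                continue
            candidate = line.split()[1]
        else:
            candidate = line.split()[0]             # plain address per line
        try:
            nets.add(ipaddress.ip_network(candidate, strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than poison the list
    return nets


def aggregate(feeds: dict) -> list:
    """Merge all feeds and collapse overlapping/contained networks."""
    merged = set()
    for name, text in feeds.items():
        merged |= parse_feed(name, text)
    # collapse_addresses needs a single IP version, so split v4 and v6.
    v4 = ipaddress.collapse_addresses(n for n in merged if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in merged if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]
```

Feeding the real downloads into `aggregate()` in place of `SAMPLE_FEEDS` gives one deduplicated CIDR list ready to load into a firewall object; the malformed `not-an-ip` line is dropped and `192.0.2.44` disappears into the DShield `/24` that already covers it.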