Due to the amount of data and the frequency of the updates on this repo, github has requested to limit the number of updates. The site https://iplists.firehol.org has direct links to all the files in this repo. This repo is now updated once per day.
This repository includes a list of ipsets dynamically updated with
FireHOL's update-ipsets.sh
documented in this wiki.
This repo is self maintained. It it updated automatically from the script via a cron job.
This repo has a site: http://iplists.firehol.org.
As time passes and the internet matures in our life, cybercrime is becoming increasingly sophisticated. Although there are many tools (detection of malware, viruses, intrusion detection and prevention systems, etc) to help us isolate the bad guys, there are now a lot more than just such attacks.
What is more interesting is that the fraudsters or attackers in many cases are not going to do a direct damage to you or your systems. They will use you and your systems to gain something else, possibly not related or indirectly related to your business. Nowadays the attacks cannot be identified easily. They are distributed and come to our systems from a vast amount of IPs around the world.
To get an idea, check for example the XRumer software. This thing mimics human behavior to post ads, it creates email accounts, responds to emails it receives, bypasses captchas, it goes gently to stay unnoticed, etc.
To increase our effectiveness we need to complement our security solutions with our shared knowledge, our shared experience in this fight.
Hopefully, there are many teams out there that do their best to identify the attacks and pinpoint the attackers. These teams release blocklists. Blocklists of IPs (for use in firewalls), domains & URLs (for use in proxies), etc.
What we are interested here is IPs.
Using IP blocklists at the internet side of your firewall is a key component of internet security. These lists share key knowledge between us, allowing us to learn from each other and effectively isolate fraudsters and attackers from our services.
I decided to upload these lists to a github repo because:
-
They are freely available on the internet. The intention of their creators is to help internet security. Keep in mind though that a few of these lists may have special licences attached. Before using them, please check their source site for any information regarding proper use.
-
Github provides (via
git pull
) a unified way of updating all the lists together. Pulling this repo regularly on your machines, you will update all the IP lists at once. -
Github also provides a unified version control. Using it we can have a history of what each list has done, which IPs or subnets were added and which were removed.
Check also another tool included in FireHOL v3+, called dnsbl-ipset.sh
.
This tool is capable of creating an ipset based on your traffic by looking up information on DNSBLs and scoring it according to your preferences.
More information here.
Please be very careful what you choose to use and how you use it. If you blacklist traffic using these lists you may end up blocking your users, your customers, even yourself (!) from accessing your services.
-
Go to to the site of each list and read how each list is maintained. You are going to trust these guys for doing their job right.
-
Most sites have either a donation system or commercial lists of higher quality. Try to support them.
-
I have included the TOR network in these lists (
bm_tor
,dm_tor
,et_tor
). The TOR network is not necessarily bad and you should not block it if you want to allow your users be anonymous. I have included it because for certain cases, allowing an anonymity network might be a risky thing (such as eCommerce). -
Apply any blacklist at the internet side of your firewall. Be very careful. The
bogons
andfullbogons
lists contain private, unrouteable IPs that should not be routed on the internet. If you apply such a blocklist on your DMZ or LAN side, you will be blocked out of your firewall. -
Always have a whitelist too, containing the IP addresses or subnets you trust. Try to build the rules in such a way that if an IP is in the whitelist, it should not be blocked by these blocklists.
These are the ones I trust. Level 1 provides basic security against the most well-known attackers, with the minimum of false positives.
-
Abuse.ch lists
feodo
,palevo
,sslbl
,zeus
,zeus_badips
These folks are doing a great job tracking crime ware. Their blocklists are very focused. Keep in mind
zeus
may include some false positives. You can usezeus_badips
instead. -
DShield.org list
dshield
It contains the top 20 attacking class C (/24) subnets, over the last three days.
-
Spamhaus.org lists
spamhaus_drop
,spamhaus_edrop
DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). According to Spamhaus.org:
When implemented at a network or ISP's 'core routers', DROP and EDROP will help protect the network's users from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks.
Spamhaus strongly encourages the use of DROP and EDROP by tier-1s and backbones.
Spamhaus is very responsive to adapt these lists when a network owner updates them that the issue has been solved (I had one such incident with one of my users).
-
Team-Cymru.org list
bogons
orfullbogons
These are lists of IPs that should not be routed on the internet. No one should be using them. Be very careful to apply either of the two on the internet side of your network.
Level 2 provide protection against current brute force attacks. This level may have a small percentage of false positives, mainly due to dynamic IPs being re-used by other users.
-
OpenBL.org lists
openbl*
The team of OpenBL tracks brute force attacks on their hosts. They have a very short list for hosts, under their own control, collecting this information, to eliminate false positives. They suggest to use the default blacklist which has a retention policy of 90 days (
openbl
), but they also provide lists with different retention policies (from 1 day to 1 year). Their goal is to report abuse to the responsible provider so that the infection is disabled. -
Blocklist.de lists
blocklist_de*
Is a network of users reporting abuse mainly using
fail2ban
. They eliminate false positives using other lists available. Since they collect information from their users, their lists may be subject to poisoning, or false positives. I asked them about poisoning. Here you can find their answer. In short, they track it down so that they have an ignorable rate of false positives. Also, they only include individual IPs (no subnets) which have attacked their users the last 48 hours and their list contains 20.000 to 40.000 IPs (which is small enough considering the size of the internet). Likeopenbl
, their goal is to report abuse back, so that the infection is disabled. They also provide their blocklist per type of attack (mail, web, etc).
Of course, there are more lists included. You can check them and decide if they fit for your needs.
Of course, I haven't included them for you to use the open proxies. The port the proxy is listening, or the type of proxy, are not included (although most of them use the standard proxy ports and do serve web requests).
If you check the comparisons for the open proxy lists (ri_connect_proxies
, ri_web_proxies
, xroxy
, proxz
, proxyrss
, etc)
you will find that they overlap to a great degree with other blocklists, like blocklist_de
, stopforumspam
, etc.
This means the attackers also use open proxies to execute attacks.
So, if you are under attack, blocking the open proxies may help isolate a large part of the attack.
I don't suggest to permanently block IPs using the proxy lists. Their purpose of existence is questionable. Their quality though may be acceptable, since lot of these sites advertise that they test open proxies before including them in their lists, so that there are no false positives, at least at the time they tested them.
update-ipsets.sh
itself does not alter your firewall. It can be used to update ipsets both on disk and in the kernel for any firewall solution you use.
The information below, shows you how to configure FireHOL to use the provides ipsets.
I use something like this:
# our wan interface
wan="dsl0"
# our whitelist
ipset4 create whitelist hash:net
ipset4 add whitelist A.B.C.D/E # A.B.C.D/E is whitelisted
# subnets - netsets
for x in fullbogons dshield spamhaus_drop spamhaus_edrop
do
ipset4 create ${x} hash:net
ipset4 addfile ${x} ipsets/${x}.netset
blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
except src ipset:whitelist
done
# individual IPs - ipsets
for x in feodo palevo sslbl zeus openbl blocklist_de
do
ipset4 create ${x} hash:ip
ipset4 addfile ${x} ipsets/${x}.ipset
blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
except src ipset:whitelist
done
... rest of firehol.conf ...
If you are concerned about iptables performance, change the blacklist4
keyword full
to input
.
This will block only inbound NEW connections, i.e. only the first packet for every NEW inbound connection will be checked.
All other traffic passes through unchecked.
Before adding these rules to your
firehol.conf
you should runupdate-ipsets.sh
to enable them.
Just use the update-ipsets.sh
script from the firehol distribution.
This script will update each ipset and call firehol to update the ipset while the firewall is running.
You can add
update-ipsets.sh
to cron, to run every 10 mins.update-ipsets.sh
is smart enough to download a list only when it needs to.
The following list was automatically generated on Mon Nov 18 11:22:51 UTC 2024.
The update frequency is the maximum allowed by internal configuration. A list will never be downloaded sooner than the update frequency stated. A list may also not be downloaded, after this frequency expired, if it has not been modified on the server (as reported by HTTP IF_MODIFIED_SINCE
method).
name | info | type | entries | update |
---|---|---|---|---|
alienvault_reputation | AlienVault.com IP reputation database | ipv4 hash:ip | 609 unique IPs | updated every 6 hours from this link |
asprox_c2 | h3x.eu ASPROX Tracker - Asprox C&C Sites | ipv4 hash:ip | 0 unique IPs | updated every 1 day from this link |
bambenek_banjori | Bambenek Consulting feed of current IPs of banjori C&Cs with 90 minute lookback | ipv4 hash:ip | 136 unique IPs | updated every 30 mins from this link |
bambenek_bebloh | Bambenek Consulting feed of current IPs of bebloh C&Cs with 90 minute lookback | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
bambenek_c2 | Bambenek Consulting master feed of known, active and non-sinkholed C&Cs IP addresses | ipv4 hash:ip | 1 unique IPs | updated every 30 mins from this link |
bambenek_cl | Bambenek Consulting feed of current IPs of cl C&Cs with 90 minute lookback | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
bambenek_cryptowall | Bambenek Consulting feed of current IPs of cryptowall C&Cs with 90 minute lookback | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
bambenek_dircrypt | Bambenek Consulting feed of current IPs of dircrypt C&Cs with 90 minute lookback | ipv4 hash:ip | 2 unique IPs | updated every 30 mins from this link |
bambenek_dyre | Bambenek Consulting feed of current IPs of dyre C&Cs with 90 minute lookback | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
bambenek_geodo | Bambenek Consulting feed of current IPs of geodo C&Cs with 90 minute lookback | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
bambenek_hesperbot | Bambenek Consulting feed of current IPs of hesperbot C&Cs with 90 minute lookback | ipv4 hash:ip | 2 unique IPs | updated every 30 mins from this link |
bambenek_matsnu | Bambenek Consulting feed of current IPs of matsnu C&Cs with 90 minute lookback | ipv4 hash:ip | 1 unique IPs | updated every 30 mins from this link |
bambenek_necurs | Bambenek Consulting feed of current IPs of necurs C&Cs with 90 minute lookback | ipv4 hash:ip | 13 unique IPs | updated every 30 mins from this link |
bambenek_p2pgoz | Bambenek Consulting feed of current IPs of p2pgoz C&Cs with 90 minute lookback | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
bambenek_pushdo | Bambenek Consulting feed of current IPs of pushdo C&Cs with 90 minute lookback | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
bambenek_pykspa | Bambenek Consulting feed of current IPs of pykspa C&Cs with 90 minute lookback | ipv4 hash:ip | 5 unique IPs | updated every 30 mins from this link |
bambenek_qakbot | Bambenek Consulting feed of current IPs of qakbot C&Cs with 90 minute lookback | ipv4 hash:ip | 2 unique IPs | updated every 30 mins from this link |
bambenek_ramnit | Bambenek Consulting feed of current IPs of ramnit C&Cs with 90 minute lookback | ipv4 hash:ip | 98 unique IPs | updated every 30 mins from this link |
bambenek_ranbyus | Bambenek Consulting feed of current IPs of ranbyus C&Cs with 90 minute lookback | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
bambenek_simda | Bambenek Consulting feed of current IPs of simda C&Cs with 90 minute lookback | ipv4 hash:ip | 131 unique IPs | updated every 30 mins from this link |
bambenek_suppobox | Bambenek Consulting feed of current IPs of suppobox C&Cs with 90 minute lookback | ipv4 hash:ip | 108 unique IPs | updated every 30 mins from this link |
bambenek_symmi | Bambenek Consulting feed of current IPs of symmi C&Cs with 90 minute lookback | ipv4 hash:ip | 1 unique IPs | updated every 30 mins from this link |
bambenek_tinba | Bambenek Consulting feed of current IPs of tinba C&Cs with 90 minute lookback | ipv4 hash:ip | 4 unique IPs | updated every 30 mins from this link |
bambenek_volatile | Bambenek Consulting feed of current IPs of volatile C&Cs with 90 minute lookback | ipv4 hash:ip | 1 unique IPs | updated every 30 mins from this link |
bbcan177_ms1 | pfBlockerNG Malicious Threats | ipv4 hash:net | 2688 subnets, 5269973 unique IPs | updated every 1 day from this link |
bbcan177_ms3 | pfBlockerNG Malicious Threats | ipv4 hash:net | 1145 subnets, 30151693 unique IPs | updated every 1 day from this link |
bds_atif | Artillery Threat Intelligence Feed and Banlist Feed | ipv4 hash:ip | 4123 unique IPs | updated every 1 day from this link |
bitcoin_blockchain_info_1d | Blockchain.info Bitcoin nodes connected to Blockchain.info. | ipv4 hash:ip | 988 unique IPs | updated every 10 mins from this link |
bitcoin_blockchain_info_30d | Blockchain.info Bitcoin nodes connected to Blockchain.info. | ipv4 hash:ip | 8196 unique IPs | updated every 10 mins from this link |
bitcoin_blockchain_info_7d | Blockchain.info Bitcoin nodes connected to Blockchain.info. | ipv4 hash:ip | 2636 unique IPs | updated every 10 mins from this link |
bitcoin_nodes | BitNodes Bitcoin connected nodes, globally. | ipv4 hash:ip | 5319 unique IPs | updated every 10 mins from this link |
bitcoin_nodes_1d | BitNodes Bitcoin connected nodes, globally. | ipv4 hash:ip | 6460 unique IPs | updated every 10 mins from this link |
bitcoin_nodes_30d | BitNodes Bitcoin connected nodes, globally. | ipv4 hash:ip | 12555 unique IPs | updated every 10 mins from this link |
bitcoin_nodes_7d | BitNodes Bitcoin connected nodes, globally. | ipv4 hash:ip | 8041 unique IPs | updated every 10 mins from this link |
blocklist_de | Blocklist.de IPs that have been detected by fail2ban in the last 48 hours | ipv4 hash:ip | 21354 unique IPs | updated every 15 mins from this link |
blocklist_de_apache | Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks. | ipv4 hash:ip | 8353 unique IPs | updated every 15 mins from this link |
blocklist_de_bots | Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = it has posted a Spam-Comment on a open Forum or Wiki). | ipv4 hash:ip | 902 unique IPs | updated every 15 mins from this link |
blocklist_de_bruteforce | Blocklist.de All IPs which attacks Joomla, Wordpress and other Web-Logins with Brute-Force Logins. | ipv4 hash:ip | 273 unique IPs | updated every 15 mins from this link |
blocklist_de_ftp | Blocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP. | ipv4 hash:ip | 48 unique IPs | updated every 15 mins from this link |
blocklist_de_imap | Blocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3, etc. | ipv4 hash:ip | 2384 unique IPs | updated every 15 mins from this link |
blocklist_de_mail | Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix. | ipv4 hash:ip | 13360 unique IPs | updated every 15 mins from this link |
blocklist_de_sip | Blocklist.de All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from infiltrated.net | ipv4 hash:ip | 23 unique IPs | updated every 15 mins from this link |
blocklist_de_ssh | Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH. | ipv4 hash:ip | 6630 unique IPs | updated every 15 mins from this link |
blocklist_de_strongips | Blocklist.de All IPs which are older then 2 month and have more then 5.000 attacks. | ipv4 hash:ip | 323 unique IPs | updated every 15 mins from this link |
blocklist_net_ua | blocklist.net.ua The BlockList project was created to become protection against negative influence of the harmful and potentially dangerous events on the Internet. First of all this service will help internet and hosting providers to protect subscribers sites from being hacked. BlockList will help to stop receiving a large amount of spam from dubious SMTP relays or from attempts of brute force passwords to servers and network equipment. | ipv4 hash:ip | 94615 unique IPs | updated every 10 mins from this link |
blueliv_crimeserver_last | blueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com) | ipv4 hash:ip | 24381 unique IPs | updated every 6 hours |
blueliv_crimeserver_last_1d | blueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com) | ipv4 hash:ip | 58312 unique IPs | updated every 6 hours |
blueliv_crimeserver_last_2d | blueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com) | ipv4 hash:ip | 71293 unique IPs | updated every 6 hours |
blueliv_crimeserver_last_30d | blueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com) | ipv4 hash:ip | 87551 unique IPs | updated every 6 hours |
blueliv_crimeserver_last_7d | blueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com) | ipv4 hash:ip | 77098 unique IPs | updated every 6 hours |
blueliv_crimeserver_online | blueliv.com Online Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com) | ipv4 hash:ip | 15628 unique IPs | updated every 1 day |
blueliv_crimeserver_recent | blueliv.com Recent Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com) | ipv4 hash:ip | 64076 unique IPs | updated every 1 day |
bm_tor | torstatus.blutmagie.de list of all TOR network servers | ipv4 hash:ip | disabled | updated every 30 mins from this link |
bogons | Team-Cymru.org private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and netblocks that have not been allocated to a regional internet registry | ipv4 hash:net | 13 subnets, 592708608 unique IPs | updated every 1 day |
botscout | BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. | ipv4 hash:ip | 49 unique IPs | updated every 30 mins from this link |
botscout_1d | BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. | ipv4 hash:ip | 632 unique IPs | updated every 30 mins from this link |
botscout_30d | BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. | ipv4 hash:ip | 11700 unique IPs | updated every 30 mins from this link |
botscout_7d | BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. | ipv4 hash:ip | 3191 unique IPs | updated every 30 mins from this link |
botvrij_dst | botvrij.eu Indicators of Compromise (IOCS) about malicious destination IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed. | ipv4 hash:ip | 192 unique IPs | updated every 1 day from this link |
botvrij_src | botvrij.eu Indicators of Compromise (IOCS) about malicious source IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed. | ipv4 hash:ip | 36 unique IPs | updated every 1 day from this link |
bruteforceblocker | danger.rulez.sk bruteforceblocker (fail2ban alternative for SSH on OpenBSD). This is an automatically generated list from users reporting failed authentication attempts. An IP seems to be included if 3 or more users report it. Its retention pocily seems 30 days. | ipv4 hash:ip | 858 unique IPs | updated every 3 hours from this link |
ciarmy | CIArmy.com IPs with poor Rogue Packet score that have not yet been identified as malicious by the community | ipv4 hash:ip | 15000 unique IPs | updated every 3 hours from this link |
cidr_report_bogons | Unallocated (Free) Address Space, generated on a daily basis using the IANA registry files, the Regional Internet Registry stats files and the Regional Internet Registry whois data. | ipv4 hash:net | 18 subnets, 588514808 unique IPs | updated every 1 day from this link |
cleanmx_phishing | Clean-MX.de IPs sending phishing messages | ipv4 hash:ip | 4519 unique IPs | updated every 30 mins from this link |
cleanmx_viruses | Clean-MX.de IPs with viruses | ipv4 hash:ip | 12190 unique IPs | updated every 30 mins from this link |
cleantalk | CleanTalk Today's HTTP Spammers (includes: cleantalk_new cleantalk_updated) | ipv4 hash:ip | 241 unique IPs | updated every 1 min |
cleantalk_1d | CleanTalk Today's HTTP Spammers (includes: cleantalk_new_1d cleantalk_updated_1d) | ipv4 hash:ip | 849 unique IPs | updated every 1 min |
cleantalk_30d | CleanTalk Today's HTTP Spammers (includes: cleantalk_new_30d cleantalk_updated_30d) | ipv4 hash:ip | 28154 unique IPs | updated every 1 min |
cleantalk_7d | CleanTalk Today's HTTP Spammers (includes: cleantalk_new_7d cleantalk_updated_7d) | ipv4 hash:ip | 6815 unique IPs | updated every 1 min |
cleantalk_new | CleanTalk Recent HTTP Spammers | ipv4 hash:ip | 0 unique IPs | updated every 15 mins from this link |
cleantalk_new_1d | CleanTalk Recent HTTP Spammers | ipv4 hash:ip | 420 unique IPs | updated every 15 mins from this link |
cleantalk_new_30d | CleanTalk Recent HTTP Spammers | ipv4 hash:ip | 12708 unique IPs | updated every 15 mins from this link |
cleantalk_new_7d | CleanTalk Recent HTTP Spammers | ipv4 hash:ip | 2983 unique IPs | updated every 15 mins from this link |
cleantalk_top20 | CleanTalk Top 20 HTTP Spammers | ipv4 hash:ip | 0 unique IPs | updated every 1 day from this link |
cleantalk_updated | CleanTalk Recurring HTTP Spammers | ipv4 hash:ip | 0 unique IPs | updated every 15 mins from this link |
cleantalk_updated_1d | CleanTalk Recurring HTTP Spammers | ipv4 hash:ip | 472 unique IPs | updated every 15 mins from this link |
cleantalk_updated_30d | CleanTalk Recurring HTTP Spammers | ipv4 hash:ip | 18531 unique IPs | updated every 15 mins from this link |
cleantalk_updated_7d | CleanTalk Recurring HTTP Spammers | ipv4 hash:ip | 4461 unique IPs | updated every 15 mins from this link |
coinbl_hosts | CoinBlockerLists Simple lists that can help prevent cryptomining in the browser or other applications. This list contains all domains - A list for administrators to prevent mining in networks. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 10429 unique IPs | updated every 1 day from this link |
coinbl_hosts_browser | CoinBlockerLists Simple lists that can help prevent cryptomining in the browser or other applications. A hosts list to prevent browser mining only. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 627 unique IPs | updated every 1 day from this link |
coinbl_hosts_optional | CoinBlockerLists Simple lists that can help prevent cryptomining in the browser or other applications. This list contains additional domains, for administrators to prevent mining in networks. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 471 unique IPs | updated every 1 day from this link |
coinbl_ips | CoinBlockerLists Simple lists that can help prevent cryptomining in the browser or other applications. This list contains all IPs - An additional list for administrators to prevent mining in networks. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 1390 unique IPs | updated every 1 day from this link |
cruzit_web_attacks | CruzIt.com IPs of compromised machines scanning for vulnerabilities and DDOS attacks | ipv4 hash:ip | 13878 unique IPs | updated every 12 hours from this link |
cta_cryptowall | Cyber Threat Alliance CryptoWall is one of the most lucrative and broad-reaching ransomware campaigns affecting Internet users today. Sharing intelligence and analysis resources, the CTA profiled the latest version of CryptoWall, which impacted hundreds of thousands of users, resulting in over US $325 million in damages worldwide. | ipv4 hash:ip | 1360 unique IPs | updated every 1 day from this link |
cybercrime | CyberCrime A project tracking Command and Control. | ipv4 hash:ip | 2561 unique IPs | updated every 12 hours from this link |
darklist_de | darklist.de ssh fail2ban reporting | ipv4 hash:net | 6008 subnets, 274857 unique IPs | updated every 1 day from this link |
datacenters | Nick Galbreath This is a list of IPv4 address that correspond to datacenters, co-location centers, shared and virtual webhosting providers. In other words, ip addresses that end web consumers should not be using. | ipv4 hash:net | 4224 subnets, 95959476 unique IPs | updated every 1 day from this link |
dataplane_dnsrd | DataPlane.org IP addresses that have been identified as sending recursive DNS queries to a remote host. This report lists addresses that may be cataloging open DNS resolvers or evaluating cache entries. | ipv4 hash:ip | 5269 unique IPs | updated every 1 hour |
dataplane_dnsrdany | DataPlane.org IP addresses that have been identified as sending recursive DNS IN ANY queries to a remote host. This report lists addresses that may be cataloging open DNS resolvers for the purpose of later using them to facilitate DNS amplification and reflection attacks. | ipv4 hash:ip | 509 unique IPs | updated every 1 hour |
dataplane_dnsversion | DataPlane.org IP addresses that have been identified as sending DNS CH TXT VERSION.BIND queries to a remote host. This report lists addresses that may be cataloging DNS software. | ipv4 hash:ip | 4205 unique IPs | updated every 1 hour |
dataplane_sipinvitation | DataPlane.org IP addresses that have been seen initiating a SIP INVITE operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP client cataloging or conducting various forms of telephony abuse. | ipv4 hash:ip | 30 unique IPs | updated every 1 hour |
dataplane_sipquery | DataPlane.org IP addresses that has been seen initiating a SIP OPTIONS query to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP server cataloging or conducting various forms of telephony abuse. | ipv4 hash:ip | 3251 unique IPs | updated every 1 hour |
dataplane_sipregistration | DataPlane.org IP addresses that have been seen initiating a SIP REGISTER operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP client cataloging or conducting various forms of telephony abuse. | ipv4 hash:ip | 469 unique IPs | updated every 1 hour |
dataplane_sshclient | DataPlane.org IP addresses that has been seen initiating an SSH connection to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SSH server cataloging or conducting authentication attack attempts. | ipv4 hash:ip | 23301 unique IPs | updated every 1 hour |
dataplane_sshpwauth | DataPlane.org IP addresses that has been seen attempting to remotely login to a host using SSH password authentication. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks. | ipv4 hash:ip | 17147 unique IPs | updated every 1 hour |
dataplane_vncrfb | DataPlane.org IP addresses that have been seen initiating a VNC remote frame buffer (RFB) session to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be VNC server cataloging or conducting various forms of remote access abuse. | ipv4 hash:ip | 2588 unique IPs | updated every 1 hour |
dm_tor | dan.me.uk dynamic list of TOR nodes | ipv4 hash:ip | 5928 unique IPs | updated every 30 mins from this link |
dronebl_anonymizers | DroneBL.org List of open proxies. It includes IPs which DroneBL categorizes as SOCKS proxies (8), HTTP proxies (9), web page proxies (11), WinGate proxies (14), proxy chains (10). | ipv4 hash:net | 1134167 subnets, 1226064 unique IPs | updated every 1 min |
dronebl_auto_botnets | DroneBL.org IPs of automatically detected botnets. It includes IPs for which DroneBL responds with 17. | ipv4 hash:net | 4013 subnets, 4028 unique IPs | updated every 1 min |
dronebl_autorooting_worms | DroneBL.org IPs of autorooting worms. It includes IPs for which DroneBL responds with 16. These are usually SSH bruteforce attacks. | ipv4 hash:net | 35 subnets, 35 unique IPs | updated every 1 min |
dronebl_compromised | DroneBL.org IPs of compromised routers / gateways. It includes IPs for which DroneBL responds with 15 (BOPM detected). | ipv4 hash:net | 45684 subnets, 47135 unique IPs | updated every 1 min |
dronebl_ddos_drones | DroneBL.org IPs of DDoS drones. It includes IPs for which DroneBL responds with 7. | ipv4 hash:net | 7681 subnets, 7840 unique IPs | updated every 1 min |
dronebl_dns_mx_on_irc | DroneBL.org List of IPs of DNS / MX hostname detected on IRC. It includes IPs for which DroneBL responds with 18. | ipv4 hash:net | 18 subnets, 18 unique IPs | updated every 1 min |
dronebl_irc_drones | DroneBL.org List of IRC spam drones (litmus/sdbot/fyle). It includes IPs for which DroneBL responds with 3. | ipv4 hash:net | 814927 subnets, 984470 unique IPs | updated every 1 min |
dronebl_unknown | DroneBL.org List of IPs of uncategorized threats. It includes IPs for which DroneBL responds with 255. | ipv4 hash:net | 152 subnets, 152 unique IPs | updated every 1 min |
dronebl_worms_bots | DroneBL.org IPs of unknown worms or spambots. It includes IPs for which DroneBL responds with 6 | ipv4 hash:net | 107972 subnets, 115047 unique IPs | updated every 1 min |
dshield | DShield.org top 20 attacking class C (/24) subnets over the last three days | ipv4 hash:net | 19 subnets, 5120 unique IPs | updated every 10 mins from this link |
dshield_1d | DShield.org top 20 attacking class C (/24) subnets over the last three days | ipv4 hash:net | 21 subnets, 5632 unique IPs | updated every 10 mins from this link |
dshield_30d | DShield.org top 20 attacking class C (/24) subnets over the last three days | ipv4 hash:net | 42 subnets, 11776 unique IPs | updated every 10 mins from this link |
dshield_7d | DShield.org top 20 attacking class C (/24) subnets over the last three days | ipv4 hash:net | 29 subnets, 7936 unique IPs | updated every 10 mins from this link |
dshield_top_1000 | DShield.org top 1000 attacking hosts in the last 30 days | ipv4 hash:ip | 1000 unique IPs | updated every 1 hour from this link |
dyndns_ponmocup | DynDNS.org Ponmocup. The malware powering the botnet has been around since 2006 and it’s known under various names, including Ponmocup, Vundo, Virtumonde, Milicenso and Swisyn. It has been used for ad fraud, data theft and downloading additional threats to infected systems. Ponmocup is one of the largest currently active and, with nine consecutive years, also one of the longest running, but it is rarely noticed as the operators take care to keep it operating under the radar. | ipv4 hash:ip | 35 unique IPs | updated every 1 day from this link |
esentire_14072015_com | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 579 unique IPs | updated every 1 day from this link |
esentire_14072015q_com | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 575 unique IPs | updated every 1 day from this link |
esentire_22072014a_com | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 1290 unique IPs | updated every 1 day from this link |
esentire_22072014b_com | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 1288 unique IPs | updated every 1 day from this link |
esentire_22072014c_com | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 1289 unique IPs | updated every 1 day from this link |
esentire_atomictrivia_ru | Andromeda/Gamarue Checkin | ipv4 hash:ip | 7 unique IPs | updated every 1 day from this link |
esentire_auth_update_ru | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 1306 unique IPs | updated every 1 day from this link |
esentire_burmundisoul_ru | Ursnif Variant CnC | ipv4 hash:ip | 2551 unique IPs | updated every 1 day from this link |
esentire_crazyerror_su | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 18613 unique IPs | updated every 1 day from this link |
esentire_dagestanskiiviskis_ru | Ursnif Variant CnC | ipv4 hash:ip | 517 unique IPs | updated every 1 day from this link |
esentire_differentia_ru | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 12 unique IPs | updated every 1 day from this link |
esentire_disorderstatus_ru | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 7 unique IPs | updated every 1 day from this link |
esentire_dorttlokolrt_com | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 23664 unique IPs | updated every 1 day from this link |
esentire_downs1_ru | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 7231 unique IPs | updated every 1 day from this link |
esentire_ebankoalalusys_ru | Ursnif Variant CnC | ipv4 hash:ip | 898 unique IPs | updated every 1 day from this link |
esentire_emptyarray_ru | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 20139 unique IPs | updated every 1 day from this link |
esentire_fioartd_com | Andromeda/Gamarue Checkin | ipv4 hash:ip | 601 unique IPs | updated every 1 day from this link |
esentire_getarohirodrons_com | Andromeda/Gamarue Checkin | ipv4 hash:ip | 2156 unique IPs | updated every 1 day from this link |
esentire_hasanhashsde_ru | Ursnif Variant CnC | ipv4 hash:ip | 1184 unique IPs | updated every 1 day from this link |
esentire_inleet_ru | Ursnif Variant CnC | ipv4 hash:ip | 4219 unique IPs | updated every 1 day from this link |
esentire_islamislamdi_ru | Ursnif Variant CnC | ipv4 hash:ip | 673 unique IPs | updated every 1 day from this link |
esentire_krnqlwlplttc_com | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 2 unique IPs | updated every 1 day from this link |
esentire_maddox1_ru | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 11345 unique IPs | updated every 1 day from this link |
esentire_manning1_ru | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 6824 unique IPs | updated every 1 day from this link |
esentire_misteryherson_ru | Ursnif Variant CnC | ipv4 hash:ip | 176 unique IPs | updated every 1 day from this link |
esentire_mysebstarion_ru | Ursnif Variant CnC | ipv4 hash:ip | 1058 unique IPs | updated every 1 day from this link |
esentire_smartfoodsglutenfree_kz | Malicious Botnet Serving Various Malware Families | ipv4 hash:ip | 2674 unique IPs | updated every 1 day from this link |
esentire_venerologvasan93_ru | Ursnif Variant CnC | ipv4 hash:ip | 1263 unique IPs | updated every 1 day from this link |
esentire_volaya_ru | Win32/PSW.Papras.CK CnC | ipv4 hash:ip | 5080 unique IPs | updated every 1 day from this link |
et_block | EmergingThreats.net default blacklist (at the time of writing includes spamhaus DROP, dshield and abuse.ch trackers, which are available separately too - prefer to use the direct ipsets instead of this, they seem to lag a bit in updates) | ipv4 hash:net | 1323 subnets, 15911938 unique IPs | updated every 12 hours from this link |
et_botcc | EmergingThreats.net Command and Control IPs These IPs are updates every 24 hours and should be considered VERY highly reliable indications that a host is communicating with a known and active Bot or Malware command and control server - (although they say this includes abuse.ch trackers, it does not - check its overlaps) | ipv4 hash:ip | 67 unique IPs | updated every 12 hours from this link |
et_compromised | EmergingThreats.net compromised hosts | ipv4 hash:ip | 846 unique IPs | updated every 12 hours from this link |
et_dshield | EmergingThreats.net dshield blocklist | ipv4 hash:net | 18 subnets, 5120 unique IPs | updated every 12 hours from this link |
et_spamhaus | EmergingThreats.net spamhaus blocklist | ipv4 hash:net | 1308 subnets, 15908096 unique IPs | updated every 12 hours from this link |
et_tor | EmergingThreats.net TOR list of TOR network IPs | ipv4 hash:ip | 6004 unique IPs | updated every 12 hours from this link |
feodo | Abuse.ch Feodo tracker trojan includes IPs which are being used by Feodo (also known as Cridex or Bugat) which commits ebanking fraud | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
feodo_badips | Abuse.ch Feodo tracker BadIPs The Feodo Tracker Feodo BadIP Blocklist only contains IP addresses (IPv4) used as C&C communication channel by the Feodo Trojan version B. These IP addresses are usually servers rented by cybercriminals directly and used for the exclusive purpose of hosting a Feodo C&C server. Hence you should expect no legit traffic to those IP addresses. The site highly recommends you to block/drop any traffic towards any Feodo C&C using the Feodo BadIP Blocklist. Please consider that this blocklist only contains IP addresses used by version B of the Feodo Trojan. C&C communication channels used by version A, version C and version D are not covered by this blocklist. | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
firehol_abusers_1d | An ipset made from blocklists that track abusers in the last 24 hours. (includes: botscout_1d cleantalk_new_1d cleantalk_updated_1d php_commenters_1d php_dictionary_1d php_harvesters_1d php_spammers_1d stopforumspam_1d) | ipv4 hash:net | 5568 subnets, 5708 unique IPs | updated every 1 min |
firehol_abusers_30d | An ipset made from blocklists that track abusers in the last 30 days. (includes: cleantalk_new_30d cleantalk_updated_30d php_commenters_30d php_dictionary_30d php_harvesters_30d php_spammers_30d stopforumspam sblam) | ipv4 hash:net | 164220 subnets, 175232 unique IPs | updated every 1 min |
firehol_anonymous | An ipset that includes all the anonymizing IPs of the world. (includes: anonymous dm_tor firehol_proxies tor_exits) | ipv4 hash:net | 1101161 subnets, 1244103 unique IPs | updated every 1 min |
firehol_level1 | A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl ransomware_rw) | ipv4 hash:net | 4150 subnets, 613396992 unique IPs | updated every 1 min |
firehol_level2 | An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow) | ipv4 hash:net | 14218 subnets, 28149 unique IPs | updated every 1 min |
firehol_level3 | An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter vxvault) | ipv4 hash:net | 16931 subnets, 31878 unique IPs | updated every 1 min |
firehol_level4 | An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist) | ipv4 hash:net | 162715 subnets, 9256455 unique IPs | updated every 1 min |
firehol_proxies | An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. (includes: iblocklist_proxies maxmind_proxy_fraud ip2proxy_px1lite proxylists_30d proxz_30d socks_proxy_30d sslproxies_30d xroxy_30d) | ipv4 hash:net | 1095886 subnets, 1232434 unique IPs | updated every 1 min |
firehol_webclient | An IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: ransomware_online sslbl_aggressive cybercrime dyndns_ponmocup maxmind_proxy_fraud) | ipv4 hash:net | 2995 subnets, 3175 unique IPs | updated every 1 min |
firehol_webserver | A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous). (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic) | ipv4 hash:net | 2681 subnets, 60489110 unique IPs | updated every 1 min |
fullbogons | Team-Cymru.org IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user | ipv4 hash:net | 2725 subnets, 597364992 unique IPs | updated every 1 day |
geolite2_asn | MaxMind GeoLite2 ASN | ipv4 hash:net | disabled | updated every 7 days from this link |
geolite2_country | MaxMind GeoLite2 databases are free IP geolocation databases comparable to, but less accurate than, MaxMind’s GeoIP2 databases. They include IPs per country, IPs per continent, IPs used by anonymous services (VPNs, Proxies, etc) and Satellite Providers. | ipv4 hash:net | All the world | updated every 7 days from this link |
gofferje_sip | Stefan Gofferje A personal blacklist of networks and IPs of SIP attackers. To end up here, the IP or network must have been the origin of considerable and repeated attacks on my PBX and additionally, the ISP didn't react to any complaint. Note from the author: I don't give any guarantees of accuracy, completeness or even usability! USE AT YOUR OWN RISK! Also note that I block complete countries, namely China, Korea and Palestine with blocklists from ipdeny.com, so some attackers will never even get the chance to get noticed by me to be put on this blacklist. I also don't accept any liabilities related to this blocklist. If you're an ISP and don't like your IPs being listed here, too bad! You should have done something about your customers' behavior and reacted to my complaints. This blocklist is nothing but an expression of my personal opinion and exercising my right of free speech. | ipv4 hash:net | disabled | updated every 6 hours from this link |
gpf_comics | The GPF DNS Block List is a list of IP addresses on the Internet that have attacked the GPF Comics family of Web sites. IPs on this block list have been banned from accessing all of our servers because they were caught in the act of spamming, attempting to exploit our scripts, scanning for vulnerabilities, or consuming resources to the detriment of our human visitors. | ipv4 hash:ip | 2464 unique IPs | updated every 1 day from this link |
graphiclineweb | GraphiclineWeb The IP’s, Hosts and Domains listed in this table are banned universally from accessing websites controlled by the maintainer. Some form of bad activity has been seen from the addresses listed. Bad activity includes: unwanted spiders, rule breakers, comment spammers, trackback spammers, spambots, hacker bots, registration bots and other scripting attackers, harvesters, nuisance spiders, spy bots and organizations spying on websites for commercial reasons. | ipv4 hash:net | 2579 subnets, 330527 unique IPs | updated every 1 day from this link |
greensnow | GreenSnow is a team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc. | ipv4 hash:ip | 3750 unique IPs | updated every 30 mins from this link |
haley_ssh | Charles Haley IPs launching SSH dictionary attacks. | ipv4 hash:ip | 48657 unique IPs | updated every 4 hours from this link |
hphosts_ats | hpHosts ad/tracking servers listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 13037 unique IPs | updated every 1 day from this link |
hphosts_emd | hpHosts malware sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 59204 unique IPs | updated every 1 day from this link |
hphosts_exp | hpHosts exploit sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 196 unique IPs | updated every 1 day from this link |
hphosts_fsa | hpHosts fraud sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 24764 unique IPs | updated every 1 day from this link |
hphosts_grm | hpHosts sites involved in spam (that do not otherwise meet any other classification criteria) listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 293 unique IPs | updated every 1 day from this link |
hphosts_hfs | hpHosts sites spamming the hpHosts forums (and not meeting any other classification criteria) listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 245 unique IPs | updated every 1 day from this link |
hphosts_hjk | hpHosts hijack sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 152 unique IPs | updated every 1 day from this link |
hphosts_mmt | hpHosts sites involved in misleading marketing (e.g. fake Flash update adverts) listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 960 unique IPs | updated every 1 day from this link |
hphosts_pha | hpHosts illegal pharmacy sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 2474 unique IPs | updated every 1 day from this link |
hphosts_psh | hpHosts phishing sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 44781 unique IPs | updated every 1 day from this link |
hphosts_wrz | hpHosts warez/piracy sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses. | ipv4 hash:ip | 905 unique IPs | updated every 1 day from this link |
iblocklist_abuse_palevo | palevotracker.abuse.ch IP blocklist. | ipv4 hash:net | 12 subnets, 12 unique IPs | updated every 12 hours from this link |
iblocklist_abuse_spyeye | spyeyetracker.abuse.ch IP blocklist. | ipv4 hash:net | 83 subnets, 84 unique IPs | updated every 12 hours from this link |
iblocklist_abuse_zeus | zeustracker.abuse.ch IP blocklist that contains IP addresses which are currently beeing tracked on the abuse.ch ZeuS Tracker. | ipv4 hash:net | 209 subnets, 212 unique IPs | updated every 12 hours from this link |
iblocklist_ads | Advertising trackers and a short list of bad/intrusive porn sites. | ipv4 hash:net | 3390 subnets, 888640 unique IPs | updated every 12 hours |
iblocklist_badpeers | IPs that have been reported for bad deeds in p2p. | ipv4 hash:net | 48578 subnets, 1569289 unique IPs | updated every 12 hours |
iblocklist_bogons | Unallocated address space. | ipv4 hash:net | 2692 subnets, 645673639 unique IPs | updated every 12 hours |
iblocklist_ciarmy_malicious | ciarmy.com IP blocklist. Based on information from a network of Sentinel devices deployed around the world, they compile a list of known bad IP addresses. Sentinel devices are uniquely positioned to pick up traffic from bad guys without requiring any type of signature-based or rate-based identification. If an IP is identified in this way by a significant number of Sentinels, the IP is malicious and should be blocked. | ipv4 hash:net | 12081 subnets, 15000 unique IPs | updated every 12 hours from this link |
iblocklist_cidr_report_bogons | cidr-report.org IP list of Unallocated address space. | ipv4 hash:net | 18 subnets, 588514808 unique IPs | updated every 12 hours from this link |
iblocklist_cruzit_web_attacks | CruzIT IP list with individual IP addresses of compromised machines scanning for vulnerabilities and DDOS attacks. | ipv4 hash:net | 14096 subnets, 14397 unique IPs | updated every 12 hours from this link |
iblocklist_dshield | known Hackers and such people. | ipv4 hash:net | 16 subnets, 2566 unique IPs | updated every 12 hours |
iblocklist_edu | IPs used by Educational Institutions. | ipv4 hash:net | 43899 subnets, 227856164 unique IPs | updated every 12 hours |
iblocklist_exclusions | Exclusions. | ipv4 hash:net | 313 subnets, 7488 unique IPs | updated every 12 hours |
iblocklist_fornonlancomputers | IP blocklist for non-LAN computers. | ipv4 hash:net | 4 subnets, 302055424 unique IPs | updated every 12 hours |
iblocklist_forumspam | Forum spam. | ipv4 hash:net | 455 subnets, 479 unique IPs | updated every 12 hours |
iblocklist_hijacked | Hijacked IP-Blocks. Contains hijacked IP-Blocks and known IP-Blocks that are used to deliver Spam. This list is a combination of lists with hijacked IP-Blocks. Hijacked IP space are IP blocks that are being used without permission by organizations that have no relation to original organization (or its legal successor) that received the IP block. In essence it's stealing of somebody else's IP resources. | ipv4 hash:net | 512 subnets, 8736512 unique IPs | updated every 12 hours |
iblocklist_iana_multicast | IANA Multicast IPs. | ipv4 hash:net | 1 subnets, 268435456 unique IPs | updated every 12 hours |
iblocklist_iana_private | IANA Private IPs. | ipv4 hash:net | 58 subnets, 51643646 unique IPs | updated every 12 hours |
iblocklist_iana_reserved | IANA Reserved IPs. | ipv4 hash:net | 1 subnets, 536870912 unique IPs | updated every 12 hours |
iblocklist_isp_aol | AOL IPs. | ipv4 hash:net | 16 subnets, 6627584 unique IPs | updated every 1 day from this link |
iblocklist_isp_att | AT&T IPs. | ipv4 hash:net | 35 subnets, 55845128 unique IPs | updated every 1 day from this link |
iblocklist_isp_cablevision | Cablevision IPs. | ipv4 hash:net | 11 subnets, 1787136 unique IPs | updated every 1 day from this link |
iblocklist_isp_charter | Charter IPs. | ipv4 hash:net | 21 subnets, 6138112 unique IPs | updated every 1 day from this link |
iblocklist_isp_comcast | Comcast IPs. | ipv4 hash:net | 33 subnets, 45121536 unique IPs | updated every 1 day from this link |
iblocklist_isp_embarq | Embarq IPs. | ipv4 hash:net | 14 subnets, 2703360 unique IPs | updated every 1 day from this link |
iblocklist_isp_qwest | Qwest IPs. | ipv4 hash:net | 73 subnets, 15777552 unique IPs | updated every 1 day from this link |
iblocklist_isp_sprint | Sprint IPs. | ipv4 hash:net | 73 subnets, 6310570 unique IPs | updated every 1 day from this link |
iblocklist_isp_suddenlink | Suddenlink IPs. | ipv4 hash:net | 3 subnets, 458752 unique IPs | updated every 1 day from this link |
iblocklist_isp_twc | Time Warner Cable IPs. | ipv4 hash:net | 56 subnets, 15015936 unique IPs | updated every 1 day from this link |
iblocklist_isp_verizon | Verizon IPs. | ipv4 hash:net | 22 subnets, 18087936 unique IPs | updated every 1 day from this link |
iblocklist_level1 | Level 1 (for use in p2p): Companies or organizations who are clearly involved with trying to stop filesharing (e.g. Baytsp, MediaDefender, Mediasentry). Companies which anti-p2p activity has been seen from. Companies that produce or have a strong financial interest in copyrighted material (e.g. music, movie, software industries a.o.). Government ranges or companies that have a strong financial interest in doing work for governments. Legal industry ranges. IPs or ranges of ISPs from which anti-p2p activity has been observed. Basically this list will block all kinds of internet connections that most people would rather not have during their internet travels. | ipv4 hash:net | 235637 subnets, 725210421 unique IPs | updated every 12 hours |
iblocklist_level2 | Level 2 (for use in p2p). General corporate ranges. Ranges used by labs or researchers. Proxies. | ipv4 hash:net | 78365 subnets, 337784731 unique IPs | updated every 12 hours |
iblocklist_level3 | Level 3 (for use in p2p). Many portal-type websites. ISP ranges that may be dodgy for some reason. Ranges that belong to an individual, but which have not been determined to be used by a particular company. Ranges for things that are unusual in some way. The L3 list is aka the paranoid list. | ipv4 hash:net | 18869 subnets, 137015803 unique IPs | updated every 12 hours |
iblocklist_malc0de | malc0de.com IP blocklist. Addresses that have been identified distributing malware during the past 30 days. | ipv4 hash:net | 21 subnets, 21 unique IPs | updated every 12 hours from this link |
iblocklist_onion_router | The Onion Router IP addresses. | ipv4 hash:net | 856 subnets, 1153 unique IPs | updated every 12 hours from this link |
iblocklist_org_activision | Activision IPs. | ipv4 hash:net | 49 subnets, 4902 unique IPs | updated every 1 day from this link |
iblocklist_org_apple | Apple IPs. | ipv4 hash:net | 1 subnets, 16777216 unique IPs | updated every 1 day from this link |
iblocklist_org_blizzard | Blizzard IPs. | ipv4 hash:net | 8 subnets, 16795139 unique IPs | updated every 1 day from this link |
iblocklist_org_crowd_control | Crowd Control Productions IPs. | ipv4 hash:net | 2 subnets, 768 unique IPs | updated every 1 day from this link |
iblocklist_org_electronic_arts | Electronic Arts IPs. | ipv4 hash:net | 42 subnets, 69720 unique IPs | updated every 1 day from this link |
iblocklist_org_joost | Joost IPs. | ipv4 hash:net | 4 subnets, 16779456 unique IPs | updated every 1 day from this link |
iblocklist_org_linden_lab | Linden Lab IPs. | ipv4 hash:net | 11 subnets, 23600 unique IPs | updated every 1 day from this link |
iblocklist_org_logmein | LogMeIn IPs. | ipv4 hash:net | 13 subnets, 16781568 unique IPs | updated every 1 day from this link |
iblocklist_org_microsoft | Microsoft IP ranges. | ipv4 hash:net | 901 subnets, 1848599 unique IPs | updated every 12 hours |
iblocklist_org_ncsoft | NCsoft IPs. | ipv4 hash:net | 5 subnets, 12560 unique IPs | updated every 1 day from this link |
iblocklist_org_nintendo | Nintendo IPs. | ipv4 hash:net | 45 subnets, 3927 unique IPs | updated every 1 day from this link |
iblocklist_org_pandora | Pandora IPs. | ipv4 hash:net | 1 subnets, 2048 unique IPs | updated every 1 day from this link |
iblocklist_org_pirate_bay | The Pirate Bay IPs. | ipv4 hash:net | 5 subnets, 323 unique IPs | updated every 1 day from this link |
iblocklist_org_punkbuster | Punkbuster IPs. | ipv4 hash:net | 1 subnets, 1 unique IPs | updated every 1 day from this link |
iblocklist_org_riot_games | Riot Games IPs. | ipv4 hash:net | 6 subnets, 1792 unique IPs | updated every 1 day from this link |
iblocklist_org_sony_online | Sony Online Entertainment IPs. | ipv4 hash:net | 7 subnets, 24616 unique IPs | updated every 1 day from this link |
iblocklist_org_square_enix | Square Enix IPs. | ipv4 hash:net | 2 subnets, 4112 unique IPs | updated every 1 day from this link |
iblocklist_org_steam | Steam IPs. | ipv4 hash:net | 53 subnets, 596448 unique IPs | updated every 1 day from this link |
iblocklist_org_ubisoft | Ubisoft IPs. | ipv4 hash:net | 10 subnets, 5308 unique IPs | updated every 1 day from this link |
iblocklist_org_xfire | XFire IPs. | ipv4 hash:net | 3 subnets, 3328 unique IPs | updated every 1 day from this link |
iblocklist_pedophiles | IP ranges of people who we have found to be sharing child pornography in the p2p community. | ipv4 hash:net | 29188 subnets, 847889 unique IPs | updated every 12 hours from this link |
iblocklist_proxies | Open Proxies IPs list (without TOR) | ipv4 hash:ip | 672 unique IPs | updated every 12 hours |
iblocklist_rangetest | Suspicious IPs that are under investigation. | ipv4 hash:net | 576 subnets, 4280758 unique IPs | updated every 12 hours |
iblocklist_spamhaus_drop | Spamhaus.org DROP (Don't Route Or Peer) list. | ipv4 hash:net | 900 subnets, 17338368 unique IPs | updated every 12 hours from this link |
iblocklist_spider | IP list intended to be used by webmasters to block hostile spiders from their web sites. | ipv4 hash:net | 773 subnets, 846788 unique IPs | updated every 12 hours |
iblocklist_spyware | Known malicious SPYWARE and ADWARE IP Address ranges. It is compiled from various sources, including other available spyware blacklists, HOSTS files, from research found at many of the top anti-spyware forums, logs of spyware victims, etc. | ipv4 hash:net | 3361 subnets, 339307 unique IPs | updated every 12 hours |
iblocklist_webexploit | Web server hack and exploit attempts. IP addresses related to current web server hack and exploit attempts that have been logged or can be found in and cross referenced with other related IP databases. Malicious and other non search engine bots will also be listed here, along with anything found that can have a negative impact on a website or webserver such as proxies being used for negative SEO hijacks, unauthorised site mirroring, harvesting, scraping, snooping and data mining / spy bot / security & copyright enforcement companies that target and continuosly scan webservers. | ipv4 hash:ip | 15382 unique IPs | updated every 12 hours |
iblocklist_yoyo_adservers | pgl.yoyo.org ad servers | ipv4 hash:net | 7742 subnets, 9134 unique IPs | updated every 12 hours from this link |
ip2location_country | IP2Location.com geolocation database | ipv4 hash:net | All the world | updated every 1 day from this link |
ip2location_country_eh | Western Sahara (EH) -- IP2Location.com | ipv4 hash:net | 1 subnets, 256 unique IPs | updated every 1 day from this link |
ip2proxy_px1lite | IP2Location.com IP2Proxy LITE IP-COUNTRY Database contains IP addresses which are used as public proxies. The LITE edition is a free version of database that is limited to public proxies IP address. | ipv4 hash:net | 1085837 subnets, 1221955 unique IPs | updated every 1 day |
ipblacklistcloud_recent | IP Blacklist Cloud These are the most recent IP addresses that have been blacklisted by websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin! | ipv4 hash:ip | 32 unique IPs | updated every 4 hours from this link |
ipblacklistcloud_recent_1d | IP Blacklist Cloud These are the most recent IP addresses that have been blacklisted by websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin! | ipv4 hash:ip | 32 unique IPs | updated every 4 hours from this link |
ipblacklistcloud_recent_30d | IP Blacklist Cloud These are the most recent IP addresses that have been blacklisted by websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin! | ipv4 hash:ip | 196 unique IPs | updated every 4 hours from this link |
ipblacklistcloud_recent_7d | IP Blacklist Cloud These are the most recent IP addresses that have been blacklisted by websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin! | ipv4 hash:ip | 64 unique IPs | updated every 4 hours from this link |
ipblacklistcloud_top | IP Blacklist Cloud These are the top IP addresses that have been blacklisted by many websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin! | ipv4 hash:ip | 200 unique IPs | updated every 1 day from this link |
ipdeny_country | IPDeny.com geolocation database | ipv4 hash:net | All the world | updated every 1 day from this link |
iw_spamlist | ImproWare Antispam IPs sending spam, in the last 3 days | ipv4 hash:ip | 0 unique IPs | updated every 1 hour from this link |
iw_wormlist | ImproWare Antispam IPs sending emails with viruses or worms, in the last 3 days | ipv4 hash:ip | 0 unique IPs | updated every 1 hour from this link |
lashback_ubl | The LashBack UBL The Unsubscribe Blacklist (UBL) is a real-time blacklist of IP addresses which are sending email to names harvested from suppression files (this is a big list, more than 500.000 IPs) | ipv4 hash:ip | 37994 unique IPs | updated every 1 day from this link |
malc0de | Malc0de.com malicious IPs of the last 30 days | ipv4 hash:ip | 21 unique IPs | updated every 1 day from this link |
malwaredomainlist | malwaredomainlist.com list of malware active ip addresses | ipv4 hash:ip | 996 unique IPs | updated every 12 hours from this link |
maxmind_proxy_fraud | MaxMind.com sample list of high-risk IP addresses. | ipv4 hash:ip | 583 unique IPs | updated every 4 hours from this link |
myip | myip.ms IPs identified as web bots in the last 10 days, using several sites that require human action | ipv4 hash:ip | 1390 unique IPs | updated every 1 day from this link |
nixspam | NiX Spam IP addresses that sent spam in the last hour - automatically generated entries without distinguishing open proxies from relays, dialup gateways, and so on. All IPs are removed after 12 hours if there is no spam from there. | ipv4 hash:ip | 17135 unique IPs | updated every 15 mins from this link |
normshield_all_attack | NormShield.com IPs in category attack with severity all | ipv4 hash:ip | 0 unique IPs | updated every 12 hours |
normshield_all_bruteforce | NormShield.com IPs in category bruteforce with severity all | ipv4 hash:ip | 196 unique IPs | updated every 12 hours |
normshield_all_ddosbot | NormShield.com IPs in category ddosbot with severity all | ipv4 hash:ip | 1 unique IPs | updated every 12 hours |
normshield_all_dnsscan | NormShield.com IPs in category dnsscan with severity all | ipv4 hash:ip | 1 unique IPs | updated every 12 hours |
normshield_all_spam | NormShield.com IPs in category spam with severity all | ipv4 hash:ip | 17 unique IPs | updated every 12 hours |
normshield_all_suspicious | NormShield.com IPs in category suspicious with severity all | ipv4 hash:ip | 11 unique IPs | updated every 12 hours |
normshield_all_wannacry | NormShield.com IPs in category wannacry with severity all | ipv4 hash:ip | 1165 unique IPs | updated every 12 hours |
normshield_all_webscan | NormShield.com IPs in category webscan with severity all | ipv4 hash:ip | 46 unique IPs | updated every 12 hours |
normshield_all_wormscan | NormShield.com IPs in category wormscan with severity all | ipv4 hash:ip | 28 unique IPs | updated every 12 hours |
normshield_high_attack | NormShield.com IPs in category attack with severity high | ipv4 hash:ip | 0 unique IPs | updated every 12 hours |
normshield_high_bruteforce | NormShield.com IPs in category bruteforce with severity high | ipv4 hash:ip | 196 unique IPs | updated every 12 hours |
normshield_high_ddosbot | NormShield.com IPs in category ddosbot with severity high | ipv4 hash:ip | 1 unique IPs | updated every 12 hours |
normshield_high_dnsscan | NormShield.com IPs in category dnsscan with severity high | ipv4 hash:ip | 1 unique IPs | updated every 12 hours |
normshield_high_spam | NormShield.com IPs in category spam with severity high | ipv4 hash:ip | 17 unique IPs | updated every 12 hours |
normshield_high_suspicious | NormShield.com IPs in category suspicious with severity high | ipv4 hash:ip | 11 unique IPs | updated every 12 hours |
normshield_high_wannacry | NormShield.com IPs in category wannacry with severity high | ipv4 hash:ip | 1165 unique IPs | updated every 12 hours |
normshield_high_webscan | NormShield.com IPs in category webscan with severity high | ipv4 hash:ip | 46 unique IPs | updated every 12 hours |
normshield_high_wormscan | NormShield.com IPs in category wormscan with severity high | ipv4 hash:ip | 28 unique IPs | updated every 12 hours |
nt_malware_dns | No Think Malware DNS (the original list includes hostnames and domains, which are ignored) | ipv4 hash:ip | 235 unique IPs | updated every 1 hour from this link |
nt_malware_http | No Think Malware HTTP | ipv4 hash:ip | 69 unique IPs | updated every 1 hour from this link |
nt_malware_irc | No Think Malware IRC | ipv4 hash:ip | 42 unique IPs | updated every 1 hour from this link |
nt_ssh_7d | NoThink Last 7 days SSH attacks | ipv4 hash:ip | 169 unique IPs | updated every 1 hour from this link |
nullsecure | nullsecure.org This is a free threat feed provided for use in any acceptable manner. This feed was aggregated using the Tango Honeypot Intelligence Splunk App by Brian Warehime, a Senior Security Analyst at Defense Point Security. | ipv4 hash:ip | 1 unique IPs | updated every 8 hours from this link |
packetmail | PacketMail.net IP addresses that have been detected performing TCP SYN to 206.82.85.196/30 to a non-listening service or daemon. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk. | ipv4 hash:ip | 3986 unique IPs | updated every 4 hours from this link |
packetmail_emerging_ips | PacketMail.net IP addresses that have been detected as potentially of interest based on the number of unique users of the packetmail IP Reputation system. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk. | ipv4 hash:ip | 26 unique IPs | updated every 4 hours from this link |
packetmail_mail | PacketMail.net IP addresses that have been detected performing behavior not in compliance with the requirements this system enforces for email acceptance. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk. | ipv4 hash:ip | 73 unique IPs | updated every 4 hours from this link |
packetmail_ramnode | PacketMail.net IP addresses that have been detected performing TCP SYN to 81.4.103.251 to a non-listening service or daemon. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk. | ipv4 hash:ip | 2502 unique IPs | updated every 4 hours from this link |
php_bad | projecthoneypot.org bad web hosts (this list is composed using an RSS feed) | ipv4 hash:ip | disabled | updated every 1 hour from this link |
php_commenters | projecthoneypot.org comment spammers (this list is composed using an RSS feed) | ipv4 hash:ip | 50 unique IPs | updated every 1 hour from this link |
php_commenters_1d | projecthoneypot.org comment spammers (this list is composed using an RSS feed) | ipv4 hash:ip | 94 unique IPs | updated every 1 hour from this link |
php_commenters_30d | projecthoneypot.org comment spammers (this list is composed using an RSS feed) | ipv4 hash:ip | 1140 unique IPs | updated every 1 hour from this link |
php_commenters_7d | projecthoneypot.org comment spammers (this list is composed using an RSS feed) | ipv4 hash:ip | 324 unique IPs | updated every 1 hour from this link |
php_dictionary | projecthoneypot.org directory attackers (this list is composed using an RSS feed) | ipv4 hash:ip | 50 unique IPs | updated every 1 hour from this link |
php_dictionary_1d | projecthoneypot.org directory attackers (this list is composed using an RSS feed) | ipv4 hash:ip | 50 unique IPs | updated every 1 hour from this link |
php_dictionary_30d | projecthoneypot.org directory attackers (this list is composed using an RSS feed) | ipv4 hash:ip | 918 unique IPs | updated every 1 hour from this link |
php_dictionary_7d | projecthoneypot.org directory attackers (this list is composed using an RSS feed) | ipv4 hash:ip | 271 unique IPs | updated every 1 hour from this link |
php_harvesters | projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) | ipv4 hash:ip | 50 unique IPs | updated every 1 hour from this link |
php_harvesters_1d | projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) | ipv4 hash:ip | 50 unique IPs | updated every 1 hour from this link |
php_harvesters_30d | projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) | ipv4 hash:ip | 401 unique IPs | updated every 1 hour from this link |
php_harvesters_7d | projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) | ipv4 hash:ip | 132 unique IPs | updated every 1 hour from this link |
php_spammers | projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) | ipv4 hash:ip | 48 unique IPs | updated every 1 hour from this link |
php_spammers_1d | projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) | ipv4 hash:ip | 48 unique IPs | updated every 1 hour from this link |
php_spammers_30d | projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) | ipv4 hash:ip | 1022 unique IPs | updated every 1 hour from this link |
php_spammers_7d | projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) | ipv4 hash:ip | 307 unique IPs | updated every 1 hour from this link |
proxylists | proxylists.net open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 2668 unique IPs | updated every 1 hour from this link |
proxylists_1d | proxylists.net open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 5094 unique IPs | updated every 1 hour from this link |
proxylists_30d | proxylists.net open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 10138 unique IPs | updated every 1 hour from this link |
proxylists_7d | proxylists.net open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 8263 unique IPs | updated every 1 hour from this link |
proxyrss | proxyrss.com open proxies syndicated from multiple sources. | ipv4 hash:ip | disabled | updated every 4 hours from this link |
proxyspy_1d | ProxySpy open proxies (updated hourly) | ipv4 hash:ip | 300 unique IPs | updated every 1 hour from this link |
proxyspy_30d | ProxySpy open proxies (updated hourly) | ipv4 hash:ip | 6720 unique IPs | updated every 1 hour from this link |
proxyspy_7d | ProxySpy open proxies (updated hourly) | ipv4 hash:ip | 2828 unique IPs | updated every 1 hour from this link |
proxz | proxz.com open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 26 unique IPs | updated every 1 hour from this link |
proxz_1d | proxz.com open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 266 unique IPs | updated every 1 hour from this link |
proxz_30d | proxz.com open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 3338 unique IPs | updated every 1 hour from this link |
proxz_7d | proxz.com open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 1201 unique IPs | updated every 1 hour from this link |
pushing_inertia_blocklist | Pushing Inertia IPs of hosting providers that are known to host various bots, spiders, scrapers, etc. to block access from these providers to web servers. | ipv4 hash:net | 1309 subnets, 60462830 unique IPs | updated every 1 day from this link |
ransomware_cryptowall_ps | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is CW_PS_IPBL: CryptoWall Ransomware Payment Sites IP blocklist. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ransomware_feed | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. The IPs in this list have been extracted from the tracker data feed. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ransomware_locky_c2 | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is LY_C2_IPBL: Locky Ransomware C2 URL blocklist. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ransomware_locky_ps | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is LY_PS_IPBL: Locky Ransomware Payment Sites IP blocklist. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ransomware_online | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. The IPs in this list have been extracted from the tracker data feed, filtering only online IPs. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ransomware_rw | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list includes TC_PS_IPBL, LY_C2_IPBL, TL_C2_IPBL, TL_PS_IPBL and it is the recommended blocklist. It might not catch everything, but the false positive rate should be low. However, false positives are possible, especially with regards to RW_IPBL. IP addresses associated with Ransomware Payment Sites (*_PS_IPBL) or Locky botnet C&Cs (LY_C2_IPBL) stay listed on RW_IPBL for a time of 30 days after the last appearance. This means that an IP address stays listed on RW_IPBL even after the threat has been eliminated (e.g. the VPS / server has been suspended by the hosting provider) for another 30 days. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ransomware_teslacrypt_ps | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is TC_PS_IPBL: TeslaCrypt Ransomware Payment Sites IP blocklist. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ransomware_torrentlocker_c2 | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is TL_C2_IPBL: TorrentLocker Ransomware C2 IP blocklist. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ransomware_torrentlocker_ps | Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is TL_PS_IPBL: TorrentLocker Ransomware Payment Sites IP blocklist. | ipv4 hash:ip | 0 unique IPs | updated every 5 mins from this link |
ri_connect_proxies | rosinstrument.com open CONNECT proxies (this list is composed using an RSS feed) | ipv4 hash:ip | disabled | updated every 1 hour from this link |
ri_web_proxies | rosinstrument.com open HTTP proxies (this list is composed using an RSS feed) | ipv4 hash:ip | disabled | updated every 1 hour from this link |
sblam | sblam.com IPs used by web form spammers, during the last month | ipv4 hash:ip | 2472 unique IPs | updated every 1 day from this link |
shunlist | AutoShun.org IPs identified as hostile by correlating logs from distributed snort installations running the autoshun plugin | ipv4 hash:ip | 500 unique IPs | updated every 4 hours |
snort_ipfilter | labs.snort.org supplied IP blacklist (this list seems to be updated frequently, but we found no information about it) | ipv4 hash:ip | 836 unique IPs | updated every 12 hours from this link |
socks_proxy | socks-proxy.net open SOCKS proxies | ipv4 hash:ip | 302 unique IPs | updated every 10 mins from this link |
socks_proxy_1d | socks-proxy.net open SOCKS proxies | ipv4 hash:ip | 2555 unique IPs | updated every 10 mins from this link |
socks_proxy_30d | socks-proxy.net open SOCKS proxies | ipv4 hash:ip | 4837 unique IPs | updated every 10 mins from this link |
socks_proxy_7d | socks-proxy.net open SOCKS proxies | ipv4 hash:ip | 3381 unique IPs | updated every 10 mins from this link |
sorbs_anonymizers | Sorbs.net List of open HTTP and SOCKS proxies. | ipv4 hash:net | 597391 subnets, 610263 unique IPs | updated every 1 min |
sorbs_block | Sorbs.net List of hosts demanding that they never be tested by SORBS. | ipv4 hash:net | disabled | |
sorbs_dul | Sorbs.net Dynamic IP Addresses. | ipv4 hash:net | 607718 subnets, 375474210 unique IPs | updated every 1 min |
sorbs_escalations | Sorbs.net Netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list. | ipv4 hash:net | 8 subnets, 2304 unique IPs | updated every 1 min |
sorbs_new_spam | Sorbs.net List of hosts that have been noted as sending spam/UCE/UBE within the last 48 hours | ipv4 hash:net | 33977 subnets, 35967 unique IPs | updated every 1 min |
sorbs_noserver | Sorbs.net IP addresses and netblocks of where system administrators and ISPs owning the network have indicated that servers should not be present. | ipv4 hash:net | 15066 subnets, 22951270 unique IPs | updated every 1 min |
sorbs_recent_spam | Sorbs.net List of hosts that have been noted as sending spam/UCE/UBE within the last 28 days (includes sorbs_new_spam) | ipv4 hash:net | 522240 subnets, 555438 unique IPs | updated every 1 min |
sorbs_smtp | Sorbs.net List of SMTP Open Relays. | ipv4 hash:net | 1968 subnets, 1976 unique IPs | updated every 1 min |
sorbs_web | Sorbs.net List of IPs which have spammer abusable vulnerabilities (e.g. FormMail scripts) | ipv4 hash:net | 5895259 subnets, 6375029 unique IPs | updated every 1 min |
sorbs_zombie | Sorbs.net List of networks hijacked from their original owners, some of which have already used for spamming. | ipv4 hash:net | 78 subnets, 1903876 unique IPs | updated every 1 min |
spamhaus_drop | Spamhaus.org DROP list (according to their site this list should be dropped at tier-1 ISPs globally) | ipv4 hash:net | 1307 subnets, 15906048 unique IPs | updated every 12 hours from this link |
spamhaus_edrop | Spamhaus.org EDROP (extended matches that should be used with DROP) | ipv4 hash:net | 336 subnets, 731392 unique IPs | updated every 12 hours from this link |
sslbl | Abuse.ch SSL Blacklist bad SSL traffic related to malware or botnet activities | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
sslbl_aggressive | Abuse.ch SSL Blacklist The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend you to use the standard version instead of the aggressive one. | ipv4 hash:ip | 0 unique IPs | updated every 30 mins from this link |
sslproxies | SSLProxies.org open SSL proxies | ipv4 hash:ip | 102 unique IPs | updated every 10 mins from this link |
sslproxies_1d | SSLProxies.org open SSL proxies | ipv4 hash:ip | 238 unique IPs | updated every 10 mins from this link |
sslproxies_30d | SSLProxies.org open SSL proxies | ipv4 hash:ip | 1844 unique IPs | updated every 10 mins from this link |
sslproxies_7d | SSLProxies.org open SSL proxies | ipv4 hash:ip | 708 unique IPs | updated every 10 mins from this link |
stopforumspam | StopForumSpam.com Banned IPs used by forum spammers | ipv4 hash:ip | 147282 unique IPs | updated every 1 day from this link |
stopforumspam_180d | StopForumSpam.com IPs used by forum spammers (last 180 days) | ipv4 hash:ip | 265885 unique IPs | updated every 1 day from this link |
stopforumspam_1d | StopForumSpam.com IPs used by forum spammers in the last 24 hours | ipv4 hash:ip | 4244 unique IPs | updated every 1 hour from this link |
stopforumspam_30d | StopForumSpam.com IPs used by forum spammers (last 30 days) | ipv4 hash:ip | 60336 unique IPs | updated every 1 day from this link |
stopforumspam_365d | StopForumSpam.com IPs used by forum spammers (last 365 days) | ipv4 hash:ip | 492370 unique IPs | updated every 1 day from this link |
stopforumspam_7d | StopForumSpam.com IPs used by forum spammers (last 7 days) | ipv4 hash:ip | 19467 unique IPs | updated every 1 day from this link |
stopforumspam_90d | StopForumSpam.com IPs used by forum spammers (last 90 days) | ipv4 hash:ip | 147556 unique IPs | updated every 1 day from this link |
stopforumspam_toxic | StopForumSpam.com Networks that have large amounts of spambots and are flagged as toxic. Toxic IP ranges are infrequently changed. | ipv4 hash:net | 51 subnets, 121708 unique IPs | updated every 1 day from this link |
taichung | Taichung Education Center Blocked IP Addresses (attacks and bots). | ipv4 hash:ip | 2658 unique IPs | updated every 1 day from this link |
talosintel_ipfilter | TalosIntel.com List of known malicious network threats | ipv4 hash:ip | 732 unique IPs | updated every 15 mins from this link |
threatcrowd | Crowdsourced IP feed from ThreatCrowd. These feeds are not a substitute for the scale of auto-extracted command and control domains or the quality of some commercially provided feeds. But crowd-sourcing does go some way towards the quick sharing of threat intelligence between the community. | ipv4 hash:ip | 977 unique IPs | updated every 1 hour from this link |
tor_exits | TorProject.org list of all current TOR exit points (TorDNSEL) | ipv4 hash:ip | 1157 unique IPs | updated every 5 mins from this link |
tor_exits_1d | TorProject.org list of all current TOR exit points (TorDNSEL) | ipv4 hash:ip | 1163 unique IPs | updated every 5 mins from this link |
tor_exits_30d | TorProject.org list of all current TOR exit points (TorDNSEL) | ipv4 hash:ip | 1501 unique IPs | updated every 5 mins from this link |
tor_exits_7d | TorProject.org list of all current TOR exit points (TorDNSEL) | ipv4 hash:ip | 1229 unique IPs | updated every 5 mins from this link |
turris_greylist | Turris Greylist IPs that are blocked on the firewalls of Turris routers. The data is processed and clasified every week and behaviour of IP addresses that accessed a larger number of Turris routers is evaluated. The result is a list of addresses that have tried to obtain information about services on the router or tried to gain access to them. We do not recommend to use these data as a list of addresses that should be blocked but it can be used for example in analysis of the traffic in other networks. | ipv4 hash:ip | 9614 unique IPs | updated every 7 days from this link |
urandomusto_dns | IP Feed about dns, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 67 unique IPs | updated every 1 hour from this link |
urandomusto_ftp | IP Feed about ftp, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 152 unique IPs | updated every 1 hour from this link |
urandomusto_http | IP Feed about http, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 289 unique IPs | updated every 1 hour from this link |
urandomusto_mailer | IP Feed about mailer, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 259 unique IPs | updated every 1 hour from this link |
urandomusto_malware | IP Feed about malware, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 1 unique IPs | updated every 1 hour from this link |
urandomusto_ntp | IP Feed about ntp, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 72 unique IPs | updated every 1 hour from this link |
urandomusto_rdp | IP Feed about rdp, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 133 unique IPs | updated every 1 hour from this link |
urandomusto_smb | IP Feed about smb, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 45 unique IPs | updated every 1 hour from this link |
urandomusto_spam | IP Feed about spam, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 4 unique IPs | updated every 1 hour from this link |
urandomusto_ssh | IP Feed about ssh, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 126 unique IPs | updated every 1 hour from this link |
urandomusto_telnet | IP Feed about telnet, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 299 unique IPs | updated every 1 hour from this link |
urandomusto_unspecified | IP Feed about unspecified, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 178 unique IPs | updated every 1 hour from this link |
urandomusto_vnc | IP Feed about vnc, crawled from several sources, including several twitter accounts. | ipv4 hash:ip | 27 unique IPs | updated every 1 hour from this link |
urlvir | URLVir.com Active Malicious IP Addresses Hosting Malware. URLVir is an online security service developed by NoVirusThanks Company Srl that automatically monitors changes of malicious URLs (executable files). | ipv4 hash:ip | 171 unique IPs | updated every 1 day from this link |
uscert_hidden_cobra | Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer and Hangman. | ipv4 hash:ip | 627 unique IPs | updated every 1 day from this link |
voipbl | VoIPBL.org a distributed VoIP blacklist that is aimed to protects against VoIP Fraud and minimizing abuse for network that have publicly accessible PBX's. Several algorithms, external sources and manual confirmation are used before they categorize something as an attack and determine the threat level. | ipv4 hash:net | 57978 subnets, 76250 unique IPs | updated every 4 hours from this link |
vxvault | VxVault The latest 100 additions of VxVault. | ipv4 hash:ip | 67 unique IPs | updated every 12 hours from this link |
xforce_bccs | IBM X-Force Exchange Botnet Command and Control Servers | ipv4 hash:ip | 416 unique IPs | updated every 1 day from this link |
xroxy | xroxy.com open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 17 unique IPs | updated every 1 hour from this link |
xroxy_1d | xroxy.com open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 17 unique IPs | updated every 1 hour from this link |
xroxy_30d | xroxy.com open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 76 unique IPs | updated every 1 hour from this link |
xroxy_7d | xroxy.com open proxies (this list is composed using an RSS feed) | ipv4 hash:ip | 45 unique IPs | updated every 1 hour from this link |
yoyo_adservers | Yoyo.org IPs of ad servers | ipv4 hash:ip | 9134 unique IPs | updated every 12 hours from this link |
zeus | Abuse.ch Zeus tracker standard, contains the same data as the ZeuS IP blocklist (zeus_badips) but with the slight difference that it doesn't exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blocklist contains all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives. | ipv4 hash:ip | disabled | updated every 30 mins from this link |
zeus_badips | Abuse.ch Zeus tracker badips includes IPv4 addresses that are used by the ZeuS trojan. It is the recommened blocklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or belong to a free web hosting provider (level 3). Hence the false postive rate should be much lower compared to the standard ZeuS IP blocklist. | ipv4 hash:ip | disabled | updated every 30 mins from this link |