Updated DShield Blocklist

Published: 2016-09-07
Last Updated: 2016-09-07 18:52:22 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Earlier today, I updated how our "block list" is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, please note that this list is provided "as is" and use it at your own risk. There will likely be some false positives from time to time, and of course, your definition of a "false positive" may differ from ours.

As before, the list consists of /24 networks. We found in the past that this network size provides a reasonable balance between false positives and efficiently blocking sets of known misbehaving IPs.

Networks will be de-listed on request. We will not review the request for "maliciousness". But if you know you are listed, and you ask us to remove you, we will do so as soon as possible. 

To compile the list, we rank /24 networks based on the number of targets they attack. We only include reports if we received them from multiple submitters. Some common false positives are removed and not included in the ranking.

Of course, you can build your own lists using whatever data we provide. But please be aware that the purpose of our data is research, not blocking. We do not filter the data displayed on our site for false positives. It is up to you to decide what is a false positive. For example, we do include "research scans" in our data, and even in our blocklists. Some may consider this a false positive.

"Top 10" blocklists block common, Internet-wide scans. They will not protect you from targeted scans, and they will not protect you from all scans of this type. Please understand these limitations before applying this blocklist. The block list is updated once an hour.

URL of our blocklist: https://isc.sans.edu/feeds/block.txt
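As an added example (not code from the diary or from DShield), here is how a practitioner might consume the feed while keeping the two points above in mind: validate that every entry really is a /24, and apply a local allowlist so that networks you consider false positives never reach the firewall. The example assumes the feed's data lines are tab-separated with the network's first address, last address and prefix length as the first three fields, and that comment lines start with "#"; adjust the column indices if the feed you download differs. The sample feed below is constructed from RFC 5737 documentation ranges and is not real DShield data.

```python
import ipaddress

# Constructed sample in the layout this example ASSUMES for block.txt:
# '#' comment lines, then tab-separated "start<TAB>end<TAB>prefixlen<TAB>...".
# Addresses are RFC 5737 documentation ranges, not real DShield data.
SAMPLE_FEED = """\
#   Recommended Block List (constructed sample, not real data)
#   Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail
192.0.2.0\t192.0.2.255\t24\t123\tExample Net A\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t98\tExample Net B\tXX\tabuse@example.org
203.0.113.0\t203.0.113.255\t24\t42\tExample Net C\tXX\tabuse@example.com
not-an-ip\tgarbage\t24\t1\tMalformed\tXX\tnobody@example.invalid
192.0.2.0\t192.0.2.255\t24\t123\tDuplicate A\tXX\tabuse@example.net
"""


def parse_block_list(text):
    """Return the /24 networks in a block.txt-style feed, in feed order, de-duplicated.

    Lines that are comments, truncated, unparsable, not a /24, or whose
    end address does not match the network are skipped rather than blocked.
    """
    nets, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # truncated line
        start, end, prefix = fields[0], fields[1], fields[2]
        try:
            net = ipaddress.ip_network(f"{start}/{prefix}", strict=True)
        except ValueError:
            continue  # bad address, bad prefix, or start not on the /prefix boundary
        # The diary says the list is made of /24s; the feed's last-address column
        # must match the network's broadcast address, otherwise the line is suspect.
        if net.prefixlen != 24 or str(net.broadcast_address) != end:
            continue
        if net in seen:
            continue
        seen.add(net)
        nets.append(net)
    return nets


def apply_allowlist(nets, allowlist):
    """Drop any listed network that overlaps a network you never want to block.

    This is where "your definition of a false positive" goes: your own
    ranges, partners, or research scanners you have decided to tolerate.
    """
    allow = [ipaddress.ip_network(a) for a in allowlist]
    return [n for n in nets if not any(n.overlaps(a) for a in allow)]


def nftables_ruleset(nets, set_name="dshield_block"):
    """Render an nftables ruleset: an interval set plus an input-chain drop rule.

    Load with `nft -f <file>`; re-run hourly, since the feed changes hourly.
    """
    lines = [
        "table inet filter {",
        f"    set {set_name} {{",
        "        type ipv4_addr",
        "        flags interval",
    ]
    if nets:  # an empty "elements = { }" is not accepted by nft
        lines.append("        elements = { " + ", ".join(str(n) for n in nets) + " }")
    lines += [
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @{set_name} drop",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical local allowlist: pretend Example Net B is a scanner we tolerate.
    blocked = apply_allowlist(parse_block_list(SAMPLE_FEED), ["198.51.100.0/24"])
    print(nftables_ruleset(blocked))
```

To use this against the live feed, download https://isc.sans.edu/feeds/block.txt on an hourly schedule, pass its contents to `parse_block_list`, and keep the allowlist under version control so that a de-listing or a locally observed false positive is a reviewable change rather than an ad-hoc firewall edit.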

For more detailed data, use our API: https://isc.sans.edu/api

Johannes B. Ullrich, Ph.D.
