
SANS ISC: Updated DShield Blocklist - SANS Internet Storm Center SANS ISC InfoSec Forums

Updated DShield Blocklist

Earlier today, I updated how our "block list" is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, please note that this list is "as is" and use it at your risk. There will likely be some false positives from time to time, and of course, your definition of "false positives" may be different than ours.

The list, like before, lists /24 networks. We found in the past that this network size provides a reasonable balance between false positives and blocking sets of known misbehaving IPs efficiently.

Networks will be de-listed on request. We will not review the request for "maliciousness". But if you know you are listed, and you ask us to remove you, we will do so as soon as possible. 

To compile the list, we rank /24 networks based on the number of targets they attack. We only include reports if we received them from multiple submitters. Some common false positives are removed and not included in the ranking.

Of course, you can make up your lists using whatever data we provide. But please be aware that the purpose of our data is research, not blocking. We do not filter data displayed on our site for false positives. It is up to you to decide what is a false positive. For example, we do include "research scans" in our data, and even in our blocklists. Some may consider this a false positive.

"Top 10" blocklists do block Internet-wide, common scans. They will not protect you from targeted scans, and they will not protect you from all scans of this type. Please understand these limitations before applying this blocklist. The block list is updated once an hour.

URL of our blocklist:

For more detailed data, use our API:

Johannes B. Ullrich, Ph.D.
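
The ranking described in the post, sketched as an added example (this is not DShield's own code): source addresses are grouped into /24 networks, known false positives are dropped, networks seen by too few submitters are excluded, and the rest are ranked by distinct targets. The report tuple layout, the allowlist, the per-/24 `min_submitters` threshold, the `top_n` cutoff and all sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict


def rank_networks(reports, allowlist=(), min_submitters=2, top_n=20):
    """Rank source /24s by the number of distinct targets they hit."""
    excluded = [ipaddress.ip_network(n) for n in allowlist]
    targets = defaultdict(set)     # /24 -> distinct target IPs
    submitters = defaultdict(set)  # /24 -> distinct reporting submitters
    for submitter, src, dst in reports:
        addr = ipaddress.ip_address(src)
        if addr.version != 4:
            continue  # the list is /24-based, so only IPv4 sources apply
        if any(addr in net for net in excluded):
            continue  # known false positive: dropped before ranking
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        targets[net].add(dst)
        submitters[net].add(submitter)
    # Assumed reading of "multiple submitters": counted per /24 network.
    ranked = [
        (net, len(tgts)) for net, tgts in targets.items()
        if len(submitters[net]) >= min_submitters
    ]
    # Most targets first; ties broken by network address for stable output.
    ranked.sort(key=lambda item: (-item[1], int(item[0].network_address)))
    return [(str(net), count) for net, count in ranked[:top_n]]


# Constructed sample reports: (submitter, source IP, target IP).
SAMPLE_REPORTS = [
    ("A", "198.51.100.7", "10.0.0.1"), ("B", "198.51.100.7", "10.0.0.2"),
    ("A", "198.51.100.7", "10.0.1.5"), ("C", "198.51.100.99", "10.0.2.9"),
    ("A", "203.0.113.5", "10.0.0.1"), ("B", "203.0.113.5", "10.0.0.2"),
    # Single submitter only: never listed, however many targets it hits.
    *[("D", "198.18.5.5", f"10.1.0.{i}") for i in range(6)],
    # Constructed false-positive source, removed via the allowlist.
    *[("AB"[i % 2], "192.0.2.10", f"10.2.0.{i}") for i in range(5)],
]

if __name__ == "__main__":
    for net, count in rank_networks(SAMPLE_REPORTS, allowlist=["192.0.2.0/24"]):
        print(f"{net}\t{count} distinct targets")
```

Running it without the allowlist, or with `min_submitters=1`, shows how much each filter changes the top of the list.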



4514 Posts
ISC Handler
Sep 7th 2016
Is the Palo Alto block list the same or is there a correlation between the lists? From this diary: "Subscribing to the DShield Top 20 on a Palo Alto Networks Firewall". Also, is it possible to know why these ranges are on your list?


1 Posts
The list in the Palo Alto diary is the same list. This is the only blocklist we publish. At this point, there isn't an easy way to retrieve all the records from a /24, but I am working on that.

4514 Posts
ISC Handler
Since the purpose of the list is supposed to be more for research rather than for blocking, have you considered changing the name of the list? Just a thought.
Quoting Anonymous: Since the purpose of the list is supposed to be more for research rather than for blocking, have you considered changing the name of the list? Just a thought.

A research-oriented distributed intrusion detection system named "dshield" sounds sensible.
