Updated DShield Blocklist

Published: 2016-09-07. Last Updated: 2016-09-07 18:52:22 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Earlier today, I updated how our "block list" is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, please note that this list is provided "as is" and you use it at your own risk. There will likely be some false positives from time to time, and of course, your definition of "false positive" may be different from ours.

The list, like before, lists /24 networks. We found in the past that this network size provides a reasonable balance between false positives and blocking sets of known misbehaving IPs efficiently.

Networks will be de-listed on request. We will not review the request for "maliciousness". But if you know you are listed, and you ask us to remove you, we will do so as soon as possible. 

To compile the list, we rank /24 networks based on the number of targets they attack. We only include reports if we received them from multiple submitters. Some common false positives are removed and not included in the ranking.
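As an added illustration of that ranking rule (this is not ISC's own code, and the report tuples and the allowlist are constructed sample values), the following Python collapses source addresses into /24 networks, drops networks seen by only one submitter or on a known-false-positive allowlist, and ranks the rest by the number of distinct targets they hit:

```python
import ipaddress
from collections import defaultdict

# Constructed sample submissions: (source_ip, target_id, submitter_id).
# Documentation-range addresses, not real DShield data.
SAMPLE_REPORTS = [
    ("203.0.113.5", "t1", "subA"),
    ("203.0.113.9", "t2", "subB"),
    ("203.0.113.77", "t3", "subA"),
    ("198.51.100.2", "t1", "subA"),
    ("198.51.100.2", "t2", "subA"),  # only one submitter -> not rankable
    ("192.0.2.10", "t1", "subA"),
    ("192.0.2.11", "t4", "subC"),
    ("192.0.2.12", "t4", "subB"),
]

# Constructed allowlist: /24s treated as known false positives (hypothetical).
KNOWN_FALSE_POSITIVES = frozenset({ipaddress.ip_network("192.0.2.0/24")})


def to_slash24(ip):
    """Collapse an IPv4 address into its enclosing /24 network."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def rank_networks(reports, min_submitters=2, false_positives=frozenset()):
    """Return [(network, distinct_target_count)], highest count first."""
    targets = defaultdict(set)     # /24 -> set of target ids
    submitters = defaultdict(set)  # /24 -> set of submitter ids
    for src, target, submitter in reports:
        net = to_slash24(src)
        targets[net].add(target)
        submitters[net].add(submitter)
    ranked = []
    for net, seen_targets in targets.items():
        if net in false_positives:
            continue  # common false positive, excluded before ranking
        if len(submitters[net]) < min_submitters:
            continue  # require corroboration from multiple submitters
        ranked.append((net, len(seen_targets)))
    # Most targets first; tie-break on network address for a stable list.
    ranked.sort(key=lambda item: (-item[1], int(item[0].network_address)))
    return ranked


def build_blocklist(reports, top_n=10, **kwargs):
    """Top-N /24 networks as strings, the shape of a 'Top 10' style list."""
    return [str(net) for net, _ in rank_networks(reports, **kwargs)[:top_n]]


if __name__ == "__main__":
    print(build_blocklist(SAMPLE_REPORTS, false_positives=KNOWN_FALSE_POSITIVES))
```

Note that 198.51.100.0/24 hits two targets but is reported by a single submitter, so it never enters the ranking; the allowlisted 192.0.2.0/24 is dropped even though three submitters reported it.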

Of course, you can make up your own lists using whatever data we provide. But please be aware that the purpose of our data is research, not blocking. We do not filter the data displayed on our site for false positives. It is up to you to decide what is a false positive. For example, we do include "research scans" in our data, and even in our blocklists. Some may consider this a false positive.

"Top 10" blocklists do block Internet-wide, common scans. They will not protect you from targeted scans, and they will not protect you from all scans of this type. Please understand these limitations before applying this blocklist. The block list is updated once an hour.

URL of our blocklist: https://isc.sans.edu/feeds/block.txt

For more detailed data, use our API: https://isc.sans.edu/api

---
Johannes B. Ullrich, Ph.D.

Comments

Is the Palo Alto block list the same or is there a correlation between the lists? From this diary: "Subscribing to the DShield Top 20 on a Palo Alto Networks Firewall". Also, is it possible to know why these ranges are on your list?

Thanks!
Jason
The list in the Palo Alto diary is the same list. This is the only blocklist we publish. At this point, there isn't an easy way to retrieve all the records from a /24, but I am working on that.
Since the purpose of the list is supposed to be more for research rather than for blocking, have you considered changing the name of the list? Just a thought.
[quote=comment#37723]Since the purpose of the list is supposed to be more for research rather than for blocking, have you considered changing the name of the list? Just a thought.[/quote]

A research-oriented distributed intrusion detection system named "dshield" sounds sensible.