About

FireHOL database of abusive IPs.

Databases

nameinfotypeentriesupdate
alienvault_reputationAlienVault.com IP reputation databaseipv4 hash:ip69032 unique IPsupdated every 6 hours from this link
asprox_c2h3x.eu ASPROX Tracker - Asprox C&C Sitesipv4 hash:ip0 unique IPsupdated every 1 day from this link
bambenek_banjoriBambenek Consulting feed of current IPs of banjori C&Cs with 90 minute lookbackipv4 hash:ip113 unique IPsupdated every 30 mins from this link
bambenek_beblohBambenek Consulting feed of current IPs of bebloh C&Cs with 90 minute lookbackipv4 hash:ip1 unique IPsupdated every 30 mins from this link
bambenek_c2Bambenek Consulting master feed of known, active and non-sinkholed C&Cs IP addressesipv4 hash:ip376 unique IPsupdated every 30 mins from this link
bambenek_clBambenek Consulting feed of current IPs of cl C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_cryptowallBambenek Consulting feed of current IPs of cryptowall C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_dircryptBambenek Consulting feed of current IPs of dircrypt C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_dyreBambenek Consulting feed of current IPs of dyre C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_geodoBambenek Consulting feed of current IPs of geodo C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_hesperbotBambenek Consulting feed of current IPs of hesperbot C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_matsnuBambenek Consulting feed of current IPs of matsnu C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_necursBambenek Consulting feed of current IPs of necurs C&Cs with 90 minute lookbackipv4 hash:ip11 unique IPsupdated every 30 mins from this link
bambenek_p2pgozBambenek Consulting feed of current IPs of p2pgoz C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_pushdoBambenek Consulting feed of current IPs of pushdo C&Cs with 90 minute lookbackipv4 hash:ip1 unique IPsupdated every 30 mins from this link
bambenek_pykspaBambenek Consulting feed of current IPs of pykspa C&Cs with 90 minute lookbackipv4 hash:ip5 unique IPsupdated every 30 mins from this link
bambenek_qakbotBambenek Consulting feed of current IPs of qakbot C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_ramnitBambenek Consulting feed of current IPs of ramnit C&Cs with 90 minute lookbackipv4 hash:ip40 unique IPsupdated every 30 mins from this link
bambenek_ranbyusBambenek Consulting feed of current IPs of ranbyus C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_simdaBambenek Consulting feed of current IPs of simda C&Cs with 90 minute lookbackipv4 hash:ip113 unique IPsupdated every 30 mins from this link
bambenek_suppoboxBambenek Consulting feed of current IPs of suppobox C&Cs with 90 minute lookbackipv4 hash:ip38 unique IPsupdated every 30 mins from this link
bambenek_symmiBambenek Consulting feed of current IPs of symmi C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bambenek_tinbaBambenek Consulting feed of current IPs of tinba C&Cs with 90 minute lookbackipv4 hash:ip3 unique IPsupdated every 30 mins from this link
bambenek_volatileBambenek Consulting feed of current IPs of volatile C&Cs with 90 minute lookbackipv4 hash:ip0 unique IPsupdated every 30 mins from this link
bbcan177_ms1pfBlockerNG Malicious Threatsipv4 hash:net2565 subnets, 5268567 unique IPsupdated every 1 day from this link
bbcan177_ms3pfBlockerNG Malicious Threatsipv4 hash:net1146 subnets, 30151694 unique IPsupdated every 1 day from this link
bds_atifArtillery Threat Intelligence Feed and Banlist Feedipv4 hash:ip270 unique IPsupdated every 1 day from this link
bi_any_2_1dBadIPs.com Bad IPs in category any with score above 2 and age less than 1dipv4 hash:ip154 unique IPsupdated every 30 mins from this link
bi_any_2_30dBadIPs.com Bad IPs in category any with score above 2 and age less than 30dipv4 hash:ip4999 unique IPsupdated every 1 day from this link
bi_any_2_7dBadIPs.com Bad IPs in category any with score above 2 and age less than 7dipv4 hash:ip713 unique IPsupdated every 6 hours from this link
bi_bruteforce_2_30dBadIPs.com Bad IPs in category bruteforce with score above 2 and age less than 30dipv4 hash:ip0 unique IPsupdated every 1 day from this link
bi_ftp_2_30dBadIPs.com Bad IPs in category ftp with score above 2 and age less than 30dipv4 hash:ip16 unique IPsupdated every 1 day from this link
bi_http_2_30dBadIPs.com Bad IPs in category http with score above 2 and age less than 30dipv4 hash:ip94 unique IPsupdated every 1 day from this link
bi_mail_2_30dBadIPs.com Bad IPs in category mail with score above 2 and age less than 30dipv4 hash:ip1308 unique IPsupdated every 1 day from this link
bi_proxy_2_30dBadIPs.com Bad IPs in category proxy with score above 2 and age less than 30dipv4 hash:ip0 unique IPsupdated every 1 day from this link
bi_sql_2_30dBadIPs.com Bad IPs in category sql with score above 2 and age less than 30dipv4 hash:ip0 unique IPsupdated every 1 day from this link
bi_ssh_2_30dBadIPs.com Bad IPs in category ssh with score above 2 and age less than 30dipv4 hash:ip3609 unique IPsupdated every 1 day from this link
bi_voip_2_30dBadIPs.com Bad IPs in category voip with score above 2 and age less than 30dipv4 hash:ip5 unique IPsupdated every 1 day from this link
bitcoin_blockchain_infoBlockchain.info Bitcoin nodes connected to Blockchain.info.ipv4 hash:ip646 unique IPsupdated every 10 mins from this link
bitcoin_blockchain_info_1dBlockchain.info Bitcoin nodes connected to Blockchain.info.ipv4 hash:ip988 unique IPsupdated every 10 mins from this link
bitcoin_blockchain_info_30dBlockchain.info Bitcoin nodes connected to Blockchain.info.ipv4 hash:ip8196 unique IPsupdated every 10 mins from this link
bitcoin_blockchain_info_7dBlockchain.info Bitcoin nodes connected to Blockchain.info.ipv4 hash:ip2636 unique IPsupdated every 10 mins from this link
bitcoin_nodesBitNodes Bitcoin connected nodes, globally.ipv4 hash:ip8664 unique IPsupdated every 10 mins from this link
bitcoin_nodes_1dBitNodes Bitcoin connected nodes, globally.ipv4 hash:ip10371 unique IPsupdated every 10 mins from this link
bitcoin_nodes_30dBitNodes Bitcoin connected nodes, globally.ipv4 hash:ip28498 unique IPsupdated every 10 mins from this link
bitcoin_nodes_7dBitNodes Bitcoin connected nodes, globally.ipv4 hash:ip15248 unique IPsupdated every 10 mins from this link
blocklist_deBlocklist.de IPs that have been detected by fail2ban in the last 48 hoursipv4 hash:ip27360 unique IPsupdated every 15 mins from this link
blocklist_de_apacheBlocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks.ipv4 hash:ip8994 unique IPsupdated every 15 mins from this link
blocklist_de_botsBlocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = it has posted a Spam-Comment on a open Forum or Wiki).ipv4 hash:ip132 unique IPsupdated every 15 mins from this link
blocklist_de_bruteforceBlocklist.de All IPs which attacks Joomla, Wordpress and other Web-Logins with Brute-Force Logins.ipv4 hash:ip536 unique IPsupdated every 15 mins from this link
blocklist_de_ftpBlocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP.ipv4 hash:ip658 unique IPsupdated every 15 mins from this link
blocklist_de_imapBlocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3, etc.ipv4 hash:ip3337 unique IPsupdated every 15 mins from this link
blocklist_de_mailBlocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix.ipv4 hash:ip15039 unique IPsupdated every 15 mins from this link
blocklist_de_sipBlocklist.de All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from infiltrated.netipv4 hash:ip175 unique IPsupdated every 15 mins from this link
blocklist_de_sshBlocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH.ipv4 hash:ip10643 unique IPsupdated every 15 mins from this link
blocklist_de_strongipsBlocklist.de All IPs which are older then 2 month and have more then 5.000 attacks.ipv4 hash:ip105 unique IPsupdated every 15 mins from this link
blocklist_net_uablocklist.net.ua The BlockList project was created to become protection against negative influence of the harmful and potentially dangerous events on the Internet. First of all this service will help internet and hosting providers to protect subscribers sites from being hacked. BlockList will help to stop receiving a large amount of spam from dubious SMTP relays or from attempts of brute force passwords to servers and network equipment.ipv4 hash:ip16634 unique IPsupdated every 10 mins from this link
blueliv_crimeserver_lastblueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)ipv4 hash:ip10697 unique IPsupdated every 6 hours
blueliv_crimeserver_last_1dblueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)ipv4 hash:ip11508 unique IPsupdated every 6 hours
blueliv_crimeserver_last_2dblueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)ipv4 hash:ip12138 unique IPsupdated every 6 hours
blueliv_crimeserver_last_30dblueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)ipv4 hash:ip23051 unique IPsupdated every 6 hours
blueliv_crimeserver_last_7dblueliv.com Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)ipv4 hash:ip16501 unique IPsupdated every 6 hours
blueliv_crimeserver_onlineblueliv.com Online Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)ipv4 hash:ip60890 unique IPsupdated every 1 day
blueliv_crimeserver_recentblueliv.com Recent Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)ipv4 hash:ip11194 unique IPsupdated every 1 day
bm_tortorstatus.blutmagie.de list of all TOR network serversipv4 hash:ip6285 unique IPsupdated every 30 mins from this link
bogonsTeam-Cymru.org private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and netblocks that have not been allocated to a regional internet registryipv4 hash:net13 subnets, 592708608 unique IPsupdated every 1 day from this link
botscoutBotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.ipv4 hash:ip25 unique IPsupdated every 30 mins from this link
botscout_1dBotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.ipv4 hash:ip932 unique IPsupdated every 30 mins from this link
botscout_30dBotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.ipv4 hash:ip14795 unique IPsupdated every 30 mins from this link
botscout_7dBotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.ipv4 hash:ip4878 unique IPsupdated every 30 mins from this link
botvrij_dstbotvrij.eu Indicators of Compromise (IOCS) about malicious destination IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed.ipv4 hash:ip130 unique IPsupdated every 1 day from this link
botvrij_srcbotvrij.eu Indicators of Compromise (IOCS) about malicious source IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed.ipv4 hash:ip5 unique IPsupdated every 1 day from this link
bruteforceblockerdanger.rulez.sk bruteforceblocker (fail2ban alternative for SSH on OpenBSD). This is an automatically generated list from users reporting failed authentication attempts. An IP seems to be included if 3 or more users report it. Its retention pocily seems 30 days.ipv4 hash:ip2081 unique IPsupdated every 3 hours from this link
chaosreigns_iprep0ChaosReigns.com The iprep0 list includes all IPs that sent only spam emails. This is an automated, free, public email IP reputation system. The primary goal is a whitelist. Other data is provided as a consequence.ipv4 hash:ip5323 unique IPsupdated every 1 day from this link
chaosreigns_iprep100ChaosReigns.com The iprep100 list includes all IPs that sent 100% ham emails. This is an automated, free, public email IP reputation system. The primary goal is a whitelist. Other data is provided as a consequence.ipv4 hash:ip5323 unique IPsupdated every 1 day from this link
chaosreigns_iprep50ChaosReigns.com The iprep50 list includes all IPs that sent both ham and spam emails. This is an automated, free, public email IP reputation system. The primary goal is a whitelist. Other data is provided as a consequence.ipv4 hash:ip5323 unique IPsupdated every 1 day from this link
ciarmyCIArmy.com IPs with poor Rogue Packet score that have not yet been identified as malicious by the communityipv4 hash:ip15000 unique IPsupdated every 3 hours from this link
cidr_report_bogonsUnallocated (Free) Address Space, generated on a daily basis using the IANA registry files, the Regional Internet Registry stats files and the Regional Internet Registry whois data.ipv4 hash:net4090 subnets, 600812232 unique IPsupdated every 1 day from this link
cleanmx_phishingClean-MX.de IPs sending phishing messagesipv4 hash:ip4519 unique IPsupdated every 30 mins from this link
cleanmx_virusesClean-MX.de IPs with virusesipv4 hash:ip12190 unique IPsupdated every 30 mins from this link
cleantalkCleanTalk Today's HTTP Spammers (includes: cleantalk_new cleantalk_updated)ipv4 hash:ip2926 unique IPsupdated every 1 min
cleantalk_1dCleanTalk Today's HTTP Spammers (includes: cleantalk_new_1d cleantalk_updated_1d)ipv4 hash:ip30334 unique IPsupdated every 1 min
cleantalk_30dCleanTalk Today's HTTP Spammers (includes: cleantalk_new_30d cleantalk_updated_30d)ipv4 hash:ip126875 unique IPsupdated every 1 min
cleantalk_7dCleanTalk Today's HTTP Spammers (includes: cleantalk_new_7d cleantalk_updated_7d)ipv4 hash:ip64861 unique IPsupdated every 1 min
cleantalk_newCleanTalk Recent HTTP Spammersipv4 hash:ip971 unique IPsupdated every 15 mins from this link
cleantalk_new_1dCleanTalk Recent HTTP Spammersipv4 hash:ip1958 unique IPsupdated every 15 mins from this link
cleantalk_new_30dCleanTalk Recent HTTP Spammersipv4 hash:ip28831 unique IPsupdated every 15 mins from this link
cleantalk_new_7dCleanTalk Recent HTTP Spammersipv4 hash:ip8191 unique IPsupdated every 15 mins from this link
cleantalk_top20CleanTalk Top 20 HTTP Spammersipv4 hash:ip20 unique IPsupdated every 1 day from this link
cleantalk_updatedCleanTalk Recurring HTTP Spammersipv4 hash:ip2000 unique IPsupdated every 15 mins from this link
cleantalk_updated_1dCleanTalk Recurring HTTP Spammersipv4 hash:ip35835 unique IPsupdated every 15 mins from this link
cleantalk_updated_30dCleanTalk Recurring HTTP Spammersipv4 hash:ip169168 unique IPsupdated every 15 mins from this link
cleantalk_updated_7dCleanTalk Recurring HTTP Spammersipv4 hash:ip84477 unique IPsupdated every 15 mins from this link
cruzit_web_attacksCruzIt.com IPs of compromised machines scanning for vulnerabilities and DDOS attacksipv4 hash:ip7616 unique IPsupdated every 12 hours from this link
cta_cryptowallCyber Threat Alliance CryptoWall is one of the most lucrative and broad-reaching ransomware campaigns affecting Internet users today. Sharing intelligence and analysis resources, the CTA profiled the latest version of CryptoWall, which impacted hundreds of thousands of users, resulting in over US $325 million in damages worldwide.|ipv4 hash:ip|1360 unique IPs|updated every 1 day from [[https://public.tableau.com/views/CTAOnlineViz/DashboardData.csv?:embed=y&:showVizHome=no&:showTabs=y&:display_count=y&:display_static_image=y&:bootstrapWhenNotified=true|this link]]| |[[http://iplists.firehol.org/?ipset=cta_cryptowall|cta_cryptowall]]|[[http://www.cyberthreatalliance.org/cryptowall-dashboard.html|Cyber Threat Alliance]] CryptoWall is one of the most lucrative and broad-reaching ransomware campaigns affecting Internet users today. Sharing intelligence and analysis resources, the CTA profiled the latest version of CryptoWall, which impacted hundreds of thousands of users, resulting in over US $325 million in damages worldwide.ipv4 hash:ip1229 unique IPsupdated every 1 day from this link
cybercrimeCyberCrime A project tracking Command and Control.ipv4 hash:ip15 unique IPsupdated every 12 hours from this link
darklist_dedarklist.de ssh fail2ban reportingipv4 hash:net836 subnets, 6709 unique IPsupdated every 1 day from this link
dataplane_dnsrdDataPlane.org IP addresses that have been identified as sending recursive DNS queries to a remote host. This report lists addresses that may be cataloging open DNS resolvers or evaluating cache entries.ipv4 hash:ip331 unique IPsupdated every 1 hour
dataplane_dnsrdanyDataPlane.org IP addresses that have been identified as sending recursive DNS IN ANY queries to a remote host. This report lists addresses that may be cataloging open DNS resolvers for the purpose of later using them to facilitate DNS amplification and reflection attacks.ipv4 hash:ip16 unique IPsupdated every 1 hour
dataplane_dnsversionDataPlane.org IP addresses that have been identified as sending DNS CH TXT VERSION.BIND queries to a remote host. This report lists addresses that may be cataloging DNS software.ipv4 hash:ip217 unique IPsupdated every 1 hour
dataplane_sipinvitationDataPlane.org IP addresses that have been seen initiating a SIP INVITE operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP client cataloging or conducting various forms of telephony abuse.ipv4 hash:ip18 unique IPsupdated every 1 hour
dataplane_sipqueryDataPlane.org IP addresses that has been seen initiating a SIP OPTIONS query to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP server cataloging or conducting various forms of telephony abuse.ipv4 hash:ip456 unique IPsupdated every 1 hour
dataplane_sipregistrationDataPlane.org IP addresses that have been seen initiating a SIP REGISTER operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP client cataloging or conducting various forms of telephony abuse.ipv4 hash:ip14 unique IPsupdated every 1 hour
dataplane_sshclientDataPlane.org IP addresses that has been seen initiating an SSH connection to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SSH server cataloging or conducting authentication attack attempts.ipv4 hash:ip14657 unique IPsupdated every 1 hour
dataplane_sshpwauthDataPlane.org IP addresses that has been seen attempting to remotely login to a host using SSH password authentication. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.ipv4 hash:ip12693 unique IPsupdated every 1 hour
dataplane_vncrfbDataPlane.org IP addresses that have been seen initiating a VNC remote frame buffer (RFB) session to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be VNC server cataloging or conducting various forms of remote access abuse.ipv4 hash:ip412 unique IPsupdated every 1 hour
dm_tordan.me.uk dynamic list of TOR nodesipv4 hash:ip6283 unique IPsupdated every 30 mins from this link
dragon_httpDragon Research Group IPs that have been seen sending HTTP requests to Dragon Research Pods in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious HTTP attacks. LEGITIMATE SEARCH ENGINE BOTS MAY BE IN THIS LIST. This report is informational. It is not a blacklist, but some operators may choose to use it to help protect their networks and hosts in the forms of automated reporting and mitigation services.ipv4 hash:net219 subnets, 59136 unique IPsupdated every 1 hour from this link
dragon_sshpauthDragon Research Group IP address that has been seen attempting to remotely login to a host using SSH password authentication, in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.ipv4 hash:net324 subnets, 333 unique IPsupdated every 1 hour from this link
dragon_vncprobeDragon Research Group IP address that has been seen attempting to remotely connect to a host running the VNC application service, in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious VNC probes or VNC brute force attacks.ipv4 hash:net60 subnets, 60 unique IPsupdated every 1 hour from this link
dronebl_anonymizersDroneBL.org List of open proxies. It includes IPs which DroneBL categorizes as SOCKS proxies (8), HTTP proxies (9), web page proxies (11), WinGate proxies (14), proxy chains (10).ipv4 hash:net660334 subnets, 689319 unique IPsupdated every 1 min
dronebl_auto_botnetsDroneBL.org IPs of automatically detected botnets. It includes IPs for which DroneBL responds with 17.ipv4 hash:net303030 subnets, 312583 unique IPsupdated every 1 min
dronebl_autorooting_wormsDroneBL.org IPs of autorooting worms. It includes IPs for which DroneBL responds with 16. These are usually SSH bruteforce attacks.ipv4 hash:net969 subnets, 1044 unique IPsupdated every 1 min
dronebl_compromisedDroneBL.org IPs of compromised routers / gateways. It includes IPs for which DroneBL responds with 15 (BOPM detected).ipv4 hash:net5801 subnets, 5894 unique IPsupdated every 1 min
dronebl_ddos_dronesDroneBL.org IPs of DDoS drones. It includes IPs for which DroneBL responds with 7.ipv4 hash:net354546 subnets, 366882 unique IPsupdated every 1 min
dronebl_dns_mx_on_ircDroneBL.org List of IPs of DNS / MX hostname detected on IRC. It includes IPs for which DroneBL responds with 18.ipv4 hash:net2921 subnets, 2977 unique IPsupdated every 1 min
dronebl_irc_dronesDroneBL.org List of IRC spam drones (litmus/sdbot/fyle). It includes IPs for which DroneBL responds with 3.ipv4 hash:net63585 subnets, 64404 unique IPsupdated every 1 min
dronebl_unknownDroneBL.org List of IPs of uncategorized threats. It includes IPs for which DroneBL responds with 255.ipv4 hash:net34 subnets, 35 unique IPs
dronebl_worms_botsDroneBL.org IPs of unknown worms or spambots. It includes IPs for which DroneBL responds with 6ipv4 hash:net57642 subnets, 134205 unique IPsupdated every 1 min
dshieldDShield.org top 20 attacking class C (/24) subnets over the last three daysipv4 hash:net20 subnets, 5120 unique IPsupdated every 10 mins from this link
dshield_1dDShield.org top 20 attacking class C (/24) subnets over the last three daysipv4 hash:net32 subnets, 8192 unique IPsupdated every 10 mins from this link
dshield_30dDShield.org top 20 attacking class C (/24) subnets over the last three daysipv4 hash:net123 subnets, 34048 unique IPsupdated every 10 mins from this link
dshield_7dDShield.org top 20 attacking class C (/24) subnets over the last three daysipv4 hash:net62 subnets, 16896 unique IPsupdated every 10 mins from this link
dshield_top_1000DShield.org top 1000 attacking hosts in the last 30 daysipv4 hash:ip899 unique IPsupdated every 1 hour from this link
dyndns_ponmocupDynDNS.org Ponmocup. The malware powering the botnet has been around since 2006 and it’s known under various names, including Ponmocup, Vundo, Virtumonde, Milicenso and Swisyn. It has been used for ad fraud, data theft and downloading additional threats to infected systems. Ponmocup is one of the largest currently active and, with nine consecutive years, also one of the longest running, but it is rarely noticed as the operators take care to keep it operating under the radar.ipv4 hash:ip161 unique IPsupdated every 1 day from this link
esentire_14072015_comMalicious Botnet Serving Various Malware Familiesipv4 hash:ip579 unique IPsupdated every 1 day from this link
esentire_14072015q_comMalicious Botnet Serving Various Malware Familiesipv4 hash:ip575 unique IPsupdated every 1 day from this link
esentire_22072014a_comMalicious Botnet Serving Various Malware Familiesipv4 hash:ip1290 unique IPsupdated every 1 day from this link
esentire_22072014b_comMalicious Botnet Serving Various Malware Familiesipv4 hash:ip1288 unique IPsupdated every 1 day from this link
esentire_22072014c_comMalicious Botnet Serving Various Malware Familiesipv4 hash:ip1289 unique IPsupdated every 1 day from this link
esentire_atomictrivia_ruMalicious Botnet Serving Various Malware Familiesipv4 hash:ip7 unique IPsupdated every 1 day from this link
esentire_auth_update_ruMalicious Botnet Serving Various Malware Familiesipv4 hash:ip1306 unique IPsupdated every 1 day from this link
esentire_burmundisoul_ruUrsnif Variant CnCipv4 hash:ipdisabledupdated every 1 day from this link
esentire_crazyerror_suMalicious Botnet Serving Various Malware Familiesipv4 hash:ip18613 unique IPsupdated every 1 day from this link
esentire_dagestanskiiviskis_ruUrsnif Variant CnCipv4 hash:ip517 unique IPsupdated every 1 day from this link
esentire_differentia_ruMalicious Botnet Serving Various Malware Familiesipv4 hash:ip12 unique IPsupdated every 1 day from this link
esentire_disorderstatus_ruMalicious Botnet Serving Various Malware Familiesipv4 hash:ip7 unique IPsupdated every 1 day from this link
esentire_dorttlokolrt_comMalicious Botnet Serving Various Malware Familiesipv4 hash:ip23664 unique IPsupdated every 1 day from this link
esentire_downs1_ruMalicious Botnet Serving Various Malware Familiesipv4 hash:ip7231 unique IPsupdated every 1 day from this link
esentire_ebankoalalusys_ruUrsnif Variant CnCipv4 hash:ip898 unique IPsupdated every 1 day from this link
esentire_emptyarray_ruMalicious Botnet Serving Various Malware Familiesipv4 hash:ip20139 unique IPsupdated every 1 day from this link
esentire_fioartd_comAndromeda/Gamarue Checkinipv4 hash:ip601 unique IPsupdated every 1 day from this link
esentire_getarohirodrons_comAndromeda/Gamarue Checkinipv4 hash:ip2156 unique IPsupdated every 1 day from this link
esentire_hasanhashsde_ruUrsnif Variant CnCipv4 hash:ip1184 unique IPsupdated every 1 day from this link
esentire_inleet_ruUrsnif Variant CnCipv4 hash:ip4219 unique IPsupdated every 1 day from this link
esentire_islamislamdi_ruUrsnif Variant CnCipv4 hash:ip673 unique IPsupdated every 1 day from this link
esentire_krnqlwlplttc_comMalicious Botnet Serving Various Malware Familiesipv4 hash:ip2 unique IPsupdated every 1 day from this link
esentire_maddox1_ruMalicious Botnet Serving Various Malware Familiesipv4 hash:ip11345 unique IPsupdated every 1 day from this link
esentire_manning1_ruMalicious Botnet Serving Various Malware Familiesipv4 hash:ip6824 unique IPsupdated every 1 day from this link
esentire_misteryherson_ruUrsnif Variant CnCipv4 hash:ip176 unique IPsupdated every 1 day from this link
esentire_mysebstarion_ruUrsnif Variant CnCipv4 hash:ip1058 unique IPsupdated every 1 day from this link
esentire_smartfoodsglutenfree_kzMalicious Botnet Serving Various Malware Familiesipv4 hash:ip2674 unique IPsupdated every 1 day from this link
esentire_venerologvasan93_ruUrsnif Variant CnCipv4 hash:ip1263 unique IPsupdated every 1 day from this link
esentire_volaya_ruWin32/PSW.Papras.CK CnCipv4 hash:ip5080 unique IPsupdated every 1 day from this link
et_blockEmergingThreats.net default blacklist (at the time of writing includes spamhaus DROP, dshield and abuse.ch trackers, which are available separately too - prefer to use the direct ipsets instead of this, they seem to lag a bit in updates)ipv4 hash:net1986 subnets, 24411562 unique IPsupdated every 12 hours from this link
et_botccEmergingThreats.net Command and Control IPs These IPs are updates every 24 hours and should be considered VERY highly reliable indications that a host is communicating with a known and active Bot or Malware command and control server - (although they say this includes abuse.ch trackers, it does not - check its overlaps)ipv4 hash:ip734 unique IPsupdated every 12 hours from this link
et_compromisedEmergingThreats.net compromised hostsipv4 hash:ip2069 unique IPsupdated every 12 hours from this link
et_dshieldEmergingThreats.net dshield blocklistipv4 hash:net20 subnets, 5120 unique IPsupdated every 12 hours from this link
et_spamhausEmergingThreats.net spamhaus blocklistipv4 hash:net777 subnets, 24405504 unique IPsupdated every 12 hours from this link
et_torEmergingThreats.net TOR list of TOR network IPsipv4 hash:ip6290 unique IPsupdated every 12 hours from this link
feodoAbuse.ch Feodo tracker trojan includes IPs which are being used by Feodo (also known as Cridex or Bugat) which commits ebanking fraudipv4 hash:ip1078 unique IPsupdated every 30 mins from this link
feodo_badipsAbuse.ch Feodo tracker BadIPs The Feodo Tracker Feodo BadIP Blocklist only contains IP addresses (IPv4) used as C&C communication channel by the Feodo Trojan version B. These IP addresses are usually servers rented by cybercriminals directly and used for the exclusive purpose of hosting a Feodo C&C server. Hence you should expect no legit traffic to those IP addresses. The site highly recommends you to block/drop any traffic towards any Feodo C&C using the Feodo BadIP Blocklist. Please consider that this blocklist only contains IP addresses used by version B of the Feodo Trojan. C&C communication channels used by version A, version C and version D are not covered by this blocklist.ipv4 hash:ip0 unique IPsupdated every 30 mins from this link
firehol_abusers_1dAn ipset made from blocklists that track abusers in the last 24 hours. (includes: botscout_1d cleantalk_new_1d cleantalk_updated_1d php_commenters_1d php_dictionary_1d php_harvesters_1d php_spammers_1d stopforumspam_1d)ipv4 hash:net36952 subnets, 40078 unique IPsupdated every 1 min
firehol_abusers_30dAn ipset made from blocklists that track abusers in the last 30 days. (includes: cleantalk_new_30d cleantalk_updated_30d php_commenters_30d php_dictionary_30d php_harvesters_30d php_spammers_30d stopforumspam sblam)ipv4 hash:net249118 subnets, 281636 unique IPsupdated every 1 min
firehol_anonymousAn ipset that includes all the anonymizing IPs of the world. (includes: anonymous bm_tor dm_tor firehol_proxies tor_exits)ipv4 hash:net35610 subnets, 45060 unique IPsupdated every 1 min
firehol_level1A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw)ipv4 hash:net6639 subnets, 650498093 unique IPsupdated every 1 min
firehol_level2An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow)ipv4 hash:net20404 subnets, 37060 unique IPsupdated every 1 min
firehol_level3An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dragon_http dragon_sshpauth dragon_vncprobe dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter zeus vxvault)ipv4 hash:net32369 subnets, 125263 unique IPsupdated every 1 min
firehol_level4An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: cleanmx_viruses blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist)ipv4 hash:net80030 subnets, 9403525 unique IPsupdated every 1 min
firehol_proxiesAn ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. (includes: iblocklist_proxies maxmind_proxy_fraud proxylists_30d proxyrss_30d proxz_30d proxyspy_30d ri_connect_proxies_30d ri_web_proxies_30d socks_proxy_30d sslproxies_30d xroxy_30d)ipv4 hash:net29660 subnets, 33157 unique IPsupdated every 1 min
firehol_webclientAn IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: ransomware_online sslbl_aggressive cybercrime dyndns_ponmocup maxmind_proxy_fraud)ipv4 hash:net3938 subnets, 4003 unique IPsupdated every 1 min
firehol_webserverA web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous). (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)ipv4 hash:net4250 subnets, 34676642 unique IPsupdated every 1 min
fullbogonsTeam-Cymru.org IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-useripv4 hash:net3871 subnets, 625362312 unique IPsupdated every 1 day
geolite2_countryMaxMind GeoLite2 databases are free IP geolocation databases comparable to, but less accurate than, MaxMind’s GeoIP2 databases. They include IPs per country, IPs per continent, IPs used by anonymous services (VPNs, Proxies, etc) and Satellite Providers.ipv4 hash:netAll the worldupdated every 7 days from this link
gofferje_sipStefan Gofferje A personal blacklist of networks and IPs of SIP attackers. To end up here, the IP or network must have been the origin of considerable and repeated attacks on my PBX and additionally, the ISP didn't react to any complaint. Note from the author: I don't give any guarantees of accuracy, completeness or even usability! USE AT YOUR OWN RISK! Also note that I block complete countries, namely China, Korea and Palestine with blocklists from ipdeny.com, so some attackers will never even get the chance to get noticed by me to be put on this blacklist. I also don't accept any liabilities related to this blocklist. If you're an ISP and don't like your IPs being listed here, too bad! You should have done something about your customers' behavior and reacted to my complaints. This blocklist is nothing but an expression of my personal opinion and exercising my right of free speech.ipv4 hash:net2173 subnets, 1096082 unique IPsupdated every 6 hours from this link
gpf_comicsThe GPF DNS Block List is a list of IP addresses on the Internet that have attacked the GPF Comics family of Web sites. IPs on this block list have been banned from accessing all of our servers because they were caught in the act of spamming, attempting to exploit our scripts, scanning for vulnerabilities, or consuming resources to the detriment of our human visitors.ipv4 hash:ip2807 unique IPsupdated every 1 day from this link
graphiclinewebGraphiclineWeb The IP’s, Hosts and Domains listed in this table are banned universally from accessing websites controlled by the maintainer. Some form of bad activity has been seen from the addresses listed. Bad activity includes: unwanted spiders, rule breakers, comment spammers, trackback spammers, spambots, hacker bots, registration bots and other scripting attackers, harvesters, nuisance spiders, spy bots and organisations spying on websites for commercial reasons.ipv4 hash:net2579 subnets, 330527 unique IPsupdated every 1 day from this link
graphiclinewebGraphiclineWeb The IP’s, Hosts and Domains listed in this table are banned universally from accessing websites controlled by the maintainer. Some form of bad activity has been seen from the addresses listed. Bad activity includes: unwanted spiders, rule breakers, comment spammers, trackback spammers, spambots, hacker bots, registration bots and other scripting attackers, harvesters, nuisance spiders, spy bots and organisations spying on websites for commercial reasons.ipv4 hash:net2579 subnets, 330527 unique IPsupdated every 1 day from this link
greensnowGreenSnow is a team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc.ipv4 hash:ip2109 unique IPsupdated every 30 mins from this link
haley_sshCharles Haley IPs launching SSH dictionary attacks.ipv4 hash:ip25494 unique IPsupdated every 4 hours from this link
hphosts_atshpHosts ad/tracking servers listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip14726 unique IPsupdated every 1 day from this link
hphosts_emdhpHosts malware sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip28060 unique IPsupdated every 1 day from this link
hphosts_exphpHosts exploit sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip314 unique IPsupdated every 1 day from this link
hphosts_fsahpHosts fraud sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip27291 unique IPsupdated every 1 day from this link
hphosts_grmhpHosts sites involved in spam (that do not otherwise meet any other classification criteria) listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip330 unique IPsupdated every 1 day from this link
hphosts_hfshpHosts sites spamming the hpHosts forums (and not meeting any other classification criteria) listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip262 unique IPsupdated every 1 day from this link
hphosts_hjkhpHosts hijack sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip57 unique IPsupdated every 1 day from this link
hphosts_mmthpHosts sites involved in misleading marketing (e.g. fake Flash update adverts) listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip1136 unique IPsupdated every 1 day from this link
hphosts_phahpHosts illegal pharmacy sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip1924 unique IPsupdated every 1 day from this link
hphosts_pshhpHosts phishing sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip33881 unique IPsupdated every 1 day from this link
hphosts_wrzhpHosts warez/piracy sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.ipv4 hash:ip1052 unique IPsupdated every 1 day from this link
iblocklist_abuse_palevopalevotracker.abuse.ch IP blocklist.ipv4 hash:net12 subnets, 12 unique IPsupdated every 12 hours from this link
iblocklist_abuse_spyeyespyeyetracker.abuse.ch IP blocklist.ipv4 hash:net83 subnets, 84 unique IPsupdated every 12 hours from this link
iblocklist_abuse_spyeyespyeyetracker.abuse.ch IP blocklist.ipv4 hash:net83 subnets, 84 unique IPsupdated every 12 hours from this link
iblocklist_abuse_zeuszeustracker.abuse.ch IP blocklist that contains IP addresses which are currently beeing tracked on the abuse.ch ZeuS Tracker.ipv4 hash:net209 subnets, 212 unique IPsupdated every 12 hours from this link
iblocklist_abuse_zeuszeustracker.abuse.ch IP blocklist that contains IP addresses which are currently beeing tracked on the abuse.ch ZeuS Tracker.ipv4 hash:net209 subnets, 212 unique IPsupdated every 12 hours from this link
iblocklist_adsAdvertising trackers and a short list of bad/intrusive porn sites.ipv4 hash:net3304 subnets, 886847 unique IPsupdated every 12 hours
iblocklist_badpeersIPs that have been reported for bad deeds in p2p.ipv4 hash:net48463 subnets, 1568829 unique IPsupdated every 12 hours from this link
iblocklist_bogonsUnallocated address space.ipv4 hash:net2690 subnets, 639382179 unique IPsupdated every 12 hours from this link
iblocklist_ciarmy_maliciousciarmy.com IP blocklist. Based on information from a network of Sentinel devices deployed around the world, they compile a list of known bad IP addresses. Sentinel devices are uniquely positioned to pick up traffic from bad guys without requiring any type of signature-based or rate-based identification. If an IP is identified in this way by a significant number of Sentinels, the IP is malicious and should be blocked.ipv4 hash:net14491 subnets, 14900 unique IPsupdated every 12 hours from this link
iblocklist_cidr_report_bogonscidr-report.org IP list of Unallocated address space.ipv4 hash:net4090 subnets, 600812232 unique IPsupdated every 12 hours from this link
iblocklist_cruzit_web_attacksCruzIT IP list with individual IP addresses of compromised machines scanning for vulnerabilities and DDOS attacks.ipv4 hash:net7447 subnets, 7577 unique IPsupdated every 12 hours from this link
iblocklist_dshieldknown Hackers and such people.ipv4 hash:net16 subnets, 2566 unique IPsupdated every 12 hours from this link
iblocklist_eduIPs used by Educational Institutions.ipv4 hash:net40778 subnets, 227982446 unique IPsupdated every 12 hours
iblocklist_exclusionsExclusions.ipv4 hash:net297 subnets, 7427 unique IPsupdated every 12 hours from this link
iblocklist_exclusionsExclusions.ipv4 hash:net297 subnets, 7427 unique IPsupdated every 12 hours from this link
iblocklist_fornonlancomputersIP blocklist for non-LAN computers.ipv4 hash:net4 subnets, 302055424 unique IPsupdated every 12 hours from this link
iblocklist_fornonlancomputersIP blocklist for non-LAN computers.ipv4 hash:net4 subnets, 302055424 unique IPsupdated every 12 hours from this link
iblocklist_forumspamForum spam.ipv4 hash:net454 subnets, 475 unique IPsupdated every 12 hours from this link
iblocklist_hijackedHijacked IP-Blocks. Contains hijacked IP-Blocks and known IP-Blocks that are used to deliver Spam. This list is a combination of lists with hijacked IP-Blocks. Hijacked IP space are IP blocks that are being used without permission by organizations that have no relation to original organization (or its legal successor) that received the IP block. In essence it's stealing of somebody else's IP resources.ipv4 hash:net515 subnets, 8974080 unique IPsupdated every 12 hours from this link
iblocklist_iana_multicastIANA Multicast IPs.ipv4 hash:net1 subnets, 268435456 unique IPsupdated every 12 hours from this link
iblocklist_iana_multicastIANA Multicast IPs.ipv4 hash:net1 subnets, 268435456 unique IPsupdated every 12 hours from this link
iblocklist_iana_privateIANA Private IPs.ipv4 hash:net56 subnets, 51643638 unique IPsupdated every 12 hours from this link
iblocklist_iana_privateIANA Private IPs.ipv4 hash:net56 subnets, 51643638 unique IPsupdated every 12 hours from this link
iblocklist_iana_reservedIANA Reserved IPs.ipv4 hash:net1 subnets, 536870912 unique IPsupdated every 12 hours from this link
iblocklist_iana_reservedIANA Reserved IPs.ipv4 hash:net1 subnets, 536870912 unique IPsupdated every 12 hours from this link
iblocklist_isp_aolAOL IPs.ipv4 hash:net16 subnets, 6627584 unique IPsupdated every 1 day from this link
iblocklist_isp_aolAOL IPs.ipv4 hash:net16 subnets, 6627584 unique IPsupdated every 1 day from this link
iblocklist_isp_attAT&T IPs.ipv4 hash:net35 subnets, 55845128 unique IPsupdated every 1 day from this link
iblocklist_isp_cablevisionCablevision IPs.ipv4 hash:net11 subnets, 1787136 unique IPsupdated every 1 day from this link
iblocklist_isp_cablevisionCablevision IPs.ipv4 hash:net11 subnets, 1787136 unique IPsupdated every 1 day from this link
iblocklist_isp_charterCharter IPs.ipv4 hash:net21 subnets, 6138112 unique IPsupdated every 1 day from this link
iblocklist_isp_charterCharter IPs.ipv4 hash:net21 subnets, 6138112 unique IPsupdated every 1 day from this link
iblocklist_isp_comcastComcast IPs.ipv4 hash:net33 subnets, 45121536 unique IPsupdated every 1 day from this link
iblocklist_isp_embarqEmbarq IPs.ipv4 hash:net14 subnets, 2703360 unique IPsupdated every 1 day from this link
iblocklist_isp_embarqEmbarq IPs.ipv4 hash:net14 subnets, 2703360 unique IPsupdated every 1 day from this link
iblocklist_isp_qwestQwest IPs.ipv4 hash:net73 subnets, 15777552 unique IPsupdated every 1 day from this link
iblocklist_isp_qwestQwest IPs.ipv4 hash:net73 subnets, 15777552 unique IPsupdated every 1 day from this link
iblocklist_isp_sprintSprint IPs.ipv4 hash:net63 subnets, 6310530 unique IPsupdated every 1 day from this link
iblocklist_isp_sprintSprint IPs.ipv4 hash:net63 subnets, 6310530 unique IPsupdated every 1 day from this link
iblocklist_isp_suddenlinkSuddenlink IPs.ipv4 hash:net3 subnets, 458752 unique IPsupdated every 1 day from this link
iblocklist_isp_suddenlinkSuddenlink IPs.ipv4 hash:net3 subnets, 458752 unique IPsupdated every 1 day from this link
iblocklist_isp_twcTime Warner Cable IPs.ipv4 hash:net56 subnets, 15015936 unique IPsupdated every 1 day from this link
iblocklist_isp_twcTime Warner Cable IPs.ipv4 hash:net56 subnets, 15015936 unique IPsupdated every 1 day from this link
iblocklist_isp_verizonVerizon IPs.ipv4 hash:net22 subnets, 18087936 unique IPsupdated every 1 day from this link
iblocklist_isp_verizonVerizon IPs.ipv4 hash:net22 subnets, 18087936 unique IPsupdated every 1 day from this link
iblocklist_level1Level 1 (for use in p2p): Companies or organizations who are clearly involved with trying to stop filesharing (e.g. Baytsp, MediaDefender, Mediasentry). Companies which anti-p2p activity has been seen from. Companies that produce or have a strong financial interest in copyrighted material (e.g. music, movie, software industries a.o.). Government ranges or companies that have a strong financial interest in doing work for governments. Legal industry ranges. IPs or ranges of ISPs from which anti-p2p activity has been observed. Basically this list will block all kinds of internet connections that most people would rather not have during their internet travels.ipv4 hash:net218285 subnets, 762691171 unique IPsupdated every 12 hours
iblocklist_level2Level 2 (for use in p2p). General corporate ranges. Ranges used by labs or researchers. Proxies.ipv4 hash:net72937 subnets, 346602363 unique IPsupdated every 12 hours
iblocklist_level3Level 3 (for use in p2p). Many portal-type websites. ISP ranges that may be dodgy for some reason. Ranges that belong to an individual, but which have not been determined to be used by a particular company. Ranges for things that are unusual in some way. The L3 list is aka the paranoid list.ipv4 hash:net17791 subnets, 138981046 unique IPsupdated every 12 hours
iblocklist_malc0demalc0de.com IP blocklist. Addresses that have been identified distributing malware during the past 30 days.ipv4 hash:net213 subnets, 214 unique IPsupdated every 12 hours from this link
iblocklist_onion_routerThe Onion Router IP addresses.ipv4 hash:net6163 subnets, 6252 unique IPsupdated every 12 hours from this link
iblocklist_org_activisionActivision IPs.ipv4 hash:net46 subnets, 4890 unique IPsupdated every 1 day from this link
iblocklist_org_activisionActivision IPs.ipv4 hash:net46 subnets, 4890 unique IPsupdated every 1 day from this link
iblocklist_org_appleApple IPs.ipv4 hash:net1 subnets, 16777216 unique IPsupdated every 1 day from this link
iblocklist_org_appleApple IPs.ipv4 hash:net1 subnets, 16777216 unique IPsupdated every 1 day from this link
iblocklist_org_blizzardBlizzard IPs.ipv4 hash:net8 subnets, 16795139 unique IPsupdated every 1 day from this link
iblocklist_org_blizzardBlizzard IPs.ipv4 hash:net8 subnets, 16795139 unique IPsupdated every 1 day from this link
iblocklist_org_crowd_controlCrowd Control Productions IPs.ipv4 hash:net2 subnets, 768 unique IPsupdated every 1 day from this link
iblocklist_org_crowd_controlCrowd Control Productions IPs.ipv4 hash:net2 subnets, 768 unique IPsupdated every 1 day from this link
iblocklist_org_electronic_artsElectronic Arts IPs.ipv4 hash:net42 subnets, 69720 unique IPsupdated every 1 day from this link
iblocklist_org_electronic_artsElectronic Arts IPs.ipv4 hash:net42 subnets, 69720 unique IPsupdated every 1 day from this link
iblocklist_org_joostJoost IPs.ipv4 hash:net4 subnets, 16779456 unique IPsupdated every 1 day from this link
iblocklist_org_joostJoost IPs.ipv4 hash:net4 subnets, 16779456 unique IPsupdated every 1 day from this link
iblocklist_org_linden_labLinden Lab IPs.ipv4 hash:net11 subnets, 23600 unique IPsupdated every 1 day from this link
iblocklist_org_linden_labLinden Lab IPs.ipv4 hash:net11 subnets, 23600 unique IPsupdated every 1 day from this link
iblocklist_org_logmeinLogMeIn IPs.ipv4 hash:net13 subnets, 16781568 unique IPsupdated every 1 day from this link
iblocklist_org_logmeinLogMeIn IPs.ipv4 hash:net13 subnets, 16781568 unique IPsupdated every 1 day from this link
iblocklist_org_microsoftMicrosoft IP ranges.ipv4 hash:net729 subnets, 1847911 unique IPsupdated every 12 hours from this link
iblocklist_org_ncsoftNCsoft IPs.ipv4 hash:net5 subnets, 12560 unique IPsupdated every 1 day from this link
iblocklist_org_ncsoftNCsoft IPs.ipv4 hash:net5 subnets, 12560 unique IPsupdated every 1 day from this link
iblocklist_org_nintendoNintendo IPs.ipv4 hash:net40 subnets, 3907 unique IPsupdated every 1 day from this link
iblocklist_org_pandoraPandora IPs.ipv4 hash:net1 subnets, 2048 unique IPsupdated every 1 day from this link
iblocklist_org_pandoraPandora IPs.ipv4 hash:net1 subnets, 2048 unique IPsupdated every 1 day from this link
iblocklist_org_pirate_bayThe Pirate Bay IPs.ipv4 hash:net5 subnets, 323 unique IPsupdated every 1 day from this link
iblocklist_org_pirate_bayThe Pirate Bay IPs.ipv4 hash:net5 subnets, 323 unique IPsupdated every 1 day from this link
iblocklist_org_punkbusterPunkbuster IPs.ipv4 hash:net1 subnets, 1 unique IPsupdated every 1 day from this link
iblocklist_org_punkbusterPunkbuster IPs.ipv4 hash:net1 subnets, 1 unique IPsupdated every 1 day from this link
iblocklist_org_riot_gamesRiot Games IPs.ipv4 hash:net6 subnets, 1792 unique IPsupdated every 1 day from this link
iblocklist_org_riot_gamesRiot Games IPs.ipv4 hash:net6 subnets, 1792 unique IPsupdated every 1 day from this link
iblocklist_org_sony_onlineSony Online Entertainment IPs.ipv4 hash:net7 subnets, 24616 unique IPsupdated every 1 day from this link
iblocklist_org_sony_onlineSony Online Entertainment IPs.ipv4 hash:net7 subnets, 24616 unique IPsupdated every 1 day from this link
iblocklist_org_square_enixSquare Enix IPs.ipv4 hash:net2 subnets, 4112 unique IPsupdated every 1 day from this link
iblocklist_org_square_enixSquare Enix IPs.ipv4 hash:net2 subnets, 4112 unique IPsupdated every 1 day from this link
iblocklist_org_steamSteam IPs.ipv4 hash:net51 subnets, 596440 unique IPsupdated every 1 day from this link
iblocklist_org_steamSteam IPs.ipv4 hash:net51 subnets, 596440 unique IPsupdated every 1 day from this link
iblocklist_org_ubisoftUbisoft IPs.ipv4 hash:net9 subnets, 5304 unique IPsupdated every 1 day from this link
iblocklist_org_ubisoftUbisoft IPs.ipv4 hash:net9 subnets, 5304 unique IPsupdated every 1 day from this link
iblocklist_org_xfireXFire IPs.ipv4 hash:net3 subnets, 3328 unique IPsupdated every 1 day from this link
iblocklist_org_xfireXFire IPs.ipv4 hash:net3 subnets, 3328 unique IPsupdated every 1 day from this link
iblocklist_pedophilesIP ranges of people who we have found to be sharing child pornography in the p2p community.ipv4 hash:net28630 subnets, 845657 unique IPsupdated every 12 hours from this link
iblocklist_proxiesOpen Proxies IPs list (without TOR)ipv4 hash:ip672 unique IPsupdated every 12 hours from this link
iblocklist_rangetestSuspicious IPs that are under investigation.ipv4 hash:net483 subnets, 4235342 unique IPsupdated every 12 hours from this link
iblocklist_spamhaus_dropSpamhaus.org DROP (Don't Route Or Peer) list.ipv4 hash:net777 subnets, 24405504 unique IPsupdated every 12 hours from this link
iblocklist_spiderIP list intended to be used by webmasters to block hostile spiders from their web sites.ipv4 hash:net732 subnets, 846624 unique IPsupdated every 12 hours from this link
iblocklist_spywareKnown malicious SPYWARE and ADWARE IP Address ranges. It is compiled from various sources, including other available spyware blacklists, HOSTS files, from research found at many of the top anti-spyware forums, logs of spyware victims, etc.ipv4 hash:net3281 subnets, 338479 unique IPsupdated every 12 hours
iblocklist_webexploitWeb server hack and exploit attempts. IP addresses related to current web server hack and exploit attempts that have been logged or can be found in and cross referenced with other related IP databases. Malicious and other non search engine bots will also be listed here, along with anything found that can have a negative impact on a website or webserver such as proxies being used for negative SEO hijacks, unauthorised site mirroring, harvesting, scraping, snooping and data mining / spy bot / security & copyright enforcement companies that target and continuosly scan webservers.ipv4 hash:ip15382 unique IPsupdated every 12 hours from this link
iblocklist_yoyo_adserverspgl.yoyo.org ad serversipv4 hash:net10228 subnets, 11622 unique IPsupdated every 12 hours from this link
ip2location_countryIP2Location.com geolocation databaseipv4 hash:netAll the worldupdated every 1 day from this link
ip2location_country_ccCocos (Keeling) Islands (CC) – IP2Location.comipv4 hash:net1 subnets, 256 unique IPsupdated every 1 day from this link
ip2location_country_cxChristmas Island (CX) – IP2Location.comipv4 hash:net1 subnets, 256 unique IPsupdated every 1 day from this link
ip2location_country_ehWestern Sahara (EH) – IP2Location.comipv4 hash:net1 subnets, 256 unique IPsupdated every 1 day from this link
ip2location_country_shSaint Helena (SH) – IP2Location.comipv4 hash:net1 subnets, 256 unique IPsupdated every 1 day from this link
ipblacklistcloud_recentIP Blacklist Cloud These are the most recent IP addresses that have been blacklisted by websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin!ipv4 hash:ip32 unique IPsupdated every 4 hours from this link
ipblacklistcloud_recent_1dIP Blacklist Cloud These are the most recent IP addresses that have been blacklisted by websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin!ipv4 hash:ip32 unique IPsupdated every 4 hours from this link
ipblacklistcloud_recent_30dIP Blacklist Cloud These are the most recent IP addresses that have been blacklisted by websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin!ipv4 hash:ip342 unique IPsupdated every 4 hours from this link
ipblacklistcloud_recent_7dIP Blacklist Cloud These are the most recent IP addresses that have been blacklisted by websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin!ipv4 hash:ip143 unique IPsupdated every 4 hours from this link
ipblacklistcloud_topIP Blacklist Cloud These are the top IP addresses that have been blacklisted by many websites. IP Blacklist Cloud plugin protects your WordPress based website from spam comments, gives details about login attacks which you don't even know are happening without this plugin!ipv4 hash:ip232 unique IPsupdated every 1 day from this link
ipdeny_countryIPDeny.com geolocation databaseipv4 hash:netAll the worldupdated every 1 day from this link
iw_spamlistImproWare Antispam IPs sending spam, in the last 3 daysipv4 hash:ip943 unique IPsupdated every 1 hour from this link
iw_wormlistImproWare Antispam IPs sending emails with viruses or worms, in the last 3 daysipv4 hash:ip1 unique IPsupdated every 1 hour from this link
lashback_ublThe LashBack UBL The Unsubscribe Blacklist (UBL) is a real-time blacklist of IP addresses which are sending email to names harvested from suppression files (this is a big list, more than 500.000 IPs)ipv4 hash:ip2711097 unique IPsupdated every 1 day from this link
malc0deMalc0de.com malicious IPs of the last 30 daysipv4 hash:ip202 unique IPsupdated every 1 day from this link
malwaredomainlistmalwaredomainlist.com list of malware active ip addressesipv4 hash:ip1030 unique IPsupdated every 12 hours from this link
maxmind_proxy_fraudMaxMind.com sample list of high-risk IP addresses.ipv4 hash:ip482 unique IPsupdated every 4 hours from this link
myipmyip.ms IPs identified as web bots in the last 10 days, using several sites that require human actionipv4 hash:ip3587 unique IPsupdated every 1 day from this link
nixspamNiX Spam IP addresses that sent spam in the last hour - automatically generated entries without distinguishing open proxies from relays, dialup gateways, and so on. All IPs are removed after 12 hours if there is no spam from there.ipv4 hash:ip27248 unique IPsupdated every 15 mins from this link
nt_malware_dnsNo Think Malware DNS (the original list includes hostnames and domains, which are ignored)ipv4 hash:ip235 unique IPsupdated every 1 hour from this link
nt_malware_dnsNo Think Malware DNS (the original list includes hostnames and domains, which are ignored)ipv4 hash:ip235 unique IPsupdated every 1 hour from this link
nt_malware_httpNo Think Malware HTTPipv4 hash:ip69 unique IPsupdated every 1 hour from this link
nt_malware_httpNo Think Malware HTTPipv4 hash:ip69 unique IPsupdated every 1 hour from this link
nt_malware_ircNo Think Malware IRCipv4 hash:ip43 unique IPsupdated every 1 hour from this link
nt_malware_ircNo Think Malware IRCipv4 hash:ip43 unique IPsupdated every 1 hour from this link
nt_ssh_7dNoThink Last 7 days SSH attacksipv4 hash:ip95 unique IPsupdated every 1 hour from this link
nullsecurenullsecure.org This is a free threat feed provided for use in any acceptable manner. This feed was aggregated using the Tango Honeypot Intelligence Splunk App by Brian Warehime, a Senior Security Analyst at Defense Point Security.ipv4 hash:ip29439 unique IPsupdated every 8 hours from this link
packetmailPacketMail.net IP addresses that have been detected performing TCP SYN to 206.82.85.196/30 to a non-listening service or daemon. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk.ipv4 hash:ip3869 unique IPsupdated every 4 hours from this link
packetmail_emerging_ipsPacketMail.net IP addresses that have been detected as potentially of interest based on the number of unique users of the packetmail IP Reputation system. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk.ipv4 hash:ip21 unique IPsupdated every 4 hours from this link
packetmail_mailPacketMail.net IP addresses that have been detected performing behavior not in compliance with the requirements this system enforces for email acceptance. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk.ipv4 hash:ip97 unique IPsupdated every 4 hours from this link
packetmail_ramnodePacketMail.net IP addresses that have been detected performing TCP SYN to 81.4.103.251 to a non-listening service or daemon. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk.ipv4 hash:ip2852 unique IPsupdated every 4 hours from this link
php_badprojecthoneypot.org bad web hosts (this list is composed using an RSS feed)ipv4 hash:ipdisabledupdated every 1 hour from this link
php_commentersprojecthoneypot.org comment spammers (this list is composed using an RSS feed)ipv4 hash:ip50 unique IPsupdated every 1 hour from this link
php_commenters_1dprojecthoneypot.org comment spammers (this list is composed using an RSS feed)ipv4 hash:ip96 unique IPsupdated every 1 hour from this link
php_commenters_30dprojecthoneypot.org comment spammers (this list is composed using an RSS feed)ipv4 hash:ip1204 unique IPsupdated every 1 hour from this link
php_commenters_7dprojecthoneypot.org comment spammers (this list is composed using an RSS feed)ipv4 hash:ip360 unique IPsupdated every 1 hour from this link
php_dictionaryprojecthoneypot.org directory attackers (this list is composed using an RSS feed)ipv4 hash:ip50 unique IPsupdated every 1 hour from this link
php_dictionary_1dprojecthoneypot.org directory attackers (this list is composed using an RSS feed)ipv4 hash:ip50 unique IPsupdated every 1 hour from this link
php_dictionary_30dprojecthoneypot.org directory attackers (this list is composed using an RSS feed)ipv4 hash:ip1010 unique IPsupdated every 1 hour from this link
php_dictionary_7dprojecthoneypot.org directory attackers (this list is composed using an RSS feed)ipv4 hash:ip312 unique IPsupdated every 1 hour from this link
php_harvestersprojecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)ipv4 hash:ip50 unique IPsupdated every 1 hour from this link
php_harvesters_1dprojecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)ipv4 hash:ip78 unique IPsupdated every 1 hour from this link
php_harvesters_30dprojecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)ipv4 hash:ip872 unique IPsupdated every 1 hour from this link
php_harvesters_7dprojecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)ipv4 hash:ip234 unique IPsupdated every 1 hour from this link
php_spammersprojecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)ipv4 hash:ip50 unique IPsupdated every 1 hour from this link
php_spammers_1dprojecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)ipv4 hash:ip95 unique IPsupdated every 1 hour from this link
php_spammers_30dprojecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)ipv4 hash:ip1109 unique IPsupdated every 1 hour from this link
php_spammers_7dprojecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)ipv4 hash:ip315 unique IPsupdated every 1 hour from this link
proxylistsproxylists.net open proxies (this list is composed using an RSS feed)ipv4 hash:ip1417 unique IPsupdated every 1 hour from this link
proxylists_1dproxylists.net open proxies (this list is composed using an RSS feed)ipv4 hash:ip2674 unique IPsupdated every 1 hour from this link
proxylists_30dproxylists.net open proxies (this list is composed using an RSS feed)ipv4 hash:ip5777 unique IPsupdated every 1 hour from this link
proxylists_7dproxylists.net open proxies (this list is composed using an RSS feed)ipv4 hash:ip3757 unique IPsupdated every 1 hour from this link
proxyrssproxyrss.com open proxies syndicated from multiple sources.ipv4 hash:ip1171 unique IPsupdated every 4 hours from this link
proxyrss_1dproxyrss.com open proxies syndicated from multiple sources.ipv4 hash:ip2307 unique IPsupdated every 4 hours from this link
proxyrss_30dproxyrss.com open proxies syndicated from multiple sources.ipv4 hash:ip5260 unique IPsupdated every 4 hours from this link
proxyrss_7dproxyrss.com open proxies syndicated from multiple sources.ipv4 hash:ip3375 unique IPsupdated every 4 hours from this link
proxyspyProxySpy open proxies (updated hourly)ipv4 hash:ip300 unique IPsupdated every 1 hour from this link
proxyspy_1dProxySpy open proxies (updated hourly)ipv4 hash:ip300 unique IPsupdated every 1 hour from this link
proxyspy_30dProxySpy open proxies (updated hourly)ipv4 hash:ip6720 unique IPsupdated every 1 hour from this link
proxyspy_7dProxySpy open proxies (updated hourly)ipv4 hash:ip2828 unique IPsupdated every 1 hour from this link
proxzproxz.com open proxies (this list is composed using an RSS feed)ipv4 hash:ip21 unique IPsupdated every 1 hour from this link
proxz_1dproxz.com open proxies (this list is composed using an RSS feed)ipv4 hash:ip259 unique IPsupdated every 1 hour from this link
proxz_30dproxz.com open proxies (this list is composed using an RSS feed)ipv4 hash:ip2362 unique IPsupdated every 1 hour from this link
proxz_7dproxz.com open proxies (this list is composed using an RSS feed)ipv4 hash:ip944 unique IPsupdated every 1 hour from this link
pushing_inertia_blocklistPushing Inertia IPs of hosting providers that are known to host various bots, spiders, scrapers, etc. to block access from these providers to web servers.ipv4 hash:net878 subnets, 34512264 unique IPsupdated every 1 day from this link
ransomware_cryptowall_psAbuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is CW_PS_IPBL: CryptoWall Ransomware Payment Sites IP blocklist.ipv4 hash:ip0 unique IPsupdated every 5 mins from this link
ransomware_feedAbuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. The IPs in this list have been extracted from the tracker data feed.ipv4 hash:ip5218 unique IPsupdated every 5 mins from this link
ransomware_locky_c2Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is LY_C2_IPBL: Locky Ransomware C2 URL blocklist.ipv4 hash:ip297 unique IPsupdated every 5 mins from this link
ransomware_locky_psAbuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is LY_PS_IPBL: Locky Ransomware Payment Sites IP blocklist.ipv4 hash:ip3 unique IPsupdated every 5 mins from this link
ransomware_onlineAbuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. The IPs in this list have been extracted from the tracker data feed, filtering only online IPs.ipv4 hash:ip130 unique IPsupdated every 5 mins from this link
ransomware_rwAbuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list includes TC_PS_IPBL, LY_C2_IPBL, TL_C2_IPBL, TL_PS_IPBL and it is the recommended blocklist. It might not catch everything, but the false positive rate should be low. However, false positives are possible, especially with regards to RW_IPBL. IP addresses associated with Ransomware Payment Sites (*_PS_IPBL) or Locky botnet C&Cs (LY_C2_IPBL) stay listed on RW_IPBL for a time of 30 days after the last appearance. This means that an IP address stays listed on RW_IPBL even after the threat has been eliminated (e.g. the VPS / server has been suspended by the hosting provider) for another 30 days.ipv4 hash:ip306 unique IPsupdated every 5 mins from this link
ransomware_teslacrypt_psAbuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is TC_PS_IPBL: TeslaCrypt Ransomware Payment Sites IP blocklist.ipv4 hash:ip0 unique IPsupdated every 5 mins from this link
ransomware_torrentlocker_c2Abuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is TL_C2_IPBL: TorrentLocker Ransomware C2 IP blocklist.ipv4 hash:ip11 unique IPsupdated every 5 mins from this link
ransomware_torrentlocker_psAbuse.ch Ransomware Tracker Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreants to commit fraud. This list is TL_PS_IPBL: TorrentLocker Ransomware Payment Sites IP blocklist.ipv4 hash:ip0 unique IPsupdated every 5 mins from this link
ri_connect_proxiesrosinstrument.com open CONNECT proxies (this list is composed using an RSS feed)ipv4 hash:ip151 unique IPsupdated every 1 hour from this link
ri_connect_proxies_1drosinstrument.com open CONNECT proxies (this list is composed using an RSS feed)ipv4 hash:ip274 unique IPsupdated every 1 hour from this link
ri_connect_proxies_30drosinstrument.com open CONNECT proxies (this list is composed using an RSS feed)ipv4 hash:ip2706 unique IPsupdated every 1 hour from this link
ri_connect_proxies_7drosinstrument.com open CONNECT proxies (this list is composed using an RSS feed)ipv4 hash:ip1091 unique IPsupdated every 1 hour from this link
ri_web_proxiesrosinstrument.com open HTTP proxies (this list is composed using an RSS feed)ipv4 hash:ip144 unique IPsupdated every 1 hour from this link
ri_web_proxies_1drosinstrument.com open HTTP proxies (this list is composed using an RSS feed)ipv4 hash:ip430 unique IPsupdated every 1 hour from this link
ri_web_proxies_30drosinstrument.com open HTTP proxies (this list is composed using an RSS feed)ipv4 hash:ip4673 unique IPsupdated every 1 hour from this link
ri_web_proxies_7drosinstrument.com open HTTP proxies (this list is composed using an RSS feed)ipv4 hash:ip1628 unique IPsupdated every 1 hour from this link
sblamsblam.com IPs used by web form spammers, during the last monthipv4 hash:ip11250 unique IPsupdated every 1 day from this link
shunlistAutoShun.org IPs identified as hostile by correlating logs from distributed snort installations running the autoshun pluginipv4 hash:ip500 unique IPsupdated every 4 hours
snort_ipfilterlabs.snort.org supplied IP blacklist (this list seems to be updated frequently, but we found no information about it)ipv4 hash:ip8282 unique IPsupdated every 12 hours from this link
socks_proxysocks-proxy.net open SOCKS proxiesipv4 hash:ip80 unique IPsupdated every 10 mins from this link
socks_proxy_1dsocks-proxy.net open SOCKS proxiesipv4 hash:ip1573 unique IPsupdated every 10 mins from this link
socks_proxy_30dsocks-proxy.net open SOCKS proxiesipv4 hash:ip10647 unique IPsupdated every 10 mins from this link
socks_proxy_7dsocks-proxy.net open SOCKS proxiesipv4 hash:ip5963 unique IPsupdated every 10 mins from this link
sorbs_anonymizersSorbs.net List of open HTTP and SOCKS proxies.ipv4 hash:net597119 subnets, 609175 unique IPs
sorbs_blockSorbs.net List of hosts demanding that they never be tested by SORBS.ipv4 hash:netdisabled
sorbs_dulSorbs.net Dynamic IP Addresses.ipv4 hash:net545831 subnets, 375226662 unique IPs
sorbs_escalationsSorbs.net Netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list.ipv4 hash:net8 subnets, 2304 unique IPs
sorbs_new_spamSorbs.net List of hosts that have been noted as sending spam/UCE/UBE within the last 48 hoursipv4 hash:net33791 subnets, 35223 unique IPs
sorbs_noserverSorbs.net IP addresses and netblocks of where system administrators and ISPs owning the network have indicated that servers should not be present.ipv4 hash:net15066 subnets, 22951270 unique IPs
sorbs_recent_spamSorbs.net List of hosts that have been noted as sending spam/UCE/UBE within the last 28 days (includes sorbs_new_spam)ipv4 hash:net519715 subnets, 545338 unique IPs
sorbs_smtpSorbs.net List of SMTP Open Relays.ipv4 hash:net1968 subnets, 1976 unique IPs
sorbs_webSorbs.net List of IPs which have spammer abusable vulnerabilities (e.g. FormMail scripts)ipv4 hash:net5868323 subnets, 6267285 unique IPs
sorbs_zombieSorbs.net List of networks hijacked from their original owners, some of which have already used for spamming.ipv4 hash:net78 subnets, 1903876 unique IPs
spamhaus_dropSpamhaus.org DROP list (according to their site this list should be dropped at tier-1 ISPs globally)ipv4 hash:net777 subnets, 24405504 unique IPsupdated every 12 hours from this link
spamhaus_edropSpamhaus.org EDROP (extended matches that should be used with DROP)ipv4 hash:net51 subnets, 763648 unique IPsupdated every 12 hours from this link
sslblAbuse.ch SSL Blacklist bad SSL traffic related to malware or botnet activitiesipv4 hash:ip122 unique IPsupdated every 30 mins from this link
sslbl_aggressiveAbuse.ch SSL Blacklist The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend you to use the standard version instead of the aggressive one.ipv4 hash:ip3217 unique IPsupdated every 30 mins from this link
sslproxiesSSLProxies.org open SSL proxiesipv4 hash:ip100 unique IPsupdated every 10 mins from this link
sslproxies_1dSSLProxies.org open SSL proxiesipv4 hash:ip989 unique IPsupdated every 10 mins from this link
sslproxies_30dSSLProxies.org open SSL proxiesipv4 hash:ip10665 unique IPsupdated every 10 mins from this link
sslproxies_7dSSLProxies.org open SSL proxiesipv4 hash:ip3526 unique IPsupdated every 10 mins from this link
stopforumspamStopForumSpam.com Banned IPs used by forum spammersipv4 hash:ip157021 unique IPsupdated every 1 day from this link
stopforumspam_180dStopForumSpam.com IPs used by forum spammers (last 180 days)ipv4 hash:ip285113 unique IPsupdated every 1 day from this link
stopforumspam_1dStopForumSpam.com IPs used by forum spammers in the last 24 hoursipv4 hash:ip6841 unique IPsupdated every 1 hour from this link
stopforumspam_30dStopForumSpam.com IPs used by forum spammers (last 30 days)ipv4 hash:ip65286 unique IPsupdated every 1 day from this link
stopforumspam_365dStopForumSpam.com IPs used by forum spammers (last 365 days)ipv4 hash:ip418871 unique IPsupdated every 1 day from this link
stopforumspam_7dStopForumSpam.com IPs used by forum spammers (last 7 days)ipv4 hash:ip18875 unique IPsupdated every 1 day from this link
stopforumspam_90dStopForumSpam.com IPs used by forum spammers (last 90 days)ipv4 hash:ip158452 unique IPsupdated every 1 day from this link
stopforumspam_toxicStopForumSpam.com Networks that have large amounts of spambots and are flagged as toxic. Toxic IP ranges are infrequently changed.ipv4 hash:net83 subnets, 537175 unique IPsupdated every 1 day from this link
taichungTaichung Education Center Blocked IP Addresses (attacks and bots).ipv4 hash:ip10568 unique IPsupdated every 1 day from this link
talosintel_ipfilterTalosIntel.com List of known malicious network threatsipv4 hash:ip8280 unique IPsupdated every 15 mins from this link
threatcrowdCrowdsourced IP feed from ThreatCrowd. These feeds are not a substitute for the scale of auto-extracted command and control domains or the quality of some commercially provided feeds. But crowd-sourcing does go some way towards the quick sharing of threat intelligence between the community.ipv4 hash:ip6383 unique IPsupdated every 1 hour from this link
tor_exitsTorProject.org list of all current TOR exit points (TorDNSEL)ipv4 hash:ip834 unique IPsupdated every 5 mins from this link
tor_exits_1dTorProject.org list of all current TOR exit points (TorDNSEL)ipv4 hash:ip904 unique IPsupdated every 5 mins from this link
tor_exits_30dTorProject.org list of all current TOR exit points (TorDNSEL)ipv4 hash:ip1909 unique IPsupdated every 5 mins from this link
tor_exits_7dTorProject.org list of all current TOR exit points (TorDNSEL)ipv4 hash:ip1147 unique IPsupdated every 5 mins from this link
trustedsec_atifArtillery Threat Intelligence Feed and Banlist Feedipv4 hash:ip1681 unique IPsupdated every 1 day from this link
turris_greylistTurris Greylist IPs that are blocked on the firewalls of Turris routers. The data is processed and clasified every week and behaviour of IP addresses that accessed a larger number of Turris routers is evaluated. The result is a list of addresses that have tried to obtain information about services on the router or tried to gain access to them. We do not recommend to use these data as a list of addresses that should be blocked but it can be used for example in analysis of the traffic in other networks.ipv4 hash:ip17540 unique IPsupdated every 7 days from this link
urandomusto_dnsIP Feed about dns, crawled from several sources, including several twitter accounts.ipv4 hash:ip198 unique IPsupdated every 1 hour from this link
urandomusto_ftpIP Feed about ftp, crawled from several sources, including several twitter accounts.ipv4 hash:ip388 unique IPsupdated every 1 hour from this link
urandomusto_httpIP Feed about http, crawled from several sources, including several twitter accounts.ipv4 hash:ip431 unique IPsupdated every 1 hour from this link
urandomusto_mailerIP Feed about mailer, crawled from several sources, including several twitter accounts.ipv4 hash:ip451 unique IPsupdated every 1 hour from this link
urandomusto_malwareIP Feed about malware, crawled from several sources, including several twitter accounts.ipv4 hash:ip1 unique IPsupdated every 1 hour from this link
urandomusto_ntpIP Feed about ntp, crawled from several sources, including several twitter accounts.ipv4 hash:ip230 unique IPsupdated every 1 hour from this link
urandomusto_rdpIP Feed about rdp, crawled from several sources, including several twitter accounts.ipv4 hash:ip197 unique IPsupdated every 1 hour from this link
urandomusto_smbIP Feed about smb, crawled from several sources, including several twitter accounts.ipv4 hash:ip408 unique IPsupdated every 1 hour from this link
urandomusto_spamIP Feed about spam, crawled from several sources, including several twitter accounts.ipv4 hash:ip1 unique IPsupdated every 1 hour from this link
urandomusto_sshIP Feed about ssh, crawled from several sources, including several twitter accounts.ipv4 hash:ip449 unique IPsupdated every 1 hour from this link
urandomusto_telnetIP Feed about telnet, crawled from several sources, including several twitter accounts.ipv4 hash:ip443 unique IPsupdated every 1 hour from this link
urandomusto_unspecifiedIP Feed about unspecified, crawled from several sources, including several twitter accounts.ipv4 hash:ip202 unique IPsupdated every 1 hour from this link
urandomusto_vncIP Feed about vnc, crawled from several sources, including several twitter accounts.ipv4 hash:ip43 unique IPsupdated every 1 hour from this link
urlvirURLVir.com Active Malicious IP Addresses Hosting Malware. URLVir is an online security service developed by NoVirusThanks Company Srl that automatically monitors changes of malicious URLs (executable files).ipv4 hash:ip203 unique IPsupdated every 1 day from this link
uscert_hidden_cobraSince 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group1] (link is external) and Guardians of Peace.[2] (link is external) DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer and Hangman|ipv4 hash:ip|627 unique IPs|updated every 1 day from [this link
voipblVoIPBL.org a distributed VoIP blacklist that is aimed to protects against VoIP Fraud and minimizing abuse for network that have publicly accessible PBX's. Several algorithms, external sources and manual confirmation are used before they categorize something as an attack and determine the threat level.ipv4 hash:net31865 subnets, 34066 unique IPsupdated every 4 hours from this link
vxvaultVxVault The latest 100 additions of VxVault.ipv4 hash:ip75 unique IPsupdated every 12 hours from this link
xforce_bccsIBM X-Force Exchange Botnet Command and Control Serversipv4 hash:ip320 unique IPsupdated every 1 day from this link
xroxyxroxy.com open proxies (this list is composed using an RSS feed)ipv4 hash:ip62 unique IPsupdated every 1 hour from this link
xroxy_1dxroxy.com open proxies (this list is composed using an RSS feed)ipv4 hash:ip142 unique IPsupdated every 1 hour from this link
xroxy_30dxroxy.com open proxies (this list is composed using an RSS feed)ipv4 hash:ip457 unique IPsupdated every 1 hour from this link
xroxy_7dxroxy.com open proxies (this list is composed using an RSS feed)ipv4 hash:ip244 unique IPsupdated every 1 hour from this link
yoyo_adserversYoyo.org IPs of ad serversipv4 hash:ip12230 unique IPsupdated every 12 hours from this link
zeusAbuse.ch Zeus tracker standard, contains the same data as the ZeuS IP blocklist (zeus_badips) but with the slight difference that it doesn't exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blocklist contains all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives.ipv4 hash:ip130 unique IPsupdated every 30 mins from this link
zeus_badipsAbuse.ch Zeus tracker badips includes IPv4 addresses that are used by the ZeuS trojan. It is the recommened blocklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or belong to a free web hosting provider (level 3). Hence the false postive rate should be much lower compared to the standard ZeuS IP blocklist.ipv4 hash:ip120 unique IPsupdated every 30 mins from this link