loading...

Overview of

About

Evolution of

Each time the IP list is changed, modified, or updated we keep track of its size (both number of entries and number of unique IPs matched). Using this information we can detect what the list maintainers do, get an idea of the list trend and its maintainers habbits.

Using the chart below we attempt to answer these questions:

• How many entries does it have?

  If you are going to use this IP list as a blocklist / blacklist at a firewall, its size can be important for the performance of the firewall.
  Keep in mind that the performance of Linux netfilter / iptables firewalls that use ipsets (like FireHOL does), is not affected by the size of an ipset. Any number of entries can be added and the firewall will just do one lookup for every packet checked against the ipset. Linux ipsets are affected only by the number of different subnets in an ipset. FireHOL solves this by automatically reducing the number of unique subnets on all hash:net ipsets (check this article for more information on how this is done).

• How many unique IPs does it match?

  The number of unique IPs matched by an IP list, determines the effectiveness of the blacklist / blocklist.
  Generally, smaller IP lists are more focused and safer to use as firewall blacklists / blocklists. Fewer unique IPs means fewer possible false positives.
  On the other hand a very small list will not provide a significant level of protection.

• Is it updated frequently and regularly?

  We need IP lists that are well maintained, frequently and regularly.
  In the chart below, every point is updated only when the list maintainers add IPs to, or remove IPs from the IP list, so even if the number of unique IPs remains the same, a point in the chart indicates that something changed in it. The exact number of unique IPs added and removed with each update can be seen on the chart next to the one below.
  The frequency of updates is irrelevant to the retention policy of the IP list. We will examine its retention below in the sections below.

• Does it have a consistent size through time?

  We don't want surprises. Sudden increases or decreases is generally an indication of poor maintainance.
  Of course, there are cases where an IP list will by definition have sudden changes in its size.

• Entries is the number of entries the ipset has.
• UniqueIPs is the number of unique IPs the ipset matches.

The chart below shows the change history of the IP list, i.e. the number of unique IPs added and removed with each update.

Using the chart below we attempt to answer these questions:

• How much of this IP list is changed on every update?

  There are IP lists that, although they have an almost constant size, they change their contents almost entirely on every update.
  In other cases, similar IP lists have minimal incremental updates.
  The following chart attempts to visualize this.

Country Map of

Each time an ipset is updated we check it against the MaxMind GeoLite2 country, the IPDeny.com country, the IP2Location.com Lite country and the IPIP.net country databases, to find the list's unique IPs per country.

Using the maps below we attempt to answer these questions:

• Which countries does it currently match?

  If you are going to install this IP list as a blocklist / blacklist at a firewall, it is important to know which countries will be mainly affected, since you are going to block access from/to these IPs.

  All lists suffer from false positives to some degree, so using this IP list at your firewall might block some of your users or customers.

• Where do the attackers or the abusers come from?

  Some lists focus only on specific regions of the world. The following map illustrates this. It is a heat map of the list's focus.

• MaxMind.com GeoLite2
• IPDeny.com
• IP2Location.com Lite
• IPIP.net

Age of IPs listed in

The age of each IP in the list is shown below. The time shown is calculated in realtime; it will be refreshed as time passes, even if the list is not updated.

Using the chart below we attempt to answer these questions:

• What is the current age of the IPs listed?

  Most lists include IPs that match some criteria (e.g. an attack or abuse is detected originated from the IP in question). Once an IP is listed, it remains listed for a pre-defined amount of time, unless it matches the criteria again, in which case its expiration time is refreshed.

  Many lists announce the duration they list IPs. Many don't and almost all lists have exceptions that do not follow the announced rules.

  A false positive is in place when an IP that was properly detected and added to the list, was released and re-used by another person, before being unlisted from the list. Since the world is full of dynamic IP users, false positives is the biggest problem of blocklist / blacklists.

  In the chart below we show the exact age of the IPs currently listed. Small ages are good. Long ages are not necessarily bad. Normally, longer ages should only be a small part of the list's size.

  Pay attention to the 50% mark. This is the average age of the IPs in the list. Pay also attention to the 75% (most probable) and the 90% (expected max) marks.

• Does the list include any static data?

  The ideal age chart of a well maintained IP list should a straight line from the bottom left corner, to the upper right corner of the chart.

  Of course, this is affected by the pressure of different attacks and possibly the different listing policies for different types of attacks.

  In general though, this chart should be as granural as possible.

  Long horizontal lines indicate either sustaining attacks, or unreasonably high listing policies.