The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs.

The key prerequisite for this cause, is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions.

fullbogons - the unroutable IPs

fullbogons includes IPs that should not be routable in the Internet. It includes bogons which lists private and reserved IPs, but it also includes IPs that are allocated to a local registry, but they are not currently assinged to any one, ISP, corporation, or end user.

fullbogons should be 100% safe, it should never include a false positive and should never give you a complaint from an end user or customer. Of course it needs to be up to date.

spamhaus drop and edrop - Don't Route Or Peer IPs

According to Spamhaus, DROP and EDROP are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The spamhaus_drop and spamhaus_edrop lists are designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.

The spamhaus_drop list will not include any IP address space under the control of any legitimate network - even if being used by "the spammers from hell".

spamhaus_edrop is an extension of the spamhaus_drop list that includes suballocated netblocks controlled by spammers or cyber criminals. spamhaus_edrop is meant to be used in addition to the direct allocations on the spamhaus_drop list.

When implemented at a network or ISP's 'core routers', spamhaus_drop and spamhaus_edrop will help protect the network from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks.

Spamhaus strongly encourages the use of spamhaus_drop and spamhaus_edrop by tier-1s and backbones.

In my personal experience, Spamhaus is very responsive cleaning up these lists when it receives complaints.

dshield - the top 20 attacking class-C

dshield summarizes the top 20 attacking class C (/24) subnets over the last three days. This sounds like many false positives are included. They are not, and this is why:

dshield.org, or better The Internet Storm Center of SANS Institute, collects firewall and IDS logs from hundreds of thousands of computers around the globe. You can submit yours too! The dshield IP list includes only the top 20 class-C, i.e. it always lists 5120 IPs only. The rate of change of these top 20 class-C is so high, that most of them are listed for just 15 mins. Check it. Goto to the dshield page and take a look on the second chart (the "changes history" chart). Out of the 5120 IPs listed, about 3000 of them expire on every update.

To visualize it even better, check the dshield_1d list. This one aggregates all IPs listed by dshield, for 24 hours. Check its unique IPs count. 60k to 120k unique IPs pass through dshield every day.

So, if it has a so aggressive change rate, is it usefull at all? The whole idea of dshield is to follow the storm as close as possible. And they are doing a great job accoplishing it.

malware lists - the Command and Control IPs

There are several malware lists that are very focused. They only track IPs that are actively used by specific malwares or trojans. These lists are usualy very small and they even reach zero IP count if the malware is vanished.

We include most the Abuse.ch and Bambenek Consulting lists. Namely:

feodo
sslbl
zeus_badips
bambenek_c2 which includes all Bambenek Consulting lists

These lists do suffer from some false positives, but not for dynamic IP users. The only false positives I ever found on these malware lists was on hosting providers that share the same IP among many sites. If a site is hosting a malware or trojan monitored by these lists, then the IP of that site and therefore all the other sites that share the same IP will be blocked.