This project is a blocking list: it aims to reduce the number of attacks by listing IP addresses known to be abusive, aggressive and malicious, so that you can deny them at your perimeter.
- To give you a few figures: I collect (on average) over 8000 unique IP addresses per day, and after analysis and feedback, once they are really reliable, I add them to this blocking list, which is closely monitored 24/7.
- For the deletion part, the policy in force is that I keep these IP addresses for 30 days max: if no activity has been reported within this period, the IP addresses are removed from the blocking list and inserted into a "Whitelist", which is also monitored.
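The retention policy above (activity keeps an address blocked, 30 idle days retire it to a monitored whitelist) as an added example. This is illustrative code, not the project's own tooling; the timeline, the `day()` helper and the addresses (RFC 5737 documentation ranges) are constructed, and re-blocking an address that reappears while whitelisted is an assumption, since the page only says the whitelist is monitored.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)   # the page's stated maximum without reported activity
EPOCH = datetime(2024, 1, 1)     # arbitrary start of the constructed timeline


def day(n):
    """Timestamp n days after EPOCH (keeps the constructed timeline readable)."""
    return EPOCH + timedelta(days=n)


class AgingBlocklist:
    """Blocklist whose entries retire to a whitelist after RETENTION without activity.

    blocked:   ip -> timestamp of the most recent reported activity
    whitelist: ip -> timestamp at which the entry was retired from the blocklist
    """

    def __init__(self):
        self.blocked = {}
        self.whitelist = {}

    def report(self, ip, seen_at):
        """Record abusive activity for ip.

        New activity restarts the 30-day clock. An address that reappears while
        whitelisted is re-blocked (assumption: the page only says the whitelist
        is monitored, not what happens on renewed activity).
        """
        self.whitelist.pop(ip, None)
        last = self.blocked.get(ip)
        if last is None or seen_at > last:
            self.blocked[ip] = seen_at

    def expire(self, now):
        """Move entries idle for at least RETENTION to the whitelist; return them sorted."""
        idle = sorted(ip for ip, last in self.blocked.items() if now - last >= RETENTION)
        for ip in idle:
            del self.blocked[ip]
            self.whitelist[ip] = now
        return idle


if __name__ == "__main__":
    # Constructed timeline, not real feed data.
    bl = AgingBlocklist()
    bl.report("198.51.100.7", day(0))
    bl.report("203.0.113.9", day(0))
    bl.report("203.0.113.9", day(20))        # still active: its clock restarts
    print(bl.expire(day(30)))                # -> ['198.51.100.7']
    print(sorted(bl.blocked), sorted(bl.whitelist))
    bl.report("198.51.100.7", day(60))       # seen again: leaves the whitelist, blocked again
    print(sorted(bl.blocked), sorted(bl.whitelist))
```

The expiry check is `>=`, so an address last seen exactly 30 days ago is retired, matching "30 days max".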
PS: I want to make it clear that this block list is an additional layer of protection that will:
- Reduce the number of attacks
- Reduce the possibility of mapping your exposed assets (public IPs)
- Slightly reduce the attack surface (e.g. against recon)
- Be updated every 4/24h
But under no circumstances will it replace the best practices of your security posture.
- Data-Shield IPv4 Blocklist: target destination Europe (the listed sources were observed attacking European targets)
- Some IP addresses have a relatively short lifespan (for example those used by APTs, or by groups that deploy infostealers and malware).
- Here are some of the vectors and types of attack that these IP addresses can inflict at any given time:
CVE | Description | Link |
---|---|---|
CVE-2020-25078 | An issue was discovered on D-Link DCS-2530L... | Wazuh CTI Website |
CVE-2021-42013 | It was found that the fix for CVE-2021-41773... | Wazuh CTI Website |
CVE-2021-41773 | A flaw was found in a change made to path... | Wazuh CTI Website |
CVE-2024-3400 | PAN-OS : A command injection as a result... | Wazuh CTI Website |
CVE-2017-16894 | In Laravel framework through 5.5.21... | Wazuh CTI Website |
CVE-2024-3721 | A vulnerability was found in TBK DVR-4104 and DVR-4216... | Wazuh CTI Website |
CVE-2022-30023 | Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1... | Wazuh CTI Website |
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit before 4.8.28... | Wazuh CTI Website |
CVE-2018-10561 | An issue was discovered on Dasan GPON home routers... | Wazuh CTI Website |
CVE-2018-20062 | An issue was discovered in NoneCms V1.3... | Wazuh CTI Website |
CVE-2022-44808 | Vulnerability has been found on D-Link DIR-823G devices... | Wazuh CTI Website |
CVE-2022-41040 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Wazuh CTI Website |
CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | Wazuh CTI Website |
TTPs | Countries of origin (examples) | Indicator of Risk (%) |
---|---|---|
Apache Attack | Belgium, UK, Poland, Russia | 80 |
Nginx Attack | Brazil, USA, France, China | 80 |
Ransomware Attack | Brazil, Lithuania, Russia | 90 |
VPN Attack | Belgium, UK, Poland, Russia | 80 |
RDP Attack | USA, Brazil, Peru, Morocco | 90 |
NTLM Attack | China, UK, Poland, Belgium | 80 |
Kerberos Attack | Venezuela, Brazil, Poland, Algeria | 85 |
WordPress Enumeration | USA, China, Russia, UK | 50 |
Botnet Recruitment | USA, China, Brazil, Chile | 50 |
Brute-force Attack | USA, China, UK, France | 80 |
Brute-Force SSH Login | USA, China, Poland, Netherlands | 80 |
Directory Busting | USA, China, Italy, India | 60 |
Credential Dumping | India, Japan, UK, Netherlands | 90 |
Email Attack | USA, China, India, Spain | 80 |
SMB Attack | USA, China, Poland, France | 75 |
FTP Attack | UK, France, Poland, Vietnam | 70 |
IMAP Attack | USA, China, Poland, France | 80 |
Information Gathering | USA, China, India, Lithuania | 70 |
Remote Code Execution | USA, India, Pakistan, Iran | 80 |
Scanning | USA, China, India, Indonesia | 50 |
SSH Attack | USA, China, India, France | 80 |
OT/ICS Attack | China, India, Vietnam, USA | 90 |
IoT Attack | China, Japan, Vietnam, UK | 80 |
Tor Exit Node | Switzerland, France, Germany | 60 |
Tor Node | Switzerland, France, Germany | 60 |
VoIP Attack | Belgium, India, Vietnam, Indonesia | 70 |
Web Traversal | USA, China, Lithuania, France | 75 |
- You can easily integrate this list into your firewalls as a threat feed referenced by your inbound (e.g. WAN to LAN) policy rules.
- To add this blocklist to Fortinet, Check Point, Palo Alto and OPNsense firewalls, here are some useful links:
Vendor | Description | Link |
---|---|---|
Fortinet | External blocklist policy | Fortinet Website |
Check Point | IP Block Feature | Check Point Website |
Palo Alto | Configure the Firewall to Access an External Dynamic List | Palo Alto Website |
OPNsense | OPNsense: Block malicious IPs | Slash-Root Website |
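The vendor features above fetch the list by URL and apply it as-is, so it is worth knowing what a feed can do to you if a bad line slips in: a private range, your own public IP, or a wide prefix such as 0.0.0.0/0 in an inbound deny rule blocks legitimate or management traffic. The following is an added example (not the project's own code) of sanitising a local copy of such a feed before loading it: it parses one address or CIDR per line, rejects non-IPv4 and bogon ranges, collapses duplicates and overlapping entries, carves out prefixes you never want blocked, and renders either the plain one-per-line form the vendor feeds consume or an nftables set for a Linux host. The feed text, the exempt address 203.0.113.77 and the use of RFC 5737 documentation ranges are constructed for the example; nftables is an assumed target the page does not mention.

```python
import ipaddress

# Ranges that must never reach an inbound deny rule: RFC 1918, loopback, link-local,
# CGNAT, multicast, reserved. The RFC 5737 documentation prefixes are deliberately
# left out here only so the constructed sample can use them; in production add
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 as well.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample feed, not the real Data-Shield list: documentation addresses
# plus the kinds of bad line a sanitiser must refuse.
SAMPLE_FEED = """\
# one IPv4 address or CIDR per line
198.51.100.23
198.51.100.23
203.0.113.0/24
203.0.113.77
10.0.0.0/8
127.0.0.1
0.0.0.0/0
not-an-ip
2001:db8::1
"""


def parse_feed(text):
    """Return (valid public IPv4 networks, rejected (line, reason) pairs)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net.version != 4:
            rejected.append((line, "not IPv4"))
        elif any(net.overlaps(b) for b in BOGONS):
            # also catches 0.0.0.0/0, which would otherwise deny all inbound traffic
            rejected.append((line, "overlaps bogon range"))
        else:
            accepted.append(net)
    return accepted, rejected


def carve(net, exempt):
    """Remove the exempt prefixes from net; return the remaining CIDR pieces."""
    pieces = [net]
    for ex in exempt:
        kept = []
        for p in pieces:
            if not p.overlaps(ex):
                kept.append(p)
            elif ex.subnet_of(p):
                kept.extend(p.address_exclude(ex))   # punch ex out of p
            # else p lies entirely inside ex: drop p
        pieces = kept
    return pieces


def sanitize(text, exempt=()):
    """Parse, collapse duplicates/overlaps, then carve out your own prefixes."""
    exempt = [ipaddress.ip_network(e) for e in exempt]
    accepted, rejected = parse_feed(text)
    nets = []
    for net in ipaddress.collapse_addresses(accepted):
        nets.extend(carve(net, exempt))
    return sorted(ipaddress.collapse_addresses(nets)), rejected


def _entry(n):
    """Bare address for /32 hosts, CIDR otherwise."""
    return str(n.network_address) if n.prefixlen == 32 else str(n)


def render_plain(nets):
    """One entry per line: the shape the vendor threat feeds above ingest from a URL."""
    return "\n".join(_entry(n) for n in nets) + "\n"


def render_nft(nets, table="inet filter", name="datashield_v4"):
    """nftables set definition; 'flags interval' lets one set hold hosts and CIDRs."""
    elems = ", ".join(_entry(n) for n in nets)
    return (f"table {table} {{\n  set {name} {{\n    type ipv4_addr\n"
            f"    flags interval\n    elements = {{ {elems} }}\n  }}\n}}\n")


if __name__ == "__main__":
    # 203.0.113.77 stands in for your own public IP (constructed for the example).
    nets, rejected = sanitize(SAMPLE_FEED, exempt=["203.0.113.77/32"])
    for line, why in rejected:
        print(f"rejected {line!r}: {why}")
    print(render_nft(nets))
```

Carving a /32 out of a /24 leaves eight prefixes rather than one; that is expected CIDR arithmetic, and it is still far cheaper than a blocked VPN concentrator. Re-run the sanitiser on every refresh, and treat a sudden jump in rejected lines as a signal that the upstream feed changed shape.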
According to feedback, more than 74 small and medium-sized companies (Acensi as well) have already implemented this list in their firewalls (Fortinet, Palo Alto, Check Point, etc.).
Site | Description | Link |
---|---|---|
Ko-Fi | Join all types of creators getting donations, memberships, etc. from their fans! | Thank you !!! |
Data-Shield IPv4 Blocklist © 2023 by Duggy Tuxy is licensed under the terms given in the License File.