This repository contains an automatically maintained collection of IP sets and netsets (blocklists) aggregated from various sources across the internet. It is designed to be a reliable source for firewall blocking rules.
Note
The idea for this repository comes from blocklist-ipsets made by FireHOL Project, that are no longer updated regularly. If you prefer not to use this version, you can check out the original.
This repository is updated once per day and includes a list of ipsets dynamically updated using the custom firewall-e.sh script, which is a heavily modified and optimized version of FireHOL's update-ipsets script.
This repository is self-maintained and operates automatically via a daily cron job. It pulls the latest threat intelligence, applies a custom whitelist, processes the data using iprange, and commits the changes directly to this repository.
Important
Your contributions and suggestions are heartily welcome. Please, check the Guide for more details.
If you want to propose changes, just open an issue or a pull request.
As the global digital infrastructure matures, the complexity and sophistication of cybercrime are scaling at an unprecedented rate. We have moved far beyond the era where legacy security stacks β standalone antivirus software, basic firewalls, and traditional Intrusion Detection/Prevention Systems (IDS/IPS) β were sufficient to keep malicious actors at bay. Today's threat landscape requires a much broader perspective.
The most critical paradigm shift in modern cyber warfare is that adversaries often do not intend to cause direct, visible damage to your systems or steal your proprietary data. Instead, they increasingly view your infrastructure as a disposable, tactical asset. Compromised networks are routinely hijacked to serve as silent proxies, botnet nodes, or spam relays to facilitate attacks against completely unrelated third parties. Because these attacks are highly distributed, dynamically routed, and originate from an ever-shifting pool of global IP addresses, identifying and mitigating them in isolation is practically impossible.
To effectively combat these distributed threats, operating in a silo is no longer an option. We must augment our localized security postures with shared global intelligence and collaborative experience. Fortunately, a dedicated community of security researchers, analysts, and threat-hunting teams works around the clock to monitor traffic, deploy honeypots, and pinpoint malicious infrastructure. The result of their labor is the continuous release of curated blocklists targeting compromised domains, URLs, and most crucially, toxic IP addresses.
In this project, our primary focus is strictly on IP addresses.
Integrating robust, community-driven IP blocklists at the outermost edge of your firewall is a foundational pillar of modern internet security. This proactive strategy functions as a form of digital herd immunity β allowing us to leverage the community's collective telemetry to preemptively drop traffic from known fraudsters, automated scanners, and exploit kits before they ever touch our internal services.
Why aggregate this intelligence on GitHub?
The decision to centralize these diverse threat feeds into a single GitHub repository is driven by three core engineering advantages:
Frictionless Availability and Open Source Ethos: These lists are compiled by teams dedicated to improving global internet security and are freely distributed across the web. Aggregating them here creates a reliable, single source of truth. (Disclaimer: While these feeds are publicly available, some may carry specific licensing constraints. Always verify the upstream policies of the original creators before deploying them in commercial environments).Streamlined Automation: Manually parsing and updating dozens of disparate threat feeds is a logistical nightmare. GitHub provides an elegant, unified distribution mechanism. By simply configuring a scheduledgit pull(e.g., via a cron job) on your edge devices, routers, or servers, you can instantly synchronize your entire infrastructure with the latest global threat intelligence in one command.Transparent Version Control and Auditing: Git is the ultimate tool for tracking data over time. Hosting these lists here provides a granular, auditable history of the shifting threat landscape. Network administrators can effortlessly track the delta between commits, allowing them to see exactly when a specific IP or subnet was flagged as malicious and precisely when it was remediated and removed from the list.
While integrating automated threat intelligence is highly effective, it requires strategic and deliberate implementation. Blindly dropping traffic based on external blocklists carries inherent operational risks. A misconfigured firewall rule can easily trigger a self-inflicted Denial of Service (DoS), inadvertently locking out legitimate users or critical business customers or even severing your own administrative access to the infrastructure.
Please deploy these feeds responsibly by adhering to the following core principles:
-
Before integrating any external feed into a production environment, take the time to visit the original maintainer's website. Understand their detection methodology, false-positive mitigation strategies, and data retention policies. By feeding their IP lists directly into your routing logic, you are implicitly trusting their operational accuracy. Know exactly who you are trusting to protect your perimeter.
-
Generating and maintaining high-fidelity threat intelligence requires immense computational resources, bandwidth, and human effort. Many of these dedicated research teams rely on community backing to sustain their operations. If you derive value from their data, consider supporting them through their donation models or upgrading to their premium, commercial-grade feeds to ensure the continued quality and longevity of their work.
-
Threat blocklists must be strictly applied at the absolute perimeter β specifically, the internet-facing WAN interface of your firewall. Exercise extreme caution regarding placement. Certain feeds intentionally include unroutable, private IP spaces (e.g., RFC 1918 addresses). If you mistakenly apply these specific blocklists to your internal interfaces (LAN, DMZ, or management VLANs), you will immediately blackhole your internal routing and irrevocably lock yourself out of your own hardware.
-
A proactive security posture must always be paired with a reliable failsafe. You must maintain a robust, static whitelist containing the IP addresses and CIDR subnets of your trusted infrastructure, essential business partners, and administrative endpoints. Your firewall hierarchy must be engineered so that explicit "Allow" rules strictly override any external blocklist logic.
Note
To mitigate these risks, FireWALL-E has been engineered with built-in safeguards. The script natively parses our predefined whitelist file and strips those trusted IPs from all downloaded threat feeds before the final blocklists are generated and committed. This guarantees that your critical assets remain inherently immune to upstream false positives.
Selecting the appropriate threat intelligence feeds requires carefully balancing your organization's risk tolerance with operational availability. Blindly applying every available blocklist will inevitably lead to severe service disruption and false positives. Instead, adopt a layered, Zero Trust-aligned defense strategy.
Your baseline protection should begin at the absolute edge of your network with foundational, zero-tolerance intelligence. These high-fidelity feeds typically target globally recognized cybercrime syndicates, malware command-and-control infrastructure, and unroutable IP spaces. Because their false-positive rate is near zero, they are ideal for silently dropping toxic traffic at core routers before it consumes firewall state-table resources. Moving deeper into the perimeter, this baseline should be augmented with dynamic threat mitigation feeds that track active brute-force campaigns, credential-stuffing bots, and automated scanners. While these secondary blocklists are highly effective at shielding exposed administrative interfaces or application firewalls, they carry a slight risk of catching legitimate users due to dynamic IP churn, necessitating a robust whitelist and continuous log monitoring.
Beyond baseline protection, the deployment of more aggressive or context-dependent intelligence relies entirely on your specific business model. Threat actors heavily exploit public, unauthenticated infrastructure β such as open proxies and anonymization networks β to mask their origins and bypass rate limits. If you operate an enterprise authentication gateway or a financial platform where verifying true geographic origins is critical for fraud prevention, aggressively blackholing these obfuscation nodes is a highly effective tactic to strip attackers of their camouflage. However, applying these anonymity-control lists, along with crowdsourced heuristic feeds that flag generic spam or aggressive web scraping, requires extreme caution. In environments supporting privacy-conscious users or general public access, such strict rules will inevitably disrupt legitimate traffic and are often better utilized for enriching SIEM telemetry or protecting isolated honeypots rather than triggering automated connection drops.
To be explicitly clear, the open proxy lists are not aggregated here to facilitate proxy shopping or anonymization routing.
If you analyze the underlying data and cross-reference open proxy feeds with active threat intelligence (such as blocklist_de or stopforumspam), you will immediately notice a massive intersection.
This critical overlap proves a well-known operational tactic: Threat actors heavily rely on public, unauthenticated open proxies to obfuscate their true origins while executing distributed attacks.
By proactively blackholing known anonymization infrastructure, you are effectively stripping attackers of their camouflage. If your systems fall under an active, distributed attack, preemptively blocking these open proxy networks can instantly neutralize a vast portion of the malicious traffic.
The following list was automatically generated on Wed Jun 10 06:52:13 UTC 2026.
The update frequency is the maximum allowed by internal configuration. A list will never be downloaded sooner than the update frequency stated. A list may also not be downloaded, after this frequency expired, if it has not been modified on the server (as reported by HTTP IF_MODIFIED_SINCE method).
| name | info | type | entries | update |
|---|---|---|---|---|
| abuseipdb_1d | AbuseIPDB aggregated blocklist of IPs with ~100% abuse confidence score, reported in the last 1 day. Aggregated by borestad. | ipv4 hash:ip | 71818 unique IPs | updated every 1 day from this link |
| abuseipdb_30d | AbuseIPDB aggregated blocklist of IPs with ~100% abuse confidence score, reported in the last 30 days. Aggregated by borestad. | ipv4 hash:ip | 133768 unique IPs | updated every 1 day from this link |
| alienvault_reputation | AlienVault.com IP reputation database | ipv4 hash:ip | 609 unique IPs | updated every 6 hours from this link |
| bds_atif | Binary Defense Artillery Threat Intelligence Feed (ATIF). IPs detected by the Artillery honeypot/monitoring platform. | ipv4 hash:ip | 4016 unique IPs | updated every 1 day from this link |
| blocklist_de | Blocklist.de IPs that have been detected by fail2ban in the last 48 hours | ipv4 hash:ip | 24788 unique IPs | updated every 15 mins from this link |
| blocklist_de_apache | Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks. | ipv4 hash:ip | 8979 unique IPs | updated every 15 mins from this link |
| blocklist_de_bots | Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = it has posted a Spam-Comment on a open Forum or Wiki). | ipv4 hash:ip | 2577 unique IPs | updated every 15 mins from this link |
| blocklist_de_bruteforce | Blocklist.de All IPs which attacks Joomla, Wordpress and other Web-Logins with Brute-Force Logins. | ipv4 hash:ip | 809 unique IPs | updated every 15 mins from this link |
| blocklist_de_ftp | Blocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP. | ipv4 hash:ip | 285 unique IPs | updated every 15 mins from this link |
| blocklist_de_imap | Blocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3, etc. | ipv4 hash:ip | 3712 unique IPs | updated every 15 mins from this link |
| blocklist_de_mail | Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix. | ipv4 hash:ip | 13427 unique IPs | updated every 15 mins from this link |
| blocklist_de_sip | Blocklist.de All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from infiltrated.net | ipv4 hash:ip | 36 unique IPs | updated every 15 mins from this link |
| blocklist_de_ssh | Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH. | ipv4 hash:ip | 7446 unique IPs | updated every 15 mins from this link |
| blocklist_de_strongips | Blocklist.de All IPs which are older then 2 month and have more then 5.000 attacks. | ipv4 hash:ip | 336 unique IPs | updated every 15 mins from this link |
| blocklist_net_ua | blocklist.net.ua The BlockList project was created to become protection against negative influence of the harmful and potentially dangerous events on the Internet. First of all this service will help internet and hosting providers to protect subscribers sites from being hacked. BlockList will help to stop receiving a large amount of spam from dubious SMTP relays or from attempts of brute force passwords to servers and network equipment. | ipv4 hash:ip | 93904 unique IPs | updated every 10 mins from this link |
| botscout | BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. | ipv4 hash:ip | 25 unique IPs | updated every 30 mins from this link |
| botscout_1d | BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. | ipv4 hash:ip | 25 unique IPs | updated every 30 mins from this link |
| botscout_30d | BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. | ipv4 hash:ip | 567 unique IPs | updated every 30 mins from this link |
| botscout_7d | BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. | ipv4 hash:ip | 189 unique IPs | updated every 30 mins from this link |
| botvrij_dst | botvrij.eu Indicators of Compromise (IOCS) about malicious destination IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed. | ipv4 hash:ip | 4 unique IPs | updated every 1 day from this link |
| botvrij_src | botvrij.eu Indicators of Compromise (IOCS) about malicious source IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed. | ipv4 hash:ip | 0 unique IPs | updated every 1 day from this link |
| bruteforceblocker | danger.rulez.sk bruteforceblocker (fail2ban alternative for SSH on OpenBSD). This is an automatically generated list from users reporting failed authentication attempts. An IP seems to be included if 3 or more users report it. Its retention pocily seems 30 days. | ipv4 hash:ip | 524 unique IPs | updated every 3 hours from this link |
| c2intel_30d | C2IntelFeeds 30-day verified Command & Control (C2) IPs. | ipv4 hash:ip | 295 unique IPs | updated every 1 day from this link |
| c2intel_unverified | C2IntelFeeds Unverified Command & Control (C2) IPs. | ipv4 hash:ip | 2528 unique IPs | updated every 1 day from this link |
| ciarmy | CIArmy.com IPs with poor Rogue Packet score that have not yet been identified as malicious by the community | ipv4 hash:ip | 15000 unique IPs | updated every 3 hours from this link |
| cleantalk | CleanTalk Today's HTTP Spammers (includes: cleantalk_new cleantalk_updated) | ipv4 hash:ip | 495 unique IPs | updated every 1 min |
| cleantalk_1d | CleanTalk Today's HTTP Spammers (includes: cleantalk_new_1d cleantalk_updated_1d) | ipv4 hash:ip | 489 unique IPs | updated every 1 min |
| cleantalk_30d | CleanTalk Today's HTTP Spammers (includes: cleantalk_new_30d cleantalk_updated_30d) | ipv4 hash:ip | 7327 unique IPs | updated every 1 min |
| cleantalk_7d | CleanTalk Today's HTTP Spammers (includes: cleantalk_new_7d cleantalk_updated_7d) | ipv4 hash:ip | 1910 unique IPs | updated every 1 min |
| cleantalk_new | CleanTalk Recent HTTP Spammers | ipv4 hash:ip | 250 unique IPs | updated every 15 mins from this link |
| cleantalk_new_1d | CleanTalk Recent HTTP Spammers | ipv4 hash:ip | 250 unique IPs | updated every 15 mins from this link |
| cleantalk_new_30d | CleanTalk Recent HTTP Spammers | ipv4 hash:ip | 4531 unique IPs | updated every 15 mins from this link |
| cleantalk_new_7d | CleanTalk Recent HTTP Spammers | ipv4 hash:ip | 1000 unique IPs | updated every 15 mins from this link |
| cleantalk_top20 | CleanTalk Top 20 HTTP Spammers | ipv4 hash:ip | 20 unique IPs | updated every 1 day from this link |
| cleantalk_updated | CleanTalk Recurring HTTP Spammers | ipv4 hash:ip | 250 unique IPs | updated every 15 mins from this link |
| cleantalk_updated_1d | CleanTalk Recurring HTTP Spammers | ipv4 hash:ip | 250 unique IPs | updated every 15 mins from this link |
| cleantalk_updated_30d | CleanTalk Recurring HTTP Spammers | ipv4 hash:ip | 3123 unique IPs | updated every 15 mins from this link |
| cleantalk_updated_7d | CleanTalk Recurring HTTP Spammers | ipv4 hash:ip | 966 unique IPs | updated every 15 mins from this link |
| cps_abusech | CriticalPathSecurity Abuse.ch IP blocklist feed. | ipv4 hash:ip | 5 unique IPs | updated every 1 hour from this link |
| cps_log4j | CriticalPathSecurity Log4j scanners and exploiters. | ipv4 hash:ip | 25292 unique IPs | updated every 1 hour from this link |
| cta_cryptowall | Cyber Threat Alliance CryptoWall is one of the most lucrative and broad-reaching ransomware campaigns affecting Internet users today. Sharing intelligence and analysis resources, the CTA profiled the latest version of CryptoWall, which impacted hundreds of thousands of users, resulting in over US $325 million in damages worldwide. | ipv4 hash:ip | 1360 unique IPs | updated every 1 day from this link |
| cybercrime | CyberCrime A project tracking Command and Control. | ipv4 hash:ip | 347 unique IPs | updated every 12 hours from this link |
| dataplane_dnsrd | DataPlane.org IP addresses that have been identified as sending recursive DNS queries to a remote host. This report lists addresses that may be cataloging open DNS resolvers or evaluating cache entries. | ipv4 hash:ip | 7680 unique IPs | updated every 1 hour from this link |
| dataplane_dnsrdany | DataPlane.org IP addresses that have been identified as sending recursive DNS IN ANY queries to a remote host. This report lists addresses that may be cataloging open DNS resolvers for the purpose of later using them to facilitate DNS amplification and reflection attacks. | ipv4 hash:ip | 312 unique IPs | updated every 1 hour from this link |
| dataplane_dnsversion | DataPlane.org IP addresses that have been identified as sending DNS CH TXT VERSION.BIND queries to a remote host. This report lists addresses that may be cataloging DNS software. | ipv4 hash:ip | 6319 unique IPs | updated every 1 hour from this link |
| dataplane_sipinvitation | DataPlane.org IP addresses that have been seen initiating a SIP INVITE operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP client cataloging or conducting various forms of telephony abuse. | ipv4 hash:ip | 82 unique IPs | updated every 1 hour from this link |
| dataplane_sipquery | DataPlane.org IP addresses that has been seen initiating a SIP OPTIONS query to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP server cataloging or conducting various forms of telephony abuse. | ipv4 hash:ip | 4768 unique IPs | updated every 1 hour from this link |
| dataplane_sipregistration | DataPlane.org IP addresses that have been seen initiating a SIP REGISTER operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP client cataloging or conducting various forms of telephony abuse. | ipv4 hash:ip | 282 unique IPs | updated every 1 hour from this link |
| dataplane_sshclient | DataPlane.org IP addresses that has been seen initiating an SSH connection to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SSH server cataloging or conducting authentication attack attempts. | ipv4 hash:ip | 22210 unique IPs | updated every 1 hour from this link |
| dataplane_sshpwauth | DataPlane.org IP addresses that has been seen attempting to remotely login to a host using SSH password authentication. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks. | ipv4 hash:ip | 12069 unique IPs | updated every 1 hour from this link |
| dataplane_vncrfb | DataPlane.org IP addresses that have been seen initiating a VNC remote frame buffer (RFB) session to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be VNC server cataloging or conducting various forms of remote access abuse. | ipv4 hash:ip | 2341 unique IPs | updated every 1 hour from this link |
| dbip_country | DB-IP.com geolocation database | ipv4 hash:net | All the world | updated every 30 days from this link |
| dm_tor | dan.me.uk dynamic list of TOR nodes | ipv4 hash:ip | 7476 unique IPs | updated every 30 mins from this link |
| dshield | DShield.org top 20 attacking class C (/24) subnets over the last three days | ipv4 hash:net | 20 subnets, 5120 unique IPs | updated every 10 mins from this link |
| dshield_1d | DShield.org top 20 attacking class C (/24) subnets over the last three days | ipv4 hash:net | 20 subnets, 5120 unique IPs | updated every 10 mins from this link |
| dshield_30d | DShield.org top 20 attacking class C (/24) subnets over the last three days | ipv4 hash:net | 63 subnets, 16896 unique IPs | updated every 10 mins from this link |
| dshield_7d | DShield.org top 20 attacking class C (/24) subnets over the last three days | ipv4 hash:net | 41 subnets, 10496 unique IPs | updated every 10 mins from this link |
| et_block | EmergingThreats.net default blacklist (at the time of writing includes spamhaus DROP, dshield and abuse.ch trackers, which are available separately too - prefer to use the direct ipsets instead of this, they seem to lag a bit in updates) | ipv4 hash:net | 1384 subnets, 14721541 unique IPs | updated every 12 hours from this link |
| et_compromised | EmergingThreats.net compromised hosts | ipv4 hash:ip | 525 unique IPs | updated every 12 hours from this link |
| et_dshield | EmergingThreats.net dshield blocklist | ipv4 hash:net | 20 subnets, 5120 unique IPs | updated every 12 hours from this link |
| et_spamhaus | EmergingThreats.net spamhaus blocklist | ipv4 hash:net | 1362 subnets, 14717184 unique IPs | updated every 12 hours from this link |
| et_tor | EmergingThreats.net TOR list of TOR network IPs | ipv4 hash:ip | 7510 unique IPs | updated every 12 hours from this link |
| feodo | Abuse.ch Feodo tracker trojan includes IPs which are being used by Feodo (also known as Cridex or Bugat) which commits ebanking fraud | ipv4 hash:ip | 1 unique IPs | updated every 30 mins from this link |
| feodo_aggressive | Abuse.ch Feodo tracker Aggressive IP blocklist. | ipv4 hash:ip | 7607 unique IPs | updated every 30 mins from this link |
| feodo_badips | Abuse.ch Feodo tracker BadIPs The Feodo Tracker Feodo BadIP Blocklist only contains IP addresses (IPv4) used as C&C communication channel by the Feodo Trojan version B. These IP addresses are usually servers rented by cybercriminals directly and used for the exclusive purpose of hosting a Feodo C&C server. Hence you should expect no legit traffic to those IP addresses. The site highly recommends you to block/drop any traffic towards any Feodo C&C using the Feodo BadIP Blocklist. Please consider that this blocklist only contains IP addresses used by version B of the Feodo Trojan. C&C communication channels used by version A, version C and version D are not covered by this blocklist. | ipv4 hash:ip | 5 unique IPs | updated every 30 mins from this link |
| geolite2_country | MaxMind GeoLite2 databases are free IP geolocation databases comparable to, but less accurate than, MaxMindβs GeoIP2 databases. They include IPs per country, IPs per continent, IPs used by anonymous services (VPNs, Proxies, etc) and Satellite Providers. | ipv4 hash:net | All the world | updated every 7 days from this link |
| gpf_comics | The GPF DNS Block List is a list of IP addresses on the Internet that have attacked the GPF Comics family of Web sites. IPs on this block list have been banned from accessing all of our servers because they were caught in the act of spamming, attempting to exploit our scripts, scanning for vulnerabilities, or consuming resources to the detriment of our human visitors. | ipv4 hash:ip | 2095 unique IPs | updated every 1 day from this link |
| graphiclineweb | GraphiclineWeb The IPβs, Hosts and Domains listed in this table are banned universally from accessing websites controlled by the maintainer. Some form of bad activity has been seen from the addresses listed. Bad activity includes: unwanted spiders, rule breakers, comment spammers, trackback spammers, spambots, hacker bots, registration bots and other scripting attackers, harvesters, nuisance spiders, spy bots and organizations spying on websites for commercial reasons. | ipv4 hash:net | 2565 subnets, 330527 unique IPs | updated every 1 day from this link |
| greensnow | GreenSnow is a team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc. | ipv4 hash:ip | 5586 unique IPs | updated every 30 mins from this link |
| iblocklist_abuse_palevo | palevotracker.abuse.ch IP blocklist. | ipv4 hash:net | 12 subnets, 12 unique IPs | updated every 12 hours from this link |
| iblocklist_abuse_spyeye | spyeyetracker.abuse.ch IP blocklist. | ipv4 hash:net | 83 subnets, 84 unique IPs | updated every 12 hours from this link |
| iblocklist_ads | Advertising trackers and a short list of bad/intrusive porn sites. | ipv4 hash:net | 3117 subnets, 888416 unique IPs | updated every 12 hours from this link |
| iblocklist_ciarmy_malicious | ciarmy.com IP blocklist. Based on information from a network of Sentinel devices deployed around the world, they compile a list of known bad IP addresses. Sentinel devices are uniquely positioned to pick up traffic from bad guys without requiring any type of signature-based or rate-based identification. If an IP is identified in this way by a significant number of Sentinels, the IP is malicious and should be blocked. | ipv4 hash:net | 12609 subnets, 15000 unique IPs | updated every 12 hours from this link |
| iblocklist_cruzit_web_attacks | CruzIT IP list with individual IP addresses of compromised machines scanning for vulnerabilities and DDOS attacks. | ipv4 hash:net | 13892 subnets, 14397 unique IPs | updated every 12 hours from this link |
| iblocklist_dshield | known Hackers and such people. | ipv4 hash:net | 16 subnets, 2566 unique IPs | updated every 12 hours from this link |
| iblocklist_edu | IPs used by Educational Institutions. | ipv4 hash:net | 36780 subnets, 227856044 unique IPs | updated every 12 hours from this link |
| iblocklist_exclusions | Exclusions. | ipv4 hash:net | 273 subnets, 7488 unique IPs | updated every 12 hours from this link |
| iblocklist_fornonlancomputers | IP blocklist for non-LAN computers. | ipv4 hash:net | 4 subnets, 302055424 unique IPs | updated every 12 hours from this link |
| iblocklist_forumspam | Forum spam. | ipv4 hash:net | 444 subnets, 479 unique IPs | updated every 12 hours from this link |
| iblocklist_hijacked | Hijacked IP-Blocks. Contains hijacked IP-Blocks and known IP-Blocks that are used to deliver Spam. This list is a combination of lists with hijacked IP-Blocks. Hijacked IP space are IP blocks that are being used without permission by organizations that have no relation to original organization (or its legal successor) that received the IP block. In essence it's stealing of somebody else's IP resources. | ipv4 hash:net | 473 subnets, 8736512 unique IPs | updated every 12 hours from this link |
| iblocklist_iana_multicast | IANA Multicast IPs. | ipv4 hash:net | 1 subnets, 268435456 unique IPs | updated every 12 hours from this link |
| iblocklist_iana_private | IANA Private IPs. | ipv4 hash:net | 13 subnets, 51643646 unique IPs | updated every 12 hours from this link |
| iblocklist_iana_reserved | IANA Reserved IPs. | ipv4 hash:net | 1 subnets, 536870912 unique IPs | updated every 12 hours from this link |
| iblocklist_isp_aol | AOL IPs. | ipv4 hash:net | 13 subnets, 6627584 unique IPs | updated every 1 day from this link |
| iblocklist_isp_att | AT&T IPs. | ipv4 hash:net | 30 subnets, 55845128 unique IPs | updated every 1 day from this link |
| iblocklist_isp_cablevision | Cablevision IPs. | ipv4 hash:net | 11 subnets, 1787136 unique IPs | updated every 1 day from this link |
| iblocklist_isp_charter | Charter IPs. | ipv4 hash:net | 19 subnets, 6138112 unique IPs | updated every 1 day from this link |
| iblocklist_isp_comcast | Comcast IPs. | ipv4 hash:net | 26 subnets, 45121536 unique IPs | updated every 1 day from this link |
| iblocklist_isp_cox | Cox Communications IPs. | ipv4 hash:net | 7 subnets, 8423424 unique IPs | updated every 1 day from this link |
| iblocklist_isp_embarq | Embarq IPs. | ipv4 hash:net | 14 subnets, 2703360 unique IPs | updated every 1 day from this link |
| iblocklist_isp_qwest | Qwest IPs. | ipv4 hash:net | 58 subnets, 15777552 unique IPs | updated every 1 day from this link |
| iblocklist_isp_sprint | Sprint IPs. | ipv4 hash:net | 66 subnets, 6310570 unique IPs | updated every 1 day from this link |
| iblocklist_isp_suddenlink | Suddenlink IPs. | ipv4 hash:net | 2 subnets, 458752 unique IPs | updated every 1 day from this link |
| iblocklist_isp_twc | Time Warner Cable IPs. | ipv4 hash:net | 36 subnets, 15015936 unique IPs | updated every 1 day from this link |
| iblocklist_isp_verizon | Verizon IPs. | ipv4 hash:net | 13 subnets, 18087936 unique IPs | updated every 1 day from this link |
| iblocklist_level1 | Level 1 (for use in p2p): Companies or organizations who are clearly involved with trying to stop filesharing (e.g. Baytsp, MediaDefender, Mediasentry). Companies which anti-p2p activity has been seen from. Companies that produce or have a strong financial interest in copyrighted material (e.g. music, movie, software industries a.o.). Government ranges or companies that have a strong financial interest in doing work for governments. Legal industry ranges. IPs or ranges of ISPs from which anti-p2p activity has been observed. Basically this list will block all kinds of internet connections that most people would rather not have during their internet travels. | ipv4 hash:net | 207198 subnets, 725210343 unique IPs | updated every 12 hours from this link |
| iblocklist_level2 | Level 2 (for use in p2p). General corporate ranges. Ranges used by labs or researchers. Proxies. | ipv4 hash:net | 69674 subnets, 337916979 unique IPs | updated every 12 hours from this link |
| iblocklist_level3 | Level 3 (for use in p2p). Many portal-type websites. ISP ranges that may be dodgy for some reason. Ranges that belong to an individual, but which have not been determined to be used by a particular company. Ranges for things that are unusual in some way. The L3 list is aka the paranoid list. | ipv4 hash:net | 16932 subnets, 137059731 unique IPs | updated every 12 hours from this link |
| iblocklist_malc0de | malc0de.com IP blocklist. Addresses that have been identified distributing malware during the past 30 days. | ipv4 hash:net | 21 subnets, 21 unique IPs | updated every 12 hours from this link |
| iblocklist_onion_router | The Onion Router IP addresses. | ipv4 hash:net | 699 subnets, 1259 unique IPs | updated every 12 hours from this link |
| iblocklist_org_activision | Activision IPs. | ipv4 hash:net | 47 subnets, 4902 unique IPs | updated every 1 day from this link |
| iblocklist_org_apple | Apple IPs. | ipv4 hash:net | 1 subnets, 16777216 unique IPs | updated every 1 day from this link |
| iblocklist_org_blizzard | Blizzard IPs. | ipv4 hash:net | 5 subnets, 16795139 unique IPs | updated every 1 day from this link |
| iblocklist_org_crowd_control | Crowd Control Productions IPs. | ipv4 hash:net | 2 subnets, 768 unique IPs | updated every 1 day from this link |
| iblocklist_org_electronic_arts | Electronic Arts IPs. | ipv4 hash:net | 39 subnets, 69720 unique IPs | updated every 1 day from this link |
| iblocklist_org_joost | Joost IPs. | ipv4 hash:net | 4 subnets, 16779456 unique IPs | updated every 1 day from this link |
| iblocklist_org_linden_lab | Linden Lab IPs. | ipv4 hash:net | 11 subnets, 23600 unique IPs | updated every 1 day from this link |
| iblocklist_org_logmein | LogMeIn IPs. | ipv4 hash:net | 13 subnets, 16781568 unique IPs | updated every 1 day from this link |
| iblocklist_org_microsoft | Microsoft IP ranges. | ipv4 hash:net | 832 subnets, 1848599 unique IPs | updated every 12 hours from this link |
| iblocklist_org_ncsoft | NCsoft IPs. | ipv4 hash:net | 5 subnets, 12560 unique IPs | updated every 1 day from this link |
| iblocklist_org_nintendo | Nintendo IPs. | ipv4 hash:net | 42 subnets, 3927 unique IPs | updated every 1 day from this link |
| iblocklist_org_pandora | Pandora IPs. | ipv4 hash:net | 1 subnets, 2048 unique IPs | updated every 1 day from this link |
| iblocklist_org_pirate_bay | The Pirate Bay IPs. | ipv4 hash:net | 5 subnets, 323 unique IPs | updated every 1 day from this link |
| iblocklist_org_punkbuster | Punkbuster IPs. | ipv4 hash:net | 1 subnets, 1 unique IPs | updated every 1 day from this link |
| iblocklist_org_riot_games | Riot Games IPs. | ipv4 hash:net | 6 subnets, 1792 unique IPs | updated every 1 day from this link |
| iblocklist_org_sony_online | Sony Online Entertainment IPs. | ipv4 hash:net | 7 subnets, 24616 unique IPs | updated every 1 day from this link |
| iblocklist_org_square_enix | Square Enix IPs. | ipv4 hash:net | 2 subnets, 4112 unique IPs | updated every 1 day from this link |
| iblocklist_org_steam | Steam IPs. | ipv4 hash:net | 51 subnets, 596448 unique IPs | updated every 1 day from this link |
| iblocklist_org_ubisoft | Ubisoft IPs. | ipv4 hash:net | 10 subnets, 5308 unique IPs | updated every 1 day from this link |
| iblocklist_org_xfire | XFire IPs. | ipv4 hash:net | 3 subnets, 3328 unique IPs | updated every 1 day from this link |
| iblocklist_pedophiles | IP ranges of people who we have found to be sharing child pornography in the p2p community. | ipv4 hash:net | 25182 subnets, 847889 unique IPs | updated every 12 hours from this link |
| iblocklist_proxies | Open Proxies IPs list (without TOR) | ipv4 hash:ip | 672 unique IPs | updated every 12 hours from this link |
| iblocklist_rangetest | Suspicious IPs that are under investigation. | ipv4 hash:net | 283 subnets, 4280758 unique IPs | updated every 12 hours from this link |
| iblocklist_spamhaus_drop | Spamhaus.org DROP (Don't Route Or Peer) list. | ipv4 hash:net | 796 subnets, 17338368 unique IPs | updated every 12 hours from this link |
| iblocklist_spider | IP list intended to be used by webmasters to block hostile spiders from their web sites. | ipv4 hash:net | 639 subnets, 846788 unique IPs | updated every 12 hours from this link |
| iblocklist_spyware | Known malicious SPYWARE and ADWARE IP Address ranges. It is compiled from various sources, including other available spyware blacklists, HOSTS files, from research found at many of the top anti-spyware forums, logs of spyware victims, etc. | ipv4 hash:net | 2975 subnets, 339309 unique IPs | updated every 12 hours from this link |
| iblocklist_webexploit | Web server hack and exploit attempts. IP addresses related to current web server hack and exploit attempts that have been logged or can be found in and cross referenced with other related IP databases. Malicious and other non search engine bots will also be listed here, along with anything found that can have a negative impact on a website or webserver such as proxies being used for negative SEO hijacks, unauthorised site mirroring, harvesting, scraping, snooping and data mining / spy bot / security & copyright enforcement companies that target and continuously scan webservers. | ipv4 hash:ip | 15382 unique IPs | updated every 12 hours from this link |
| iblocklist_yoyo_adservers | pgl.yoyo.org ad servers | ipv4 hash:net | 6816 subnets, 8862 unique IPs | updated every 12 hours from this link |
| ipdeny_country | IPDeny.com geolocation database | ipv4 hash:net | All the world | updated every 1 day from this link |
| ipsum | IPsum threat intelligence feed of IPs appearing on at least 1 blacklist. Based on analysis of 30+ publicly available blacklists updated daily. This is the full list with the most entries and the highest false positive rate. | ipv4 hash:ip | 124567 unique IPs | updated every 1 day from this link |
| ipsum_2 | IPsum threat intelligence feed of IPs appearing on at least 2 blacklists. Based on analysis of 30+ publicly available blacklists updated daily. | ipv4 hash:ip | 38315 unique IPs | updated every 1 day from this link |
| ipsum_3 | IPsum threat intelligence feed of IPs appearing on at least 3 blacklists. Based on analysis of 30+ publicly available blacklists updated daily. This is the recommended level for most use cases. | ipv4 hash:ip | 18293 unique IPs | updated every 1 day from this link |
| ipsum_4 | IPsum threat intelligence feed of IPs appearing on at least 4 blacklists. Based on analysis of 30+ publicly available blacklists updated daily. | ipv4 hash:ip | 8804 unique IPs | updated every 1 day from this link |
| ipsum_5 | IPsum threat intelligence feed of IPs appearing on at least 5 blacklists. Based on analysis of 30+ publicly available blacklists updated daily. | ipv4 hash:ip | 3731 unique IPs | updated every 1 day from this link |
| ipsum_6 | IPsum threat intelligence feed of IPs appearing on at least 6 blacklists. Based on analysis of 30+ publicly available blacklists updated daily. | ipv4 hash:ip | 768 unique IPs | updated every 1 day from this link |
| ipsum_7 | IPsum threat intelligence feed of IPs appearing on at least 7 blacklists. Based on analysis of 30+ publicly available blacklists updated daily. | ipv4 hash:ip | 123 unique IPs | updated every 1 day from this link |
| ipsum_8 | IPsum threat intelligence feed of IPs appearing on at least 8 blacklists. Based on analysis of 30+ publicly available blacklists updated daily. This is the most conservative level with the highest confidence and fewest entries. | ipv4 hash:ip | 25 unique IPs | updated every 1 day from this link |
| maltrail_scanners | MalTrail list of known mass-Internet scanners. These IPs are known to perform large-scale scanning across the Internet. | ipv4 hash:ip | 16854 unique IPs | updated every 1 day from this link |
| myip | myip.ms IPs identified as web bots in the last 10 days, using several sites that require human action | ipv4 hash:ip | 1707 unique IPs | updated every 1 day from this link |
| myip_full | myip.ms Full Blacklist Database. | ipv4 hash:ip | 191310 unique IPs | updated every 1 day from this link |
| ngosang_trackers | Ngosang BitTorrent Trackers IP list. | ipv4 hash:ip | 42 unique IPs | updated every 1 day from this link |
| opsxcq_proxy | Opsxcq Open Proxy list. | ipv4 hash:ip | 320 unique IPs | updated every 12 hours from this link |
| php_bad | projecthoneypot.org bad web hosts (this list is composed using an RSS feed) | ipv4 hash:ip | 48 unique IPs | updated every 1 hour from this link |
| php_bad_1d | projecthoneypot.org bad web hosts (this list is composed using an RSS feed) | ipv4 hash:ip | 48 unique IPs | updated every 1 hour from this link |
| php_bad_30d | projecthoneypot.org bad web hosts (this list is composed using an RSS feed) | ipv4 hash:ip | 1212 unique IPs | updated every 1 hour from this link |
| php_bad_7d | projecthoneypot.org bad web hosts (this list is composed using an RSS feed) | ipv4 hash:ip | 330 unique IPs | updated every 1 hour from this link |
| php_commenters | projecthoneypot.org comment spammers (this list is composed using an RSS feed) | ipv4 hash:ip | 49 unique IPs | updated every 1 hour from this link |
| php_commenters_1d | projecthoneypot.org comment spammers (this list is composed using an RSS feed) | ipv4 hash:ip | 49 unique IPs | updated every 1 hour from this link |
| php_commenters_30d | projecthoneypot.org comment spammers (this list is composed using an RSS feed) | ipv4 hash:ip | 1124 unique IPs | updated every 1 hour from this link |
| php_commenters_7d | projecthoneypot.org comment spammers (this list is composed using an RSS feed) | ipv4 hash:ip | 320 unique IPs | updated every 1 hour from this link |
| php_dictionary | projecthoneypot.org directory attackers (this list is composed using an RSS feed) | ipv4 hash:ip | 49 unique IPs | updated every 1 hour from this link |
| php_dictionary_1d | projecthoneypot.org directory attackers (this list is composed using an RSS feed) | ipv4 hash:ip | 49 unique IPs | updated every 1 hour from this link |
| php_dictionary_30d | projecthoneypot.org directory attackers (this list is composed using an RSS feed) | ipv4 hash:ip | 936 unique IPs | updated every 1 hour from this link |
| php_dictionary_7d | projecthoneypot.org directory attackers (this list is composed using an RSS feed) | ipv4 hash:ip | 278 unique IPs | updated every 1 hour from this link |
| php_harvesters | projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) | ipv4 hash:ip | 50 unique IPs | updated every 1 hour from this link |
| php_harvesters_1d | projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) | ipv4 hash:ip | 50 unique IPs | updated every 1 hour from this link |
| php_harvesters_30d | projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) | ipv4 hash:ip | 265 unique IPs | updated every 1 hour from this link |
| php_harvesters_7d | projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) | ipv4 hash:ip | 89 unique IPs | updated every 1 hour from this link |
| php_spammers | projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) | ipv4 hash:ip | 47 unique IPs | updated every 1 hour from this link |
| php_spammers_1d | projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) | ipv4 hash:ip | 47 unique IPs | updated every 1 hour from this link |
| php_spammers_30d | projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) | ipv4 hash:ip | 1147 unique IPs | updated every 1 hour from this link |
| php_spammers_7d | projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) | ipv4 hash:ip | 319 unique IPs | updated every 1 hour from this link |
| r2_drop2_scanners | [R2-Drop2] Distributed honeypot telemetry capturing active Internet scanning bots and malicious reconnaissance probes. | ipv4 hash:ip | 40771 unique IPs | updated every 12 hours from this link |
| sblam | sblam.com IPs used by web form spammers, during the last month | ipv4 hash:ip | 1020 unique IPs | updated every 1 day from this link |
| secops_tor_exits | SecOps-Institute Tor Exit Nodes list. | ipv4 hash:ip | 1127 unique IPs | updated every 1 day from this link |
| secops_tor_nodes | SecOps-Institute Tor Nodes list. | ipv4 hash:ip | 5631 unique IPs | updated every 1 day from this link |
| snort_ip_blocklist | Snort.org Official Snort IP blocklist. | ipv4 hash:net | 1386 subnets, 1528 unique IPs | updated every 1 day from this link |
| socks_proxy | socks-proxy.net open SOCKS proxies | ipv4 hash:ip | 302 unique IPs | updated every 10 mins from this link |
| socks_proxy_1d | socks-proxy.net open SOCKS proxies | ipv4 hash:ip | 302 unique IPs | updated every 10 mins from this link |
| socks_proxy_30d | socks-proxy.net open SOCKS proxies | ipv4 hash:ip | 3011 unique IPs | updated every 10 mins from this link |
| socks_proxy_7d | socks-proxy.net open SOCKS proxies | ipv4 hash:ip | 1444 unique IPs | updated every 10 mins from this link |
| spamhaus_drop | Spamhaus.org DROP list (according to their site this list should be dropped at tier-1 ISPs globally) | ipv4 hash:net | 1395 subnets, 14756352 unique IPs | updated every 12 hours from this link |
| sslproxies | SSLProxies.org open SSL proxies | ipv4 hash:ip | 102 unique IPs | updated every 10 mins from this link |
| sslproxies_1d | SSLProxies.org open SSL proxies | ipv4 hash:ip | 102 unique IPs | updated every 10 mins from this link |
| sslproxies_30d | SSLProxies.org open SSL proxies | ipv4 hash:ip | 1276 unique IPs | updated every 10 mins from this link |
| sslproxies_7d | SSLProxies.org open SSL proxies | ipv4 hash:ip | 368 unique IPs | updated every 10 mins from this link |
| stopforumspam | StopForumSpam.com Banned IPs used by forum spammers | ipv4 hash:ip | 127624 unique IPs | updated every 1 day from this link |
| stopforumspam_180d | StopForumSpam.com IPs used by forum spammers (last 180 days) | ipv4 hash:ip | 234437 unique IPs | updated every 1 day from this link |
| stopforumspam_180d_all | StopForumSpam.com IPs used by forum spammers (last 180 days, ALL) | ipv4 hash:ip | 235810 unique IPs | updated every 1 day from this link |
| stopforumspam_1d | StopForumSpam.com IPs used by forum spammers in the last 24 hours | ipv4 hash:ip | 5124 unique IPs | updated every 1 hour from this link |
| stopforumspam_30d | StopForumSpam.com IPs used by forum spammers (last 30 days) | ipv4 hash:ip | 51644 unique IPs | updated every 1 day from this link |
| stopforumspam_365d | StopForumSpam.com IPs used by forum spammers (last 365 days) | ipv4 hash:ip | 509838 unique IPs | updated every 1 day from this link |
| stopforumspam_7d | StopForumSpam.com IPs used by forum spammers (last 7 days) | ipv4 hash:ip | 17946 unique IPs | updated every 1 day from this link |
| stopforumspam_90d | StopForumSpam.com IPs used by forum spammers (last 90 days) | ipv4 hash:ip | 126169 unique IPs | updated every 1 day from this link |
| stopforumspam_toxic | StopForumSpam.com Networks that have large amounts of spambots and are flagged as toxic. Toxic IP ranges are infrequently changed. | ipv4 hash:net | 31 subnets, 122988 unique IPs | updated every 1 day from this link |
| threatview_high_conf | Threatview.io High Confidence IP Threat Feed. | ipv4 hash:ip | 17635 unique IPs | updated every 1 hour from this link |
| tor_exits | TorProject.org list of all current TOR exit points (TorDNSEL) | ipv4 hash:ip | 1260 unique IPs | updated every 5 mins from this link |
| tor_exits_1d | TorProject.org list of all current TOR exit points (TorDNSEL) | ipv4 hash:ip | 1260 unique IPs | updated every 5 mins from this link |
| tor_exits_30d | TorProject.org list of all current TOR exit points (TorDNSEL) | ipv4 hash:ip | 1535 unique IPs | updated every 5 mins from this link |
| tor_exits_7d | TorProject.org list of all current TOR exit points (TorDNSEL) | ipv4 hash:ip | 1306 unique IPs | updated every 5 mins from this link |
| ultimate_hosts_ips0 | Ultimate Hosts Blacklist IPs. | ipv4 hash:ip | 144439 unique IPs | updated every 1 day from this link |
| urlhaus_recent | URLhaus Recent additions to URLhaus (URLs/IPs used for malware distribution). | ipv4 hash:ip | 4711 unique IPs | updated every 30 mins from this link |
| vxvault | VxVault The latest 100 additions of VxVault. | ipv4 hash:ip | 66 unique IPs | updated every 12 hours from this link |
| yoyo_adservers | Yoyo.org IPs of ad servers | ipv4 hash:ip | 8862 unique IPs | updated every 12 hours from this link |