Latest TweetsGreat post about the latest power grab: www.eff.org/deeplinks/2018/09/…
Perishable Press

2010 IP Blacklist

Over the course of each year, I blacklist a considerable number of individual IP addresses. Every day, Perishable Press is hit with countless numbers of spammers, scrapers, crackers and all sorts of other hapless turds. Weekly examinations of my site’s error logs enable me to filter through the chaff and cherry-pick only the most heinous, nefarious attackers for blacklisting. Minor offenses are generally dismissed, but the evil bastards that insist on wasting resources running redundant automated scripts are immediately investigated via IP lookup and denied access via simple htaccess directive:

<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 Deny from 123.456.789
</LIMIT>

Although many of the worst attacks happen in randomized, zombie-like fashion, I have found that individual IPs that are not blacklisted will return repeatedly until finally blocked. Yet, despite the short-term success enjoyed by denying access to the most malicious IPs, the long-term futility of such blacklisting reflects the temporary nature of this solution.

Update: Check out the new and improved 2013 IP Blacklist »

In other words, I have found that blocking individual IPs is useful only for limited periods of time. Thus, every year, I gather my code and flush the blacklist of all individually blocked IP addresses. I then start fresh, adding the worst villains to the list, blocking entire IP ranges if necessary, and referring to previous versions of my htaccess files to cross-check suspiciously familiar entities. Eventually, a new blacklist emerges and I share it at Perishable Press. Here is the current version for 2010..

2010 IP Blacklist, Featuring over 100 Blocked IPs

Here is my custom-built IP blacklist for 2010:

# 2010 IP BLACKLIST
<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 Deny from 208.120.202.98
 Deny from 208.64.202.134
 Deny from 217.218.166.14
 Deny from 173.65.81.35
 Deny from 77.21.46.241
 Deny from 82.166.163.
 Deny from 85.175.209.175
 Deny from 212.107.136.66
 Deny from 76.70.116.52
 Deny from 70.106.192.200
 Deny from 213.98.214.17
 Deny from 114.58.253.56
 Deny from 70.27.145.208
 Deny from 208.99.193.10
 Deny from 58.243.5.216
 Deny from 146.115.72.39
 Deny from 219.136.130.241
 Deny from 65.208.151.
 Deny from 222.73.173.11
 Deny from 65.55.106.
 Deny from 72.206.102.189
 Deny from 99.159.41.74
 Deny from 188.40.42.199
 Deny from 195.10.218.132
 Deny from 69.116.41.121
 Deny from 84.220.96.39
 Deny from 85.137.90.133
 Deny from 85.137.83.160
 Deny from 91.144.190.35
 Deny from 83.233.165.88
 Deny from 86.35.12.14
 Deny from 24.182.45.28
 Deny from 97.74.24.41
 Deny from 24.182.45.26
 Deny from 211.206.123.177
 Deny from 213.215.116.99
 Deny from 188.40.89.203
 Deny from 65.55.207.
 Deny from 71.95.178.74
 Deny from 98.189.159.150
 Deny from 174.143.3.188
 Deny from 66.96.248.69
 Deny from 71.235.77.152
 Deny from 67.36.185.44
 Deny from 65.242.250.130
 Deny from 194.8.75.
 Deny from 188.26.51.239
 Deny from 118.208.240.173
 Deny from 24.43.155.122
 Deny from 91.149.157.136
 Deny from 88.0.172.95
 Deny from 66.82.9.92
 Deny from 66.63.167.50
 Deny from 208.99
 Deny from 64.219.110.207
 Deny from 98.189.159.153
 Deny from 174.127.132.10
 Deny from 67.185.43.239
 Deny from 83.246.164.78
 Deny from 213.227.252.26
 Deny from 91.213.121.24
 Deny from 96.243.186.28
 Deny from 67.142.164.34
 Deny from 173.58.132.100
 Deny from 59.160.160.9
 Deny from 67.225.242.171
 Deny from 71.34.43.102
 Deny from 67.205.45.142
 Deny from 77.49.61.248
 Deny from 79.174.64.184
 Deny from 207.241.228.162
 Deny from 204.12.192.135
 Deny from 218.24.170.133
 Deny from 200.90.216.146
 Deny from 86.18.88.15
 Deny from 212.225.185.11
 Deny from 76.115.45.61
 Deny from 213.37.57.113
 Deny from 192.117.105.105
 Deny from 69.45.51.98
 Deny from 72.193.217.97
 Deny from 115.133.252.31
 Deny from 117.196.229.254
 Deny from 117.196.234.101
 Deny from 117.196.236.41
 Deny from 77.49.57.214
 Deny from 71.95.178.68
 Deny from 92.233.3.91
 Deny from 76.25.146.62
 Deny from 66.25.140.85
 Deny from 79.103.230.53
 Deny from 76.65.178.130
 Deny from 41.129.5.121
 Deny from 84.40.30.37
 Deny from 110.45.143.142
 Deny from 66.221.63.33
 Deny from 121.254.228.146
 Deny from 222.236.47.182
 Deny from 118.129.170.49
 Deny from 88.191.94.188
 Deny from 62.141.56.136
 Deny from 174.120.219.160
 Deny from 67.222.152.66
 Deny from 92.240.42.10
 Deny from 174.142.75.205
 Deny from 91.142.208.158
 Deny from 64.22.96.66
 Deny from 78.86.185.224
 Deny from 91.205.96.19
 Deny from 202.70.54.115
 Deny from 213.167.96.196
 Deny from 195.117.223.98
 Deny from 85.17.211.164
 Deny from 213.93.38.160
</Limit>

I use this blacklist on all of my sites, which are mostly WordPress, Joomla, and hand-rolled. Just pop it into the root .htaccess file and done. These are some of the worst offenders, so it’s nice knowing that they’re denied access.

How to get on next year’s list

Be a lowlife scumbag who gets off on malicious activity. If you suck enough, you’re going to get caught and appear on a list somewhere. Makes it easy to build effective IP blacklists. But remember that things change quickly, so you should refresh your ban lists as they become available. If you are using my 2007 IP Blacklist, I recommend replacing it with this one.

I’m listening, go a little deeper..

This blacklist was built over the past couple of years. Each week I review and analyze my log files, looking for patterns, noting behavior, checking data, etc. Most of the time attacks are executed simultaneously from multiple unique IPs. It’s futile to chase these “zombie” IPs around, but there are plenty of autonomous machines acting stupid to make IP blocking worthwhile.

Why so bad?

Because these IPs were associated with some seriously messed up behavior. Scanning through thousands of error logs, you see a lot of nasty stuff. Most of it seems very deliberate, hit or miss kind of activity. Other requests are just plain evil. Then there are the relentless “DoS”-like attacks. But in every crop of logs, there are those nefarious IPs that are both relentless and evil.

I’m sold. Wrap it up with an example

For example, one IP in the blacklist was recorded on July 22nd, 2009, as hitting my server 4783 times with all sorts of evil scripted payload. Most of the malicious requests are now blocked in the upcoming 5G Blacklist, but the IP address was consistent throughout the attack, so we block it as well. That’s the kind of stuff we’re blocking with the 2010 IP Blacklist.

Plaintxt for EZ Updates

To make things easier, I’ve uploaded a plain-text version of the 2010 IP Blacklist. The text file contains the IP addresses only, each on its own line. I will try to keep this file updated with fresh data as it becomes available. I will also post some of my other blacklists in plaintxt format and keep those updated as well. Any of these files may be used in your own security/blacklist scripts as a source of data. It’s nice to automate this kind of stuff, but you still want to keep an eye on my feed for news of updates.

Thanks to Eric Marden for the “plaintxt” suggestion!

Jeff Starr
About the Author Jeff Starr = Web Developer. Book Author. Secretly Important.
Archives
36 responses
  1. Eric Marden July 6, 2010 @ 9:20 pm

    Any plans to release this list in a format that we can pull into a script? RSS feed, plaintxt file, etc? That way using this list of IPs can be kept uptodate or added to new servers quickly and automatedly.

  2. Eric Marden July 6, 2010 @ 9:20 pm

    P.S. – Thanks

  3. digideth July 6, 2010 @ 8:46 pm

    Thank You for taking the time to make & post this list.

    I am knew to being an admin for a small eCommerce site so I was wondering if you could post a walk through on what to look for in error logs?

    You are talking about the basic server log right? or am I missing the boat completely.

  4. Jeff Starr

    @digideth: I use different types of logs:

    • Apache server logs (just the basic server log)
    • 404 error logs (recording numerous parameters)
    • PHP error logs (very useful for cross-referencing)

    As well other custom jobs for miscellaneous stuff. I like the idea of posting a walk-through on error-log analysis. I have already posted several good articles describing some of the thinking and strategy behind log analyses and blacklisting. Here are two of my favorites:

    But most of that is pretty involved material. An easy walk-through post is a great idea. Thanks :)

  5. Jeff Starr

    @Eric Marden: Hey that’s an excellent idea. I’ll post a .txt file containing the list of IPs at:

    https://perishablepress.com/blacklist/ip.txt

    And then keep it updated in the future. I’ll also be adding some of my other blacklists as I get to them. Thanks for the idea :)

  6. Philippe @ HTML5 Débloque-notes July 6, 2010 @ 11:43 pm

    Thanks a lot Mr Starr.
    I protect my accesses with CrawlProtect too.
    Don’t know if you’ve heard of it, so this is the URI:
    http://www.crawlprotect.com/

  7. @jeff Thank You!

    Been a subscriber for awhile and have read both those posts so…

    Hopefully when you have the time, do a walk-through PLEASE!

    thanks again

  8. Ken the tech July 7, 2010 @ 3:47 am

    Thank you Jeff. This is really gold.

    Here another IP from which someone did hot-linking to my blog. In other words I’ve seen my whole website, identical on another domain. Even the comments.

    I’ve added right away into the .htaccess:

    deny from 74.53.120.242

    Thanks again, now I should be better protected :)

  9. Ken the tech July 7, 2010 @ 3:51 am

    Hey Jeff I almost forgot, can you please (if you have) add an email spam list so we can use it as a email filter?

    I was looking for so many times on Google for such lists but so far I never found one to be OK – too many common words in those lists so I had to clean up too much.

  10. if i may ask,
    how can you determine which IP should be blacklisted?
    is it mainly from the comments or mails ?

    thanks

  11. Jeff Starr

    @Ken the tech: About the closest thing I have to an email spam filter is a blacklist for the WordPress spam/blacklist settings in the Admin Discussion options. For emails, are you referring to server-sent (like for contact forms)? For regular emails, I think ISPs, hosts, and services like Gmail filter things well enough (if not too much). Would be happy to look into building one though :)

  12. Incredible useful. Thanks so much!!!

[ Comments are closed for this post ]