2010 IP Blacklist
Over the course of each year, I blacklist a considerable number of individual IP addresses. Every day, Perishable Press is hit with countless numbers of spammers, scrapers, crackers and all sorts of other hapless turds. Weekly examinations of my site’s error logs enable me to filter through the chaff and cherry-pick only the most heinous, nefarious attackers for blacklisting. Minor offenses are generally dismissed, but the evil bastards that insist on wasting resources running redundant automated scripts are immediately investigated via IP lookup and denied access via simple htaccess directive:
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 123.456.789
</LIMIT>Although many of the worst attacks happen in randomized, zombie-like fashion, I have found that individual IPs that are not blacklisted will return repeatedly until finally blocked. Yet, despite the short-term success enjoyed by denying access to the most malicious IPs, the long-term futility of such blacklisting reflects the temporary nature of this solution.
In other words, I have found that blocking individual IPs is useful only for limited periods of time. Thus, every year, I gather my code and flush the blacklist of all individually blocked IP addresses. I then start fresh, adding the worst villains to the list, blocking entire IP ranges if necessary, and referring to previous versions of my htaccess files to cross-check suspiciously familiar entities. Eventually, a new blacklist emerges and I share it at Perishable Press. Here is the current version for 2010..
2010 IP Blacklist, Featuring over 100 Blocked IPs
Here is my custom-built IP blacklist for 2010:
# 2010 IP BLACKLIST
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 208.120.202.98
Deny from 208.64.202.134
Deny from 217.218.166.14
Deny from 173.65.81.35
Deny from 77.21.46.241
Deny from 82.166.163.
Deny from 85.175.209.175
Deny from 212.107.136.66
Deny from 76.70.116.52
Deny from 70.106.192.200
Deny from 213.98.214.17
Deny from 114.58.253.56
Deny from 70.27.145.208
Deny from 208.99.193.10
Deny from 58.243.5.216
Deny from 146.115.72.39
Deny from 219.136.130.241
Deny from 65.208.151.
Deny from 222.73.173.11
Deny from 65.55.106.
Deny from 72.206.102.189
Deny from 99.159.41.74
Deny from 188.40.42.199
Deny from 195.10.218.132
Deny from 69.116.41.121
Deny from 84.220.96.39
Deny from 85.137.90.133
Deny from 85.137.83.160
Deny from 91.144.190.35
Deny from 83.233.165.88
Deny from 86.35.12.14
Deny from 24.182.45.28
Deny from 97.74.24.41
Deny from 24.182.45.26
Deny from 211.206.123.177
Deny from 213.215.116.99
Deny from 188.40.89.203
Deny from 65.55.207.
Deny from 71.95.178.74
Deny from 98.189.159.150
Deny from 174.143.3.188
Deny from 66.96.248.69
Deny from 71.235.77.152
Deny from 67.36.185.44
Deny from 65.242.250.130
Deny from 194.8.75.
Deny from 188.26.51.239
Deny from 118.208.240.173
Deny from 24.43.155.122
Deny from 91.149.157.136
Deny from 88.0.172.95
Deny from 66.82.9.92
Deny from 66.63.167.50
Deny from 208.99
Deny from 64.219.110.207
Deny from 98.189.159.153
Deny from 174.127.132.10
Deny from 67.185.43.239
Deny from 83.246.164.78
Deny from 213.227.252.26
Deny from 91.213.121.24
Deny from 96.243.186.28
Deny from 67.142.164.34
Deny from 173.58.132.100
Deny from 59.160.160.9
Deny from 67.225.242.171
Deny from 71.34.43.102
Deny from 67.205.45.142
Deny from 77.49.61.248
Deny from 79.174.64.184
Deny from 207.241.228.162
Deny from 204.12.192.135
Deny from 218.24.170.133
Deny from 200.90.216.146
Deny from 86.18.88.15
Deny from 212.225.185.11
Deny from 76.115.45.61
Deny from 213.37.57.113
Deny from 192.117.105.105
Deny from 69.45.51.98
Deny from 72.193.217.97
Deny from 115.133.252.31
Deny from 117.196.229.254
Deny from 117.196.234.101
Deny from 117.196.236.41
Deny from 77.49.57.214
Deny from 71.95.178.68
Deny from 92.233.3.91
Deny from 76.25.146.62
Deny from 66.25.140.85
Deny from 79.103.230.53
Deny from 76.65.178.130
Deny from 41.129.5.121
Deny from 84.40.30.37
Deny from 110.45.143.142
Deny from 66.221.63.33
Deny from 121.254.228.146
Deny from 222.236.47.182
Deny from 118.129.170.49
Deny from 88.191.94.188
Deny from 62.141.56.136
Deny from 174.120.219.160
Deny from 67.222.152.66
Deny from 92.240.42.10
Deny from 174.142.75.205
Deny from 91.142.208.158
Deny from 64.22.96.66
Deny from 78.86.185.224
Deny from 91.205.96.19
Deny from 202.70.54.115
Deny from 213.167.96.196
Deny from 195.117.223.98
Deny from 85.17.211.164
Deny from 213.93.38.160
</Limit>I use this blacklist on all of my sites, which are mostly WordPress, Joomla, and hand-rolled. Just pop it into the root .htaccess file and done. These are some of the worst offenders, so it’s nice knowing that they’re denied access.
How to get on next year’s list
Be a lowlife scumbag who gets off on malicious activity. If you suck enough, you’re going to get caught and appear on a list somewhere. Makes it easy to build effective IP blacklists. But remember that things change quickly, so you should refresh your ban lists as they become available. If you are using my 2007 IP Blacklist, I recommend replacing it with this one.
I’m listening, go a little deeper..
This blacklist was built over the past couple of years. Each week I review and analyze my log files, looking for patterns, noting behavior, checking data, etc. Most of the time attacks are executed simultaneously from multiple unique IPs. It’s futile to chase these “zombie” IPs around, but there are plenty of autonomous machines acting stupid to make IP blocking worthwhile.
Why so bad?
Because these IPs were associated with some seriously messed up behavior. Scanning through thousands of error logs, you see a lot of nasty stuff. Most of it seems very deliberate, hit or miss kind of activity. Other requests are just plain evil. Then there are the relentless “DoS”-like attacks. But in every crop of logs, there are those nefarious IPs that are both relentless and evil.
I’m sold. Wrap it up with an example
For example, one IP in the blacklist was recorded on July 22nd, 2009, as hitting my server 4783 times with all sorts of evil scripted payload. Most of the malicious requests are now blocked in the upcoming 5G Blacklist, but the IP address was consistent throughout the attack, so we block it as well. That’s the kind of stuff we’re blocking with the 2010 IP Blacklist.
Plaintxt for EZ Updates
To make things easier, I’ve uploaded a plain-text version of the 2010 IP Blacklist. The text file contains the IP addresses only, each on its own line. I will try to keep this file updated with fresh data as it becomes available. I will also post some of my other blacklists in plaintxt format and keep those updated as well. Any of these files may be used in your own security/blacklist scripts as a source of data. It’s nice to automate this kind of stuff, but you still want to keep an eye on my feed for news of updates.
Thanks to Eric Marden for the “plaintxt” suggestion!
36 responses to “2010 IP Blacklist”
Hi Micah, have you cross-referenced the visitor IPs with your server access/error logs and also with the blacklist? All three should match and correspond to some event in the logbok such as the “410 – Gone” error. Also keep in mind that some of these users are working from infested machines, so they may not be the only ones using it. I hope this helps!
Is it mandatory to write the line?
What about using fail2ban? Over time, would this not build the same list?
When I add this to my .htaccess file it breaks the site, no matter where I put it or whether or not I have any IPs listed. I’m adding this to the .htaccess in the root.
I was just curious to know if the list at https://perishablepress.com/blacklist/ip.txt is still being updated or not?
@jeff if the list is updated what is the method used to update the list. Is there a dynamic way by which the list can be updated? (looking for some magic!).
Great job.
Thanks.
Yes, I just updated that ip.txt file about a month ago, just haven’t a lot of time for doing more with it lately. I’ll be adding another block here soon with the latest batch of bad guys.
There are dynamic ways of setting up and using blacklists using PHP et al, but I hand-cultivate my lists for maximum freshness.
Hey Jeff,
Looking for a good spam blocker so once again am back at your site looking for answers..
I have an IP to add to your list. One blog in my muslitsite install is being hit with huge amounts of spam. We are catching it and it ends up marked spam but still eats up the database. He had 25,000 + spam comments, 1200+ pages of them! Within ten minutes of deleting, there were 10 more already there.
Almost all are coming from these IP’s
46.4.104.7346.4.114.846.4.107.7946.4.84.242You can see the pattern, multiple from each individual IP but all coming from 46.4.
Any help on adding this to htaccess mucho appreciated!
Hey Marty, this will work to block the entire lot of IPs:
<Limit GET POST PUT>Order Allow,DenyAllow from allDeny from 46.4</Limit>Just add to the root htaccess file and you’re all set. You could even get more specific to avoid blocking as many IPs as possible.
<Limit GET POST PUT>Order Allow,DenyAllow from allDeny from 46.4.1Deny from 46.4.8</Limit>And so forth. There are other ways to blacklist as well, just in case they start using a different IP address.
Good luck!
Thank you for the quick answer!
That seemed to solve it. For now at least. Added your whole IP list and 4g list as well. :)
Hi Jeff,
Do you have a good way of blocking incoming connections from proxy servers which don’t modify the HTTP headers? You posted an article before that relied on modified headers such as X_FORWARDED_FOR but sites such as quickprox.info simply forward the headers from the client’s browser verbatim.
urlblacklist.com has a decent blacklist but it’s over 65,000 domains and would be even more for IPs which don’t RDNS, such as the above example proxy. There must be a better way.
I was thinking of maybe blocking top level domains that ISPs don’t commonly use but web proxies do, such as .info, .biz, .cc and .tk. Any thoughts?
Something like this may help:
https://perishablepress.com/block-tough-proxies/
I would not advise blocking top-level domains, unless they’re really obscure ones that nobody cares about.
Also, I heart the
.bizTLD =)Thanks for the feedback :)
An example is .cc for the Cocos islands. Population 600, but over 450 known proxies there, and as it’s an Australian territory it’s most likely that any ISP that serves those 600 people would use either .com.au or .net rather than .cc. The same goes for .tk, which has a population of around 1500 but gives away thousands of free domains for redirection, or .li for Liechtenstein with a population of around 35,000. Many small islands, principalities and tax havens tend to fall into this list.
I highly doubt there are (m)any ISPs which rDNS their customers back to a .biz domain either. Same goes for .name and .info.
In fact out of the entire blacklist, around half seem to be on .info, so just blocking .info means blocking around half of the list, without affecting any real people at all.