2013 IP Blacklist
When time allows, I like to post my collections of the worst IP addresses for the current year. Certainly, there are pros and cons to using an IP blacklist. In general, IPs are easily spoofed, change frequently, and are therefore unreliable as a general security strategy. But as a short-term solution, IP blacklists serve as an excellent method for dealing with specific and/or ongoing threats and attacks.
For example, you may use a firewall to protect your site against malicious scanning, bad bots, and the typical evil request, but if your site specifically is targeted by an attacker, spammer, or troll, blocking by IP is a useful tool indeed. Sure it’s not going to block the savvy attacker who knows how to mask or change their IP, but the technique will stop less experienced script kiddies and make it more difficult in general for anyone trying to cause problems.
Case in point: as I was writing this article, I noticed some bozo scanning and probing all sorts of nonexistent resources on my PerishablePress.com domain. Checking the logs, it looks like most of the attacker’s ill requests were blocked by the 6G Blacklist (beta), but enough bad requests were getting through that I finally got tired of it and decided to block the fool. Because a static IP address was being used, it only took one line of code added to .htaccess to make it stop:
Deny from 91.121.149.203
A more complete example would look like this:
# block some IPs (placeholder addresses from the documentation ranges)
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 91.121.149.203
Deny from 192.0.2.44
Deny from 198.51.100.22
</Limit>
As you can see, this syntax makes it easy to block as many IPs as you’d like, simply by appending a new Deny from directive to the Limit container. This is the basic format used in the 2013 IP Blacklist and the 2010 IP Blacklist.
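A pre-deployment check for a list in this format, added here as an example (not code from the original article): it flags Deny from entries that are malformed, repeated, or already covered by a broader partial-address entry such as "Deny from 91.121." The names to_network and lint and the sample list are illustrative, and the check assumes the list holds only IPv4 addresses and partial prefixes, as on this page.

```python
import ipaddress
import re

# Constructed sample in the page's format: documentation-range addresses plus one malformed entry.
SAMPLE = """\
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 192.0.2.15
Deny from 198.51.100.
Deny from 123.456.789
Deny from 198.51.100.77
Deny from 192.0.2.15
</Limit>
"""

DENY = re.compile(r"^[ \t]*Deny[ \t]+from[ \t]+(\S+)[ \t]*$", re.I | re.M)

def to_network(entry):
    """Map '1.2.3.4' or a partial '1.2.' to an IPv4Network; ValueError if malformed."""
    octets = entry.rstrip(".").split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(entry)
    padded = [str(int(o)) for o in octets] + ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network("%s/%d" % (".".join(padded), 8 * len(octets)))

def lint(text):
    """Return (malformed, duplicates, shadowed); shadowed = covered by a broader entry."""
    malformed, duplicates, shadowed, first_seen, parsed = [], [], [], {}, []
    for m in DENY.finditer(text):
        line_no, entry = text.count("\n", 0, m.start()) + 1, m.group(1)
        try:
            net = to_network(entry)
        except ValueError:
            malformed.append((line_no, entry))
            continue
        if net in first_seen:
            duplicates.append((line_no, entry))
        else:
            first_seen[net] = entry
            parsed.append((line_no, entry, net))
    for line_no, entry, net in parsed:
        wider = [e for n, e in first_seen.items() if n != net and net.subnet_of(n)]
        if wider:
            shadowed.append((line_no, entry, wider[0]))
    return malformed, duplicates, shadowed

if __name__ == "__main__":
    print(lint(SAMPLE))
```

Each finding carries the 1-based line number in the checked text, so the offending line can be fixed or dropped before the file goes live.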
Take home point is that IP blacklists (i.e., blocking requests by IP address) are meant for informational and reference purposes only. Any implementation of IP blacklisting should be considered temporary unless you have good reason to do otherwise. For example, I tend to leave IP blacklists such as this one in place for around a year, and then remove it and start from scratch. As much as things change on the Web, it’s just silly to try and protect your site by blocking specific IPs. Blocking ranges of IPs, however, is another story and may provide longer term protection against ongoing threats, but we’ll save that topic for another article. And with that said, let’s get on with it and check out the latest (2013) IP Blacklist.
The 2013 IP Blacklist
Hand-picked worst offenders from late 2012 thru August 2013:
Note that just because an IP address is included on this list, it doesn’t necessarily mean that the owner is responsible for any wrongdoing (except perhaps a bit of ignorance). It’s quite common for attackers to use hijacked machines to do their evil bidding; and in many cases, the victim has absolutely no idea anything has happened.
Got IPs?
Got a list of bad IPs that you would like to share? Drop a note in the comments or contact me to make it happen.
10 responses to “2013 IP Blacklist”
I have a handpicked list of offenders which you can find here. It includes around 1.000 IPs. Each of those has tried to brute force into my WP-installation more than 3 times.
Also I have noted that in your list, there is “Deny from 157.” twice and, I guess, the last line “Deny from 157.55.36.” is obsolete then…
Now going on to find out about the 6G-mystery.
The 157. IPs are now removed from the list.
Jeff,
Thanks for all that you do with your firewalls, UA blacklists and IP blocklists. I REALLY appreciate it.
This IP list was nuking my site until I removed the first one from the list
Deny from 123.456.789
I have no idea why, but thought I’d put it out there for what it’s worth.
Thanks again,
Leslie
Yep that line should not have been in there.. Thank you!
Hi,
I send you a link for my list of IPs I blacklist; hope it could help.
Love WordPress Love PerishablePress
Add this one to the list… http://www.ip2location.com/116.118.139.124
Just Awesome…
Jeff,
I REALLY appreciate all your hard work on this kind on this, the 5G Blacklist and the UA Blacklist.
THANK YOU VERY, VERY MUCH!
Leslie
P.S. Yeah, I know caps are shouty, but that’s my point! =)
You’re welcome! And thanks, it’s always good to hear positive feedback :)