When time allows, I like to post my collections of the worst IP addresses for the current year. Certainly, there are pros and cons to using an IP blacklist. In general, IPs are easily spoofed, change frequently, and are therefore unreliable as a general security strategy. But as a short-term solution, IP blacklists serve as an excellent method for dealing with specific and/or ongoing threats and attacks.
For example, you may use a firewall to protect your site against malicious scanning, bad bots, and the typical evil request, but if your site specifically is targeted by an attacker, spammer, or troll, blocking by IP is a useful tool indeed. Sure it’s not going to block the savvy attacker who knows how to mask or change their IP, but the technique will stop less experienced script kiddies and make it more difficult in general for anyone trying to cause problems.
Case in point: as I was writing this article, I noticed some bozo scanning and probing all sorts of nonexistent resources on my PerishablePress.com domain. Checking the logs, it looks like most of the attacker’s ill requests were blocked by the 6G Blacklist (beta), but enough bad requests were getting through that I finally got tired of it and decided to block the fool. Because a static IP address was being used, it only took one line of code added to .htaccess to make it stop:
Deny from 188.8.131.52
A more complete example would look like this:
# block some IPs <Limit GET POST PUT> Order Allow,Deny Allow from all Deny from 184.108.40.206 Deny from 111.222.333.44 Deny from 555.444.333.22 </LIMIT>
As you can see, this syntax makes it easy to block as many IPs as you’d like, simply by appending a new
Deny from directive to the
Limit container. This is the basic format used in the 2013 IP Blacklist and the 2010 IP Blacklist.
Take home point is that IP blacklists (i.e., blocking requests by IP address) are meant for informational and reference purposes only. Any implementation of IP blacklisting should be considered temporary unless you have good reason to do otherwise. For example, I tend to leave IP blacklists such as this one in place for around a year, and then remove it and start from scratch. As much as things change on the Web, it’s just silly to try and protect your site by blocking specific IPs. Blocking ranges of IPs, however, is another story and may provide longer term protection against ongoing threats, but we’ll save that topic for another article. And with that said, let’s get on with it and check out the latest (2103) IP Blacklist..
The 2013 IP Blacklist
Hand-picked worst offenders from late 2012 thru August 2013:
<Limit GET POST PUT> Order Allow,Deny Allow from all Deny from 208.50.101. Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 8.28.16. Deny from 91.121. Deny from 77.222.61. Deny from 74.63.250. Deny from 27.159.223. Deny from 94.23. Deny from 89.185.228. Deny from 95.87.220. Deny from 69.94.34. Deny from 221.132.34. Deny from 114.33.237. Deny from 184.169.163. Deny from 69.162.68. Deny from 91.102.118. Deny from 27.54.93. Deny from 198.57.208. Deny from 142.4.215. Deny from 79.142.67. Deny from 65.111.165. Deny from 69.175.78. Deny from 37.59.47. Deny from 201.10.113. Deny from 1.234.27. Deny from 123.30.50. Deny from 89.221.250. Deny from 202.43.169. Deny from 41.210.123. Deny from 173.54.107. Deny from 69.169.94. Deny from 188.165. Deny from 93.185.106. Deny from 118.98.223. Deny from 200.63.102. Deny from 84.127.22. Deny from 151.28.208. Deny from 176.194.133. Deny from 213.184.242. Deny from 27.153.229. Deny from 72.47.196. Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 # added 2013/09/02 Deny from 8.28.16. Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 64.124.203. Deny from 74.217.148. Deny from 126.96.36.199 Deny from 89.31. Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 150.70.64. Deny from 150.70.75. Deny from 150.70.172. Deny from 174.127.133. Deny from 200.98.197. Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 208.50.101. Deny from 18.104.22.168 Deny from 183.61.245. Deny from 22.214.171.124 Deny from 207.241.237. Deny from 82.165.136. </Limit>
Note that just because an IP address is included on this list, it doesn’t necessarily mean that the owner is responsible for any wrong doing (except perhaps a bit of ignorance). It’s quite common for attackers to use hijacked machines to do their evil bidding; and in many cases, the victim has absolutely no idea anything has happened.
Got a list of bad IPs that you would like to share? Drop a note in the comments or contact me to make it happen.