Worst IPs: 2016 Edition
A little late this year, but following tradition here is my list of the absolute worst IP addresses from 2016. All in nice numerical order for easy crunching. These IPs are associated with all sorts of malicious activity, including exploit scanning, email harvesting, brute-force login attacks, referrer spam, and everything in between. Really obnoxious stuff that degrades your site’s performance and potentially threatens security.
Word to the wise..
Blocking by IP address is not recommended unless you know what you are doing. I have explained numerous times the reasoning behind this, so I won’t waste our collective time repeating it all here. If you are new to the game, you can visit those links to learn more about when, where, and why to block IP addresses.
How I collect this information
Securing sites is a big part of what I do professionally. I’ve been researching web security for over 10 years. This ongoing research provides an abundance of useful data, including IP information associated with malicious requests. I use this data when writing tutorials, books, and when developing WordPress plugins. This article provides a snapshot of this research: a list of the top worst IPs of the previous year.
Please also read the notes following the next section.
The worst IP addresses from 2016
So without further ado, here is my collected list of really nasty IPs from last year:
The lists provided here at Perishable Press are for informational purposes only. I am not responsible for anything that happens once the code leaves this site. That said, this 2016 Bad-IP List is entirely open source and you can republish or use however you want for any purpose. Credit links and shouts out are appreciated, but not required.
It is important to understand that just because an IP address is associated with bad activity, it doesn’t imply that the owner or primary user of the IP has done anything wrong. In many cases, bad actors use hacked machines and devices to scan sites remotely, so the victim’s IP is associated with the activity instead of the perpetrator’s actual address.
So if you find a familiar IP on this list, don’t panic; but do investigate your machine (site, server, local device, whatever) for any security breaches. Chances are high that the machine using the IP is compromised. If this sounds like you, let me know and I’ll do my best to help out however possible.
Out of all the hundreds of bad IPs I encountered in 2016, there is a handful of especially horrible IPs that are absolutely worth blocking on any site:
Whoever/whatever is behind these four IPs are real scumbags, making endless requests for the stupidest resources imaginable in the entire history of exploit scanning. Who knows how much memory and bandwidth these idiots cumulatively have wasted in their vain pursuit of pointless vulnerabilities. Seriously, learn how to log your scans to avoid wasting everyone’s time and resources, including your own.
So to protect your site against these four losers (or maybe the same loser, I have no idea), convert the previous list of IPs into the following .htaccess snippet:
# block worst ips <Limit GET POST PUT> Order Allow,Deny Allow from All Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 </Limit>
Then add to your site’s .htaccess file, upload, and done. Moving on with my life..
How to block by IP address
If and when you need to block someone or something based on their IP address, .htaccess can do the job quite nicely. Here is an example:
# block some IPs <Limit GET POST PUT> Order Allow,Deny Allow from All Deny from 126.96.36.199 Deny from 111.222.333.44 Deny from 555.444.333.22 </Limit>
So to implement, you would paste that code into your site’s root .htaccess file. Then you would replace each of the three example IP addresses with real ones. Or remove whatever is not needed if you only want to block one or two. Or you can add more IPs by replicating the pattern, etc.
To add massive numbers of IPs to the list, you can use any good code/text editor and simply prepend “Deny from ” to each line in your list of bad IPs. Automation really is the only way to go for this sort of work; check out the useful online tools linked up in the next section.
By the way, here are some essential online tools for sorting massive lists of IP addresses:
Completely awesome that these time-saving tools are available for free online :)
Glad to see all the new posts, Jeff! Although I use CloudFlare to (hopefully) block some of the “bad traffic” out there on the net, I’ve also been refining my .htaccess for maximum security and spam request reduction. Do you feel like there’s a point where listing TOO many IPs in a site’s root .htaccess will affect performance? I’d imagine it takes the web server some time to cross check that list on every page load.
Just wanted to know your thoughts. :-)
Great question, but keep in mind that Apache is just checking the IP headers; it’s not “cross-checking” or anything like that. So blocking by IP is just as fast as any other technique, but you’re correct in thinking that too many directives can have an impact on performance. My own strategy is always to keep the content of .htaccess down to an absolute minimum.