[Dshield] Database of Known Malicious IP Address/IP Networks

Johannes Ullrich jullrich at euclidian.com
Wed Aug 28 15:17:31 GMT 2002

> I've been trying to use this list to do some antispam blocking and in
> addition to the duplicate entries, I have found that some entries in the
> various regional registries do not appear - for instance, a set of about
> six class-B networks in .CN aren't included in the .CN entries in this
> file.
> How is this list generated, and how frequently is it updated?

The list is a dump of our 'abuse contact' database. While the database
is updated constantly, this list is only dumped occasionally.

Records are added 'on demand', e.g. whenever I find one thats missing. 
Once in a while I run some automated scripts that try to fill in the 
holes. But it only adds complete records, and in particular in asia, 
many records do not have an email address.

Overlapping records are eliminated once in a while by a different
script. They are a bit more tricky. In many cases, you have a 
large ISP that owns a class B, and only some of the class C's in its
range are assigned to customers... So if we first add one of the
class C's, and later hit an IP that is outside of it but inside
the larger class B, we get an overlap (some of the newer scripts
I use correct that).

Overall, the list does take quite a bit of manual maintenance. We
also get email corrections from various ISPs. Maybe one of these days
I will setup an easy admin so we can have a couple volunteers help out
with maintaining the list ;-)...

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

More information about the list mailing list