Deciding which blocklists to use

[terryr]

I have a small VPS that I run and am always looking at things I can do to make my system more secure as well as increase performance with my limited resources, two things that sometimes conflict. After a discussion the other day with a friend about blocklists, number of iptables rules and performance, I was curious about the number of IPs in the blocklists and decided to do a little analysis. Here's what I found out. I thought someone else might find this info useful.

Using the URLs from csf.blocklist, I downloaded all but Bogon and the Emerging Threats (dead link) blocklists. I extracted the IPs and CIDRs from each of the files and did a count of the entries in each list to get a sense of how many rules would be created if I enabled all of these in CSF.

Single IP lists (no CIDRs):
Autoshun 734
BFB 1,224
CIArmy 329
Honeypot 50
Maxmind 375
OpenBL 5,847
Tor 3,072
Total 11,631

CIDR lists (no single IPs):
DShield 20
SpamDrop 580
SpamEDrop 21
Total 621

So that's a total of 11,631 single IPs and 621 CIDRs. The CIDR lists alone represent 15,164,416 individual IPs.

I then looked at the number of duplicates in the blocklists. I combined the single IP lists and found there are 10694 unique IPs. So that’s 937 duplicates.

Then came the fun part, comparing the single IP lists to the CIDRs. After much use of prips and comm, comparing each single IP list to the CIDR lists, I found out that 92.3%, or 10,739 of the single IPs were already covered by the CIDR lists, leaving 892 single IPs, scattered about amongst the single IP blocklists.

This table shows the intersection of IPs in the single IP list versus the CIDR lists. For example, in Autoshun, 97% of the IPs in that list were already in the CIDR lists. Only 22 of the original 734 were unique to Autoshun.

Autoshun 97.0% (leaving 22 unique IPs)
BFB 91.6% (leaving 103 unique IPs)
CIArmy 96.7% (leaving 11 unique IPs)
Honeypot 90.0% (leaving 5 unique IPs)
MaxMind 55.5% (leaving 167 unique IPs)
OpenBL 93.9% (leaving 357 unique IPs)
Tor 92.6% (leaving 227 unique IPs)
Total 92.3% (leaving 892 unique IPs)

If I wanted to get those 892 unique IPs into CSF (assuming I did no filtering of the IP blocklists against the CIDRs or each other), I’d have to add all of the 11,631 IPs.

This was only an analysis of the IPs for a one-time download so I can’t say that this holds true for every single day. Even with this scripted, generating and comparing the CIDRs with the individual lists took quite a bit of time and processing power, so definitely not something you can do on a production server. For my purposes, deciding which blocklists I'm going to enable, I’m going to assume that these stats will hold relatively true over time.

I also compared the single IP blocklists to each other but that really didn’t reveal anything. The duplicate IPs were scattered all over. Honeypot, Tor and MaxMind had the fewest duplicate IPs (0, 1 and 5 respectively) between the individual IP blocklists.

I did find a list on OpenBL which is a list of all the IPs they have (over 65,000) that is date stamped by day of last attack from that IP. I filtered that list to get the most current IPs from 3, 4 and 5 days. While filtering by date certainly reduced the number of IPs from OpenBL down to under 1000, there was still over 80% duplication with the CIDR blocklists so I won't be going that right.

My conclusions (YMMV):

The CIDR lists are a must have as those lists covered over 92% of the IPs in the single IP lists.

Filtering out duplicate IPs from the individual duplicate IP lists wasn’t difficult but the ease of using CSF to manage the blocklists outweighs the possible duplication.

Filtering out duplicate IPs from the IP lists compared to the CIDR lists was time consuming and very resource intensive and not something I want to do on a daily basis on a production server, even though I now have it all pretty much scripted.

I’ve decided to use the CIDR lists (including BOGON) along with MaxMind because it had the least amount of duplication in the CIDR lists and the Honeypot list because it wasn’t duplicated in other individual IP lists and it’s the top 50 current attackers so it should be pretty timely.

I decided against using Tor. Although it had only one duplicate IP compared to the single IP blocklists, 92.6% of the Tor list was covered by the CIDR lists so for me, a gain of a couple of hundred IPs doesn’t justify adding over 3,000 rules.

I figure that if I use those 6, I’m down to 567 (4.9%) IPs not covered, or to put it another way, I’ve got about 95.1% of the bad actors on the single IP blocklists covered and over 11,000 less rules. Hopefully, LFD will pick up on those bad actors like it does with the others that aren’t on any of these lists yet.

Lest anyone from CSF think I’m criticising the blocklists included or the way blocklists are handled, I am not. I realise that the blocklists are provided as examples and CSF is not telling me to use those, and those alone, or even to use any or all of them. This was just an exercise using those examples in the file. I’m a huge fan of CSF and tout it any chance I get. It’s certainly made my life easier.

Terry

[TheTechGuide]

Thanks for your analysis of the block lists in CSF. I too had many of the same questions you answered about which blocklists to use and your analysis helped!

[sparkling]

Terry, thanks for that amazing analysis. I just hope you are still around? I'd like to know if you are still using the same concepts and methodology today. I was thinking exactly what you were thinking and so that is how I found this post.

I can't seem to be able to send you a PM so reply here. Thanks!

[terryr]

Yes, I'm still around. I still use this methodology so my blocklists are the same. I haven't conducted any additional analyses in a few months but I suspect that it continues to hold true as my numbers were roughly the same with subsequent analyses. The main point for me is that CIDR covers so many of the IPs in the other blocklists.

I did toy with the idea of downloading the single IP blocklists, deduping them and then comparing them to the CIDR list to whittle it down further and use that as a custom blocklist. I didn't because CSF "just works" and I like that.

Hope that's the info you were looking for.

Terry

[sparkling]

I agree with your conclusion that using SPAMDROP, ESPAMDROP, MAXMIND, DSHIELD and HONEYPOT are all that is needed. I decided to add in AUTOSHUN and BOGONS. With HONEYPOT you have to setup more than because the free RSS feeds just cover a small subset. Thanks again!