🔐 Why use a Firewall Block List? #
In this post on firewall block lists compared, we compare some commonly used firewall block lists. Firstly, we will answer the question of why you would use a firewall block list. With that out of the way, I will show you some analysis I have done comparing block lists. I really wanted to know what each block list was bringing to the table, without just blindly adding a handful without knowing what was in them. I also wondered how much overlap there is between popular firewall block lists, so I did some analysis on that. I will share the results further down this post. But to start, let's get back to the question of why use a block list.
A block list is one of the most important components of your firewall, whether you are running LuLu on your macOS desktop, pf on your cloud mail server or Pi-hole on your local network. In any case, there are certain computers that are frequently used in malicious hacking. Obviously you want to keep your devices safe from these evildoers. A number of organisations collate lists of the IP addresses of these computers. You can add those lists to your firewall, which can then block any incoming connections from those addresses; this is useful to stop unethical hackers getting access to your home network or device. Another use is to stop outgoing connections to a block list address. This second case can be used to prevent a malware-infected device on your network calling home.
😕 Which Block List is the Best? #
There are a lot of block lists out there. Some are designed to cover niches (Tor machines, machines attacking in the last 24 hours), others are more general umbrella ones. Others still are super lists, combining several different block lists. Exactly which ones you choose will depend, basically, on your threat model. For example, you might have a local website about a facility in your area that is of no interest to people on the other side of the planet. In that case you could decide to use IP zone blocking lists (such as the IPdeny country block IP lists) to keep hackers from other countries out. Besides specific use cases, if you want general coverage, use a number of lists. Read on for the analysis, which looks at overlap in the lists.
🔥 Some Popular Firewall Block Lists #
| Block List | CIDRs | IP Addresses |
| --- | ---: | ---: |
| Binary Defense Ban List | 3,093 | 3,111 |
| Emerging Threats Compromised | 3,434 | 3,519 |
| Emerging Threats Firewall Block List | 1,168 | 19,795,678 |
| FireHOL Level 1 | 2,739 | 567,889,627 |
| FireHOL Level 2 | 19,641 | 34,029 |
| FireHOL Level 3 | 19,791 | 37,945 |
| Internet Storm Center DShield | 17 | 5,120 |
| Internet Storm Center Shodan | 33 | 35 |
Classless Inter-Domain Routing (CIDR) is a notation for grouping contiguous ranges of IP addresses. Turning to the data themselves, there are a few things to note here. The FireHOL lists combine other available online lists, which explains why they are among the largest. We look at overlap between lists in the following section. The script I wrote for this analysis contracts IP lists, where possible, into the smallest number of sub-networks or CIDRs. Ultimately, this is helpful when you use a list in your firewall, as you will have fewer entries to process and monitor.
The Internet Storm Center DShield list contains the top 20 attacking subnets over the last three days. The list above only includes 17 CIDRs since three of them can be merged into other subnets in the list.
You should also note that this is just a snapshot of the lists. For the most part, the lists are updated daily, so it is more than likely you would see different patterns if you downloaded them at a different time. The data were downloaded on 31 March 2021.
🖥 Where Have these Numbers Come from? #
I wrote a short Python script to generate the data. It has a couple of rough corners still, but I have open-sourced it. It is on the RodneyLab GitHub at github.com/rodneylab/blocklists. Eventually I will add more functionality. Please take a look and open some pull requests for features you would like to see. The next natural step is to output a single block list which can be used in LuLu, pf or another firewall.
📊 Firewall Block Lists Analysis #
There was considerable overlap between some of the lists. This is expected, since some lists are super lists. The super lists are built by combining other available lists. Interestingly, 90% or more of the addresses included in the Internet Storm Center DShield list were in the Emerging Threats Firewall Block List. Similarly, 85%, 90% and 95% (respectively) of the Internet Storm Center DShield list entries were in the three FireHOL lists. It would be interesting to monitor the Internet Storm Center DShield list over an extended period to see how static its members are.
Also of note was the fact that 99.9% of the entries in the Emerging Threats Firewall Block List were in the FireHOL Level 1 list. The FireHOL Level 1 list I downloaded stated that it included Bambenek_c2, DShield, feodo, Fullbogons, SpamHaus_Drop, SpamHaus_EDrop, SSBL, Zeus_BadIPS and Ransomware_RW, though not specifically the Emerging Threats list. I would imagine the two share some sources for there to be such a large intersection. Regardless of the reason, the takeaway is that it is probably safe to use the larger (568 million IP) FireHOL Level 1 list and drop the Emerging Threats Firewall Block List.
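As an added example (not the script from github.com/rodneylab/blocklists), the contraction into the fewest CIDRs described in the previous section and the overlap percentages quoted above can both be computed with Python's standard `ipaddress` module. The two feeds below are constructed from documentation ranges, and the one-entry-per-line, `#`-comment format is an assumption about how a feed is laid out.

```python
import ipaddress

# Constructed sample feeds using documentation ranges; not real block-list data.
LIST_A = """
198.51.100.0/24
198.51.100.0/25    # redundant: already inside the /24 above
203.0.113.0/25
203.0.113.128/25   # adjacent to the /25 above; the aligned pair merges into one /24
192.0.2.17
192.0.2.18         # .17/.18 are not an aligned pair, so they stay as two /32s
""".splitlines()

LIST_B = """
198.51.100.0/22    # wider range that swallows LIST_A's 198.51.100.0/24
203.0.113.0/26     # covers only a quarter of LIST_A's 203.0.113.0/24
192.0.2.17
""".splitlines()

def parse_list(lines):
    """One IPv4 address or CIDR per line, '#' starts a comment (assumed feed format)."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
    return nets

def contract(nets):
    """Fewest CIDRs covering exactly the same addresses: drops entries nested in
    others and merges aligned adjacent pairs (what the table's CIDR column counts)."""
    return list(ipaddress.collapse_addresses(nets))

def address_count(nets):
    """Distinct IPv4 addresses the list covers (the table's right-hand column)."""
    return sum(n.num_addresses for n in contract(nets))

def overlap_fraction(a, b):
    """Fraction of list a's addresses that list b also blocks. After contraction two
    CIDRs are disjoint, equal or nested, so nested pieces sum without double counting."""
    a_nets, b_nets = contract(a), contract(b)
    covered = 0
    for net in a_nets:
        for other in b_nets:
            if net.subnet_of(other):       # b covers all of this entry (or equals it)
                covered += net.num_addresses
                break
            if other.subnet_of(net):       # b covers only part of this entry
                covered += other.num_addresses
    return covered / sum(n.num_addresses for n in a_nets)
```

On these constructed feeds, `LIST_A` contracts from 6 entries to 4 CIDRs covering 514 addresses, and `overlap_fraction(parse_list(LIST_A), parse_list(LIST_B))` reports that about 62.5% of it is also covered by `LIST_B`.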
Some Block Lists to Include #
Interestingly, there was low correlation between the Emerging Threats Compromised list and the others, so it would make sense to keep this one. The pgl.yoyo.org list also had low correlation. It is an ad server list, so this is understandable, as the other lists tend to come at it from a security perspective. There was moderate overlap between the CI Army and FireHOL Level 3 lists. Here more than 80% of the CI Army entries were in the FireHOL list.
Also worth mentioning is the overlap between the Internet Storm Center Shodan list and both FireHOL Level 3 and CI Army. All three of the lists are relatively small ones, so you won't get much performance benefit from excluding them. Taking that into account, I would go with better safe than sorry for these lists.
🧱 How to Use Block Lists #
With the firewall block lists compared, I wondered whether you have used block lists before. For example, are you looking to add a block list to the macOS built-in pf firewall? Or are you a Linux user instead, looking for some pointers on how to use ipset to implement a block list in iptables or nftables? Please let me know so I can give you some pointers or write a post. Just @ me on Twitter.
🙏🏽 Firewall Block Lists Compared: Feedback #
I really do hope you have found this firewall block lists compared post interesting as well as useful. In addition, I would love to know how you will use the analysis. Do you have some further ideas for improvements to the repo? Also, get in touch if you want to see other posts in this area. If you have found this post useful and can afford even a small contribution, please consider supporting me through Buy me a Coffee.
Finally, feel free to share the post on your social media accounts for all your followers who might find it useful. You can get in touch via @askRodney on Twitter and also askRodney on Telegram. Also, see further ways to get in touch with Rodney Lab. We post regularly on OpenBSD-centric content and online privacy as well as security. Also, subscribe to the newsletter to keep up-to-date with our latest projects.