🔐 Why use a Firewall Block List?
In this post we compare some commonly used firewall block lists. First, we will answer the question of why you would use a firewall block list at all. With that out of the way, I will show you some analysis I have done comparing block lists. I wanted to know what each block list brings to the table, rather than blindly adding a handful without knowing what was in them. I also wondered how much overlap there is between popular firewall block lists, so I did some analysis on that. I will share the results further down this post. But to start, let's get back to the question of why you would use a block list.
A block list is one of the most important components of your firewall, whether you are running LuLu on your macOS desktop, pf on your cloud mail server or Pi-Hole on your local network. In each case, there are certain computers that are frequently used in malicious hacking, and you want to keep your devices safe from them. A number of organizations collate lists of the IP addresses of these computers, and you can add those lists to your firewall. The firewall can then block any incoming connection from a listed address, which stops unethical hackers getting access to your home network or device. A second use is to block outgoing connections to a listed address, which prevents a malware-infected device on your network from calling home.
😕 Which Block List is the Best?
There are a lot of block lists out there. Some are designed to cover niches (Tor exit nodes, machines seen attacking in the last 24 hours); others are more general umbrella lists. Others still are super lists, combining several block lists. Exactly which ones you choose will depend on your threat model. For example, you might run a local website about a facility in your area that is of no interest to people on the other side of the planet. In that case, you could decide to use geographic IP zone block lists (such as the IP deny country block IP lists) to keep hackers from other countries out. Beyond specific use cases, if you want general coverage, use a number of lists. Read on for the analysis, which looks at the overlap between the lists.
🔥 Some Popular Firewall Block Lists
| Name | CIDRs | IP Addresses |
|---|---|---|
| AlienVault | 1,561 | 1,595 |
| Binary Defense Ban List | 3,093 | 3,111 |
| CI Army | 14,058 | 15,000 |
| dan.me.uk torlist | 5,770 | 6,194 |
| Emerging Threats Compromised | 3,434 | 3,519 |
| Emerging Threats Firewall Block List | 1,168 | 19,795,678 |
| FireHOL Level 1 | 2,739 | 567,889,627 |
| FireHOL Level 2 | 19,641 | 34,029 |
| FireHOL Level 3 | 19,791 | 37,945 |
| Internet Storm Center DShield | 17 | 5,120 |
| Internet Storm Center Shodan | 33 | 35 |
| pgl.yoyo.org AdServers | 8,781 | 10,333 |
Classless Inter-Domain Routing (CIDR) is a notation for grouping contiguous ranges of IP addresses into a single sub-network, for example 203.0.113.0/24 for the 256 addresses 203.0.113.0 to 203.0.113.255. Turning to the data themselves, there are a few points to note. The FireHOL lists combine other available online lists, which explains why they are among the largest. We look at the overlap between lists in the following section. The script I wrote for this analysis contracts each IP list, where possible, into the smallest number of sub-networks or CIDRs. This is helpful when you use a list in your firewall, as you will have fewer entries to process and monitor.
The Internet Storm Center DShield list contains the top 20 attacking subnets over the last three days. The table above shows only 17 CIDRs, because three of the 20 subnets fall inside other subnets in the list and are merged into them.
You should also note that this is just a snapshot of the lists. For the most part, the lists are updated daily, so it is more than likely you would see different patterns if you downloaded them at a different time. The data were downloaded on 31 March 2021.
🖥 Where Have these Numbers Come from?
I wrote a short Python script to generate the data. It still has a couple of rough corners, but I have open-sourced it on the Rodney Lab GitHub at github.com/rodneylab/blocklists. Eventually I will add more functionality. Please take a look and open pull requests for features you would like to see. The next natural step is to output a single merged block list which can be used in LuLu, pf or another firewall.
📊 Firewall Block Lists Analysis
There was considerable overlap between some lists. This is expected, since a few of the lists are super lists, which combine other available lists. Interestingly, 90% or more of the addresses in the Internet Storm Center DShield list were also in the Emerging Threats Firewall Block List. Similarly, 85%, 90% and 95% (respectively) of the Internet Storm Center DShield list entries were in the FireHOL Level 1, 2 and 3 lists. It would be interesting to monitor the Internet Storm Center DShield list over an extended period to see how static its members are.
Also of note was the fact that 99.9% of the entries in the Emerging Threats Firewall Block List were in the FireHOL Level 1 list. The FireHOL Level 1 list I downloaded stated that it included Bambenek_c2, DShield, feodo, Fullbogons, SpamHaus_Drop, SpamHaus_EDrop, SSLBL, Zeus_BadIPS and Ransomware_RW, though not specifically the Emerging Threats list. I would imagine the two share some sources for there to be such a large intersection. Regardless of the reason, the takeaway is that it is probably safe to use the larger (568 million IP) FireHOL Level 1 list and drop the Emerging Threats Firewall Block List.
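The two operations the analysis relies on, contracting a list into the smallest set of CIDRs and measuring what share of one list's addresses another list covers, can both be done with Python's standard `ipaddress` module. The script below is an added example written for this post, not the code from the rodneylab/blocklists repository; the two block lists `LIST_A` and `LIST_B` are constructed samples in the usual one-entry-per-line format, and `to_table` writes the merged result in the one-network-per-line layout a pf table file takes.

```python
"""Collapse block lists into minimal CIDR sets and measure the overlap between them.

Added example, not the rodneylab/blocklists script. Sample lists are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample lists: one address or CIDR per line, '#' starts a comment.
LIST_A = """\
# sample list A (constructed)
198.51.100.0/25
198.51.100.128/25   # adjacent to the /25 above: together they form 198.51.100.0/24
198.51.100.64/26    # already inside 198.51.100.0/25, so it is absorbed
203.0.113.7
203.0.113.8         # two neighbouring hosts that do not align to a /31
192.0.2.0/24
"""

LIST_B = """\
# sample list B (constructed)
198.51.100.0/24
203.0.113.0/28
10.0.0.0/8
"""


def parse_list(text: str) -> List[Network]:
    """Parse one block list: bare IPs become /32 (or /128) networks, comments are dropped."""
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        # strict=False tolerates entries such as 10.1.2.3/8 that have host bits set
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def collapse(networks: Iterable[Network]) -> List[Network]:
    """Merge adjacent blocks and drop blocks nested inside larger ones, per IP version."""
    by_version = defaultdict(list)
    for net in networks:
        by_version[net.version].append(net)
    collapsed: List[Network] = []
    for version in sorted(by_version):
        # collapse_addresses only accepts networks of a single IP version
        collapsed.extend(ipaddress.collapse_addresses(by_version[version]))
    return collapsed


def address_count(networks: Iterable[Network]) -> int:
    """Number of individual addresses covered by the given blocks."""
    return sum(net.num_addresses for net in networks)


def overlap_fraction(a: Iterable[Network], b: Iterable[Network]) -> float:
    """Fraction of the addresses in list a that are also covered by list b.

    Both lists are collapsed first, so the blocks within each list are disjoint.
    Two CIDR blocks are either disjoint or one contains the other, so the size of
    their intersection is simply the size of the smaller block.
    """
    a_nets, b_nets = collapse(a), collapse(b)
    total = address_count(a_nets)
    if total == 0:
        return 0.0
    shared = 0
    for net_a in a_nets:
        for net_b in b_nets:
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                shared += min(net_a.num_addresses, net_b.num_addresses)
    return shared / total


def to_table(networks: Iterable[Network]) -> str:
    """One network per line: the layout a pf table file (table <name> file "...") reads."""
    return "\n".join(str(net) for net in collapse(networks))


if __name__ == "__main__":
    a, b = parse_list(LIST_A), parse_list(LIST_B)
    for name, entries in (("A", a), ("B", b)):
        merged = collapse(entries)
        print(f"{name}: {len(entries)} entries -> {len(merged)} CIDRs, "
              f"{address_count(merged):,} addresses")
    print(f"share of A covered by B: {overlap_fraction(a, b):.1%}")
    print(f"share of B covered by A: {overlap_fraction(b, a):.4%}")
    print(to_table(a))
```

Run against the samples, list A's six entries contract to four CIDRs (514 addresses) and about half of them sit inside list B, while almost none of B's 16.8 million addresses are in A. That asymmetry is the same effect as DShield being almost entirely inside FireHOL Level 1 while FireHOL Level 1 is far from contained in DShield, so when comparing lists it matters which one you take as the denominator.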
Some Block Lists to Include
Interestingly, there was low overlap between the Emerging Threats Compromised list and the others, so it would make sense to keep this one. The pgl.yoyo.org list also had low overlap. It is an ad server list, so this is understandable, as the other lists come at it from a security perspective. There was moderate overlap between the CI Army and FireHOL Level 3 lists: more than 80% of the CI Army entries were in the FireHOL list.
Also worth mentioning is the overlap between the Internet Storm Center Shodan list and both FireHOL Level 3 and CI Army. All three of these lists are relatively small, so you won't get much performance benefit from excluding them. Taking that into account, I would go with better safe than sorry and keep all three.
🧱 How to Use Block Lists
With the firewall block lists compared, have you not yet used block lists yourself? For example, are you looking to add a block list to the macOS built-in pf firewall? Or are you a Linux user looking for some pointers on how to use ipset to implement a block list in iptables or nftables? Please let me know, so I can give you some pointers or write a post. Just @ me on Twitter.
🙏🏽 Firewall Block Lists Compared: Feedback
I really do hope you have found this post on firewall block lists interesting as well as useful. I would love to know how you will use the analysis. Do you have some further ideas for improvements to the repo? Also, get in touch if you want to see other posts in this area. If you have found this post useful and can afford even a small contribution, please consider supporting me through Buy me a Coffee.
Finally, feel free to share the post on your social media accounts for any of your followers who might find it useful. You can get in touch via @askRodney on Twitter and askRodney on Telegram. Also, see further ways to get in touch with Rodney Lab. We post regularly on OpenBSD-centric content and online privacy as well as security. Subscribe to the newsletter to keep up to date with our latest projects.