This blogpost was authored by Thomas O’Hara(@bambino_thomas) on March 30th, 2020

The Attacker IP Prioritization Blacklists, or AIP Blacklists, are blacklists of IP addresses generated from the attacks made on the honeypots in our IoT lab by our AIP algorithm. These blacklists gradually forget IPs that stop attacking our honeypots using a special algorithm and are updated with new data captured from our honeypot network every 24 hours. They use a statistical sorting method that places IPs with more network traffic higher in the list than others.  Our blacklists are designed to be smaller and easier to process, making it especially fit for use in IoT devices that have small CPU’s and not much storage space. These three blacklists only list the IPs that have the most attacks connected with them, thus making it so that the majority of attacks are blocked while minimizing resource usage. There are three blacklists currently published daily in our public data sets. 

The contents of the three blacklists are as follows:

1. All-Time-Top-IPs: This blacklist is designed to prioritize the consistent and aggressive IPs from the data we collect, meaning if an IP attacks consistently, it will remain on the list.

2. all-time-New-IPs-prioritized: This blacklist is run on the same large data set that the first is run on, but with one key difference. This blacklist prioritizes new and aggressive IPs over consistent ones. In the case of the first blacklist, as long as an IP attacks every day, its score will increase over time. With this blacklist, the older an IP gets, whether it is attacking consistently or not, the more its score will decrease in order to make room for the daily IPs that are super aggressive.

3. Today-Top-IPs: This blacklist is designed to look at only the new IPs that are seen in the last 24 hours, and sort them according to how aggressive they are. So while the first two blacklists contain older IPs, this one only contains the newest ones.

See this blogpost for a more in-depth description of the algorithm.

If you are using our AIP blacklist from our datasets, here are some important updates. On April 13th, we will implement the following changes:

Blacklists names will be changed as follows:

All-Time-Top-IPs -> AIP_historical_blacklist_prioritized_by_repeated_attackers

all-time-New-IPs-prioritized -> AIP_historical_blacklist_prioritized_by_newest_attackers

Today-Top-IPs -> AIP_blacklist_for_IPs_seen_last_24_hours

From April 13th onward, the three daily blacklists will be found here: https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Todays-Blacklists/

and the historical blacklists will found here, https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/Historical-Ratings/