CINS Tops Blacklists

Wilson Chua
3 min readMar 11, 2023

Which Blocklist should we use to filter, drop and block cyber attacks? Obviously the one that can block the MOST attacks on our network. I looked at how many attackers’ IP addresses are listed in various blocklists. o far, CINS black list comes up on top:

But CINS outshines only in one aspect out of three common types of logs: Syslogs, WAF(modsec) logs and Mail Logs (Postfix).

For attacks or incidents from Syslogs (firewalls and routers), CINS Army blocklist was able to block 38.58% of all attacks. This goes up to 50% when all the other blocklists are combined:
(Blank means that the IP is not found in any of the BlockLists)

Syslogs show around 51% of attackers IP addresses could be blocked by the listed blocklists.

For attacks on web servers, GreenSnow blocklist came up on top with 7.73%:

For ModSec (WAF) logs, the stats are less impressive. It could only block around 15% of the attacks.

However, the effectiveness of blocklist goes down to a measely 4% (combined) when it comes to blocking attacks on mailservers:

for Postfix mail logs, the various block list can only block around 4.4% of the attacks.

Background:

Firewalls use blocklists to restrict access to certain websites, IP addresses, or domains. Blocklists are lists of addresses or domains that are known to be harmful or malicious. When a user tries to access a website from a source IP address that is on the blocklist, the firewall detects AND blocks the connection attempt. Thus this particular Attacker is prevented from ever connecting with the target/victim site.

In the above, we analyzed the blocklists from Blocklist.Net.ua, CINSArmy, Greensnow, UltimateHosts, Cruzit, BinaryDefense, Firehol, and MyIP.ms. We then performed a lookup/join/merge with each attackers’ IP address. If the IP address is found in the ‘blocklist’ table, we added the blocklist source (ie. CINS etc) to the log table. From the results above, we can see that depending on the type of attacks, some blocklists are more effective than others.

Blocklists are usually created by security companies, researchers, or system administrators. These lists are regularly updated to ensure that the firewall has the most up-to-date information about potentially harmful websites or IP addresses.

Care to Share?
If you also maintain your own blocklist, can we combine our blocklists? So we can preempt MORE attacks by including these blocklist IPs in our firewalls?

--

--