Evaluating IP Blacklists Effectiveness
Luca Deri, Francesco Fusco

TL;DR
This study assesses the real-world effectiveness of IP blacklists in detecting malicious activities across large networks, revealing limitations in their coverage and precision.
Contribution
It introduces a large-scale monitoring methodology and tools to evaluate blacklist performance without deploying honeypots.
Findings
Blacklists often miss malicious activities like scanning.
Many blacklists are tuned for precision, reducing detection rates.
The paper provides tools for blacklist evaluation without security risks.
Abstract
IP blacklists are widely used to increase network security by preventing communications with peers that have been marked as malicious. There are several commercial offerings as well as several free-of-charge blacklists maintained by volunteers on the web. Despite their wide adoption, the effectiveness of the different IP blacklists in real-world scenarios is still not clear. In this paper, we conduct a large-scale network monitoring study which provides insightful findings regarding the effectiveness of blacklists. The results collected over several hundred thousand IP hosts belonging to three distinct large production networks highlight that blacklists are often tuned for precision, with the result that many malicious activities, such as scanning, are completely undetected. The proposed instrumentation approach to detect IP scanning and suspicious activities is implemented with…
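To make the precision-versus-coverage point concrete, here is an added example (not code from the paper or its authors) that flags scanning sources from flow records and then measures how much of that observed scanning a blacklist would have caught. The flow records and the CIDR blacklist are constructed, hypothetical values.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port); not real traffic.
FLOWS = [
    ("203.0.113.5", "10.0.0.1", 22), ("203.0.113.5", "10.0.0.2", 22),
    ("203.0.113.5", "10.0.0.3", 22), ("203.0.113.5", "10.0.0.4", 22),
    ("203.0.113.5", "10.0.0.5", 22),                                    # listed scanner
    ("192.0.2.9", "10.0.0.1", 80), ("192.0.2.9", "10.0.0.1", 443),
    ("192.0.2.9", "10.0.0.1", 8080), ("192.0.2.9", "10.0.0.1", 8443),  # unlisted scanner
    ("198.51.100.7", "10.0.0.1", 443),                                  # listed, no scan seen
    ("192.0.2.20", "10.0.0.2", 443), ("192.0.2.20", "10.0.0.3", 443),  # unlisted, benign
]

# Constructed blacklist in CIDR form (hypothetical entries).
BLACKLIST = ["203.0.113.0/24", "198.51.100.7/32"]


def detect_scanners(flows, min_targets=4):
    """Flag a source that contacts at least min_targets distinct (dst_ip, dst_port)
    pairs; horizontal (many hosts) and vertical (many ports) scans both count."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[src].add((dst, port))
    return {src for src, seen in targets.items() if len(seen) >= min_targets}


def is_listed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate(flows, blacklist, min_targets=4):
    """Compare blacklist hits against locally observed scanning.
    recall: share of observed scanners the list would have blocked.
    precision: share of listed sources that were actually seen scanning here."""
    networks = [ipaddress.ip_network(n) for n in blacklist]
    scanners = detect_scanners(flows, min_targets)
    listed = {src for src, _, _ in flows if is_listed(src, networks)}
    caught = scanners & listed
    recall = len(caught) / len(scanners) if scanners else 0.0
    precision = len(caught) / len(listed) if listed else 0.0
    return {"scanners": scanners, "listed": listed, "caught": caught,
            "recall": recall, "precision": precision}


if __name__ == "__main__":
    r = evaluate(FLOWS, BLACKLIST)
    print(f"scanners={sorted(r['scanners'])} listed={sorted(r['listed'])}")
    print(f"recall={r['recall']:.2f} precision={r['precision']:.2f}")
```

The precision figure is relative to what this network observed: a listed host that did not scan here is not thereby shown to be clean, so the recall number is the one that reflects the coverage gap the paper describes.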
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
