Award Winning Content Management and Security Solutions

Frequently Asked Questions

Other Blacklists Are Not Designed to Protect You from Zero-hour Threats

What is a zero-hour blacklist?
We've all heard of zero-day exploits. These are new unknown vulnerabilities that hackers exploit before vendors and IT techs can protect against them.

Our Zero-hour blacklist focuses on a different type of danger, IP addresses with no history or reputation. Obviously, stopping bad-guys at the front door is preferable, but this is hard to do if their IP address has never been observed engaging in malicious activity.

We maintain a network of "Outpost Servers" that have only one job. That is to provide early warning of new bad actors as they probe the internet looking for vulnerable networks to exploit. Our outpost servers do not perform any other function, and their IP addresses have no DNS entries. There is no legitimate reason for anyone to be attempting to connect to these servers, resulting in an extremely high probability that they are nefarious in intent.

IP addresses and connection attempt details are immediately relayed to our central database for analysis and merged with data from our various Outpost locations. This allows us to publish highly accurate blacklists at 15 minute intervals to give our users the unprecedented ability to protect their networks from the absolute latest threats.
Why do I need THIS blacklist?
We add, on average, 150 never before seen addresses every hour. Additionally, every hour, we reactivate approximately 500 addresses we have seen before, but haven't seen in the wild for awhile. Over the course of the day, we add or elevate approximately 15,000 addresses.

Other lists generally publish once a day if that. Some only update once a week or longer. The biggest dangers are not from well known bad guys, they are from the ones who are active now and the new ones that have just appeared.
What is your false positive rate?
Zero. Every address we list has attempted to gain access to non-public services on our specialized outpost servers.
How do I get whitelisted?
We can whitelist addresses, ranges, or ASN numbers, however we are extremely careful about what we add to our whitelist exclusion list. Please visit the whitelisting page for full details.
How do you determine malicious intent?
We monitor various ports on our outpost servers that are not accessed accidentally. They are all popular attack surfaces that malicious actors would attempt to penetrate. In other words, they would not be there by mistake.
Can we submit reports of bad addresses?
No, sorry. If we do not observe malicious activity ourselves we will not list it.
How do you handle cases where a computer has been hijacked?
Unfortunately this can happen. As part of the analysis, we try to determine the ISP that owns the IP address. We maintain our own database of major ISPs and their IP allocations. Whenever possible, we notify them of offending addresses with dates and times and type of attack so that they can notify innocent hijacked abusers and identify users who are acting intentionally.

We don't remove addresses manually, but if the problem is corrected, the address will fall off the production list within 7 days or less.
How do you handle research organizations who regularly scan the internet for open ports?
We see a lot of these every day. While many claim they are legitimate, we will still list them. Our basic rule is that if they are attempting to access non-public services and they are not invited or authorized, they get listed and blocked. No exceptions.