Data-Shield IPv4 Blocklist is an additional layer of protection containing a list of IP addresses (version 4) whose activities have been detected as malicious.
This list is designed around the discipline of Deceptive Security based on intelligent behavioral analysis of malicious activities related to cybercrime.
Data-Shield IPv4 Blocklist contains the most recent data (IPv4 addresses) to provide an additional layer of security for your firewall and WAF instances.
- Protective layer: Data-Shield IPv4 Blocklist provides an additional layer of security that reduces the number of your exposed assets and their attack surface (web applications, websites, DMZs, public IPs, etc.), limiting the recon phase and the exposure of your data on platforms such as Shodan and similar.
- Open to the general public: Data-Shield IPv4 Blocklist is open to any user with a firewall, WAF and other similar protection mechanisms.
- Single origin: Data-Shield IPv4 Blocklist comes from a single source, processed by probes located around the world. Logs are centralized on a self-hosted HIDS/SIEM platform, secured via an open-source WAF.
- Easy integration into your firewall and WAF instances: This list can be easily integrated into most vendors' products as a single link (RAW) for standard recognition of the included data.
- Customizable based on vendor limitations: Some vendors have limited the number of IPv4 addresses per entry (per list) to prevent resource consumption overload. Data-Shield IPv4 Blocklist is designed to comply with this limitation by creating split lists.
- Data reliability (IPv4): Data-Shield IPv4 Blocklist provides high-quality, reliable data by minimizing false positives to avoid blocking legitimate exposed instances.
- Portability: The content of the Data-Shield IPv4 Blocklist can be used to enrich IoC data types on open source CTI platforms such as OpenCTI, MISP, and others.
- Frequency of updates: Data-Shield IPv4 Blocklist is updated every 24 hours to maintain the most recent data in order to protect you as effectively as possible.
- Data retention (IPv4 only): Data retention is limited to a maximum of 60 days. This retention is mainly used to continuously monitor the activities of IPv4 addresses tagged as malicious, which have short lifespans but are likely to resurface.
- Performance: Data-Shield IPv4 Blocklist is just as effective as those offered by other solutions and vendors.
- The GNU GPLv3 Licence: Data-Shield IPv4 Blocklist is licensed under GNU GPLv3.
- Data-Shield IPv4 Blocklist contains the latest data for blocking IPs generating malicious traffic and activities.
- Reduce noise by up to 50%, save time on incident response, reduce consumption of CPU, RAM, and other server resources.
- Block up to approximately 95% of malicious bot traffic in order to significantly reduce the load on servers in terms of resources.
- Automatic update of blocklists via GitHub, JSdelivr CDN, GitLab and Gitea Raw URLs.
Important
Data-Shield IPv4 Blocklist consists of 5 official lists that are updated every 24 hours. To ensure availability and resilience, two mirrors and an open-source CDN are in production. The tables below list everything in production, with each list's source and limitation:
Tip
GitHub Repository Official Link
| GitHub RAW URL | Source | Limitation |
|---|---|---|
| prod_data-shield_ipv4_blocklist.txt | Full | 110.000 IPs |
| prod_aa_data-shield_ipv4_blocklist.txt | Split A | 30.000 IPs |
| prod_ab_data-shield_ipv4_blocklist.txt | Split B | 30.000 IPs |
| prod_ac_data-shield_ipv4_blocklist.txt | Split C | 30.000 IPs |
| prod_ad_data-shield_ipv4_blocklist.txt | Split D | 30.000 IPs |
Tip
GitLab Repository Official Link
| GitLab RAW URL (Mirror) | Source | Limitation |
|---|---|---|
| prod_data-shield_ipv4_blocklist.txt | Full | 110.000 IPs |
| prod_aa_data-shield_ipv4_blocklist.txt | Split A | 30.000 IPs |
| prod_ab_data-shield_ipv4_blocklist.txt | Split B | 30.000 IPs |
| prod_ac_data-shield_ipv4_blocklist.txt | Split C | 30.000 IPs |
| prod_ad_data-shield_ipv4_blocklist.txt | Split D | 30.000 IPs |
Tip
CDN JSdelivr @Main Official Link
| CDN JSdelivr URL | Source | Limitation |
|---|---|---|
| prod_data-shield_ipv4_blocklist.txt | Full | 110.000 IPs |
| prod_aa_data-shield_ipv4_blocklist.txt | Split A | 30.000 IPs |
| prod_ab_data-shield_ipv4_blocklist.txt | Split B | 30.000 IPs |
| prod_ac_data-shield_ipv4_blocklist.txt | Split C | 30.000 IPs |
| prod_ad_data-shield_ipv4_blocklist.txt | Split D | 30.000 IPs |
Tip
Gitea Repository Official Link
| Gitea RAW URL (Mirror) | Source | Limitation |
|---|---|---|
| prod_data-shield_ipv4_blocklist.txt | Full | 110.000 IPs |
| prod_aa_data-shield_ipv4_blocklist.txt | Split A | 30.000 IPs |
| prod_ab_data-shield_ipv4_blocklist.txt | Split B | 30.000 IPs |
| prod_ac_data-shield_ipv4_blocklist.txt | Split C | 30.000 IPs |
| prod_ad_data-shield_ipv4_blocklist.txt | Split D | 30.000 IPs |
Important
For blocking to be operational and effective, the main firewall rule for the Data-Shield IPv4 Blocklist lists must be implemented as follows:
Tip
From the internet to the internal network (WAN to LAN 👉 Inbound Rules)
- Example (IPtables): `sudo iptables -A INPUT -s <IP_ADDRESS> -j DROP`
- Example (NFtables): `sudo nft add rule inet filter input ip saddr <IP_ADDRESS> drop`
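The per-address inbound rule above, scaled to a whole list with an nftables set, as an added example that is not one of the Data-Shield project's own scripts. It assumes the RAW file holds one IPv4 address per line; the table, set and chain names and the chain priority are illustrative assumptions.

```shell
# Added example. Assumed: one IPv4 per line in the list; table "datashield",
# set "blocklist_v4", chain "inbound" and priority -10 are illustrative names.

# filter_ipv4: stdin = raw list, stdout = unique, well-formed, public IPv4s.
# Private, loopback, link-local, CGNAT and multicast/reserved addresses are
# rejected so a faulty or tampered list cannot block your own networks.
filter_ipv4() {
  awk '
    { sub(/\r$/, ""); sub(/[ \t]*#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == "" { next }
    !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { bad++; next }
    {
      split($0, o, ".")
      for (i = 1; i <= 4; i++)
        if (o[i] + 0 > 255 || (length(o[i]) > 1 && substr(o[i], 1, 1) == "0")) { bad++; next }
      a = o[1] + 0; b = o[2] + 0
      if (a == 0 || a == 10 || a == 127 || a >= 224 ||
          (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168) ||
          (a == 169 && b == 254) || (a == 100 && b >= 64 && b <= 127)) { bad++; next }
      if (!seen[$0]++) print
    }
    END { if (bad) print bad " line(s) rejected" > "/dev/stderr" }'
}

# build_nft_ruleset: stdin = raw list, stdout = nft script that swaps in a
# dedicated table in one transaction. Refuses to emit an empty set.
build_nft_ruleset() (
  elems=$(filter_ipv4 | paste -sd, -)
  [ -n "$elems" ] || { echo "no valid addresses, not building" >&2; exit 1; }
  cat <<EOF
add table inet datashield
delete table inet datashield
table inet datashield {
  set blocklist_v4 {
    type ipv4_addr
    elements = { $elems }
  }
  chain inbound {
    type filter hook input priority -10; policy accept;
    ip saddr @blocklist_v4 counter drop
  }
}
EOF
)

# Constructed sample: documentation-range addresses plus lines to reject.
SAMPLE=$(printf '%s\n' '# constructed sample' 203.0.113.7 198.51.100.23 203.0.113.7 10.0.0.5 256.1.1.1 not-an-ip)
printf '%s\n' "$SAMPLE" | build_nft_ruleset
```

Write the output to a file and validate it with `nft -c -f <file>` before loading it with `nft -f <file>`. The `input` hook only sees traffic addressed to the firewall host itself, so a gateway protecting hosts behind it needs the same rule in a `forward`-hook chain.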
Caution
Do not integrate these flow rules in this direction (LAN to WAN 👉 Outbound Rules)
- Example (IPtables): `sudo iptables -A OUTPUT -d <IP_ADDRESS> -j DROP`
- Example (NFtables): `sudo nft add rule inet filter output ip daddr <IP_ADDRESS> drop`
Note
To facilitate the integration of Data-Shield IPv4 Blocklist into firewall instances, here is a non-exhaustive list of some tutorials offered by vendors and the Cyber community:
| Vendors URL | Source | Limitation |
|---|---|---|
| Fortinet | Official guide | ≥ 100.000 IPs |
| Checkpoint | Manufacturer's guide | To Be Confirmed |
| Palo Alto | EDL Overview | To Be Confirmed |
| OPNsense | Slash-Root Guide (Julien Louis) | ≥ 100.000 IPs |
| Stormshield | Official video | To Be Confirmed |
| F5 BIG-IP | Official guide | To Be Confirmed |
| NFtables, IPtables | Duggy Tuxy tutorials | ≥ 100.000 IPs |
| NAS Synology | MyOwnServer website | ≥ 100.000 IPs |
Caution
Scripts must first be used in pre-production or lab environments to avoid side effects in production (rules not adapted to the environment, etc.).
- Coming soon...
Important
For compliance purposes, companies wishing to implement the Data-Shield IPv4 Blocklist can refer to the “ISO27001:2022, NIS2, and GDPR compliance model” documents, which are available and listed in the table below.
| Document URL | Language | Rights | ISO27001:2022, NIS2 and GDPR |
|---|---|---|---|
| EN_GRC_Compliance_Model_DataShield_IPv4_Blocklist.docx | English | R/W | ✅ |
| EN_GRC_Compliance_Model_DataShield_IPv4_Blocklist.pdf | English | R | ✅ |
| FR_Modele_GRC_DataShield_IPv4_Blocklist.docx | French | R/W | ✅ |
| FR_Modele_GRC_DataShield_IPv4_Blocklist.pdf | French | R | ✅ |
Note
These documents may be modified for adaptation purposes to ensure compliance under the best conditions for the implementation of the Data-Shield IPv4 Blocklist.
Tip
Simply download them, modify them according to your needs, and insert them into your GRC processes.
Note
Data-Shield IPv4 Blocklist requires time and funding. That is why it is important to appeal for donations so that it can be maintained over time and in the best possible conditions:
- Ko-Fi:
https://ko-fi.com/laurentmduggytuxy
Important
Data-Shield IPv4 Blocklist 2023-2025 by Duggy Tuxy (Laurent Minne) is under license