Skip to content
/ risk-db Public

Abuse Reporting System & IP/Network/ASN Risk-Databases

Notifications You must be signed in to change notification settings

O-X-L/risk-db

Repository files navigation

Open IP, Network & ASN Risk-Databases

Lint

This project wants to help admins/systems flag large quantities of bad traffic.

Most generic attacks and bots originate from cloud-providers, datacenters or other providers with lax security.

By flagging clients originating from these sources you can achieve a nice security improvement.

The databases created from the gathered data will be and stay open-source!

If you (just) want to keep track of abusers internally - you could also host your dedicated instance of this app.

World Map Example ASN Chart Example

Contribute

Contributions like reporting issues, engaging in discussions or PRs are welcome!


Usage

You SHOULD NOT just drop any requests from these sources.

There might be legit users using a VPN that would match as false-positive.

You might want to flag traffic from those sources and restrict their access like:

  • Lower the rate-limits
  • Show (more) captcha's on forms
  • Lower lifetime of session cookies
  • Add that flag to your logs so you can use it to analyze the traffic
  • Deny access to administrative locations

Alternative Solutions

This project is still in an early stage.

You may also want to check out these projects: (not open/free data)


Download Databases

Database Updated At

Databases marked with the key all include all reports.

The ones marked with med (default) and high only include reports from reporters that have a certain level of reputation.

We recommend the use of our GeoIP-ASN Database and IPInfo ASN/Country Databases to get more IP-metadata

ASN

Networks

IPs

Limits:

  • Without token: 2 Downloads per IP & day
  • With token: 5 Downloads per IP & day

Tip:

You can use jq to easily filter the JSON data:

# Get flat list of ASN's
cat risk_asn_kind.json | jq 'keys[]'

# Get all networks with bad reputation
cat risk_net4_med.json | jq 'map_values(select(.reputation == "bad")) | keys[]'

# Only get ASN's that are flagged a certain kind
cat risk_asn_kind.json | jq 'map_values(select(.kind.scanner == true)) | keys[]' | tr -d '"' | sort
# or
cat risk_ip4_med.json | jq 'keys[] | map_values(select(.kind.hosting == true)) | keys[]' | tr -d '"' | sort

API

API Uptime

# check IP
curl https://risk.oxl.app/api/ip/<IP>
curl https://risk.oxl.app/api/ip/69.164.207.190

# check network
curl https://risk.oxl.app/api/net/<IP>
curl https://risk.oxl.app/api/net/205.210.31.48

# check ASN/ISP
curl https://risk.oxl.app/api/asn/<ASN>
curl https://risk.oxl.app/api/asn/16509

Limits:

  • Without token:

    • 500 Requests per IP & 10 min
    • 5000 Requests per IP & day
    • Anti-DOS
  • With token:

    • 5000 Requests per IP & 10 min
    • Anti-DOS

Report

API Uptime

You can use our reporting API to report IPs!

# data: "ip": "<IP>", "cat": "<CATEGORY>", "cmt": "<OPTIONAL COMMENT>"

# minimal example
curl -XPOST https://risk.oxl.app/api/report --data '{"ip": "1.1.1.1", "cat": "bot"}' -H 'Content-Type: application/json'

# your reporter-reputation will be better if you add a comment (should not exceed 100 characters)
curl -XPOST https://risk.oxl.app/api/report --data '{"ip": "1.1.1.1", "cat": "attack", "cmt": "Form abuse"}' -H 'Content-Type: application/json'

Available categories are: bot, probe, rate, attack, crawler, hosting, vpn, proxy

Limits:

  • Without token:

    • 500 Requests per IP & 10 min
    • 5000 Requests per IP & day
    • Anti-DOS
  • With token:

    • 5000 Requests per IP & 10 min
    • Anti-DOS

If you want to get a (free) token for your systems - feel free to contact us at: risk-db@oxl.at


Integrations

Report Script

A simple script that follows the content of a specific log-file and parses abuser information from it.

See: Report Script

Graylog

See: Graylog Alert Reporting

Fail2Ban

TBD


License

Databases

BSD-3-Clause

Free to use.

If you are nice, you can optionally mention that you use this IP data:

<p>IP address data powered by <a href="https://risk.oxl.app">OXL</a></p>

Scripts (this repository)

GPLv3