Target list and attributes.

Overview

Targets are the building blocks of ThreatSTOP policies. Targets group IOCs based on attributes such as threat type and severity.

There are four types of targets:

  • Original – has a single feed providing its data
  • Manual – created from a Global list that is maintained by hand by the TS security team
  • Synthetic – created from multiple feeds, for example ADVANCED or BOTNETS
  • Geo – geographically based target lists. These are used to control communications to and from a particular geographic region

Targets are assigned one of 6 possible severity levels:

  • Severity 0 – No/Unknown Threat Level – Threat does not pose a significant risk of harm to your network. Typically used for whitelisting.
  • Severity 1 – Low Threat Level – Threat poses a low risk of harm to your network
  • Severity 2 – Low/Medium Threat Level – Threat poses a low-to-moderate risk of harm to your network
  • Severity 3 – Medium Threat Level – Threat poses a moderate risk of harm to your network
  • Severity 4 – Medium/High Threat Level – Threat poses a medium-to-high risk of harm to your network
  • Severity 5 – Highest Threat Level – Threat poses a very high risk of harm to your network

Target List

Each target is listed by name, followed by its description.
  • COMMUNITY – Blocks BOT scans, DOS, and SPAM, based on DShield feeds.
  • Parasites – Parasites, hijackers and spyware domains. This is a very aggressive list that blocks ad-servers, and may block otherwise benign sites as a result.
  • CHINA – If you are not doing business with this major source of cybercrime, it is best to block it entirely. It consists, with about 98% accuracy, of the IP addresses assigned to entities in the designated country. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • RUSSIA – If you are not doing business with this major source of cybercrime, it is best to block it entirely. It consists, with about 98% accuracy, of the IP addresses assigned to entities in the designated country. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • PhishTank – Suspected phishes that are both online and valid, meaning "verified as a phish" by the members of PhishTank.
  • Bogons – Cymru Bogons list. Omits the RFC 1918 addresses.
  • ADVANCED – For firewalls with larger capacity, this active threat list includes a deeper look into the currently active sources of malware, network attacks, fast-flux botnets, crime hosting networks, phishing and browser hijacking sites, and the current Cymru Bogon List.
  • UNIX SERVER – This active threat list adds a set of currently active SSH and Telnet login password brute force attackers. It also contains hosts that have been seen scanning for the Heartbleed OpenSSL bug. Any environment exposing these services should add this list.
  • BASIC – The core ThreatSTOP service. The IP addresses on the BASIC active threat list are the worst current sources of attacks, spam, and malware, as well as currently active Botnet Command and Control servers. Connections from these addresses will be blocked, and if a system inside your network attempts to connect out to these addresses, it is most likely infected with malware and needs to be cleaned.
  • DShield Top 10 – Contains addresses from the DShield Top 10.
  • DShield Block List – Contains the DShield Block List.
  • SSH Crackers – List of hosts known to attempt brute force SSH attacks.
  • ShadowServer – Command & Control hosts from ShadowServer.
  • China – IP addresses known to be located in China. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Russia – IP addresses known to be located in Russia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • DShield Top 4000 – Contains addresses from the DShield Top 4000.
  • Spamhaus DROP – Spamhaus Don't Route Or Peer list.
  • DenyHosts – Hosts known to attempt brute force attacks on open SSH servers. Data is from the DenyHosts synchronization service. (Experimental)
  • ZeuS – ZeuS Command & Control (C&C) servers and malicious hosts which are hosting ZeuS files. (Experimental)
  • BOTNETS – This blocker should be used on any firewall that has significant outbound traffic to the Internet from users behind it. This list contains known C&C addresses of major botnets such as ZeuS and is critical to stop the call home.
  • Autoshun – List of IP addresses that are collected from Snort IDS logs sent to a centralized server.
  • Malware Domain List – Hosts known to host malware; includes multi-hosts where one host of hundreds is infected, which can result in "false positives". Use with care.
  • TORExit – A list of currently active TOR exit nodes. This allows server administrators to block access to their servers from anonymous users who are using TOR (https://www.torproject.org/) for anonymity. This list is approximately 1100 addresses long.
  • VOIP Abuse – The VOIP Abuse Blocklist (VABL) contains IP addresses that have been noted as attacking VOIP infrastructure such as IP PBXes.
  • Brazil – IP addresses known to be located in Brazil. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Cuba – IP addresses known to be located in Cuba. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Czech Republic – IP addresses known to be located in the Czech Republic. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Estonia – IP addresses known to be located in Estonia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Georgia – IP addresses known to be located in Georgia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • India – IP addresses known to be located in India. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Islamic Republic of Iran – IP addresses known to be located in the Islamic Republic of Iran. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Democratic People's Republic of Korea – IP addresses known to be located in the Democratic People's Republic of Korea (North). This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Lithuania – IP addresses known to be located in Lithuania. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Latvia – IP addresses known to be located in Latvia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Republic of Moldova – IP addresses known to be located in the Republic of Moldova. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Pakistan – IP addresses known to be located in Pakistan. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Romania – IP addresses known to be located in Romania. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Serbia – IP addresses known to be located in Serbia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Somalia – IP addresses known to be located in Somalia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Ukraine – IP addresses known to be located in Ukraine. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Venezuela – IP addresses known to be located in Venezuela. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Vietnam – IP addresses known to be located in Vietnam. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Yemen – IP addresses known to be located in Yemen. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Republic of Korea – IP addresses known to be located in the Republic of Korea. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Anonymous Proxies – IP addresses known to be anonymous proxies. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Afghanistan – IP addresses known to be located in Afghanistan. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Belarus – IP addresses known to be located in Belarus. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Democratic Republic of the Congo – IP addresses known to be located in the Democratic Republic of the Congo. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Côte d'Ivoire – IP addresses known to be located in Côte d'Ivoire. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Cyprus – IP addresses known to be located in Cyprus. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Eritrea – IP addresses known to be located in Eritrea. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Haiti – IP addresses known to be located in Haiti. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Lebanon – IP addresses known to be located in Lebanon. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Sri Lanka – IP addresses known to be located in Sri Lanka. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Liberia – IP addresses known to be located in Liberia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Myanmar – IP addresses known to be located in Myanmar. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Rwanda – IP addresses known to be located in Rwanda. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Sudan – IP addresses known to be located in Sudan. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Sierra Leone – IP addresses known to be located in Sierra Leone. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Syrian Arab Republic – IP addresses known to be located in the Syrian Arab Republic. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Zimbabwe – IP addresses known to be located in Zimbabwe. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Hong Kong – IP addresses known to be located in Hong Kong. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Macau – IP addresses known to be located in Macau. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Iraq – IP addresses known to be located in Iraq. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Libyan Arab Jamahiriya – IP addresses known to be located in the Libyan Arab Jamahiriya. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • ITAR – Geographic block of all current ITAR countries as retrieved from the US State Department website. Currently this is: Afghanistan, Belarus, Cuba, Cyprus, Eritrea, Fiji, Iran, Iraq, Cote d'Ivoire, Lebanon, Libya, North Korea, Syria, Vietnam, Myanmar, China, Haiti, Liberia, Rwanda, Somalia, Sri Lanka, Republic of the Sudan (Northern Sudan), Yemen, Zimbabwe, Venezuela, Democratic Republic of the Congo. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • MODIFIED ITAR – A modified ITAR list containing countries that are generally suspected of industrial espionage and potentially other acts against US interests. Currently this list contains: China, Brazil, Russia, India, Korea (both), Vietnam, Ukraine, Cuba, Czech Republic, Estonia, Georgia, Iran, Latvia, Lithuania, Moldova, Romania, Pakistan, Serbia, Somalia, Venezuela, Yemen. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • EASTERN EUROPE – Eastern European countries frequently seen as providing 'bullet-proof' hosting and otherwise frequently used as a base by cyber-criminals. Currently: Russia, Ukraine, Romania, Latvia, Moldova. Note that this is a VERY large list. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • OFAC EMBARGO – Countries that are embargoed under regulations from the Office of Foreign Assets Control (OFAC) division of the U.S. Department of the Treasury. Currently: Cuba, Iran, Syria. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • PhishTank phishing Domains – PhishTank phishing domains.
  • VOIPHONEY – The VOIP Honeynet is a list of IP addresses that have attempted to abuse decoy VOIP servers/gateways to make fraudulent calls etc. Some data for this feed comes from our UK partner, Simwood. This feed is currently experimental.
  • Sinkhole – A list of servers that are used by malware researchers and law enforcement organizations to sinkhole botnets that have been taken down. This list primarily consists of sinkholes for the Conficker botnet, but other sinkhole types are included.
  • Algeria – IP addresses known to be located in Algeria. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Bahrain – IP addresses known to be located in Bahrain. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Comoros – IP addresses known to be located in Comoros. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Djibouti – IP addresses known to be located in Djibouti. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Egypt – IP addresses known to be located in Egypt. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Jordan – IP addresses known to be located in Jordan. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Kuwait – IP addresses known to be located in Kuwait. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Mauritania – IP addresses known to be located in Mauritania. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Morocco – IP addresses known to be located in Morocco. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Oman – IP addresses known to be located in Oman. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Palestinian Territory – IP addresses known to be located in the Palestinian Territory. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Qatar – IP addresses known to be located in Qatar. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Saudi Arabia – IP addresses known to be located in Saudi Arabia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Tunisia – IP addresses known to be located in Tunisia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • United Arab Emirates – IP addresses known to be located in the United Arab Emirates. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Spamhaus EDROP – Spamhaus Extended Don't Route Or Peer list.
  • AlienVault – AlienVault malware droppers and botnet C2 infrastructure.
  • Taiwan – IP addresses known to be located in Taiwan. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • TSCritical General – ThreatSTOP Critical - General. Addresses that ThreatSTOP has determined are a current active threat that are not in a specific feed. This may include malware droppers, botnet Command & Control (C&C) systems, DDoS drones and so on.
  • PINGDOM – Pingdom IP addresses. If you are a subscriber to Pingdom these are not bad. On the other hand, if you are not subscribing to Pingdom then these can be used by malicious individuals to scan for vulnerabilities.
  • Belize – IP addresses known to be located in Belize. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Costa Rica – IP addresses known to be located in Costa Rica. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • El Salvador – IP addresses known to be located in El Salvador. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Guatemala – IP addresses known to be located in Guatemala. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Honduras – IP addresses known to be located in Honduras. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Nicaragua – IP addresses known to be located in Nicaragua. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Mexico – IP addresses known to be located in Mexico. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Panama – IP addresses known to be located in Panama. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Argentina – IP addresses known to be located in Argentina. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Colombia – IP addresses known to be located in Colombia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Chile – IP addresses known to be located in Chile. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Ecuador – IP addresses known to be located in Ecuador. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • French Guiana – IP addresses known to be located in French Guiana. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Guyana – IP addresses known to be located in Guyana. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Paraguay – IP addresses known to be located in Paraguay. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Peru – IP addresses known to be located in Peru. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Suriname – IP addresses known to be located in Suriname. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Uruguay – IP addresses known to be located in Uruguay. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • LATIN AMERICA – All countries in the American continents excluding the US and Canada. That is: Belize, Costa Rica, El Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, French Guiana, Guyana, Paraguay, Peru, Suriname, Uruguay and Venezuela. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • PINGDOM – Pingdom IP addresses. If you are a subscriber to Pingdom these are not bad. On the other hand, if you are not subscribing to Pingdom then these can be used by malicious individuals to scan for vulnerabilities.
  • AlienvaultScanSpam – List of IP addresses and networks detected as scanning for vulnerabilities or sending spam by AlienVault's Open Threat Exchange program.
  • Thailand – IP addresses known to be located in Thailand. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Ransomware IP addresses – Command & Control (C&C) and distribution sites associated with ransomware. This target contains IP addresses from Cryptolocker, CryptoWall, TeslaCrypt, Locky, TorrentLocker and others.
  • PONMOCUP Botnet – Ponmocup (aka Trojan.Milicenso) botnet droppers and Command & Control (C&C) systems. Ponmocup is a stealthy but large botnet that forces infected machines to adware sites and to participate in click fraud.
  • NEUTRINO Exploit Kit – Dropper servers for the Neutrino and other exploit kits (successors to the Blackhole EK).
  • New Malware Domains (domain) – Domains that serve malware of various sorts.
  • Bolivia – IP addresses known to be located in Bolivia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • TSCritical Domains – Domains that ThreatSTOP has determined are a current active threat that are not in a specific feed.
  • Ransomware domains – Command & Control (C&C) and distribution sites associated with ransomware. This target contains IP addresses from Cryptolocker, CryptoWall, TeslaCrypt, Locky, TorrentLocker and others.
  • BAMITAL Botnet Domains – Bamital botnet domains (sinkholed botnet).
  • Malware domains (original) – Malware domains as identified by malwaredomains.com.
  • DOM-ZEUS – Zeus botnet domains.
  • DOM-APT1 – Mandiant APT1 domains.
  • PONMOCUP Botnet Domains – Ponmocup Trojan domains.
  • BOTNET DOMAINS – Botnet Command & Control (C&C) domains from various sources. This target list contains all domain data that we know to be active C&C domains.
  • MALWARE DOMAINS – Domains used as malware in various forms. This list is an addition to the Drive-by list of sites that are not quite as malicious but are still threats.
  • MINIMUM SANCTION COUNTRIES – A minimal list of the worst sanctioned countries. Currently: Iran, North Korea, Cuba, Sudan, and Syria.
  • DNS TUNNEL – DNS tunnel domains and name server IP addresses of public DNS VPN service providers.
  • PHISHING DOMAINS – Domains used in phishing attacks. This list may contain false positives, as phishing pages are frequently located on compromised but otherwise legitimate websites.
  • DNS TUNNEL – DNS tunnel domains and name server IP addresses of public DNS VPN service providers.
  • ADVANCED-RU – This list is especially whitelisted with Russia-specific domains/IP addresses. For firewalls with larger capacity, this active threat list includes a deeper look into the currently active sources of malware, network attacks, fast-flux botnets, crime hosting networks, phishing and browser hijacking sites, and the current Cymru Bogon List.
  • BASIC-RU – This list is especially whitelisted with Russia-specific domains/IP addresses. The core ThreatSTOP service. The IP addresses on the BASIC active threat list are the worst current sources of attacks, spam, and malware, as well as currently active Botnet Command and Control servers. Connections from these addresses will be blocked, and if a system inside your network attempts to connect out to these addresses, it is most likely infected with malware and needs to be cleaned.
  • BOTNETS-RU – This list is especially whitelisted with Russia-specific domains/IP addresses. This blocker should be used on any firewall that has significant outbound traffic to the Internet from users behind it. This list contains known Command & Control (C&C) addresses of major botnets such as ZeuS and is critical to stop the call home.
  • UNIX SERVER-RU – This list is especially whitelisted with Russia-specific domains/IP addresses. This active threat list adds a set of currently active SSH and Telnet login password brute force attackers. It also contains hosts that have been seen scanning for the Heartbleed OpenSSL bug. Any environment exposing these services should add this list.
  • COMFOO botnet domains – COMFOO botnet domains (sinkholed botnet).
  • GameOverZeus RU Domains – Domains used by the Game Over Zeus botnet to call home as a backup to its peer-to-peer infrastructure. Currently these domains are sinkholed, but this may not always remain the case.
  • GOZ ACTIVE DOMAINS – Domains in active use by the Gameover ZeuS botnet.
  • GOZ ACTIVE IP – Domains in current use by the GameOver Zeus botnet.
  • BOTNET DGA DOMAINS – Currently valid domains generated by various malware families for Command & Control (C&C) communication. This is a very large list.
  • PUSHDO Botnet Domains – Domains used by the Pushdo botnet for Command & Control (C&C) communication.
  • Shell Shock Attackers – List of hosts known to be actively seeking to exploit servers vulnerable to the bash vulnerability CVE-2014-6271.
  • Feodo – Feodo (also known as Cridex or Bugat) and its successor Dridex are Trojans used to commit ebanking fraud and steal sensitive information from the victim's computer, such as credit card details or credentials.
  • DOM-FEODO – Feodo domains.
  • H323 gateway attackers – Attackers of H323 gateways using spoofed ID. Please check with ThreatSTOP support before enabling.
  • Finshun – List of IP addresses that have been auto-blocked by a financial institution in the last week.
  • Emerging Threats Bad IP Addresses – List of IP addresses that have been determined bad by "Emerging Threats" researchers.
  • Dominican Republic – IP addresses known to be located in the Dominican Republic. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Grenada – IP addresses known to be located in Grenada. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • I2P Protocol Seeds – Seeds of the I2P anonymity protocol.
  • NIGERIA – If you are not doing business with this major source of cybercrime, it is best to block it entirely. It consists, with about 98% accuracy, of the IP addresses assigned to entities in the designated country. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Nigeria – IP addresses known to be located in Nigeria. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Anonymous Networks – IP addresses known to be anonymous proxies, TOR exit nodes or I2P network seeds. This product includes GeoLite data created by MaxMind.
  • PHILIPPINES – If you are not doing business with this major source of cybercrime, it is best to block it entirely. It consists, with about 98% accuracy, of the IP addresses assigned to entities in the designated country. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Philippines – IP addresses known to be located in the Philippines. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Dominica – IP addresses known to be located in Dominica. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • MS ISAC IP – List of IP addresses associated with malware observed by MS-ISAC/CIS.
  • MS ISAC IP EXP – List of IP addresses associated with malware observed by MS-ISAC/CIS.
  • DMSISAC – Malware domains observed by MS-ISAC/CIS.
  • DMSISAC EXP – Malware domains observed by MS-ISAC/CIS.
  • Shifu Botnet Domains – Domains generated by the Shifu banking trojan.
  • Vulnerable to DDOS devices - NTP Servers – Vulnerable servers that might be used in a DDOS attack.
  • Vulnerable to DDOS devices - SNMP Servers – Vulnerable servers that might be used in a DDOS attack.
  • Vulnerable to DDOS devices - SSDP Servers – Vulnerable servers that might be used in a DDOS attack.
  • Vulnerable to DDOS devices - Open resolvers – Vulnerable servers that might be used in a DDOS attack.
  • Drones that participated in attacks in the last 24 hours – Drones that might be used in a DDOS attack.
  • TSCritical Ransomware IP Addresses – Addresses that the ThreatSTOP security team has determined are current and active ransomware Command & Control (C&C) or distribution sites.
  • TSCritical Ransomware Domains – Domains that the ThreatSTOP security team has determined are current and active ransomware Command & Control (C&C) or distribution sites.
  • Burundi – IP addresses known to be located in Burundi. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Central African Republic – IP addresses known to be located in the Central African Republic. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Kyrgyzstan – IP addresses known to be located in Kyrgyzstan. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Bulgaria – IP addresses known to be located in Bulgaria. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Hungary – IP addresses known to be located in Hungary. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Poland – IP addresses known to be located in Poland. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Slovakia – IP addresses known to be located in Slovakia. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • Turkey – IP addresses known to be located in Turkey. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • AnchorFree and HotSpotShield VPN services – Virtual Private Network (VPN) providers that provide anonymization and firewall bypassing services. Included in this list: Hotspotshield and Anchorfree.
  • Montenegro – IP addresses known to be located in Montenegro. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
  • China ccTLD – The top level domain for China (*.cn).
  • China ccTLD – The top level domain for China (*.cn).
  • Ethiopia ccTLD – The top level domain for Ethiopia (*.et).
  • Ethiopia ccTLD – The top level domain for Ethiopia (*.et).
  • Moldova ccTLD – The top level domain for Moldova (*.md).
  • Moldova ccTLD – The top level domain for Moldova (*.md).
  • Nigeria ccTLD – The top level domain for Nigeria (*.ng).
  • Nigeria ccTLD – The top level domain for Nigeria (*.ng).
  • Russia ccTLD – The top level domain for Russia (*.ru).
  • Russia ccTLD – The top level domain for Russia (*.ru).
  • Eastern Europe ccTLDs – All top-level domains (TLDs) that belong to countries in Eastern Europe: Belarus (*.by), Bulgaria (*.bg), Czech Republic (*.cz), Estonia (*.ee), Hungary (*.hu), Latvia (*.lv), Lithuania (*.lt), Moldova (*.md), Poland (*.pl), Romania (*.ro), Russia (*.ru), Slovakia (*.sk), Turkey (*.tr), and Ukraine (*.ua).
  • ITAR Countries ccTLDs – All top-level domains (TLDs) that belong to countries on the ITAR list: Afghanistan (*.af), Belarus (*.by), Myanmar (*.mm), Central African Republic (*.cf), China (*.cn), Côte d'Ivoire (*.ci), Cuba (*.cu), Cyprus (*.cy), Democratic Republic of the Congo (*.cg), Eritrea (*.er), Fiji (*.fj), Haiti (*.ht), Iran (*.ir), Iraq (*.iq), Kyrgyzstan (*.kg), Lebanon (*.lb), Liberia (*.lr), Libya (*.ly), North Korea (*.kp), Republic of the Sudan (*.sd), Russia (*.ru), Rwanda (*.rw), Somalia (*.so), Sri Lanka, Sudan (*.ss), Syria (*.sy), Venezuela (*.ve), Vietnam (*.vn), Yemen (*.ye), and Zimbabwe (*.zw).
  • A minimal list of the worst sanctioned countries ccTLDs – A minimal list of the worst sanctioned countries' top-level domains (TLDs): North Korea (*.kp), Sudan (*.sd), Cuba (*.cu), Iran (*.ir), Syria (*.sy).
  • Modified ITAR Countries ccTLDs – All top-level domains (TLDs) that belong to countries that are generally suspected of industrial espionage and potentially other acts against US interests: China (*.cn), Brazil (*.br), Russia (*.ru), India (*.in), North Korea (*.kp), South Korea (*.kr), Vietnam (*.vn), Ukraine (*.ua), Cuba (*.cu), Czech Republic (*.cz), Estonia (*.ee), Georgia (*.ge), Iran (*.ir), Latvia (*.lv), Lithuania (*.lt), Moldova (*.md), Romania (*.ro), Pakistan (*.pk), Serbia (*.rs), Somalia (*.so), Venezuela (*.ve), Yemen (*.ye).
  • OFAC Countries ccTLDs – All top-level domains (TLDs) that belong to countries on the OFAC list: Belarus (*.by), Burundi (*.bi), Central African Republic (*.cf), Cote d'Ivoire (*.ci), Cuba (*.cu), Democratic Republic of the Congo (*.cd), Iran (*.ir), Iraq (*.iq), Lebanon (*.lb), Libya, Montenegro (*.me), Myanmar (*.mm), North Korea (*.kp), Russia (*.ru), Serbia (*.rs), Somalia (*.so), South Sudan (*.ss), Sudan (*.sd), Syria (*.sy), Ukraine (*.ua), Venezuela (*.ve), Yemen (*.ye), Zimbabwe (*.zw).
  • office_365_ip – A list of web service IP addresses for Microsoft Office 365 as provided by Microsoft.
  • office_365_dom – A list of web service domains for Microsoft Office 365 as provided by Microsoft.