IP-Abuse Reporting System & IP/Network/ASN Risk-Databases

O-X-L/risk-db


This project wants to help admins/systems flag large quantities of bad traffic.

Most generic attacks and bots originate from cloud providers, datacenters and other threat-actors.

By flagging clients originating from these sources you can achieve a nice security improvement.

The databases created from the gathered data will be and stay open-source!

If you (just) want to keep track of abusers internally - you could also host your dedicated instance of this app.

[Image: World Map Example] [Image: ASN Chart Example]

You can find basic visualization examples for the latest data here: www.risk.oxl.app


Repositories

Simple Lists

You can find simple IP-/Network-/ASN-Lists here: O-X-L/risk-db-lists

Raw Data

If the raw report-data could be useful for a project of yours - please contact us at: risk-db@oxl.at


Contribute

Contributions like reporting issues, engaging in discussions or PRs are welcome!

See also: Contributing


Usage

You SHOULD NOT just drop any requests from these sources.

There might be legitimate users behind a VPN or a hosting provider that would match as a false-positive.

You might want to flag traffic from those sources and restrict their access, for example:

  • Lower the rate-limits
  • Show (more) captchas on forms
  • Lower the lifetime of session cookies
  • Add that flag to your logs so you can use it to analyze the traffic
  • Deny access to administrative locations

Be aware that we cannot verify if reports are false-positives. We currently only keep track of simple reporter-reputation metrics.
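As an added example (not code from the risk-db project), here is how a web backend could turn a lookup in the networks database into exactly the graduated restrictions listed above instead of a hard block. The JSON shape (CIDR key, `reputation`, `kind`, `info.org.name`) follows the jq examples further down this page; the sample networks, org names, the `Policy` fields and the concrete thresholds are constructed for this example.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample in the shape the page's jq examples imply for
# risk_net4_*.json: CIDR -> {"reputation": ..., "kind": {...}, "info": {...}}.
# Networks (RFC 5737 documentation ranges), org names and flags are made up.
SAMPLE_NET4_JSON = json.dumps({
    "203.0.113.0/24": {
        "reputation": "bad",
        "kind": {"scanner": True, "hosting": True},
        "info": {"org": {"name": "Example Hosting Ltd"}},
    },
    "203.0.113.128/25": {  # more specific entry inside the /24 above
        "reputation": "ok",
        "kind": {"hosting": True},
        "info": {"org": {"name": "Example Hosting Ltd (customer block)"}},
    },
    "198.51.100.0/22": {
        "reputation": "ok",
        "kind": {"vpn": True},
        "info": {"org": {"name": "Example VPN Inc"}},
    },
})


@dataclass
class Policy:
    flag: str                 # "" for unflagged clients; add it to the access log
    rate_limit_factor: float  # multiply the normal per-client rate limit by this
    captcha: bool             # show a captcha on forms
    session_ttl_s: int        # lifetime of the session cookie
    admin_allowed: bool       # may reach administrative locations


UNFLAGGED = Policy(flag="", rate_limit_factor=1.0, captcha=False,
                   session_ttl_s=24 * 3600, admin_allowed=True)


def load_networks(raw_json):
    """Parse the network DB into (network, entry) pairs, most specific prefix first."""
    entries = [(ipaddress.ip_network(cidr, strict=False), entry)
               for cidr, entry in json.loads(raw_json).items()]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)


def lookup(networks, client_ip):
    """Longest-prefix match; returns (network, entry) or None.

    ipaddress never matches a v4 address against a v6 network (and vice
    versa), so a mixed v4/v6 list is safe here.
    """
    addr = ipaddress.ip_address(client_ip)  # raises ValueError on garbage input
    for net, entry in networks:
        if addr in net:
            return net, entry
    return None


def policy_for(networks, client_ip):
    """Map a DB hit to graduated restrictions; never a plain drop."""
    hit = lookup(networks, client_ip)
    if hit is None:
        return UNFLAGGED
    _net, entry = hit
    kinds = sorted(k for k, on in entry.get("kind", {}).items() if on)
    reputation = entry.get("reputation", "unknown")
    flag = f"risk:{reputation}:{','.join(kinds)}"
    if reputation == "bad":
        # Thresholds are illustrative; tune them to your own traffic.
        return Policy(flag, rate_limit_factor=0.1, captcha=True,
                      session_ttl_s=15 * 60, admin_allowed=False)
    # Known hosting/VPN/proxy range without bad reputation: restrict, but gently,
    # because legitimate VPN users land here.
    return Policy(flag, rate_limit_factor=0.5, captcha=False,
                  session_ttl_s=60 * 60, admin_allowed=False)


if __name__ == "__main__":
    nets = load_networks(SAMPLE_NET4_JSON)
    for ip in ("203.0.113.7", "203.0.113.200", "198.51.100.9", "192.0.2.1"):
        print(ip, policy_for(nets, ip))
```

Longest-prefix matching matters because the database can contain a customer block that is rated differently from its parent allocation; sorting once by prefix length keeps the per-request lookup simple. For production traffic load the MMDB variant instead of scanning a list, but the policy mapping stays the same.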


Download Databases


ASN:JSON (Example)

Networks:IPv4,IPv6 (Example)

IPs:IPv4 JSON,IPv4 MMDB,IPv6 JSON,IPv6 MMDB (Examples:JSON,MMDB)

Databases marked with the key `all` include all reports.

The ones marked with `med` (default) and `high` only include reports from reporters that have a certain level of reputation.

We recommend the use of our GeoIP-ASN Database and IPInfo ASN/Country Databases to get more IP-metadata.


Tip:

You can use jq to easily filter the JSON data:

```bash
# Get flat list of ASN's
cat risk_asn_kind.json | jq 'keys[]'

# Get all networks with bad reputation
cat risk_net4_med.json | jq 'map_values(select(.reputation == "bad")) | keys[]'

# Only get ASN's that are flagged a certain kind
cat risk_asn_kind.json | jq -r 'map_values(select(.kind.scanner == true)) | to_entries[] | {asn: .key, name: .value.info.org.name}'

# or the same for the IP database (here the key is the IP, not an ASN)
cat risk_ip4_med.json | jq -r 'map_values(select(.kind.hosting == true)) | to_entries[] | {ip: .key, name: .value.info.org.name}'
```

Download Limits:

  • Without token: 2 Downloads per IP & day
  • With token: 5 Downloads per IP & day

API


Swagger API-Docs

```bash
# check IP
curl https://risk.oxl.app/api/ip/<IP>
curl https://risk.oxl.app/api/ip/69.164.207.190

# check network
curl https://risk.oxl.app/api/net/<IP>
curl https://risk.oxl.app/api/net/205.210.31.48

# check ASN/ISP
curl https://risk.oxl.app/api/asn/<ASN>
curl https://risk.oxl.app/api/asn/16509
```

API Limits:

  • Without token:

    • 500 Requests per IP & 10 min
    • 5000 Requests per IP & day
    • Anti-DOS
  • With token:

    • 5000 Requests per IP & 10 min
    • Anti-DOS

DNS-BL

You can also query IPs via DNS:

```bash
# check if IP '38.207.157.50' was reported
nslookup 50.157.207.38.ip.dnsbl.risk.oxl.app

# check if IP '2604:2dc0:205:e400::' was reported
nslookup 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.e.5.0.2.0.0.c.d.2.4.0.6.2.ip.dnsbl.risk.oxl.app

# or you can use the script
pip install dnspython
python3 src/riskdb/dnsbl/query_ip.py 1.2.3.4
python3 src/riskdb/dnsbl/query_ip.py 2604:2dc0:205:e400::
```

Query Limits: 60/min & 10k/day

For details see: src/riskdb/dnsbl and dnsbl-server
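The two nslookup examples above encode the address the way every DNSBL does: IPv4 octets are reversed, IPv6 addresses are expanded to 32 hex nibbles and reversed, and the zone is appended. As an added example (not the project's `query_ip.py`), the following builds that query name for both address families and performs the lookup with the standard library only. The lookup assumes the conventional DNSBL contract, which this page does not spell out: an A record means listed, NXDOMAIN means not listed.

```python
import ipaddress
import socket

DNSBL_ZONE = "ip.dnsbl.risk.oxl.app"  # zone from the page


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        # exploded form is 8 zero-padded groups; dropping the colons leaves 32 nibbles
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def dnsbl_lookup(ip, zone=DNSBL_ZONE):
    """Resolve the query name and return the A records ([] = not listed).

    Assumption (not documented on the page): listed -> A record, not listed ->
    NXDOMAIN. Any other resolver error is re-raised so that a broken resolver
    is never silently read as "not listed".
    """
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        return []  # never leak loopback/RFC 1918 addresses to a public DNSBL
    name = dnsbl_name(str(addr), zone)
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise


if __name__ == "__main__":
    for ip in ("38.207.157.50", "2604:2dc0:205:e400::"):
        print(ip, "->", dnsbl_name(ip))
```

The `is_global` guard is worth keeping in any DNSBL client: a misconfigured proxy that hands you internal addresses would otherwise broadcast them to a third party, and the 60/min and 10k/day query limits above are easier to respect when obviously irrelevant addresses are filtered before the resolver is asked.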


Report


You can use our reporting API to report IPs!

```bash
# data: "ip": "<IP>", "cat": "<CATEGORY>", "cmt": "<OPTIONAL COMMENT>", "ua": "<OPTIONAL HTTP USER-AGENT>", "ja4": "<OPTIONAL JA4-CLIENT-FINGERPRINT>"

# minimal example
curl -XPOST https://risk.oxl.app/api/report --data '{"ip": "1.1.1.1", "cat": "bot"}' -H 'Content-Type: application/json'

# the report's legitimacy will be rated better if you add some information (should not exceed 100 characters)
curl -XPOST https://risk.oxl.app/api/report --data '{"ip": "1.1.1.1", "cat": "attack", "cmt": "Form abuse"}' -H 'Content-Type: application/json'

## or user-agent
curl -XPOST https://risk.oxl.app/api/report --data '{"ip": "1.1.1.1", "cat": "attack", "ua": "curl/7.6.1"}' -H 'Content-Type: application/json'

## or even JA4 client-fingerprint
curl -XPOST https://risk.oxl.app/api/report --data '{"ip": "1.1.1.1", "cat": "attack", "ua": "curl/7.6.1", "ja4": "t13d3112h2_e8f1e7e78f70_9c4a419d3a15"}' -H 'Content-Type: application/json'
```

Available categories are: bot, probe, rate, attack, crawler, spam, malware, hosting, vpn, proxy

Limits:

  • Without token:

    • 500 Requests per IP & 10 min
    • 5000 Requests per IP & day
    • Anti-DOS
  • With token:

    • 5000 Requests per IP & 10 min
    • Anti-DOS

If you want to get a (free) token for your systems - feel free to contact us at: risk-db@oxl.at
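Added example (not the project's own report script): a minimal reporter that derives `probe` reports from an access log and builds payloads in exactly the field layout documented above, validating the category against the list and capping the comment at the 100 characters the page asks for. The log lines are constructed, the "three 404s from one IP" rule is an arbitrary illustration, and no token header is set because this page does not document how a token is passed.

```python
import ipaddress
import json
import re
import urllib.request
from collections import defaultdict

REPORT_URL = "https://risk.oxl.app/api/report"
CATEGORIES = {"bot", "probe", "rate", "attack", "crawler", "spam",
              "malware", "hosting", "vpn", "proxy"}  # from the page
MAX_INFO = 100  # the page asks for at most 100 characters of extra info

# Constructed nginx "combined" access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2025:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:10:00:04 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def make_report(ip, cat, cmt=None, ua=None, ja4=None):
    """Build one report body with the field names documented above."""
    if cat not in CATEGORIES:
        raise ValueError(f"unknown category {cat!r}")
    ipaddress.ip_address(ip)  # reject garbage before it reaches the API
    body = {"ip": ip, "cat": cat}
    if cmt:
        body["cmt"] = cmt[:MAX_INFO]
    if ua:
        body["ua"] = ua[:MAX_INFO]
    if ja4:
        body["ja4"] = ja4
    return body


def build_reports(log_text, threshold=3):
    """Illustrative rule: an IP with at least `threshold` 404s is reported as 'probe'."""
    per_ip = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["status"] == "404":
            per_ip[rec["ip"]].append(rec)
    reports = []
    for ip, recs in per_ip.items():
        if len(recs) < threshold:
            continue
        paths = ", ".join(sorted({r["path"] for r in recs}))
        reports.append(make_report(ip, "probe",
                                   cmt=f"{len(recs)}x 404: {paths}",
                                   ua=recs[-1]["ua"]))
    return reports


def send_report(body, dry_run=True):
    """POST one report; with dry_run=True only the prepared request is returned."""
    req = urllib.request.Request(
        REPORT_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    if dry_run:
        return req
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    for report in build_reports(SAMPLE_LOG):
        print(json.dumps(report))
        send_report(report)  # dry run: nothing leaves the host
```

Aggregating per IP before reporting keeps a noisy scanner from turning into hundreds of near-identical reports, which matters both for the reporter-reputation metrics mentioned above and for staying inside the 500 requests per 10 minutes that apply without a token.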


Integrations

Report Script

A simple script that follows the content of a specific log-file and parses abuser information from it.

See: Report Script

Graylog

See: Graylog Alert Reporting

Fail2Ban

TBD


Alternative Solutions

This project is still in an early stage.

You may also want to check out these projects: (not open/free data)


License

Databases

BSD-3-Clause

Free to use.

If you are nice, you can optionally mention that you use this IP data:

```html
<p>IP address data powered by <a href="https://risk.oxl.app">OXL</a></p>
```

Scripts (this repository)

GPLv3

