The Extended Botnet Controller List is now available via the Spamhaus Intelligence API

Don’t know what SIA is?

Until recently, our limited access methods restricted how organizations could use our IP and domain reputation data. Our engineers have developed an API that makes it easy to integrate Spamhaus’ intelligence into your existing systems to address this situation.

SIA doesn’t just return a basic binary response as to whether a resource is listed or not; it is enriched with additional metadata providing deeper insights to help speed up investigations and accelerate reporting.

What is the extended Botnet Controller List (eBCL)?

This dataset contains single IPv4 addresses used by miscreants to control infected devices, otherwise known as Botnet Command and Controllers, C&Cs, or C2s.

At its heart, the eBCL is a “drop all traffic” list detailing the worst of the worse. By this, we mean that a network should not try to connect to these IP addresses under any circumstances, nor should it accept inbound traffic from them.

It will come as no surprise that given its specific focus, the eBCL is much smaller in size than that of the extended eXploits Blocklists:

• eBCL total entries – 300 – 2,000 (approx.)
• eBCL new entries per 24 hours – 25-50

The eBCL contains the following metadata for each listing, where available: ipaddress, botname, seen, firstseen, listed, valid-until, dstport, asn, lat, lon, cc, protocol, urls, domains, samples. See our technical documentation for a detailed explanation of these.

How can the eBCL be used?

Different organizations will have different use cases for this data. However, here are some ideas our team has come up with on how this data may assist.

Vetting and monitoring IP space
There are numerous situations where it is necessary to monitor or vet IP space:

• Where new IP space is purchased, this API can check if this space hosts Botnet C&Cs.
• If new hosted solutions are being considered, the range can be checked to ensure Botnet C&Cs are not operating in the neighborhood.
• Aid investigations for network operators – if customers have botnet controllers in their IP space, are they 1. Legitimate or 2. Are their systems compromised, and remediation is required across their entire IP space?

Security

Where it’s not possible to install the BCL on a router table, you can use the eBCL via SIA to query against incoming and outgoing traffic to block connections to listed Botnet C&Cs.

How do you access the eBCL?

You can sign up here if you’d like to trial this data via SIA. Alternatively, for those who would like an opportunity to experiment with our data over an extended period, sign up for our free Developer License, which gives six months of access to these datasets without any charge.