Border Gateway Protocol (BGP) - the datasets

Posted on
April 04, 2023
Author
Spamhaus Technology Team
Read time
2 mins

Introduction

Spamhaus delivers real-time threat intelligence over BGP, allowing you to block connections to and from malicious IP addresses at the network edge using your existing routers or firewalls.

Configuring your router to peer with the Spamhaus BGP router takes only minutes. Once the session is established and your router is receiving the Spamhaus datasets, your network automatically drops communications with botnet command-and-control (C&C) servers.
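The mechanism behind this is standard BGP blackholing: the feed announces each listed address or netblock as a route, and an inbound route-map on your router rewrites the next-hop to an address that is statically routed to a discard (null) interface, so packets towards listed destinations are dropped at the edge. The following FRR (vtysh) configuration is an added illustration of that pattern and is not Spamhaus' own configuration: the peer address 198.51.100.10, the ASNs 64512 and 64496, the blackhole next-hop 192.0.2.1 and the "own space" prefix 203.0.113.0/24 are placeholders from the documentation ranges, and the real peer details, the session password and the maximum-prefix value come from Spamhaus when you set up the feed.

```text
! ---- Added example: FRR blackhole configuration for a BGP threat feed ----
! All addresses and AS numbers below are placeholders (assumption), not Spamhaus values.

! 1. A static discard route. Any packet whose next-hop resolves to 192.0.2.1 is dropped.
ip route 192.0.2.1/32 blackhole

! 2. Safety net: never accept a feed prefix that covers our own address space,
!    otherwise a mis-announced route would blackhole our own traffic.
ip prefix-list OWN-SPACE seq 10 permit 203.0.113.0/24 le 32

! 3. Reject the default route and near-default prefixes. DROP entries are netblocks of
!    varying length, so only absurdly short prefixes (/0 to /7) are refused here;
!    the Botnet Controller List is /32 only and passes this check unchanged.
ip prefix-list FEED-LEN seq 10 permit 0.0.0.0/0 ge 8

! 4. Inbound policy: drop anything matching our own space, then accept the rest
!    and point it at the discard next-hop. Local-preference is raised so the feed
!    route wins over the normal (upstream) path to the same destination.
route-map FROM-FEED deny 10
 match ip address prefix-list OWN-SPACE
!
route-map FROM-FEED permit 20
 match ip address prefix-list FEED-LEN
 set ip next-hop 192.0.2.1
 set local-preference 200
!
! 5. Outbound policy: announce nothing to the feed peer.
route-map TO-FEED deny 10
!
router bgp 64512
 neighbor 198.51.100.10 remote-as 64496
 neighbor 198.51.100.10 description Threat-feed peer (placeholder address and ASN)
 neighbor 198.51.100.10 ebgp-multihop 255
 neighbor 198.51.100.10 password REPLACE-WITH-SHARED-SECRET
 !
 address-family ipv4 unicast
  neighbor 198.51.100.10 activate
  neighbor 198.51.100.10 route-map FROM-FEED in
  neighbor 198.51.100.10 route-map TO-FEED out
  ! Tear the session down rather than flood the FIB if the feed misbehaves;
  ! size this to the feed's documented entry count (placeholder value).
  neighbor 198.51.100.10 maximum-prefix 200000
 exit-address-family
```

Two caveats a practitioner should keep in mind. First, the next-hop rewrite only drops traffic *to* listed addresses, which is what stops an infected host reaching its C&C; dropping packets *from* those addresses additionally needs loose-mode unicast RPF (source-based blackholing) or an ACL on the edge, since a destination blackhole does not inspect source addresses. Second, verify the result after the session comes up: `show bgp ipv4 unicast neighbors 198.51.100.10 received-routes` should show the feed, `show ip route 192.0.2.1` should show the blackhole, and a listed destination should resolve to that next-hop rather than to your upstream.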

Which datasets are included?

Here is an overview of each dataset included:

Highly Malicious Networks (Do Not Route or Peer, DROP)

This dataset covers the worst of the worst: it is an advisory to drop all traffic to and from the listed networks. These are rogue networks from which malicious activity originates directly, such as ransomware encryption, DNS hijacking, exploit attempts, authentication attacks to discover working access credentials, harvesting, DDoS attacks, and spam campaigns. Any traffic from your network to an IP listed in this dataset is most likely a user responding to a phishing email or a device infected with botnet malware.

Botnet C2 IPs (Botnet Controller List)

This dataset is an advisory “drop all traffic” list of individual IPv4 addresses (/32 only) that are actively hosting botnet C&C servers used to control infected computers (bots). It incorporates threat intelligence from abuse.ch, one of Spamhaus’ trusted partners, and is designed to be used at the network edge to stop any infected devices on your network from communicating with a botnet C&C.

The IPs are divided into two categories:

  • Dedicated – IPs used exclusively to host their botnet C&C infrastructure on dedicated hosts, which serve no other purpose than controlling botnets.

  • Compromised – IPs belonging to compromised devices (often on residential internet connections) that have been repurposed to host botnet C&C infrastructure. The botnet operators behind them rely entirely on direct IP communication rather than domain names, bypassing protections such as DNS firewalls. Listing these hosts closes a significant gap in network defenses by blocking malicious traffic to compromised hosts acting as botnet C&C servers.

The status of each botnet controller IP is re-evaluated frequently, so that only active controllers remain listed.

Edge protection with BGP

Block malicious traffic at your network edge using existing hardware and stop infected devices communicating with botnet C&C servers.

Additional details about Spamhaus' BGP feed, and how to get started with a 30-day free trial, are available on the Spamhaus Technology website.