After ~1 week running, the bot IPs API already has information on ~47K distinct IPs. I continue to add more data sources/honeypots to keep on increasing that number.
You can check any IP with a GET request on antoinevastel.com/bots/ip/72.210 (replace the IP with the one you want to check)
Interesting work Antoine. Do you plan to provide more context about the type of malicious activity observed from the IPs? Are these web attackers or does it also include SSH bots and compromised devices serving as a part of botnets?
Sure, for the moment I store everything in files so it's difficult to provide more context. However, I plan to migrate to a DB, which will make it easier to provide more context.
To answer your other questions, it does include infected IPs used by botnets, SSH bots, active free proxies (as well as other malicious activity collected through honeypots).
All the IPs for which I have information are IPs for which I either received malicious traffic on my honeypots or IPs for which I was able to route bot traffic through (proxies).
Thus, I'm 100% sure these are IPs used by bots.
In the future I'd like to add the context to the API response so that people can make more fine-grained decisions (currently there's only the last date the IP was flagged as malicious).

