O-X-L/risk-db

Open Risky IP & ASN Database

WARNING: This project is not yet in a usable state!

This project wants to help admins flag large quantities of bad traffic.

Most generic attacks and bots originate from cloud-providers, datacenters or other providers with lax security.

By flagging clients originating from these sources you can achieve a nice security improvement.

The databases created from the gathered data will be and stay open-source!

See also: bad-asn-list


Contribute

Contributions like reporting issues, engaging in discussions or PRs are welcome!


Usage

You SHOULD NOT just drop any requests from these sources.

There might be legitimate users behind a VPN who would be matched as false positives.

You might want to flag traffic from those sources and restrict their access, for example:

  • Lower the rate-limits
  • Show (more) captchas on forms
  • Lower lifetime of session cookies
  • Add that flag to your logs so you can use it to analyze the traffic
  • Deny access to administrative locations

Alternative Solutions

This project is still in an early stage.

You may also want to check out these projects: (not open/free data)


Download Databases

Databases marked with the key all include all reports.

The ones marked with med and high only include reports from reporters that have a certain level of reputation.

We recommend the use of our GeoIP-ASN Database and IPInfo ASN/Country Databases to get more IP-metadata.

ASN

IPs

Limits:

  • Without token: 2 Downloads per IP & day
  • With token: 10 Downloads per IP & day

API

# check IP
curl https://risk.oxl.app/api/ip/<IP>
## example
curl https://risk.oxl.app/api/ip/1.1.1.1

# check ASN/ISP
curl https://risk.oxl.app/api/asn/<ASN>
## example
curl https://risk.oxl.app/api/asn/24940

Limits:

  • 100 Requests per IP & 10 min
  • 1000 Requests per IP & day

Report

You can use our reporting API to report IPs!

# data: "ip": "<IP>", "cat": "<CATEGORY>", "cmt": "<OPTIONAL COMMENT>"

# minimal example
curl -XPOST https://risk.oxl.app/api/report --data '{"ip": "1.1.1.1", "cat": "bot"}' -H 'Content-Type: application/json'

# your reporter-reputation will be better if you add a comment (should not exceed 100 characters)
curl -XPOST https://risk.oxl.app/api/report --data '{"ip": "1.1.1.1", "cat": "attack", "cmt": "Form abuse"}' -H 'Content-Type: application/json'

Available categories are: bot, probe, rate, attack, crawler, hosting, vpn, proxy

Limits:

  • Without token

    • 500 Requests per IP & 10 min
    • 5000 Requests per IP & day
  • With token

    • Only Anti-DOS

Integrations

Report Script

A simple script that follows the content of a specific log-file and parses abuser information from it.

See: Report Script
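
A sketch of the validation a log-driven reporter needs before it posts to the reporting API above. This is an added example, not the project's Report Script: the log line format, the keyword-to-category rules and the sample lines are assumptions constructed here, while the payload fields, the category list and the 100-character comment limit come from this page.

```python
import ipaddress
import json
import re

REPORT_URL = "https://risk.oxl.app/api/report"  # endpoint from the page
CATEGORIES = {"bot", "probe", "rate", "attack", "crawler", "hosting", "vpn", "proxy"}
MAX_COMMENT = 100  # comment length limit stated on the page
# Assumed log format (constructed for this example): "<time> <client-ip> <reason>"
LINE_RE = re.compile(r"^\S+ (?P<ip>\S+) (?P<reason>.+)$")
# Hypothetical rules: log keyword -> (category, fixed comment). Fixed comments
# keep attacker-influenced log text and internal paths out of the report.
RULES = [("rate limit", "rate", "Rate limit exceeded"),
         ("form abuse", "attack", "Form abuse"),
         ("path scan", "probe", "Path scan")]
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 1.1.1.1 rate limit exceeded on /login
2024-05-01T10:00:01Z 10.0.0.5 rate limit exceeded on /login
2024-05-01T10:00:02Z 1.1.1.1 rate limit exceeded on /login
2024-05-01T10:00:03Z not-an-ip form abuse detected
2024-05-01T10:00:04Z 127.0.0.1 path scan for /admin
2024-05-01T10:00:05Z 1.0.0.1 form abuse detected
2024-05-01T10:00:06Z 1.0.0.1 GET /index.html 200
"""  # constructed sample lines

def build_report(ip_text, cat, comment=""):
    """Return a report payload, or None if it must not be sent."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # the log field was not an IP address
    if not ip.is_global or cat not in CATEGORIES:
        return None  # skip internal/reserved addresses and unknown categories
    report = {"ip": str(ip), "cat": cat}
    if comment:
        report["cmt"] = comment[:MAX_COMMENT]
    return report

def reports_from_log(text):
    """Parse log text into de-duplicated, validated report payloads."""
    seen, out = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = m["reason"].lower()
        cat, cmt = next(((c, t) for k, c, t in RULES if k in reason), (None, ""))
        report = build_report(m["ip"], cat, cmt)
        if report and (report["ip"], cat) not in seen:
            seen.add((report["ip"], cat))  # one report per IP and category
            out.append(report)
    return out

if __name__ == "__main__":
    for r in reports_from_log(SAMPLE_LOG):
        print("POST", REPORT_URL, json.dumps(r))
```

De-duplicating per IP and category before sending also helps a reporter without a token stay inside the request limits listed above.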

Fail2Ban

TBD


License

Databases

BSD-3-Clause

Free to use.

If you are nice, you can optionally mention that you use this IP data:

<p>IP address data powered by <a href="https://risk.oxl.app">OXL</a></p>

Scripts (this repository)

GPLv3