Known BotNet IP Addresses
This page lists IP addresses identified as part of known botnets, based on activity logged by our firewalls.
⚠️ Service Temporarily Unavailable
Last Updated: June 3, 2025
IP list removed: November 11, 2025
The botnet IP list has been removed and is no longer being updated while we overhaul our detection and listing system. There are several issues with our current approach:
- Many listed IPs are transient and belong to rented servers or cloud providers
- Our 1-year removal timeline is too long for dynamic IP assignments
- False positives from legitimate services using shared infrastructure
For System Administrators: If you were using our list (updated between 2024 and 2025), we strongly recommend removing ALL IPs that originated from this page from your blocklists, as many may now belong to legitimate services. Consider implementing more dynamic threat intelligence feeds or rate-limiting approaches instead of static IP blocking.
For Automated Scripts: This page no longer contains IP addresses. Please update your scripts to stop polling this resource.
We are working on a new system with improved accuracy and shorter retention periods. Check back for updates.
Criteria for Listing
An IP is listed if it meets any of the following criteria:
- Engages in brute force attacks on RDP, SSH, or other secure service ports.
- Makes over 3 SSH attempts within 24 hours (3 password tries per connection).
- Attempts RDP connections more than 10 times in 24 hours.
- Continues such activities for over 3 days within a 30-day span.
Removal from List
An IP is removed if no related traffic is detected for 1 year.
Note: We are reviewing this policy as part of our system overhaul.
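The listing criteria and removal rule above, as an added Python example that is not this site's own detection code. It assumes events are already normalised to (timestamp, ip, service) tuples, reads the 24-hour and 30-day limits as sliding windows, and exposes the retention period as a parameter; the sample events are constructed and use documentation-range addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds from the page's criteria; the sliding-window reading is an assumption.
LIMITS = {"ssh": 3, "rdp": 10}   # listed when attempts within 24 h exceed this
DAY, SPAN, MIN_DAYS = timedelta(hours=24), timedelta(days=30), 3

def max_in_window(times, window):
    """Largest number of timestamps that fit inside any sliding window."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def evaluate(events, now, retention=timedelta(days=365)):
    """events: (timestamp, ip, service) tuples. Returns {ip: set of reasons}."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for ts, ip, svc in events:
        by_ip[ip][svc].append(ts)
    listed = {}
    for ip, per_svc in by_ip.items():
        seen = [t for stamps in per_svc.values() for t in stamps]
        if now - max(seen) >= retention:
            continue  # removal rule: no related traffic for the retention period
        reasons = {f"{svc}>{LIMITS[svc]}/24h" for svc, stamps in per_svc.items()
                   if svc in LIMITS and max_in_window(stamps, DAY) > LIMITS[svc]}
        # Persistence: activity on more than MIN_DAYS distinct days in a 30-day span.
        days = [datetime.combine(d, datetime.min.time()) for d in {t.date() for t in seen}]
        if max_in_window(days, SPAN) > MIN_DAYS:
            reasons.add("persistent>3d/30d")
        if reasons:
            listed[ip] = reasons
    return listed

# Constructed sample events (documentation-range addresses, not real indicators).
T0 = datetime(2025, 6, 1)
SAMPLE = (
    [(T0 + timedelta(hours=h), "192.0.2.10", "ssh") for h in range(4)]         # 4 SSH in 4 h
    + [(T0 + timedelta(minutes=m), "198.51.100.7", "rdp") for m in range(10)]  # exactly 10 RDP
    + [(T0 + timedelta(days=d), "203.0.113.5", "ssh") for d in (0, 5, 9, 20)]  # 4 separate days
)

if __name__ == "__main__":
    print(evaluate(SAMPLE, now=T0 + timedelta(days=21)))
    # Same history, 45 days on, with a 30-day retention instead of the page's 1 year.
    print(evaluate(SAMPLE, now=T0 + timedelta(days=45), retention=timedelta(days=30)))
```

With the 1-year default both flagged sample addresses are still listed at day 45; with a 30-day retention only the one seen within the last 30 days remains.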
Logs Consulted
The following logs are consulted to identify botnet-related activities:
- Logs from routers and IDS/IPS.
- Windows Server Event logs.
- Linux system kernel messages.
- MySQL database logs.
- Other logs gathered using SysLog and AWS CloudWatch.
Note to Admins
As an operational security measure, systems must prioritize dropping all traffic from these IPs (i.e., before processing any rules that permit connections).
For quick reference, use this command to dump Security events from Windows Server machines into a file for later analysis:
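# Event ID 4625 = an account failed to log on; replace the {placeholders} with a real folder and timestamp.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Format-List | Out-File -FilePath "{YourFilePath}\{DateTime}.log" -Verbose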
