By far the most common question from prospects is, “where do you get your shunlist”. The answer is that we bake it ourselves on our own servers.
Other common questions:
Where do you get the raw data/ingredients for the shunlist?
The answer is that we harvest the data ourselves from our own listening posts and from our Security Labs computers that are constantly tracking malware and botnets.
Do you use publicly available blacklists as an input?
The answer is no. We do use publicly available data sources for QC or corroboration of certain findings, but we do not use them as raw ingredients because we do not know how they were gathered or prepared and cannot vouch for the accuracy of externally produced content.
What makes the RiskAnalytics ShunList better than other blacklists on the Internet?
Most of the publicly and commercially available blacklists use the AutoShun as one of their sources. Security researchers consistently refer to AutoShun as an authoritative source. We are extremely conservative about putting IP addresses on the ShunList. With so many network managers and security professionals depending on the accuracy and efficacy of the ShunList, we take our responsibility very seriously.
Some blacklists boast about having millions of bad addresses. Why are the RiskAnalytics ShunLists typically under a million IP addresses?
At RiskAnalytics, we are committed to accuracy. Huge bloated lists contain lots of collateral damage and are not being pruned as threats change. We strive to keep our lists clean of bloat and to work with ISPs and website owners to remove IP addresses from the ShunList as soon as the offending IP range has been cleaned. Bottom feeding blacklist aggregators accumulate historical bad address lists knowing that big numbers will attract attention to their sites and services. At RiskAnalytics security is our business, with no drive-by advertising.
How effective is Ip shunning as a defensive measure?
For inbound attackers and scanners, each exposed Ip address on an unprotected network will be subjected to about 3400 reconnaissance probes per hour. By interrupting the reconnaissance portion of the attack sequence, the follow-on exploit never happens. For inbound brute force attacks (the most common type of external attack) we block thousands of attacks per hour in real world settings. For outbound traffic (phishing, drive-by malware, browser exploitation, malvertising) we block several hundred thousand phishing and malware related attempts every day.