the most comprehensive feed we have ever provided


near-realtime monitoring


full list of IP addresses


full XML Schema


An hourly XML feed of every IP address that is part of over 3,000 botnets we are tracking (controllers and infected clients) plus five further categories of malicious activity. Along with every Command and Control IP address (C2) for IRC-based, HTTP-based, and P2P-based botnets, there is also a full list of IP addresses known to have communicated with the C2 in the last 60 minutes.

Other categories of potentially compromised devices like routers, darknet visitors, and abused proxies are also provided, forming the most comprehensive feed we have ever provided. The Reputation Feed contains botnet controller and infection data from the Botnet Analysis and Reporting System (BARS), a unique system that enables visibility into botnets that normally evade monitoring.

And finally, we also operate a number of sinkhole efforts that contribute additional bot families like Conficker to the feed.

Entries included that indicate the type of malicious behavior observed:

IP used to control botnets
IP was observed talking with a known botnet C&C
IP was observed scanning dark IP space for vulnerable hosts
IP was observed being used as a proxy to connect to the public Internet
IP is a router that was observed being used as a proxy


Frequently Asked Questions

This is designed to be a lightweight, near-real time feed to allow subscribers to monitor for infected computers visiting their networks. Subscribers can utilize the Reputation Feed to identify compromised hosts as they access their networks, thus enabling them to monitor or block these infected hosts before they can cause any damage. Combine the other categories we include and you have the most complete list possible. Possible uses include:
  • Banks checking for infected customers at sign-on
  • Companies pro-actively monitoring for exfiltration of data via bots
  • ISPs checking for infected customers and other abuse
  • Vendors importing data for enterprise appliances
This information is gathered through a number of methods, including malware analysis, observation of botnet command and control (C&C) botnets that we have uniquely decoded, and monitoring of dark IP space (darknets).

As part of the XML schema for this report, each controller and bot has been assigned a “confidence” value, which is a range of 0-100, with 100 being the highest confidence rating. The data in this feed is derived from one or more methods.

The confidence value entry depends on the method of collection and analysis. The intention is that partners determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision making capability we prefer to give you a confidence value to assist you. You may decide that some threats are important, and others are not. This score will help you along the way.

Our REPUTATION FEED includes a 30-day money back guarantee