the most comprehensive feed we have ever provided


near-realtime monitoring


full list of IP addresses


full XML Schema


Along with every Command and Control IP address (C2) for botnets we track, the feed contains IP addresses that have communicated with a C2, a honeypot, or sinkhole we operate. Other example categories of malicious behavior include darknet scans, abused proxies, openresolvers, and IPs hosting phishing sites. Using our global network of darknets, sensors, and sinkholes we formed the most comprehensive feed we have ever produced.

The Reputation Feed is updated hourly and contains an aggregate of the last 24 hours of activity.

Every IP in the feed receives an individual reputation score using several different categories of patterns observed over the past 30 days. The key used to calculate the score is included in the feed and can be used to reconstruct the behavior patterns observed for each individual IP in the feed.

Reputation key patterns include:

  • Number of days in feed
  • IP observed in other categories
  • Number of events in same category
  • Detection type
  • Controller behavior:
    • Non standard port
    • # Controllers on same IP
    • DDoS activity
    • SSL usage
    • Malicious IPs in /24

Frequently Asked Questions

This is designed to be a lightweight, near-real time feed to allow subscribers to monitor for infected computers visiting their networks. Subscribers can utilize the Reputation Feed to identify compromised hosts as they access their networks, thus enabling them to monitor or block these infected hosts before they can cause any damage. Combine the other categories we include and you have the most complete list possible. Possible uses include:
  • Banks checking for infected customers at sign-on
  • Companies pro-actively monitoring for exfiltration of data via bots
  • ISPs checking for infected customers and other abuse
  • Vendors importing data for enterprise appliances
This information is gathered through a number of methods, including malware analysis, observation of botnet command and control (C&C) botnets that we have uniquely decoded, and monitoring of dark IP space (darknets).

As part of the XML schema for this report, each IP has been assigned a “reputation” value derived from various methods. The key used to calculate this value is included in the feed.

The intention is that clients determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision making capability, we prefer to give you a reputation value to assist you. You may decide that some threats are important, and others are not. This value will help you along the way.

Ready for the world's best REPUTATION FEED?