
1.4 Million Attacks in 24 Hours: 32% Blocked by the New Blacklist

This entry was posted in Research, Wordfence, WordPress Security on March 16, 2017 by Mark Maunder   24 Replies

Last Friday we quietly launched a new Premium feature in Wordfence: A real-time IP blacklist that completely blocks known malicious IPs from accessing your website. On Monday we did a second release with a few improvements. Then we announced the blacklist on Tuesday this week.

Today we took a first look at data showing how many attacks the real-time blacklist is blocking each day on our Premium customer websites – and the data is incredible.

First we generated a chart showing all attacks that have been blocked by the real-time blacklist since the initial Friday release. Here’s what it looks like:

[Chart: attacks blocked per day by the real-time blacklist since the initial Friday release]

As I mentioned in our Tuesday announcement, we are releasing IPs to the blacklist in stages as we bring this feature into production over the coming weeks. Last Thursday we added 100 malicious IPs that were generating a large number of attacks, and that alone had the immediate effect of blocking over 160,000 attacks per day on our Premium customer websites.

After Thursday we gradually grew the list and occasionally removed IPs. This is what the changes to the blacklist looked like over the next few days:

[Chart: IPs added to and removed from the blacklist per day]

As you can see we are constantly removing and adding new IPs to the list. As we bring the blacklist online the list total is slowly growing and is currently hovering around 400 IPs. You can see the effect these changes are having in the chart above as the number of daily attacks the list is blocking is gradually increasing for our Wordfence Premium customers.

Zero false positives!

What is incredibly reassuring is that out of this huge volume of blocked attacks, we have had only 4 reports of suspected false positives. Two of them were for the same IP address, a very badly behaved Ukrainian IP that is definitely not a false positive. We investigated each report and found that the customer sites were misconfigured, and that misconfiguration is what produced the false positive report.

We haven’t had a single confirmed false positive, which is great news. It means that the criteria we use to decide which IPs belong on the blacklist are holding up so far.

Measuring the blacklist efficacy

Blocking a malicious IP outright is far better than only blocking the malicious requests from that IP address. We don’t want a malicious IP to learn anything at all about a customer website that could help it attack the site. Ideally, the target website should be completely inaccessible to a malicious IP, so it cannot perform reconnaissance before an attack to learn more about its target.

We wanted to measure what percentage of attacks on our customer sites are being blocked by the blacklist at this point, even though the list is still relatively small. To generate this report, we looked at the data from the past 24 hours and only considered sites that have been running the newest version of Wordfence Premium for the full 24 hours with the blacklist enabled.

During the period we saw a total of 1,415,330 attacks on the sites that we analyzed. Broken into its component parts, that is 107,956 attacks blocked by the firewall, 845,591 brute force attacks blocked by Wordfence’s brute force protection, and 461,783 attacks from IPs on the new blacklist.

That means that 32.6% of attacks on these sites in 24 hours (461,783 of 1,415,330) were blocked by the new IP blacklist! The rest were blocked by the Wordfence firewall and brute force protection.

That is incredible considering the blacklist is only 399 IPs right now.

The reason we’re seeing this is that attacks on WordPress sites follow a long-tail distribution. A small number of IPs each generate a huge number of attacks, and a large number of IPs each generate only a handful. So when we blacklist the 399 noisiest IPs, those few addresses account for a disproportionate share of the total, and a large fraction of attacks is stopped.

Our goal is of course to block all malicious IPs or get as close to that as possible. The effectiveness of an attacker is not always directly proportional to the number of attacks they launch. So we need to block the low volume attackers too and we will do just that as we expand the blacklist over the coming days and weeks.
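As an added illustration (not code from this post or from Wordfence), the script below runs the same kind of analysis over a constructed event log: it counts block events per source IP, reports what share of all events the k noisiest sources account for, and then re-labels events the way an IP blacklist sitting in front of the firewall would, reproducing the three-bucket breakdown above. The log format, the addresses (drawn from the RFC 5737 documentation ranges) and the event counts are all assumptions made for the example.

```python
"""Long-tail analysis of blocked attack events by source IP.

Added illustration (not Wordfence code). It assumes a simple, constructed
log format: "<ISO timestamp> <source IP> <block reason>", one event per line,
where the reason is one of "firewall", "bruteforce" or "blacklist".
"""
import ipaddress
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

Event = Tuple[str, str, str]  # (timestamp, source_ip, reason)


def build_sample_log() -> List[str]:
    """Constructed sample: three noisy IPs plus a long tail of 100 quiet ones.

    The numbers are made up for the example; they are not Wordfence data.
    """
    lines: List[str] = []
    heavy = {  # ip: (block reason, events in the window)
        "203.0.113.7": ("bruteforce", 600),
        "198.51.100.23": ("firewall", 250),
        "203.0.113.99": ("bruteforce", 150),
    }
    for ip, (reason, n) in heavy.items():
        lines.extend(f"2017-03-15T12:00:00Z {ip} {reason}" for _ in range(n))
    # 100 distinct low-volume sources, one event each
    lines.extend(f"2017-03-15T13:00:00Z 192.0.2.{i} bruteforce" for i in range(1, 101))
    return lines


def parse_line(line: str) -> Event:
    """Parse one log line, rejecting malformed lines and non-IP source tokens."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"malformed log line: {line!r}")
    ts, ip, reason = parts
    ipaddress.ip_address(ip)  # raises ValueError if the token is not an address
    if reason not in ("firewall", "bruteforce", "blacklist"):
        raise ValueError(f"unknown block reason: {reason!r}")
    return ts, ip, reason


def parse_log(lines: Iterable[str]) -> List[Event]:
    return [parse_line(line) for line in lines if line.strip()]


def events_per_ip(events: Sequence[Event]) -> Counter:
    return Counter(ip for _, ip, _ in events)


def top_ips(per_ip: Counter, k: int) -> List[str]:
    """The k noisiest sources, highest count first (ties broken by address)."""
    ranked = sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:k]]


def coverage_of_top(per_ip: Counter, k: int) -> float:
    """Fraction of all events that the k noisiest sources account for."""
    total = sum(per_ip.values())
    if total == 0:
        return 0.0
    return sum(per_ip[ip] for ip in top_ips(per_ip, k)) / total


def apply_blacklist(events: Sequence[Event], blacklist: Iterable[str]) -> Counter:
    """Re-bucket events as if an IP blacklist sat in front of request inspection.

    An IP block happens before the firewall or login protection ever sees the
    request, so every event from a listed source counts as "blacklist".
    """
    listed = set(blacklist)
    return Counter("blacklist" if ip in listed else reason for _, ip, reason in events)


def blacklist_share(events: Sequence[Event], blacklist: Iterable[str]) -> float:
    buckets = apply_blacklist(events, blacklist)
    total = sum(buckets.values())
    return buckets["blacklist"] / total if total else 0.0


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    per_ip = events_per_ip(evs)
    for k in (1, 3, 10):
        print(f"top {k:>2} of {len(per_ip)} IPs account for "
              f"{coverage_of_top(per_ip, k):.1%} of events")
    bl = top_ips(per_ip, 3)
    print("buckets with blacklist in front:", dict(apply_blacklist(evs, bl)))
    print(f"blacklist share: {blacklist_share(evs, bl):.1%}")
```

On the constructed data, listing just 3 of 103 sources stops about 91% of events, which is the long-tail effect the post describes; the ranking is what you would recompute from real logs to decide which addresses earn a place on the list, and the re-bucketing shows why the blacklist count also absorbs events that would otherwise have been credited to the firewall or brute force buckets.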

Conclusion

This data is incredibly exciting because it demonstrates how effective the new Wordfence Premium blacklist is at completely blocking known malicious IPs from consuming resources and from accessing anything on our customer WordPress websites.

As always I will be around to reply to your questions and comments below. I hope you’re as excited about this new feature as we are. This is beginning to feel like we have completely changed the game on anyone attacking WordPress!




24 Comments on "1.4 Million Attacks in 24 Hours: 32% Blocked by the New Blacklist"

Mark March 16, 2017 at 10:02 am

Bravo! Keep up the good work.

opinions March 16, 2017 at 10:09 am

Good news, it'll be terrific when your BL has 10,000 bad IPs on it! The great bot shutdown of 2017! Watch them scramble for new IPs to use, it'll be amazing. And perhaps I won't have to country block Ukraine? That'll feel strange.

MG March 16, 2017 at 10:13 am

So, will this blacklist functionality eventually migrate to non-Premium users (as such things tend to go; rolling out to Premium first and then eventually to Standard / Free)? One would think that everyone could benefit from automatically stopping the worst offenders...

Mark Maunder March 16, 2017 at 11:07 am

Hi MG,

We currently have no plans to release this to free users. Running the platform to analyze attacks and turn it into threat intelligence, paying our analysts to actually do that work and running the operational side of this comes at a significant cost. I'd love to give it away for free but unfortunately that's not feasible.

Mark.

rgudonis March 16, 2017 at 10:14 am

I have my own personal blacklist that focuses on IP ranges, user-agents, and hostnames. This, on top of the Wordfence blacklist will keep my sites super-secure. Thank you, team.

Tony March 16, 2017 at 10:33 am

Wow, you guys are smart to be doing this. It's crowdsourcing, essentially. Together, we can all benefit.

I'm glad we're on the pro version and we're encouraging more of our website design clients to do the same.

Cristian Balan March 21, 2017 at 7:59 am

"all" premium

Rich Johnson March 16, 2017 at 11:01 am

That's amazing. Good work guys!

Manuel March 16, 2017 at 11:33 am

Well done guys. Again, thanks for making WordPress a safer platform!

Mark Maunder March 16, 2017 at 11:35 am

Thanks Manuel.

Jim Martin March 16, 2017 at 11:53 am

We have about 50 client websites for which we've loaded Wordfence's Premium version. Adding in Wordfence is one of the easiest decisions we have to make whenever we build a new client website, and with one of the most gratifying results. Based on your efforts to help all of us sleep better at night and keep out the bad actors, we haven't had a single client opt-out of using Wordfence when we submit our proposals. You and your team deserve a lot of credit for your efforts.

Chief Digital Officer
Scottsdale, AZ

Mark Maunder March 16, 2017 at 12:12 pm

Thanks very much Jim. That means a lot.

opinions March 16, 2017 at 3:56 pm

In the interest of educating us users, why not just use existing blacklists, such as those that this website checks:

http://ipindetail.com/ip-blacklist-checker/119.9.73.110.html

Thanks for all.

Mark Maunder March 16, 2017 at 4:39 pm

Those are lists of IP addresses that are generating spam and that you should blacklist on your email server. The Wordfence blacklist is a list of IP addresses that are hacking into WordPress sites either via complex attacks or brute force.

Our blacklist wouldn't be much good to stop spam because we don't track which IPs send spam. Similarly those blacklists are no good at stopping WordPress attacks because they are just lists of IPs that are known to generate spam.

Mark.

Shawn March 16, 2017 at 4:27 pm

With such a large impact, even initially, where do you see this going? As someone already stated, "Watch them scramble for new IPs to use, it'll be amazing." Which may happen, but doesn't that cause further headaches for someone else? With WP running a significant percentage of websites out there, I doubt the bad guys will sit idle. Obviously, you aren't going to lay out your master plan here publicly, just curious if you guys discussed it, that's all. I'm a proud supporter of WordFence, have been for many years and I love seeing the continued work and dedication by you and the rest of the staff.

Mark Maunder March 16, 2017 at 4:42 pm

Hi Shawn,

We've been in the threat intelligence business for some time now with the Threat Defense Feed and the capabilities we've had to bring online to enable malware analysis and the attack analysis we do. These have resulted in the large number of malware signatures and firewall rules we have and which are constantly growing. This is no different. Malicious IPs are just another IOC (indicator of compromise) - just another kind of threat intelligence. We have already brought online the capabilities we need to develop and grow this list. The only reason we are rolling it out slowly is as a risk management strategy.

Mark.

Craig Hesser March 17, 2017 at 6:27 am

I suppose I am asking for the impossible, but all the IPs on the blacklists are "known" bad actors. That means that someone was already the guinea pig and "got bit". Is there any way to predict and block bad actors in advance?

Mark Maunder March 17, 2017 at 10:02 am

We're working on that.

Mark.

opinions March 17, 2017 at 7:14 am

Mark, thanks so much for explaining those black lists, I was always confused by that. It's confusing because I'll get attacked by an IP, check it on those spam blacklists, and the IP will be listed, so I suppose some IPs are used for both spamming and vulnerability attacks?

In any case, I'm looking forward to your IP BL growing to encompass thousands of IPs, that'll make a dent, for sure.

Mark Maunder March 17, 2017 at 10:03 am

Yes, some IPs are used for a variety of malicious purposes.

Mark.

Hans Fransen March 18, 2017 at 7:42 am

As the founder of a Foundation working in the field of bereavement, my initial thinking was about working with people and not dealing with websites and cyber security. However, you guys are making it relatively easy for us to protect our sites, and at the same time you are teaching us what's important in cyber security and what's not. I love reading your posts that are written in a way that even dummies can comprehend.

Please continue with the good work.
Hans

Grindlay March 20, 2017 at 1:41 pm

Can you give some indication of the performance impact of using the BL - presumably there is an overhead to checking some 300-or-so IPs on a per-request basis ?

Mark Maunder March 21, 2017 at 8:57 am

There's none. It's incredibly fast. We're doing a local check using hash prefixes which is very fast and you won't notice any performance impact.
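
Grindlay's performance question and the answer above (a local check using hash prefixes) are worth making concrete. The class below is an added example of that general technique, written for this page; it is not Wordfence's implementation, and the hash function (SHA-256), the 4-byte prefix length, the confirmation step and the sample addresses are all assumptions. The per-request cost is one hash and one set lookup regardless of how many IPs are listed. A prefix hit is confirmed against the full digest, so a prefix collision cannot block an innocent visitor. It also includes the check a practitioner should pair with any IP-based block: only honour X-Forwarded-For when the TCP peer is a proxy you trust, otherwise the attacker chooses which address gets looked up.

```python
"""Hash-prefix lookup for a per-request IP blacklist check.

Added illustration of the general technique; not Wordfence's code. SHA-256,
the 4-byte prefix length, the trusted-proxy handling and the sample
addresses (RFC 5737 documentation ranges) are assumptions for the example.
"""
import hashlib
import ipaddress
from typing import Iterable, Optional, Set

PREFIX_BYTES = 4  # assumed; longer prefixes mean fewer spurious prefix hits


def ip_digest(ip: str) -> bytes:
    """SHA-256 of the packed address, so textual variants of the same host
    ("::ffff:203.0.113.7" vs "203.0.113.7", compressed vs expanded IPv6)
    hash identically. Raises ValueError if the input is not an IP address."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return hashlib.sha256(addr.packed).digest()


class PrefixBlacklist:
    """Local set of digest prefixes, backed by the full digests for confirmation."""

    def __init__(self, bad_ips: Iterable[str] = ()) -> None:
        self._full: Set[bytes] = set()       # authoritative full digests
        self._prefixes: Set[bytes] = set()   # what the hot path consults
        for ip in bad_ips:
            self.add(ip)

    def add(self, ip: str) -> None:
        d = ip_digest(ip)
        self._full.add(d)
        self._prefixes.add(d[:PREFIX_BYTES])

    def remove(self, ip: str) -> None:
        d = ip_digest(ip)
        self._full.discard(d)
        p = d[:PREFIX_BYTES]
        # keep the prefix only while some other listed address still shares it
        if not any(f[:PREFIX_BYTES] == p for f in self._full):
            self._prefixes.discard(p)

    def __len__(self) -> int:
        return len(self._full)

    def is_blocked(self, ip: str) -> bool:
        d = ip_digest(ip)
        if d[:PREFIX_BYTES] not in self._prefixes:
            return False        # fast path taken by almost every request
        return d in self._full  # confirm: a prefix collision must not block anyone


def effective_client_ip(remote_addr: str, forwarded_for: Optional[str],
                        trusted_proxies: Set[str]) -> str:
    """Address to check. X-Forwarded-For is honoured only when the TCP peer is
    a trusted proxy; the rightmost entry is the one that proxy appended."""
    if forwarded_for and remote_addr in trusted_proxies:
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def decide(bl: PrefixBlacklist, remote_addr: str, forwarded_for: Optional[str] = None,
           trusted_proxies: Set[str] = frozenset()) -> int:
    """HTTP status the request should receive: 403 if the client is listed, else 200."""
    client = effective_client_ip(remote_addr, forwarded_for, trusted_proxies)
    return 403 if bl.is_blocked(client) else 200


if __name__ == "__main__":
    bl = PrefixBlacklist(["203.0.113.7", "198.51.100.23"])  # constructed list
    print("direct hit  :", decide(bl, "203.0.113.7"))
    print("clean client:", decide(bl, "192.0.2.1"))
    print("via proxy   :", decide(bl, "10.0.0.5", "198.51.100.23", {"10.0.0.5"}))
    print("spoofed XFF :", decide(bl, "192.0.2.1", "198.51.100.23", {"10.0.0.5"}))
```

The prefix set is the only structure touched on the hot path, so lookup cost does not grow with the list; the full-digest set is consulted only on the rare prefix hit and is the part that would live with the authoritative list in a real deployment. Hashing the packed address rather than the string closes the obvious bypass of presenting the same host in a different notation.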

Lucy Baker April 1, 2017 at 11:52 pm

My IP has been blocked by a news site, and mine is definitely not a malicious address!
