
Staying Ahead of WordPress Attackers with the Real-Time IP Blacklist

This entry was posted in Wordfence, WordPress Security on September 19, 2017 by Dan Moen   12 Replies

WordPress sites are under constant attack by criminals around the world. It is unnerving to see them at work, looking for security vulnerabilities to exploit and trying thousands of passwords. And when they are successful, they inflict pain in the form of lost revenue, damaged reputation and clean-up expenses. It’s no wonder that Wordfence users love our blocking features. There’s nothing more satisfying than taking direct action against an evil adversary.

We like blocking the bad guys too. That’s why we added a real-time IP blacklist for our Premium customers in March. In today’s post we do a deep dive on how the blacklist works. We also find out whether keeping an eye on Live Traffic and Monthly Attack Reports and blocking all the bad guys yourself is a viable alternative to the real-time blacklist. Let’s take a look!

Real-Time IP Blacklist Stats for August 2017

For our deep dive we took a look at all of the changes to the blacklist for August 2017 and sliced and diced it for you. The blacklist is updated in real-time using algorithms we have developed that run on our Big Data platform. IPs can be added and removed multiple times during the month, so in the numbers below we included each add and remove in our counts.

537,951 IPs Added in August

During the month an average of 17,353 IPs were added to the blacklist each day. That’s over 12 per minute, so if you were to attempt to do this manually you would need to block an IP roughly every 5 seconds. And the IP Blacklist doesn’t sleep: you would need to find a few partners to work with you in shifts, as the updates are happening 7 days a week at all times of the day. And forget about holidays and vacations, because the blacklist never stops working.

This chart shows the number of IPs added by day for the month of August. As you can see, the number of additions dropped off sharply starting on August 27th. As we reported in the August WordPress Attack Report, we saw a dramatic drop-off in brute force attacks on the 27th and blacklist additions essentially mirrored that change.

545,340 IPs Removed in August

When we talk about blocking attackers, we almost always talk about adding new IPs to our list. If you’re managing a small list of IPs by hand, that’s probably not going to get you in much trouble. But when you’re managing a big list that’s used by thousands of site-owners worldwide you need to be really careful to remove IPs when they stop attacking. This is especially important because we know that attackers like to use compromised routers to attack WordPress sites, which we wrote about back in April. As soon as it’s clear that an IP has stopped attacking, we immediately remove it from the blacklist.

In August an average of 17,591 IPs were removed from the blacklist each day. It’s no coincidence that is almost the same as the average number of additions, which was 17,353. Attackers are well aware that IP blacklists exist, so they cycle through IPs quickly in an attempt to evade them. That’s why IP blacklists need to be managed in real-time, blocking the bad guys as quickly as possible when they start attacking.

The chart below shows the number of IPs removed by day for the month of August. There was a big drop-off in volume beginning on the 28th, the day after we saw volume drop for additions.

How Long Do IPs Remain on the list?

To answer this question we looked at IPs that were removed from the list during the month of August and calculated how many days they had been on the list at the time of removal. IPs that were on the list for less than 24 hours are in the “0” row.

As you can see, only a small percentage of IPs spend more than 24 hours on the list. It’s clear that attackers cycle through IPs quickly, most likely because they become much less effective after a day or two of use. The longest an IP was on the list was 150 days. We also looked at time on the blacklist by number of hours and learned that the average time an IP address spends on the blacklist is just 10 hours.

Do Attackers Reuse IPs?

For this question we counted the total number of times each IP was added to the list during the month. It turns out that while attackers do re-use IPs, they don’t do so as often as you might think. Over two-thirds of the time, IPs were added to the blacklist just once.
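To make the numbers in the sections above concrete, here is an added example (my own code, not Wordfence's and not the algorithm that runs on their platform) that computes the same views from a constructed add/remove event log: adds and removes per day, a days-on-list histogram whose "0" bucket means less than 24 hours, average and longest time on the list measured at removal time, and how many times each IP was added. The timestamps and IPs are made up; IPs that were never removed are reported separately and excluded from the dwell-time figures, matching how the post measured them.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of blacklist add/remove events (not Wordfence data).
# One event per line: "<ISO timestamp> <add|remove> <ip>", in any order.
# The final line is a remove with no matching add, to show it is ignored.
SAMPLE_EVENTS = """\
2017-08-01T00:10:00 add 203.0.113.5
2017-08-01T09:40:00 remove 203.0.113.5
2017-08-01T02:00:00 add 198.51.100.7
2017-08-03T02:00:00 remove 198.51.100.7
2017-08-02T12:00:00 add 203.0.113.5
2017-08-02T20:00:00 remove 203.0.113.5
2017-08-04T06:00:00 add 192.0.2.9
2017-08-05T06:00:00 remove 192.0.2.99
"""


def parse_events(text):
    """Parse event lines into (timestamp, action, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, ip = line.split()
        if action not in ("add", "remove"):
            raise ValueError(f"unknown action {action!r}")
        events.append((datetime.fromisoformat(ts), action, ip))
    events.sort(key=lambda e: e[0])
    return events


def daily_counts(events):
    """Adds and removes per calendar day; every event counts, as in the post."""
    per_day = {"add": Counter(), "remove": Counter()}
    for ts, action, _ in events:
        per_day[action][ts.date().isoformat()] += 1
    return per_day


def dwell_times(events):
    """Hours each IP spent on the list, measured at removal time.

    Returns (dwell, still_listed): dwell is a list of (ip, hours) for every
    add->remove pair; still_listed maps IPs with no removal yet to the time
    they were added (excluded from the statistics, as in the post).
    A remove with no matching add is ignored; a second add while already
    listed keeps the earlier add time.
    """
    listed = {}
    dwell = []
    for ts, action, ip in events:
        if action == "add":
            listed.setdefault(ip, ts)
        elif ip in listed:
            hours = (ts - listed.pop(ip)).total_seconds() / 3600
            dwell.append((ip, hours))
    return dwell, listed


def days_on_list_histogram(dwell):
    """Bucket dwell times by whole days; bucket 0 is 'less than 24 hours'."""
    return Counter(int(hours // 24) for _, hours in dwell)


def reuse_stats(events):
    """How many times each IP was added, and the share added exactly once."""
    adds = Counter(ip for _, action, ip in events if action == "add")
    once = sum(1 for n in adds.values() if n == 1)
    return adds, (once / len(adds) if adds else 0.0)


def summarize(text):
    """All of the post's views in one dict, computed from an event log."""
    events = parse_events(text)
    dwell, still_listed = dwell_times(events)
    hours = [h for _, h in dwell]
    adds, share_once = reuse_stats(events)
    return {
        "daily": daily_counts(events),
        "days_histogram": days_on_list_histogram(dwell),
        "avg_hours": sum(hours) / len(hours) if hours else 0.0,
        "max_hours": max(hours) if hours else 0.0,
        "still_listed": sorted(still_listed),
        "adds_per_ip": adds,
        "share_added_once": share_once,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the sample, 203.0.113.5 is listed twice (9.5 and 8 hours), 198.51.100.7 once for 48 hours, and 192.0.2.9 is still listed at the end of the log, so the average of the three completed stays is about 21.8 hours and two of the three IPs were added only once.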

Which Countries Dominate the Blacklist?

Unlike the list of most active countries in our Monthly Attack Reports, which ranks countries based on total attacks, this list looks at the total number of IPs that were added to the blacklist during the month for each country. The results might surprise you.

Russia, the United States and Ukraine consistently dominate the top 3 in our Monthly Attack Reports. From this view, India and Brazil are at the top. In our monthly attack report, India and Brazil are generally towards the bottom of the top 10. Another surprise is that in this view, Ukraine isn’t even in the top 25.

What this indicates is that India and Brazil see significantly more IPs being added to and removed from our blacklist throughout the month. This points to malicious activity that uses a larger number of IP addresses and that switches IP addresses frequently. This kind of activity is usually seen when attackers are using a botnet – a large number of machines that they control and use to launch a coordinated attack.

The algorithm that we use to identify malicious IPs and add them to the blacklist includes logic that detects IPs that are part of a botnet and are engaging in a coordinated attack. These can be very hard to detect manually because each individual IP address only generates a small number of attacks on target websites.
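The post does not describe how the botnet logic works, so the following is an added illustration of my own (not Wordfence's algorithm) of why a purely per-IP count misses this pattern and what a window-based view catches instead. It runs over a constructed set of failed-login records; the record layout, the thresholds and the one-hour window are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of failed WordPress login records (not real traffic).
# One record per line: "<ISO timestamp> <source ip> <site> <username>".
SAMPLE_FAILED_LOGINS = "\n".join(
    # eight sources, two failures each, against one site within one hour
    [f"2017-08-10T03:{minute:02d}:00 198.51.100.{i} shop.example admin"
     for i in range(1, 9) for minute in (5, 35)]
    # one noisy source that hammers the same site on its own
    + ["2017-08-10T03:10:00 203.0.113.77 shop.example admin"] * 20
    # a lone failed login against another site, not an attack pattern
    + ["2017-08-10T04:12:00 192.0.2.10 blog.example editor"]
)

# Assumed thresholds for this illustration (not Wordfence's values).
PER_IP_LOCKOUT = 10   # a single source with this many failures is blocked on its own
MIN_SOURCES = 5       # distinct sources failing against one site in one window
MAX_PER_SOURCE = 3    # each source stays at or below this and so dodges the per-IP rule


def parse_records(text):
    """Parse records into (timestamp, ip, site, username) tuples."""
    records = []
    for line in text.splitlines():
        ts, ip, site, user = line.split()
        records.append((datetime.fromisoformat(ts), ip, site, user))
    return records


def window_key(ts, site):
    """Fixed one-hour windows per site (a sliding window would be tighter)."""
    return (site, ts.strftime("%Y-%m-%dT%H"))


def detect(records):
    """Return {ip: reason} for sources worth blocking.

    'volume' marks a source that exceeds the per-IP lockout by itself.
    'coordinated' marks a source that stays under the per-IP threshold but
    belongs to a window in which many distinct sources failed against the
    same site, i.e. the low-and-slow pattern the post attributes to botnets.
    """
    per_window = defaultdict(Counter)
    for ts, ip, site, _ in records:
        per_window[window_key(ts, site)][ip] += 1

    flagged = {}
    for _, per_ip in per_window.items():
        distinct_sources = len(per_ip)
        for ip, failures in per_ip.items():
            if failures >= PER_IP_LOCKOUT:
                flagged[ip] = "volume"
            elif distinct_sources >= MIN_SOURCES and failures <= MAX_PER_SOURCE:
                flagged[ip] = "coordinated"
    return flagged


def run(text=SAMPLE_FAILED_LOGINS):
    return detect(parse_records(text))


if __name__ == "__main__":
    for ip, reason in sorted(run().items()):
        print(f"{ip:16} {reason}")
```

In the sample, each of the eight 198.51.100.x sources makes only two attempts, so a per-IP lockout never fires for them; they are caught only because nine distinct sources hit shop.example in the same hour. The single noisy source is blocked on volume, and the lone failure against blog.example is left alone.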

Which Organizations Do The IPs Belong To?

By looking at the top 25 organizations that our newly blacklisted IPs belonged to in August we see a lot of the same telecom companies that we referenced in our post in April where we talked about the home router botnet attacking WordPress sites. Attackers clearly view vulnerable home routers as an attractive source of new IP addresses to launch attacks from.

Conclusion

While the blocking features in Wordfence are very popular and useful, the Real-time IP Blacklist feature included with Wordfence Premium is much more effective at protecting your site. Attackers are aware that IPs are eventually blocked so they cycle through them very quickly. For just $99 per year, which works out to just 27 cents a day, we’ll do the IP blocking for you.


12 Comments on "Staying Ahead of WordPress Attackers with the Real-Time IP Blacklist"

Joe September 19, 2017 at 9:38 am • Reply

I wish the big players in the web industry would learn from you guys. The blacklists managed by Microsoft are ridiculous. They need real-time monitoring for their RBLs.

Rafael September 19, 2017 at 10:09 am • Reply

@joe Microsoft has blacklists? Where? As far as I know M$ shows up on blacklists lol.

Maria September 19, 2017 at 11:30 am • Reply

I am confused, don't hackers use things like Tor to mask their malicious behavior with randomly generated IPs? Or is that why most IPs do not stay in the black list for very long?

Anyway, great article.

Dan Moen September 19, 2017 at 11:37 am • Reply

Hi Maria, some attacks do come in via Tor or VPNs, but it's a very small percentage of total attacks.

youbrandinc September 19, 2017 at 11:47 am • Reply

As usual a great write up on what is happening behind the scenes. I agree 100% what Joe says above.

christer September 19, 2017 at 12:54 pm • Reply

With that many blocked IPs, what is the performance impact?

Dan Moen September 19, 2017 at 1:04 pm • Reply

There should be no performance impact. Check out the section titled "Will this slow down my site?" in this article for the details.

christer September 19, 2017 at 1:24 pm • Reply

OK, thanks. I will start using it on one of the sites I manage.

Paul September 19, 2017 at 3:10 pm • Reply

Instead of blocking each IP or a block of IPs, is there a way I can block the browser that is being used? I have noticed it is the same browser that is being used by each bot.

Dan Moen September 19, 2017 at 3:18 pm • Reply

Hi Paul, our advanced blocking feature lets you block based on the user agent (the string that identifies the browser). Here is a link to the documentation: https://docs.wordfence.com/en/Advanced_Blocking.

Sara September 19, 2017 at 3:14 pm • Reply

I agree that they are obtaining more IP addresses after they are blacklisted. For example: I block range xxx.xxx to zzz.zzz which contains 135 IP numbers.

The next time I see the same IP or a similar one in that range and block it again, when I do a search I find they've added one more IP address, for 136 IPs.

It looks like they've purchased or are using an additional IP in that range that was added. I have seen this many times in the past few months.
But I am finding they are still coming even though I block the range and the networks. Wordfence does block them but they keep coming at us.

Dan Moen September 19, 2017 at 3:20 pm • Reply

It sounds like our real-time IP blacklist might be a good solution for you. :-)
