Since 2012 (before Threat Intelligence was cool) we’ve published a public list of malicious IP addresses for the community. It goes by many names: CINS Army, CI Army, CINS … In any case, over 10,000 users (these days those ‘users’ are automated tools, scripts, and open source projects) now download the list regularly, for use in their firewalls, IPSes, SEIMs, and other network security tools.

And today, the list is getting a bit of a facelift. Up until today, we published a subset of our Sentinels’ threat intelligence feed, which could range in size from, say, 5,000 IP addresses up to (at its peak earlier this year) over 70,000. (Thanks, Mirai!) The new list is based on a slightly different algorithm that should accomplish two goals:

• First, it will provide a more accurate, diverse, and ‘interesting’ list of malicious IPs, which will make it more effective at stopping bad guys
• Second, we’re capping the list to include the top 15,000 ‘worst’ malicious IPs. This will keep the size of the list consistent, making scripting and automating the use of this threat intelligence easier and more predictable.

The vast majority of the IPs from our previous list also appear on this list, but you’ll also find a host of new IPs and ranges, as well. And, the list will continue to be updated hourly, keeping this information fresh and relevant. Feel free to download it as often as you like.

The list is available in its old-school text file format here: http://cinsscore.com/list/ci-badguys.txt

It’s also available as a tarball, which contains several formats, including both STIX/TAXII and IPS rules. Get it here: https://cinsarmy.com/list-download/