IP blacklists are widely used to improve network security by blocking communication with peers that have been flagged as malicious. Several commercial offerings exist, as well as several free-of-charge blacklists maintained by volunteers on the web. Despite their wide adoption, how effective the different IP blacklists are in real-world scenarios is still unclear. In this paper, we conduct a large-scale network monitoring study whose results shed light on the effectiveness of blacklists. The results, collected over several hundred thousand IP hosts belonging to three distinct large production networks, show that blacklists are often tuned for precision, with the consequence that many malicious activities, such as scanning, go completely undetected. The proposed instrumentation approach for detecting IP scanning and other suspicious activity is implemented with home-grown and open-source software. Our tools enable the creation of blacklists without the security risks posed by deploying honeypots.
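To make the precision-versus-coverage point concrete, here is an added example, not code from the paper or its tools: a minimal scan detector run over constructed flow records, followed by a check of how many of the detected scanners an assumed blacklist would have blocked. The record layout, the thresholds (at least 8 distinct host/port targets reached with flows of at most 2 packets) and the blacklist entries are illustrative assumptions; a production detector would also use TCP flags, time windows and whitelists of legitimate scanners.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not captured traffic): (src, dst, dst_port, packets).
# 203.0.113.5 probes port 22 on ten hosts (horizontal scan),
# 203.0.113.9 probes twelve ports on one host (vertical scan),
# 192.0.2.7 is a legitimate client with long-lived sessions.
FLOWS = (
    [("203.0.113.5", f"198.51.100.{i}", 22, 1) for i in range(10, 20)]
    + [("203.0.113.9", "198.51.100.30", p, 1) for p in range(20, 32)]
    + [("192.0.2.7", f"198.51.100.{i}", 443, 40) for i in range(10, 13)]
)

# Assumed blacklist: a precision-tuned list that knows only one of the scanners.
BLACKLIST = [ip_network("203.0.113.9/32"), ip_network("198.18.0.0/15")]


def detect_scanners(flows, min_targets=8, max_packets=2):
    """Return {src: set of (dst, port)} for sources that reached at least
    min_targets distinct host/port pairs using flows of at most max_packets
    packets, i.e. probes that never turned into real sessions.
    The thresholds are illustrative assumptions, not values from the paper."""
    probes = defaultdict(set)
    for src, dst, port, packets in flows:
        if packets <= max_packets:
            probes[src].add((dst, port))
    return {src: targets for src, targets in probes.items()
            if len(targets) >= min_targets}


def in_blacklist(ip, blacklist):
    """True if ip falls inside any network on the blacklist."""
    addr = ip_address(ip)
    return any(addr in net for net in blacklist)


def blacklist_coverage(scanners, blacklist):
    """Split detected scanners into those the blacklist would have blocked
    and those it misses. The missed set is exactly what a monitoring-based
    approach can feed back into a blacklist without running a honeypot."""
    caught = {src for src in scanners if in_blacklist(src, blacklist)}
    missed = set(scanners) - caught
    return caught, missed


if __name__ == "__main__":
    found = detect_scanners(FLOWS)
    caught, missed = blacklist_coverage(found, BLACKLIST)
    print("detected scanners:", sorted(found))
    print("already blacklisted:", sorted(caught))
    print("missed by blacklist (candidate entries):", sorted(missed))
```

With the constructed input both scanners are detected from traffic alone, the legitimate client is never counted because its flows carry far more than two packets, and the blacklist catches only one of the two scanners, which is the precision-over-coverage behaviour the study describes.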