Please, do not use or report to AbuseIPDB
AbuseIPDB is “an IP address blacklist for webmasters and sysadmins to report IP addresses engaging in abusive behavior on their networks, or check the report history of any IP”.
However, unlike www.BlockList.de, AbuseIPDB is useless for a couple of reasons:
- To access the blocklist (automatically), account registration is required. You can argue that this is not an issue at all and that, furthermore, it prevents service abuse. Nevertheless, neither www.BlockList.de nor Spamhaus requires sign-up to use its DNSBL service (www.BlockList.de, Spamhaus).
- A hosting provider (the system administrator responsible for handling abuse complaints) cannot see complaints submitted to AbuseIPDB unless the restricted API is used. Unlike www.BlockList.de, AbuseIPDB has never, since its start back in the early 2010s, notified the responsible abuse contacts about any of the reports it received.
We (www.BlockList.de) report more than 70,000 attacks every 12 hours in real time using Whois (abuse-mailbox, abuse@, security@, email, remarks), the Ripe-Abuse-Finder, and the contact-database from abusix.com so we may find the abuse-address assigned to the offending host. Our reports are based on X-Arf (Network Abuse Reporting 2.0), so the abuse-department of the provider for the attacking host may parse our reports automatically.
- Their restricted API?
endpoint | Standard | Webmaster | Supporter | Basic Subscription | Premium Subscription |
---|---|---|---|---|---|
check | 1000 | 3000 | 5000 | 10000 | 50000 |
reports | 100 | 500 | 1000 | 5000 | 25000 |
blacklist | 5 | 10 | 20 | 100 | 500 |
report | 1000 | 3000 | 1000 | 10000 | 50000 |
check-block | 100 | 250 | 500 | 1000 | 5000 |
bulk-report | 5 | 10 | 20 | 100 | 500 |
clear-address | 5 | 10 | 20 | 100 | 500 |
- As a reporter, you are restricted from contributing too much (unlike at the collaborative CrowdSec),
- As a hosting provider (or a system administrator of an enterprise with a few publicly facing systems), you are restricted from checking your IP addresses for reports too often or too efficiently:
Check-Block Limits
field | Standard | Basic Subscription | Premium Subscription |
---|---|---|---|
network | Up to /24 | Up to /20 | Up to /16 |
maxAgeInDays | Up to 30 | Up to 60 | Up to 365 |
(IPv6 lookup restrictions are not mentioned for some reason.)
Given the above, without a paid subscription, you can look up at most 500x /24 IPv4 prefixes and 5000x single IPv4/IPv6 addresses once a day. If you need to increase the precision of your alert system to, let's say, 1 hour, you can only look up 20x /24 IPv4 prefixes and 208x single IPv4/IPv6 addresses.
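The budget arithmetic above, as an added example (not code from AbuseIPDB or from this post): it splits an inventory into the blocks each tier's check-block call accepts and derives how many full monitoring sweeps fit the daily quotas. The inventory is constructed, the /24 limit for Webmaster and Supporter is an assumption, and only IPv4 is handled because the page gives no IPv6 limits.

```python
import ipaddress

# Daily request limits copied from the two tables on this page.
# max_prefix is the largest network check-block accepts; the page lists it
# only for Standard, Basic and Premium, so /24 for Webmaster and Supporter
# is an assumption (the same one the paragraph above makes).
TIERS = {
    "Standard":  {"check": 1000,  "check_block": 100,  "max_prefix": 24},
    "Webmaster": {"check": 3000,  "check_block": 250,  "max_prefix": 24},
    "Supporter": {"check": 5000,  "check_block": 500,  "max_prefix": 24},
    "Basic":     {"check": 10000, "check_block": 1000, "max_prefix": 20},
    "Premium":   {"check": 50000, "check_block": 5000, "max_prefix": 16},
}

def block_queries(networks, max_prefix):
    """Split IPv4 networks into the blocks one check-block call may cover."""
    merged = ipaddress.collapse_addresses(
        [ipaddress.ip_network(n) for n in networks])
    queries = []
    for net in merged:
        if net.prefixlen >= max_prefix:
            queries.append(net)          # already small enough: one call
        else:
            queries.extend(net.subnets(new_prefix=max_prefix))
    return queries

def sweeps_per_day(networks, singles, tier):
    """Complete monitoring passes per day within both quotas (0 if none fit)."""
    limits = TIERS[tier]
    blocks = len(block_queries(networks, limits["max_prefix"]))
    budgets = []
    if blocks:
        budgets.append(limits["check_block"] // blocks)
    if singles:
        budgets.append(limits["check"] // len(set(singles)))
    return min(budgets) if budgets else 0

def polling_interval_minutes(networks, singles, tier):
    """Shortest alert interval in minutes, or None if not even one pass fits."""
    sweeps = sweeps_per_day(networks, singles, tier)
    return 24 * 60 / sweeps if sweeps else None

if __name__ == "__main__":
    # Constructed inventory: a /20 and a /24 of hosted space, 30 single hosts.
    nets = ["10.20.0.0/20", "198.51.100.0/24"]
    hosts = [f"203.0.113.{i}" for i in range(1, 31)]
    for tier in TIERS:
        print(tier, sweeps_per_day(nets, hosts, tier),
              polling_interval_minutes(nets, hosts, tier))
```

On the Standard tier this inventory needs 17 check-block calls per sweep, so it can be checked only 5 times a day (every 288 minutes); on Basic the same space collapses to 2 calls and the single-address quota becomes the bottleneck.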
Those restrictions may sound pretty reasonable, however I found these limitations too intrusive and purely financially driven. In this case, both reporters and the owners of abused devices are charged for using this service. I understand that they really require funds to be operating, however, these practices make me wonder why AbuseIPDB is still so goddamn popular despite their policy, given the variety of alternatives? Gosh, there are even multiple ways (1, 2) to make Fail2ban send abuse complaints directly to the hosting providers without intermediaries like AbuseIPDB!