Overview
The Aggressive IP Distribution (AID) List is a list of IP addresses that have been seen aggressively attacking campus hosts in an attempt to exploit known security weaknesses. The data is taken from both campus-run Intrusion Detection Systems (IDS) and various systems on campus and published for local administrators to help protect campus electronic systems from network-based attacks.
The AID list helps to secure campus systems using two approaches blocking attacks on campus systems (proactive approach) or detecting and responding to previous attacks (reactive approach).
In a proactive approach, local administrators use the IP addresses to configure host.deny or firewall block lists on their individual machines. If an IP address is added to a firewall rule preventing its access to a system prior to the attacker getting to that address then the attacker would be blocked even before it had a chance to guess the first password. Further, subscribers can use the timestamp to establish their own aging policy (perhaps only block a host if it has been seen in the last 48 hours). In this scenario, the IP address should also be used reactively in case the aggressor was not blocked prior to attacking this system.
When used reactively, local administrators can download the same IP address list and compare that IP list to any successful logins on their system. This would allow departments to quickly identify accounts that had been compromised and deactivate that account pending further review. Like the proactive approach, the timestamps and protocol information can be used to make their comparison more efficient.
Who Benefits
Local system administrators working to protect campus information systems from electronic attacks can benefit from this service.
How to Get Started
Please contact aid-list@security.berkeley.edu to receive an API key and instructions for accessing the list.
Service Details and Additional Information
The AID list is not a comprehensive list of IP addresses seen attacking the campus, but rather is a selection that we feel can be blocked safely with minimal impact. Inclusion in this list is based upon Intrusion Detection signatures with low false positive rates, and which can be readily defended against with network blocks or detected in system logs.
AID List API Documentation
AID List API documentation pages with sample requests and responses for each supported API call