Aggressive IP Distribution (AID) List

What We Do

The Aggressive IP Distribution (AID) list is a list of IP addresses that Information Security and Policy (ISP) has seen aggressively attacking campus hosts in an attempt to exploit known security weaknesses. The data for this list is taken from both campus-run Intrusion Detection Systems (IDS) and various other systems on campus. The list is then published so that local administrators can use it to help protect campus electronic systems from network-based attacks.

Why We Do It

The AID list helps to secure campus systems using two approaches. Depending on the needs of local system administrators, the list can be used to block attacks on campus systems (proactive approach), or to detect and respond to previous attacks (reactive approach).

In a proactive approach, local administrators would use the IP addresses to configure hosts.deny or firewall block lists on their individual machines. In this scenario, if an IP address is added to a firewall rule that denies it access to a system before the attacker reaches that system, the attacker is blocked before it has a chance to guess the first password. Further, subscribers can use the timestamp to establish their own aging policy (for example, only block a host if it has been seen in the last 48 hours). In this scenario, the IP address should also be used reactively in case the aggressor was not blocked prior to attacking the system.

When used reactively, local administrators can download the same IP address list and compare it against the successful logins on their systems. This allows departments to quickly identify accounts that have been compromised and deactivate those accounts pending further review. As in the proactive approach, the timestamps and protocol information can be used to make the comparison more efficient.
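As an added illustration of both uses (this is not part of the AID service or its tooling), the following Python script applies a 48-hour aging window to a constructed sample of the list and then checks constructed sshd log lines for successful logins from listed addresses. The list's real delivery format is not described on this page, so the CSV columns ip,last_seen,protocol and the sshd log layout are assumptions.

```python
# Added example, not the AID service's own code. The AID list format is not
# documented here; the CSV layout ip,last_seen,protocol is an ASSUMPTION.
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the assumed format. Addresses are RFC 5737
# documentation ranges, not real attackers.
AID_SAMPLE = """ip,last_seen,protocol
192.0.2.10,2024-05-01T08:00:00Z,ssh
198.51.100.7,2024-04-20T12:30:00Z,ssh
203.0.113.5,2024-05-02T01:15:00Z,rdp
"""

# Constructed sshd lines in the usual OpenSSH "Accepted ..." format.
AUTH_LOG = """May  2 03:12:44 host sshd[2211]: Accepted password for alice from 192.0.2.10 port 51514 ssh2
May  2 03:20:01 host sshd[2250]: Accepted publickey for bob from 10.0.0.5 port 41000 ssh2
May  2 04:00:09 host sshd[2301]: Accepted password for carol from 198.51.100.7 port 40022 ssh2
"""

# Constructed "current time" so the aging window is reproducible.
DEMO_NOW = datetime(2024, 5, 2, 12, 0, 0, tzinfo=timezone.utc)

def parse_aid(text):
    """Return {ip: (last_seen datetime, protocol)} from the assumed CSV layout."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        out[row["ip"]] = (ts.replace(tzinfo=timezone.utc), row["protocol"])
    return out

def proactive_block_set(aid, now, max_age_hours=48):
    """Proactive use: only IPs seen inside the aging window get blocked."""
    cutoff = now - timedelta(hours=max_age_hours)
    return sorted(ip for ip, (ts, _) in aid.items() if ts >= cutoff)

def hosts_deny_lines(ips):
    """Render the block set as hosts.deny entries for sshd."""
    return ["sshd: %s" % ip for ip in ips]

ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")

def reactive_matches(aid, log_text):
    """Reactive use: successful logins whose source IP is on the list."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(2) in aid:
            hits.append((m.group(1), m.group(2), aid[m.group(2)][1]))
    return hits
```

Note that the reactive check deliberately uses the full list rather than the aged one: an older entry may still explain a login that happened while the address was active.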

Who Benefits

Local system administrators working to protect campus information systems from electronic attacks can benefit from this service.

How to Get Started

Please contact aid-list@security.berkeley.edu to receive an API key and instructions for accessing the list.

Service Details and Additional Information

The AID list is not a comprehensive list of IP addresses seen attacking the campus, but rather is a selection that we feel can be blocked safely with minimal impact. Inclusion in this list is based upon Intrusion Detection signatures with low false positive rates, and which can be readily defended against with network blocks or detected in system logs.
