The Spamhaus Project

Botnet Controller List (BCL)

About the Data

The Spamhaus Botnet Controller List (BCL) is a specialized, advisory "drop all traffic" list. It consists of IP addresses that are actively used by cybercriminals to control malware-infected computers (bots). It is a high-confidence list on which false positives are extremely rare, intended to block as much high-risk, malicious traffic as possible.

Policy statement

The BCL exclusively lists active botnet command and control (C&C) servers, operated by cybercriminals for the sole purpose of managing and controlling bots. It does not list individual bot IPs; these datapoints are provided in the Exploits Blocklist (XBL) dataset.

The BCL lists only single IPv4 addresses: it contains no subnets and no CIDR prefixes covering more than a /32.

Benefits of this data

Providing perimeter protection against the worst of the worst connections, this dataset usually contains between 500 and 2000 listings, with up to 50 new entries every 24 hours. The BCL dataset will prevent infected computers within your network from communicating with external botnet C&C server(s), and receiving instructions and malware updates.

No inbound or outbound network connections should be made to these IP addresses under any circumstances. For this reason, the BCL is most commonly consumed as a BGP feed delivered to your edge routers or firewalls, as discussed below; other formats are also available.

How it works

When installed in a router's DENY table, the BCL will prevent any communication between that router and the IPs on the list. If installed on all routers for a network, all communications between botnet controllers and any bots on that network are blocked. The same applies to firewalls such as those from Cisco and Fortinet.

As a result, botnet operators are unable to contact any bots on that network, and therefore cannot receive stolen information or give those bots instructions. In this way, the BCL prevents the loss of sensitive information that can be used in identity theft or for encryption as part of a ransomware attack. It also means bots on that network are prevented from performing outbound tasks that may be linked to criminal activity or spamming.
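
As an added illustration (not Spamhaus code), the sketch below loads a deny list while enforcing the single-IPv4-address policy stated above, then flags flow records that touch a listed address in either direction. The one-entry-per-line feed layout, the function names and all sample addresses (documentation ranges) are assumptions constructed for this example.

```python
import ipaddress

# Constructed sample feed. Assumed layout: one entry per line, '#' or ';' comments.
SAMPLE_FEED = """\
; constructed sample, not real BCL data
192.0.2.10
198.51.100.7/32
203.0.113.0/24
not-an-ip
"""

# Constructed flow records: (source IP, destination IP).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10"),    # internal host talking to a listed IP
    ("198.51.100.7", "10.0.0.8"),  # listed IP reaching an internal host
    ("10.0.0.5", "203.0.113.9"),   # inside the rejected /24, must not match
    ("10.0.0.9", "192.0.2.200"),   # unlisted
]

def load_deny_set(text):
    """Return (deny_set, rejected); only single IPv4 addresses are accepted."""
    deny, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)  # not an address at all
            continue
        # The list is /32-only, so a wider prefix means a corrupted or
        # tampered feed and would over-block if loaded into a deny table.
        if net.version != 4 or net.prefixlen != 32:
            rejected.append(line)
            continue
        deny.add(net.network_address)
    return deny, rejected

def match_flows(flows, deny):
    """Flag flows whose source or destination is a listed address."""
    hits = []
    for src, dst in flows:
        if ipaddress.ip_address(dst) in deny:
            hits.append((src, dst, "to_listed"))
        elif ipaddress.ip_address(src) in deny:
            hits.append((src, dst, "from_listed"))
    return hits
```

A "to_listed" hit from an internal source identifies a host worth investigating as a likely bot, which the deny rule alone would block silently.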

Accessing this data

For more commercially-focused solutions, this data, also including botnet C&Cs hosted on compromised systems, can be accessed via our partner Spamhaus Technology in several formats:

  • As a plain text file, via DNS lookups (limited to dedicated C&Cs).
  • Via BGP Firewall feeds - for use with routers and firewalls.
  • As Response Policy Zones with DNS Firewall - for use with mainstream DNS resolvers.
  • And through an API returning extended information about the nature of each listing - for organizations working in the security arena.

Removal

If your IP is listed on the Botnet Controller List, you should visit: https://check.spamhaus.org. This will take you to our IP and Domain Reputation Checker, which provides more information and is the only place where BCL removals are handled.

Other Blocklists Available From Spamhaus

  • CSS: Combined Spam Sources
  • DBL: Domain Blocklist
  • XBL: Exploits Blocklist
  • PBL: Policy Blocklist
  • SBL: Spamhaus Blocklist
  • ZEN: PBL, SBL & XBL combined