ELLIO Threat Lists
ELLIO Threat Lists are managed, continuously updated IP feeds you can include
or exclude in any EDL Deployment. Browse them at
platform.ellio.tech/dashboard/edl-blocklists.
There are two families of lists:
- ELLIO Blocklists - the core threat-IP feeds curated from the ELLIO Deception Network.
- RECON Blocklists - per-provider reconnaissance scanner IP lists.
Each list shows a live IP count, a "changed N minutes ago" timestamp, and a sparkline of recent size changes.
ELLIO Blocklists
The flagship feeds. Pick one as the backbone of your EDL.
| List | Size (typical) | Description | When to use |
|---|---|---|---|
| ELLIO Threat List MAX | ~660,000 IPs | Flagship ingress blocklist. Active malicious activity across the Deception Network, excluding the IPs that appear in RECON Blocklists. | Default for production ingress blocking. |
| ELLIO Threat List RDP | ~60,000 IPs | Active RDP/VNC threat and scanner IPs targeting remote-access services. | Anywhere you expose RDP, VNC, or other remote-access ports to the internet. |
| ELLIO Threat List 250K | 250,000 IPs | Top 250,000 threat IPs extracted from MAX. | Use when 660K is too large for your firewall but you want broad coverage. |
| ELLIO Threat List 100K | 100,000 IPs | Top 100,000 threat IPs. | Use on resource-constrained firewalls (Sophos, ntopng, smaller pfSense). |
The 100K and 250K lists are strict subsets of MAX, ranked by recency and risk. Pick the largest list your firewall comfortably handles.
RECON Blocklists
Curated lists of scanner IPs from well-known providers. Exclude a list to keep that scanner reachable (the usual choice for research and attack-surface scanners you rely on), or include it to block a scanner whose traffic you specifically don't want.
| List | Typical size | Operator |
|---|---|---|
| Censys Scanner IPs | ~600,000 IPs | censys.io - internet-wide scanning. |
| Shodan Scanner IPs | ~400 IPs | shodan.io. |
| Shadowserver Scanner IPs | ~1,200 IPs | Shadowserver Foundation research. |
| BinaryEdge Scanner IPs | ~2,300 IPs | binaryedge.io. |
| BufferOver Scanner IPs | ~50 IPs | bufferover.run. |
| Cortex Xpanse | ~4,600 IPs | Palo Alto Cortex Xpanse attack-surface scanning. |
| Driftnet Scanner IPs | ~800 IPs | driftnet.io. |
| InfraWatch Scanner IPs | ~1,400 IPs | InfraWatch research. |
| Internet Census Scanner IPs | ~1,200 IPs | Internet-wide measurement projects. |
| InternetTL Scanner IPs | ~250 IPs | InternetTL. |
| LeakIX Scanner IPs | ~80 IPs | leakix.net. |
| NetScout Scanner IPs | ~500 IPs | NetScout ATLAS. |
| Nokia Deepfield Scanner IPs | ~300 IPs | Nokia Deepfield Internet Security. |
| Rapid7 Scanner IPs | ~600 IPs | Rapid7 Project Sonar. |
| Stretchoid Scanner IPs | ~2,000 IPs | Stretchoid. |
Sizes shift as the operators rotate IPs and add or remove infrastructure.
Picking the right combination
The most common production recipe:
- Include ELLIO Threat List MAX (or 250K / 100K based on firewall capacity).
- Exclude the RECON lists for scanners you trust (Shadowserver, Rapid7, your own attack-surface tooling). MAX already omits their IPs, but an explicit exclusion keeps them reachable even if the same IPs appear in another list you include, such as the RDP list, which also carries scanner IPs.
- Include the RECON lists for scanners that add no value for you. Because MAX leaves scanner IPs out, including the RECON list is what actually blocks them.
- Exclude any Common Business Services your stack depends on (CDN, M365, Google Workspace).
- Include your own IP Rulesets for hand-curated additions.
Why MAX excludes RECON IPs
MAX is designed for ingress blocking, where false positives matter. Most research scanners are technically "promiscuous" rather than malicious - blocking them by default would block legitimate scanning of your own attack surface, including by tools you may have paid for.
By keeping scanner IPs in dedicated RECON lists, MAX stays high-precision and you keep explicit control over each scanner's policy.
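The recipe above and the MAX/RECON relationship can both be checked locally before a deployment goes live. The Python script below is an added example, not ELLIO's own code; it assumes each downloaded feed is a plain-text file with one IPv4 address or CIDR per line, and that an exclusion always wins over an inclusion (the Include / exclude logic page is authoritative for the platform's real semantics). The feeds embedded here are constructed samples in documentation ranges, not real ELLIO data.

```python
import ipaddress

# Constructed sample feeds standing in for downloaded ELLIO lists (documentation
# ranges only, not real data). Assumed format: one IPv4 address or CIDR per line;
# blank lines and '#' comments are ignored.
THREAT_LIST_MAX = """
# flagship ingress list: RECON scanner IPs already removed upstream
203.0.113.10
203.0.113.11
198.51.100.0/28
192.0.2.77
"""

THREAT_LIST_RDP = """
# remote-access threats and scanners; may overlap a RECON list
192.0.2.77
192.0.2.78
203.0.113.200   # same IP as a trusted scanner below
"""

RECON_TRUSTED = """
# e.g. Shadowserver / Rapid7: we want these to keep reaching us
203.0.113.200
198.51.100.50
"""

RECON_BLOCKED = """
# a scanner whose traffic adds nothing for us
192.0.2.150/31
"""

BUSINESS_SERVICES = """
# CDN / SaaS ranges the stack depends on
198.51.100.0/30
"""

OWN_RULESET = """
# hand-curated additions
192.0.2.200
"""


def parse_feed(text):
    """Parse one feed into ip_network objects; a bare address becomes a /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def expand(feeds):
    """Every single address covered by the given feeds (fine for small sample CIDRs)."""
    return {addr for feed in feeds for net in parse_feed(feed) for addr in net}


def compose_edl(include_feeds, exclude_feeds):
    """Assumed semantics: the EDL is the union of included feeds minus every
    address covered by an excluded feed, so exclusions always win."""
    return sorted(expand(include_feeds) - expand(exclude_feeds))


def overlap(feed_a, feed_b):
    """Addresses present in both feeds, as strings. Empty for MAX against any
    RECON list if MAX really excludes RECON IPs; non-empty for another list
    shows where an explicit exclusion still matters."""
    return sorted(str(a) for a in expand([feed_a]) & expand([feed_b]))


def to_edl_lines(addrs):
    """Collapse adjacent addresses into CIDRs and render them as EDL text lines."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(str(a)) for a in addrs)
    return [str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets]


if __name__ == "__main__":
    edl = compose_edl(
        include_feeds=[THREAT_LIST_MAX, THREAT_LIST_RDP, RECON_BLOCKED, OWN_RULESET],
        exclude_feeds=[RECON_TRUSTED, BUSINESS_SERVICES],
    )
    print("MAX vs trusted RECON overlap:", overlap(THREAT_LIST_MAX, RECON_TRUSTED))
    print("RDP vs trusted RECON overlap:", overlap(THREAT_LIST_RDP, RECON_TRUSTED))
    print(f"{len(edl)} addresses in the composed EDL")
    print("\n".join(to_edl_lines(edl)))
```

Run against the sample data, the MAX/trusted-RECON overlap is empty while the RDP list shares one IP with the trusted scanner; the explicit exclusion is what keeps that IP out of the final EDL. Swap the sample strings for the downloaded feeds to run the same checks on real lists; for production-size feeds with large CIDRs, replace the per-address expansion with network-level set arithmetic (`ipaddress.IPv4Network.address_exclude`) rather than enumerating every host.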
See also
- Common Business Services - the other curated atlas you compose with Threat Lists.
- Include / exclude logic - how MAX's exclusions interact with your own.
- EDL Deployment lifecycle - where you actually pick lists.