Why Stack Instead of Picking One?
No single IP blocklist covers every threat category. A VPN-specific feed like ThreatListPro catches credential stuffing bots. A reputation list like Spamhaus DROP blocks entire hijacked networks. An aggregator like IPsum catches general scanners seen across multiple honeypots. Each addresses a different layer of the threat landscape.
The mistake most administrators make is either using one giant aggregated list (high false positives, slow firewall performance) or using too many overlapping feeds (redundant entries, wasted resources). The solution is a curated stack of 3–5 complementary feeds chosen for minimal overlap and maximum coverage.
Complete Feed Comparison Table
| Feed | Best For | Update Freq | Size | Cost | False Positive Risk |
|---|---|---|---|---|---|
| ThreatListPro | VPN brute force, credential stuffing | Weekly | ~1,600 IPs | $9.99/mo | Near-zero |
| Spamhaus DROP | Hijacked networks, spam infrastructure | Daily | ~1,200 ranges | Free | Near-zero |
| Abuse.ch Feodo/SSLBL | Botnet C2, malicious SSL | Every 5 min | ~500–2,000 IPs | Free | Very low |
| IPsum Level 3 | General reputation (3+ source confidence) | Daily | ~5,000 IPs | Free | Low |
| CrowdSec | Real-time community detection | Near real-time | Varies | Free + premium | Low |
| Emerging Threats | Known attackers, compromised hosts | Daily | ~5,000 IPs | Free | Low–moderate |
| AbuseIPDB | Community-reported abuse (confidence scoring) | Continuous | Set by threshold | Free + API | Moderate (needs threshold >80%) |
| FireHOL Level 1 | Conservative general blocking | Daily | ~15,000 IPs | Free | Low |
| FireHOL Level 3 | Aggressive broad blocking | Daily | 100,000+ IPs | Free | High |
| Cisco Talos | Broad threat reputation | Daily | ~10,000 IPs | Free | Low–moderate |
Recommended Stack Tiers
Tier 1: Minimal (Highest ROI)
The two-feed stack that covers the most dangerous traffic with no performance overhead and virtually no false positives. Recommended for every environment, from home labs to enterprise networks.
- ThreatListPro — Blocks ~1,600 IPs confirmed to be actively attacking VPN portals (GlobalProtect, FortiGate SSL-VPN, Cisco AnyConnect). The only feed in this stack specifically targeting VPN credential stuffing and password spraying.
- Spamhaus DROP / EDROP — Blocks ~1,200 hijacked IP ranges used by spammers, botnets, and cybercriminals. These are entire network blocks, not individual IPs, so the coverage is broader than the number suggests.
Total entries: Under 3,000. Overlap: Near-zero (different threat categories). False positives: Effectively zero. Cost: $9.99/month (Spamhaus DROP is free).
Tier 2: Balanced (Production-Grade)
Adds botnet infrastructure blocking and broad reputation scoring. Appropriate for production networks running exposed services beyond VPN (web servers, mail, SSH, RDP).
- Everything in Tier 1, plus:
- Abuse.ch Feodo + SSLBL — Botnet command-and-control servers and malicious SSL certificates. Updated every 5 minutes. High-signal, low-noise, and widely trusted by the security community.
- IPsum Level 3 — IPs that appear on 3 or more independent threat feeds. The confidence filter removes noise that individual feeds contain. Updated daily from the stamparm/ipsum GitHub project.
- CrowdSec (optional) — Deploys an agent that detects attacks in real time and shares signals across a community network. Excellent for catching new attackers before they appear on any blocklist. Requires agent installation.
Total entries: Under 10,000. Cost: $9.99/month (all others are free). Operational overhead: Low (CrowdSec adds agent management).
Tier 3: Enterprise (High-Security)
Full-stack threat intelligence with vendor-native feeds, geographic restrictions, and automated response. Requires a SOC, SIEM, or security automation platform.
- Everything in Tier 2, plus:
- Vendor-native intelligence — Palo Alto Unit 42 feeds (built into PAN-OS with Threat Prevention license), Cisco Talos Intelligence, or equivalent. Highly curated with contextual attribution.
- GeoIP blocking — Restrict VPN access to countries where your organization operates. Eliminates 60–80% of foreign attack traffic. Built into most firewalls at no extra cost.
- SIEM-driven auto-tagging — Use Splunk, Microsoft Sentinel, or Palo Alto Cortex XSIAM to correlate login failures across users and IPs. Auto-tag offending IPs into Dynamic Address Groups (DAGs) for escalating blocks (1h, 24h, 7d, 30d).
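The correlation logic behind the auto-tagging item above, written out as an added example; this is not code from Splunk, Microsoft Sentinel, Cortex XSIAM or any vendor. It groups VPN authentication failures by source IP, flags sources that fail against many distinct accounts (the spraying pattern, as opposed to one user mistyping a password), and maps repeat offences onto the 1h / 24h / 7d / 30d ladder from the text. The JSON-lines event shape, the field names (`ts`, `src`, `user`, `result`), the tag names and the `min_users` threshold are assumptions, and the events are constructed from RFC 5737 documentation addresses.

```python
"""Correlate VPN login failures by source IP and derive an escalating block tier.

Added example for this article, not any SIEM vendor's rule. Field names and the
JSON-lines log shape are assumptions; the sample events are constructed.
"""
import json
from collections import defaultdict

# Escalation ladder from the article: 1h, 24h, 7d, 30d (expressed in hours).
ESCALATION_HOURS = [1, 24, 24 * 7, 24 * 30]
# Assumed tag names; on PAN-OS these would feed Dynamic Address Groups.
ESCALATION_TAGS = ["block-1h", "block-24h", "block-7d", "block-30d"]

# Constructed auth events (RFC 5737 addresses), not real telemetry.
SAMPLE_LOG = """\
{"ts": "2024-01-01T00:00:01Z", "src": "203.0.113.20", "user": "alice", "result": "failure"}
{"ts": "2024-01-01T00:00:02Z", "src": "203.0.113.20", "user": "bob", "result": "failure"}
{"ts": "2024-01-01T00:00:03Z", "src": "203.0.113.20", "user": "carol", "result": "failure"}
{"ts": "2024-01-01T00:00:04Z", "src": "203.0.113.20", "user": "dave", "result": "failure"}
{"ts": "2024-01-01T00:00:05Z", "src": "203.0.113.20", "user": "erin", "result": "failure"}
{"ts": "2024-01-01T00:00:06Z", "src": "198.51.100.7", "user": "alice", "result": "failure"}
{"ts": "2024-01-01T00:00:07Z", "src": "198.51.100.7", "user": "alice", "result": "failure"}
{"ts": "2024-01-01T00:00:08Z", "src": "198.51.100.7", "user": "alice", "result": "success"}
"""


def failures_by_source(log_text):
    """Map each source IP to the set of distinct usernames it failed against."""
    failed_users = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["result"] == "failure":
            failed_users[event["src"]].add(event["user"])
    return failed_users


def spraying_sources(log_text, min_users=3):
    """Sources that failed against at least `min_users` distinct accounts.

    Counting distinct users rather than raw failures is what separates a spray
    (one IP, many accounts) from a legitimate user retyping a password.
    """
    return sorted(
        src for src, users in failures_by_source(log_text).items()
        if len(users) >= min_users
    )


def block_duration_hours(prior_offences):
    """Escalation ladder: first offence 1h, then 24h, 7d, 30d; it stays at 30d."""
    return ESCALATION_HOURS[min(prior_offences, len(ESCALATION_HOURS) - 1)]


def escalate(offence_history, sources):
    """Assign each offending source its tag for this round and record the offence.

    `offence_history` is {src: prior_offence_count}; it is updated in place so
    the next detection run lands one rung higher on the ladder.
    """
    decisions = {}
    for src in sources:
        prior = offence_history.get(src, 0)
        rung = min(prior, len(ESCALATION_TAGS) - 1)
        decisions[src] = (ESCALATION_TAGS[rung], ESCALATION_HOURS[rung])
        offence_history[src] = prior + 1
    return decisions


if __name__ == "__main__":
    history = {}
    offenders = spraying_sources(SAMPLE_LOG)
    print("spraying sources:", offenders)
    for round_no in range(3):
        print(f"run {round_no}:", escalate(history, offenders))
```

Run it once per detection interval: the first run tags the spraying source `block-1h`, the second `block-24h`, and so on, while the single user with two typos and a successful login is never tagged.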
What NOT to Stack
Certain feed combinations cause more problems than they solve:
- Multiple aggregated mega-lists (FireHOL Level 2 + Level 3 + Talos + IPsum) — Massive overlap, hundreds of thousands of entries, and false positives that trigger helpdesk tickets.
- ISC / SANS feeds without filtering — Practitioners report false positives on these feeds, including the addresses of public DNS resolvers. Use with caution or not at all.
- Ten free feeds "because they are free" — More feeds does not equal more security. A tight 3–5 feed stack with minimal overlap outperforms a 15-feed mess on every metric: accuracy, performance, and maintainability.
How to Deploy This Stack on Your Firewall
The specific steps depend on your firewall platform, but the pattern is the same everywhere:
- Create one EDL object per feed (each with its own URL and refresh interval)
- Create an address group containing all EDL objects
- Create a deny rule matching traffic from the address group
- Place the deny rule early in your security policy (before any allow rules for the affected zone)
- Commit and verify entries are loading
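Two of the claims above are worth checking against the actual feed files before you commit: that the chosen feeds overlap very little (the argument in "Why Stack Instead of Picking One?" and "What NOT to Stack"), and that the stack fits the firewall's EDL capacity (the final verification step). The script below is an added example, not ThreatListPro's, Spamhaus's or any firewall vendor's code. It assumes each feed is plain text with one address or CIDR per line and comments introduced by `#` or by a trailing `; ...` annotation (the style Spamhaus DROP uses); the sample feeds are constructed from RFC 5737 documentation ranges so it runs offline. Overlap is computed CIDR-aware, so a single IP in one feed that falls inside a range in another is counted as redundant, which is exactly the per-host-versus-range distinction the article draws.

```python
"""Sanity-check a stack of IP blocklist feeds before committing it to a firewall.

Added example for this article, not any feed provider's or vendor's code.
Assumptions: feeds are one entry per line, an entry is an IPv4/IPv6 address or
CIDR, comments start with '#' or follow ';' (DROP-style: "192.0.2.0/24 ; SBL0").
Sample feeds are constructed from documentation ranges, not real threat data.
"""
import ipaddress
from itertools import combinations

# Constructed sample feeds (RFC 5737 ranges only, not real indicators).
SAMPLE_FEEDS = {
    "vpn-feed": "# per-host entries\n198.51.100.7\n198.51.100.8\n203.0.113.20\n203.0.113.20\n",
    "drop-feed": "; hijacked ranges\n203.0.113.0/24 ; SBL000001\n192.0.2.0/25 ; SBL000002\n",
    "aggregator": "203.0.113.20\n192.0.2.10\n198.51.100.99\nnot-an-ip\n",
}


def parse_feed(text):
    """Return (set of ip_network objects, list of rejected lines).

    Blank lines and comments are skipped, duplicates collapse into the set, and
    anything that is not a valid address or CIDR is reported rather than dropped,
    so a truncated or HTML-error download does not silently become a tiny EDL.
    """
    networks, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 192.0.2.1/24).
            networks.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw.strip())
    return networks, rejected


def covered_by(nets, other):
    """Count entries of `nets` that lie inside (or equal) some entry of `other`.

    A /32 that sits inside another feed's /24 is redundant: the range already
    blocks it. Mixed IPv4/IPv6 pairs never match, so they are skipped.
    """
    return sum(
        1 for n in nets
        if any(n.version == o.version and n.subnet_of(o) for o in other)
    )


def overlap_matrix(feeds):
    """Pairwise overlap: {(a, b): entries of feed a already covered by feed b}."""
    matrix = {}
    for a, b in combinations(feeds, 2):
        matrix[(a, b)] = covered_by(feeds[a], feeds[b])
        matrix[(b, a)] = covered_by(feeds[b], feeds[a])
    return matrix


def stack_summary(feeds, capacity):
    """Total the stack the way the firewall counts it and compare with `capacity`.

    `capacity` is the platform's EDL entry limit (the article cites 50,000 for a
    PA-220); headroom matters because feeds grow between refreshes.
    """
    total = sum(len(n) for n in feeds.values())
    unique = len(set().union(*feeds.values()))
    return {
        "total_entries": total,
        "unique_entries": unique,
        "exact_duplicates": total - unique,
        "fits_capacity": total <= capacity,
        "utilisation_pct": round(100 * total / capacity, 2),
    }


def load_stack(raw_feeds):
    """Parse every feed; returns ({name: networks}, {name: rejected_lines})."""
    parsed, rejected = {}, {}
    for name, text in raw_feeds.items():
        parsed[name], rejected[name] = parse_feed(text)
    return parsed, rejected


if __name__ == "__main__":
    feeds, bad = load_stack(SAMPLE_FEEDS)
    for name, nets in feeds.items():
        print(f"{name}: {len(nets)} entries, rejected lines: {bad[name]}")
    for (a, b), n in sorted(overlap_matrix(feeds).items()):
        print(f"{n} entries of {a} already covered by {b}")
    print(stack_summary(feeds, capacity=50_000))
```

To check a real stack, read each downloaded feed file into the dictionary in place of the constructed strings and pass your platform's EDL limit to `stack_summary()`. A feed whose rejected-line list is long or whose entry count collapses between refreshes is the symptom the "verify entries are loading" step is meant to catch; an overlap count that is a large fraction of a feed's size is the redundancy the "What NOT to Stack" section warns about.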
For platform-specific setup instructions, see our firewall guides:
- Palo Alto GlobalProtect EDL Setup
- FortiGate External Threat Feed
- pfSense pfBlockerNG Configuration
- OPNsense URL Table Alias
- Cisco AnyConnect Security Intelligence
- SonicWall Dynamic Block List
Frequently Asked Questions
How many IP blocklist feeds should I use on my firewall?
Most environments perform best with 2–5 feeds. A curated VPN-specific feed (ThreatListPro, ~1,600 IPs) plus a high-confidence reputation list (Spamhaus DROP, ~1,200 ranges) covers the most dangerous traffic. Add 1–3 more feeds only if you expose services beyond VPN.
Should I use ThreatListPro alongside CrowdSec?
Yes, they are complementary. ThreatListPro proactively blocks known VPN attackers via EDL. CrowdSec detects new attackers in real time via community signals. Together they provide both historical and real-time coverage with minimal overlap.
Is IPsum a good free alternative to a paid blocklist?
IPsum is an excellent free aggregator with confidence scoring (30+ sources). However, it is not VPN-specific. Stacking IPsum Level 3 with ThreatListPro gives both broad coverage and VPN-focused precision. They cover different threat categories.
What is the difference between ThreatListPro and Spamhaus DROP?
Spamhaus DROP lists hijacked IP ranges (entire /24+ blocks) used by spammers and botnets. ThreatListPro lists individual IPs confirmed to be attacking VPN portals. They cover completely different threat categories with almost no overlap, which is why stacking them is recommended.
Will stacking multiple blocklists slow down my firewall?
Not with a curated stack. The Tier 2 stack totals under 10,000 entries — well within the EDL capacity of even entry-level firewalls (PA-220: 50,000 limit). Problems only arise with aggressive aggregated lists containing hundreds of thousands of entries.