IP Hotlist¶
The IP Hotlist feed identifies high-risk IP addresses hosting hostile domains that are observed to be active within a 24-hour time window. This focused feed provides risk scores and enrichment data for IPs where more than 50% of hosted domains are high-risk and actively communicating.
Overview¶
This feed captures IP addresses that meet strict criteria for both risk level and recent activity, making it ideal for immediate blocking and threat response. The feed provides the same comprehensive enrichment data as the IP Risk feed, but filtered to show only the most dangerous and currently active infrastructure.
Use this feed when you need to:
- Build high-confidence IP block lists
- Identify currently active hostile infrastructure for immediate action
- Enhance SOC and Threat Intel workflows with IP-based enrichment
- Create custom network or endpoint block rules
- Triage IP-based alerts
- Monitor threat actor hosting infrastructure
- Detect and respond to active C2 servers
Inclusion criteria:
- More than 50% of domains on the IP have a proximity score of 70+ OR a Threat Profile score of 90+
- pDNS activity on malicious domains within 24 hours
Format: Gzip-compressed tab-separated (TSV) text file
Size: 40,000-50,000 IP addresses, ~1MB compressed
Requirements¶
You need the following to access Threat Feeds:
- An Enterprise Account with DomainTools, accessible at https://account.domaintools.com/my-account/
- Authentication credentials (API key for header authentication, or API username and key for HMAC or open key authentication)
- A way to interact with a REST API delivered through AWS CloudFront
Obtain your API credentials from your group's API administrator. API administrators can manage their API keys at https://research.domaintools.com, selecting the drop-down account menu and choosing API admin.
For assistance, contact enterprisesupport@domaintools.com.
Authentication¶
You can authenticate to the IP Hotlist API using three different methods. Choose the method that best fits your security requirements and technical environment.
API key (header) authentication¶
Authenticate your requests by including the API key in the header of each HTTP request. The API key serves as a unique identifier and authenticates your requests.
Required header:
X-Api-Key: YOUR_API_KEY
Example:
```bash
curl -H 'X-Api-Key: YOUR_API_KEY' 'https://api.domaintools.com/v1/download/daily_ip_hotlist/'
```
HMAC authentication¶
HMAC authentication is a secure alternative to API key-based methods. It requires signing each request with a SHA1 HMAC digest derived from your API secret, providing integrity and authenticity without exposing credentials directly in the request.
This method is recommended for systems where authentication credentials shouldn't be stored in plain text or included directly in request URLs.
DomainTools supports MD5, SHA1, and SHA256 for the hashing algorithm.
Required query parameters:
- api_username: Your DomainTools API username
- signature: HMAC-SHA1 signature of api_username + timestamp + uri_path
- timestamp: Current UTC timestamp in ISO 8601 format (for example, 2025-06-01T15:30:00Z)
Constructing the HMAC signature:
URI path must include API version
The uri_path parameter must include the API version prefix. For example, use /v1/feed/nod/ not /feed/nod/.
Example Python signing function:
```python
import hmac
import hashlib

def sign(api_username, api_key, timestamp, uri):
    # The signed message is the concatenation api_username + timestamp + uri_path;
    # the API key is the HMAC secret and is never sent in the request.
    params = f"{api_username}{timestamp}{uri}"
    return hmac.new(api_key.encode("utf-8"), params.encode("utf-8"), hashlib.sha1).hexdigest()
```
HMAC timestamp requirements
The timestamp parameter in HMAC authentication must be current (within a few minutes of the server time). The timestamps shown in these examples are static for demonstration purposes. In production, generate a fresh timestamp for each request using your system's current time in ISO 8601 UTC format (e.g., 2025-01-06T15:30:00Z).
Example:
```bash
curl 'https://api.domaintools.com/v1/download/daily_ip_hotlist/?api_username=YOUR_USERNAME&signature=HMAC_SIGNATURE&timestamp=2025-01-06T15:30:00Z'
```
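The signing scheme above, carried through to a complete request URL with a fresh timestamp, plus a hypothetical verifier-side check that shows why the timestamp matters. This is an added example, not DomainTools code; API_USERNAME, API_KEY and the verify function are placeholders and assumptions of the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Constructed placeholder credentials for the example, not real ones.
API_USERNAME = "example_user"
API_KEY = "example-secret-key"
BASE_URL = "https://api.domaintools.com"
URI_PATH = "/v1/download/daily_ip_hotlist/"   # the version prefix is part of the signed path
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"                # ISO 8601 UTC, e.g. 2025-01-06T15:30:00Z
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def sign(api_username, api_key, timestamp, uri_path, algo="sha1"):
    """HMAC over api_username + timestamp + uri_path, keyed with the API key."""
    msg = f"{api_username}{timestamp}{uri_path}".encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), msg, DIGESTS[algo]).hexdigest()


def signed_url(api_username, api_key, uri_path, timestamp=None):
    """Build the request URL; a fresh timestamp is generated unless one is supplied."""
    ts = timestamp or datetime.now(timezone.utc).strftime(TS_FORMAT)
    query = {"api_username": api_username,
             "signature": sign(api_username, api_key, ts, uri_path),
             "timestamp": ts}
    return f"{BASE_URL}{uri_path}?{urlencode(query)}"


def verify(api_key, api_username, timestamp, uri_path, signature, now=None,
           max_skew=timedelta(minutes=5), algo="sha1"):
    """Hypothetical verifier-side check (not the real server): recompute the HMAC,
    compare in constant time, and reject timestamps outside the allowed skew, so a
    captured URL cannot be replayed indefinitely even though its signature is valid."""
    try:
        ts = datetime.strptime(timestamp, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False  # malformed timestamp is rejected before any crypto work
    now_dt = (datetime.strptime(now, TS_FORMAT).replace(tzinfo=timezone.utc)
              if now else datetime.now(timezone.utc))
    if abs(now_dt - ts) > max_skew:
        return False
    expected = sign(api_username, api_key, timestamp, uri_path, algo)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    print(signed_url(API_USERNAME, API_KEY, URI_PATH))
```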
Open key authentication¶
This is the easiest authentication scheme to implement, but also the least secure. Each request contains the full API key and API username as query parameters. We recommend using API key header authentication or HMAC authentication instead.
If you're unsure about your authentication options, contact enterprisesupport@domaintools.com.
Required query parameters:
- api_username: Your API username
- api_key: Your API key
Example:
```bash
curl 'https://api.domaintools.com/v1/download/daily_ip_hotlist/?api_username=YOUR_USERNAME&api_key=YOUR_API_KEY'
```
Daily Download API¶
The Daily Download API provides access to IP Hotlist data through temporary AWS S3 file links. The feed is updated daily with high-risk, actively communicating IPs.
Base URL¶
https://api.domaintools.com/v1/download/daily_ip_hotlist/
Parameters¶
The Daily Download API supports standard download parameters:
api_username¶
Type: string (required for HMAC and open key auth)
Your DomainTools API username
api_key¶
Type: string (required for open key auth)
Your DomainTools API key
signature¶
Type: string (required for HMAC auth)
HMAC signature of your request
timestamp¶
Type: string (required for HMAC auth)
Current timestamp for HMAC authentication in ISO 8601 format
limit¶
Type: integer (optional)
Limit the list of signed files. Ordering of files is always descending, so the latest files are first.
page¶
Type: integer (optional)
Select which page of results is returned. Pages begin at 0 with the latest results.
Response structure¶
The API returns a JSON response with signed URLs for downloadable files:
download_name (string): The feed identifier (daily_ip_hotlist)
files (array): List of downloadable file entries
Each file object contains:
| Field | Type | Description |
|---|---|---|
| name | string | File path |
| last_modified | string | Last modified date in ISO 8601 format |
| etag | string | Entity tag (hash of the file) |
| size | integer | Size in bytes |
| url | string | Signed AWS CloudFront download URL (valid for 12 hours) |
Response codes¶
| Code | Status | Description |
|---|---|---|
| 200 | OK | The request was successful |
| 400 | Bad request | Invalid request parameters |
| 401 | Unauthorized | Missing or invalid authentication |
| 403 | Forbidden | Insufficient permissions |
| 404 | No data to download | No files available |
File naming¶
The feed provides a single file:
This file contains high-risk IP addresses with recent malicious activity, updated daily.
File contents¶
The TSV file contains the following fields (tab-separated, one IP per line):
IP and infrastructure fields¶
| Field | Description |
|---|---|
| ip | IP address that has www/apex domains pointing to it |
| asn | The IP's ASN (autonomous system number, routing provider) |
| organization | Organization associated with IP range based on geo data |
| city | City based on IP geo data |
| region | Region based on IP geo data |
| country | Country based on IP geo data |
| latitude | Geographic coordinates |
| longitude | Geographic coordinates |
Domain activity metrics¶
| Field | Description |
|---|---|
| pdns_resolutions | Number of domains seen on the IP in the last 24 hours |
| bad_pdns_resolutions | Number of confirmed bad domains seen on the IP in the last 24 hours |
| total_domains | Total number of domains seen on this IP in the last 7 days |
| zerolist_domains | Number of zero-listed domains seen on this IP |
| zerolist_ip | Indicates if this IP is zero-listed (e.g., CDN) |
Threat intelligence metrics¶
| Field | Description |
|---|---|
| third_party_threats | Number of domains on IP confirmed with any threat on a third-party intel feed |
| allthreats_combined_count | Number of confirmed or predicted domains on third-party intel feed or threat profile |
| allthreats_combined_percent | Percentage of domains that are confirmed or predicted malicious |
| all_threats_percent | Percentage of domains including all threat types |
Combined threat predictions¶
| Field | Description |
|---|---|
| malicious_combined_phishing_percent | Percentage of domains confirmed or predicted as phishing |
| combined_malware_percent | Percentage of domains confirmed or predicted as malware |
| combined_spam_percent | Percentage of domains confirmed or predicted as spam |
Confirmed malicious threats¶
| Field | Description |
|---|---|
| malicious_phishing | Number of malicious phishing domains on third-party intel feeds |
| malicious_malware | Number of malicious malware domains on third-party intel feeds |
| malicious_spam | Number of malicious spam domains on third-party intel feeds |
| percent_phishing | Percentage of domains that are confirmed phishing |
| percent_malware | Percentage of domains that are confirmed malware |
| percent_spam | Percentage of domains that are confirmed spam |
Compromised threats¶
| Field | Description |
|---|---|
| compromised_phishing | Number of compromised phishing domains on third-party intel feeds |
| compromised_malware | Number of compromised malware domains on third-party intel feeds |
| compromised_spam | Number of compromised spam domains on third-party intel feeds |
Predicted threats¶
| Field | Description |
|---|---|
| predicted_phishing | Number of domains (with no confirmed threat) predicted as phishing |
| predicted_malware | Number of domains (with no confirmed threat) predicted as malware |
| predicted_spam | Number of domains (with no confirmed threat) predicted as spam |
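A parser for the TSV layout described in the tables above, turning the feed into a block list while skipping zero-listed (CDN-style) IPs and thinly populated IPs. This is an added example, not DomainTools code; the column order is assumed to follow the tables above, and the sample rows are constructed.

```python
import csv
import io

# Column order assumed to follow the field tables above (an assumption of this example).
COLUMNS = (
    "ip asn organization city region country latitude longitude pdns_resolutions bad_pdns_resolutions "
    "total_domains zerolist_domains zerolist_ip third_party_threats allthreats_combined_count "
    "allthreats_combined_percent all_threats_percent malicious_combined_phishing_percent "
    "combined_malware_percent combined_spam_percent malicious_phishing malicious_malware malicious_spam "
    "percent_phishing percent_malware percent_spam compromised_phishing compromised_malware "
    "compromised_spam predicted_phishing predicted_malware predicted_spam"
).split()
NUMERIC = [c for c in COLUMNS if c not in ("ip", "organization", "city", "region", "country", "zerolist_ip")]

def make_row(ip, **fields):
    """Constructed sample line (not feed data); every column not given is zero."""
    values = dict.fromkeys(COLUMNS, "0")
    values.update(ip=ip, **fields)
    return "\t".join(values[col] for col in COLUMNS)

SAMPLE_TSV = "\n".join([
    make_row("192.0.2.10", bad_pdns_resolutions="31", zerolist_ip="false",
             allthreats_combined_percent="77.5", malicious_combined_phishing_percent="60.0"),
    make_row("192.0.2.20", bad_pdns_resolutions="7", zerolist_ip="true",
             allthreats_combined_percent="58.3", organization="Example CDN"),
    make_row("192.0.2.30", bad_pdns_resolutions="2", zerolist_ip="false", allthreats_combined_percent="66.7"),
]) + "\n"

def parse_hotlist(text):
    """Yield one dict per line; counts and percentages become floats, zerolist_ip a bool."""
    for fields in csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE):
        if len(fields) != len(COLUMNS):
            continue  # skip malformed lines instead of mis-assigning columns
        rec = dict(zip(COLUMNS, fields))
        rec["zerolist_ip"] = rec["zerolist_ip"].strip().lower() in ("true", "1", "yes")
        for key in NUMERIC:
            try:
                rec[key] = float(rec[key])
            except ValueError:
                pass  # leave non-numeric values (e.g. empty fields) as strings
        yield rec

def build_blocklist(text, min_bad=5, min_percent=50.0, skip_zerolist=True):
    """Select IPs for a block rule: zero-listed IPs (shared infrastructure such as CDNs) are skipped
    so legitimate tenants are not blocked, and min_bad stops sparsely used IPs qualifying on percentage alone."""
    return [rec["ip"] for rec in parse_hotlist(text)
            if not (skip_zerolist and rec["zerolist_ip"])
            and rec["bad_pdns_resolutions"] >= min_bad
            and rec["allthreats_combined_percent"] >= min_percent]
```

To run it on a downloaded feed, read the gunzipped file into a string and pass it to build_blocklist.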
Examples¶
List available files:
Download the file:
```bash
# Get the file list
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/daily_ip_hotlist/' > files.json
# Download the file
curl -o ip_hotlist.gz "$(jq -r '.response.files[0].url' files.json)"
# Decompress and view
gunzip ip_hotlist.gz
head ip_hotlist
```
Parse TSV data:
```bash
# View first 10 IPs with their threat percentages
gunzip -c ip_hotlist.gz | head -10 | cut -f1,6,7,8,9
```
Filter for specific threat types:
```bash
# Find IPs with high phishing percentage (field 7)
gunzip -c ip_hotlist.gz | awk -F'\t' '$7 > 50 {print $1, $7}' | head -20
```