When it comes to protecting your applications from DDoS floods and CC (Challenge Collapsar) attacks, SafeLine WAF allows you to plug in curated IP blacklists directly. One useful community-driven project is the GitHub Ban-Hacker-IP-Plan, which maintains a growing list of IPv4 addresses tied to malicious traffic.
This article shows how to integrate that blacklist into SafeLine WAF to harden your defenses.
What is Ban-Hacker-IP-Plan?
Ban-Hacker-IP-Plan is a GitHub project that collects known attacker IPs, mostly:
- DDoS sources (distributed denial-of-service)
- CC attack sources (common flood patterns)
The list is regularly updated and shared publicly, making it a great feed for SafeLine WAF’s custom rule sets.
Why use it with SafeLine WAF?
SafeLine WAF (by Chaitin Tech) lets you:
- Build IP-based blacklists and whitelists
- Enforce rules across multiple services
- Mitigate volumetric and layer-7 attacks before they hit your apps
By ingesting the Ban-Hacker-IP-Plan list from GitHub, you cut down noise from repeat offenders and improve resource availability for legit users.
Rule definition
Here’s an example of how the SafeLine rule is structured:
- Rule Type: Denylist
- Name: 2025-5-25 (Ban-Hacker-IP-Plan)
- Condition: Source IP equals any of the listed addresses
- SafeLine Version: Compatible with 7.3.0 and newer
Example entry
Source IP =
1.15.47.213, 111.224.213.179, 111.225.152.202, 113.215.189.126,
113.223.212.153, 113.223.213.179, 113.223.214.125, 113.223.214.237, ...
The full list (as of 2025-05-25) contains 100+ IPv4 addresses associated with active attacks.
How to apply in SafeLine (Step-by-step)
- Open your SafeLine dashboard → Web ACL management.
- Create a new rule group → type Denylist.
- Name it: Ban-Hacker-IP-Plan.
- Add condition → “Source IP equals” → paste in the IP list.
- Action → Block.
- Attach rule group → to your site/app’s policy.
- Save & deploy.
Security best practices (Extra layer)
- Auto-update: Sync Ban-Hacker-IP-Plan from GitHub periodically.
- Layering: Use rate limiting + geo-blocking alongside IP bans.
- Monitor false positives: Ensure no critical partner IPs are caught.
- Combine lists: Merge with threat intel feeds (AbuseIPDB, Spamhaus, etc.).
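The auto-update and false-positive practices above can be combined into a cleaning step that runs on the downloaded list before it is pasted into the “Source IP equals” condition. This is an added example, not code from SafeLine or the Ban-Hacker-IP-Plan project; the feed layout (one or more addresses per line, `#` comments), the sample text and the `NEVER_BLOCK` range are assumptions.

```python
import ipaddress
import re

# Constructed sample feed: a few addresses from the example entry above plus
# junk a community list could contain. The real file layout is an assumption.
SAMPLE_FEED = """\
# Ban list snapshot (constructed sample)
1.15.47.213
111.224.213.179, 111.225.152.202
113.223.212.153
1.15.47.213
10.0.0.5
127.0.0.1
999.1.1.1
not-an-ip
"""

# Hypothetical allowlist: ranges that must never be blocked (partners, monitoring).
NEVER_BLOCK = ["111.225.152.0/24"]

def build_denylist(feed_text, never_block=()):
    """Return (accepted, rejected): accepted is a sorted, de-duplicated list of
    IPv4 strings; rejected maps each dropped token to the reason it was dropped."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    accepted, rejected = set(), {}
    for line in feed_text.splitlines():
        line = line.split("#", 1)[0]  # strip comments
        for token in re.findall(r"[^,\s]+", line):
            try:
                ip = ipaddress.IPv4Address(token)
            except ValueError:
                rejected[token] = "not a valid IPv4 address"
                continue
            if not ip.is_global:
                # A feed entry like 10.0.0.5 would block internal traffic.
                rejected[token] = "private, loopback or reserved"
            elif any(ip in net for net in protected):
                rejected[token] = "in never-block allowlist"
            else:
                accepted.add(ip)
    return [str(ip) for ip in sorted(accepted)], rejected

if __name__ == "__main__":
    ips, dropped = build_denylist(SAMPLE_FEED, NEVER_BLOCK)
    print(", ".join(ips))  # comma-separated, as in the example entry
    for token, reason in dropped.items():
        print(f"dropped {token}: {reason}")
```

Review the dropped entries before each sync: a sudden jump in rejected tokens is a sign the upstream list changed format or was tampered with.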
TL;DR
SafeLine WAF can easily integrate community IP blacklists like the Ban-Hacker-IP-Plan project on GitHub. By blocking these known DDoS and CC attacker IPs at the edge, you reduce load on your servers and improve uptime.