SIP IP blacklist
A SIP IP blacklist that only contains VoIP attackers.
Pull blacklist.txt or stream JSON from GET /v1/threats. Every IP is verified against live honeypot telemetry, not recycled from unrelated abuse categories.
Static blocklists go stale in hours
Fraud crews rotate infrastructure constantly. A monthly updated DROP list cannot keep pace with SIP scanners that appear, exploit, and vanish within a day. You need a feed that refreshes as attacks happen.
Live blacklist from honeypot hits
SipRadar publishes high-confidence attacker IPs minutes after our honeypots record malicious SIP behavior. Filter by minimum threat score, country, or port before you block.
How SipRadar helps
Plain-text export
GET /v1/blacklist.txt returns one IP per line, ideal for cron jobs, nftables sets, and simple shell scripts.
JSON threat stream
GET /v1/threats returns structured events with timestamp, geo, user-agent, port, and threat score for richer automation.
Per-IP reputation lookup
Check any address with GET /v1/ip/{address} before you block. Useful for investigating log entries and carrier complaints.
Fail2Ban-ready
Copy our jail and filter examples from the API docs to ban attackers automatically when they hit your edge.
Drop into Fail2Ban or iptables
Schedule a cron pull of blacklist.txt, or point Fail2Ban at our API for dynamic bans. Kamailio users can load the feed into dispatcher or permissions modules.
FAQ
Frequently asked questions
Common questions about SIP IP blacklist and how SipRadar fits your VoIP security stack.
Ask a question →Continuously. Honeypot events stream in real time; paid API tiers receive immediate updates. Community tier uses a 48-hour delayed snapshot.