ASN-Blocklist

[Mun]

In regards to this thread:

I have built a PHP applet that pulls data from bgp.he.net once a week and builds a block list for a few different ASNs. The block lists currently come in the form of:

Nginx deny conf file.

htaccess

iptables commands and all in a text format.

ipset commands and all in a text format.

RAW IP list.

Currently the ASNs that are being processed are:


$asns[] = 'AS6079'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI
You can check it out here: https://cdn.content-network.net/tools/asn-blocklist/


https://cdn.content-network.net/tools/asn-blocklist/
I am looking for suggestions on file formats / configs that you would like to have built for as well. I need an example file and what the best way of building it would be. I.e. best practices.

I am also looking for suggested ASNs that should be watched and the reason why they should be blocked. Like Mass Spam, SSH brute Forces, et cetera.

Anyways, let me know how you like it!

Mun

EDIT: UPDATE: Checkout this handy tool to block via ASN: https://www.enjen.net/asn-blocklist/

 

[TruvisT]

This is very nice! Throw theses IP up at the firewall level to keep spam out.

 

[Aldryic C'boas]

Why are you including our ASN on a blocklist populated with known spam points, @Mun?

 

[Mun]

Why are you including our ASN on a blocklist populated with known spam points, @Mun?

edit: I added frantech to the list, as to why you would use it is beyond me, but I know we have some CC lovers around here/there and I think they may like blocking Frantech for the simple reason they can.

 

[SkylarM]

Why are you including our ASN on a blocklist populated with known spam points, @Mun?

Everyone should fear the stampede of Ponies.

 

[Aldryic C'boas]

So why didn't you add other hosts that don't get along with CC?  Why are we just randomly thrown in with a batch of spam points with no real justification?

That's fairly akin to me publishing a list of known scammers/frauders, and including you "just incase someone wanted to block you".  Even though you're listed by *default*.

 

[Mun]

So why didn't you add other hosts that don't get along with CC?  Why are we just randomly thrown in with a batch of spam points with no real justification?

I know mtwiscool wanted it. He said you spam him with good advice all the time.

 

[Aldryic C'boas]

Oh, you're still sore over some personal issue.  Sad to see that you have to resort to adding a company's ASN on a very misleading blocklist as being blocked be default due to your personal vendetta.

 

[Mun]

Oh, you're still sore over some personal issue.  Sad to see that you have to resort to adding a company's ASN on a very misleading blocklist as being blocked be default due to your personal vendetta.

ROFL, I'm not mad at all, and no where have I suggested people use all the block lists, it is funny how badly you are reacting to this. I did it for laughs and giggles, but since you are pouting so bad about it Ill remove it.

Ohh Aldryic.

 

[Aldryic C'boas]

Any reasonable company would react the same way to someone listing them alongside known dirty entities.  As I said before, it would be the same as me releasing a list of known scammers, and including you in said list "for giggles".

 

[Mun]

Any reasonable company would react the same way to someone listing them alongside known dirty entities.  As I said before, it would be the same as me releasing a list of known scammers, and including you in said list "for giggles".

Rolls eyes, ohh aldryic. Its ok, pats you on the head, everything will be ok in a little bit. Ohh look a new mtwiscool thread, go get it!

 

[Aldryic C'boas]

Your trolling needs a good bit of work.  Just so you're aware - when you try too hard, as you're doing now?  It only makes it all the more obvious how desperate, how badly you need me to react in order to justify whatever... thing you have going on.  Only makes yourself look bad, kiddo.

 

[Mun]

Your trolling needs a good bit of work.  Just so you're aware - when you try too hard, as you're doing now?  It only makes it all the more obvious how desperate, how badly you need me to react in order to justify whatever... thing you have going on.  Only makes yourself look bad, kiddo.

100% worth it.

 

[mojeda]

The way I see this "project" now, is that someone can block your ASN for shits-n-giggles.

My suggestion, open source it and allow people to develop their own list of blocked ASNs.

 

[SkylarM]

Why is B2net missing from this?!

 

[drmike]

$asns[] = 'AS6079'; // Colocrossing

Unsure if you made a typo @Mun or what.

ColoCrossing =  AS36352

http://bgp.he.net/AS36352

-------------------------------------------------------------------

So if you just are scraping BGP.HE.NET, you are likely:

1. Missing IPs allocated to entity (where such hasn't been routed yet but issued to such) or such IPs have been recently issued.

2. You may or may not be including upstream allocated IPs - like datacenters who issue blocks to a provider or a backbone provider/upstream that does.

3. There are likely IPs ported to said networks, that are not IP's that such company owns or controls.  Rather as we are seeing more and more, people are making IP arrangements elsewhere and porting their rented/leased IPs to other network.  These people are often proactive and not part of the silly mess (likely porting due to silly mess on such networks).

Know we have gone back and forth about collateral innocent providers downstream getting dinged.  Banning ASNs blindly like this will cause such wrong dingings.   I see a need for these sorts of tools and I THANK YOU for creating such.  Big picture I think we need some feature enhancements to re-parse/sub parse things to eliminate various things, provide for whitelisting, etc.

 

[DomainBop]

My suggestions would be long time favorites:

Ecatel AS29073 - the only people in the world who define "free speech" as warez, botnets, DDoS, and kiddieporn

Ubiquity / Nobis Tech AS15003 -spam

Psychz Networks AS40676 -evil attack bots

Hostnoc AS21788 - spam, comment spammers

Hostkey AS57043 -home to many Russian bots, attackers

 

[Mun]

CC fixed, Im not sure what happened there at all and I am confused on how I got it.....

You are very much right, blocking full ASN's is very very tricky. Yes I know some hosts will be in collateral damage, and that is why: http://cdn.content-network.net/tools/cc-blocklist/ the CC-blocklist was made, which is only allocations with "colocrossing" in the name.

I honestly doubt anyone will actually use the list or files. Sorta why I was joking with Aldryic, as you really need to understand that you are blocking a whole chunk of the internet with a blanket when their is good and bad. Frankly anyone stupid enough to just take my lists and use them without looking deserves getting slightly smacked by it.

$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; //datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI

 

[Mun]

My suggestions would be long time favorites:

Ecatel AS29073 - the only people in the world who define "free speech" as warez, botnets, DDoS, and kiddieporn

Ubiquity / Nobis Tech AS15003 -spam

Psychz Networks AS40676 -evil attack bots

Hostnoc AS21788 - spam, comment spammers

Hostkey AS57043 -home to many Russian bots, attackers

Added, thank you!

$asns[] = 'AS29073'; // ecatel
$asns[] = 'AS15003'; //Nobis Tech
$asns[] = 'AS40676'; // psychz
$asns[] = 'AS21788'; //burst
$asns[] = 'AS57043'; //hostkey
$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; //datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI

 

[drmike]

Really is a good need for this sort of stuff @Mun.  Making the scripts "flexible" for users to self generate blocklists based on their whims would do a ton of good.  Whims might be only where company name matched or entire ASN.  Might include whitelist concept too.  Seems like a lot, but really isn't.

I recommend an option to include the TOP 10 Spamhaus shit-company-networks:

http://www.spamhaus.org/statistics/networks/

Catch there, is that said script would need to parse such, locate ASN relationship.