ASN-Blocklist

Discussion in 'Hosting Talk & Reviews' started by Mun, Aug 2, 2014.

  1. Mun

    Mun Never Forget

    892
    237
    May 9, 2013
    In regards to this thread:

    I have built a PHP applet that pulls data from bgp.he.net once a week and builds a block list for a few different ASNs. The block lists currently come in the form of:

    Nginx deny conf file.

    htaccess

    iptables commands and all in a text format.

    ipset commands and all in a text format.

    RAW IP list.

    Currently the ASNs that are being processed are:


    $asns[] = 'AS6079'; // Colocrossing
    $asns[] = 'AS16276'; // OVH
    $asns[] = 'AS32097'; // WSI
    You can check it out here: https://cdn.content-network.net/tools/asn-blocklist/


    I am looking for suggestions on file formats / configs that you would like to have built for as well. I need an example file and what the best way of building it would be. I.e. best practices.

    I am also looking for suggested ASNs that should be watched and the reason why they should be blocked. Like mass spam, SSH brute forces, et cetera.

    Anyways, let me know how you like it!

    Mun

    EDIT: UPDATE: Check out this handy tool to block via ASN: https://www.enjen.net/asn-blocklist/
     
    Last edited by a moderator: Aug 24, 2014
    TruvisT likes this.
  2. TruvisT

    TruvisT Server Management Specialist Verified Provider

    398
    144
    May 16, 2013
    This is very nice! Throw these IPs up at the firewall level to keep spam out.
     
  3. Aldryic C'boas

    Aldryic C'boas The Pony

    2,313
    2,652
    Apr 18, 2013
    Aldryic
    Why are you including our ASN on a blocklist populated with known spam points, @Mun?
     
  4. Mun

    Mun Never Forget

    892
    237
    May 9, 2013
    edit: I added frantech to the list, as to why you would use it is beyond me, but I know we have some CC lovers around here/there and I think they may like blocking Frantech for the simple reason they can.
     
    RLT likes this.
  5. SkylarM

    SkylarM Well-Known Member Verified Provider

    975
    419
    May 15, 2013
    Everyone should fear the stampede of Ponies.
     
    RLT likes this.
  6. Aldryic C'boas

    Aldryic C'boas The Pony

    2,313
    2,652
    Apr 18, 2013
    Aldryic
    So why didn't you add other hosts that don't get along with CC?  Why are we just randomly thrown in with a batch of spam points with no real justification?

    That's fairly akin to me publishing a list of known scammers/frauders, and including you "just in case someone wanted to block you".  Even though you're listed by *default*.
     
    Last edited by a moderator: Aug 2, 2014
    RLT likes this.
  7. Mun

    Mun Never Forget

    892
    237
    May 9, 2013
    I know mtwiscool wanted it. He said you spam him with good advice all the time.
     
    RLT, switsys and drmike like this.
  8. Aldryic C'boas

    Aldryic C'boas The Pony

    2,313
    2,652
    Apr 18, 2013
    Aldryic
    Oh, you're still sore over some personal issue.  Sad to see that you have to resort to adding a company's ASN on a very misleading blocklist as being blocked by default due to your personal vendetta.
     
  9. Mun

    Mun Never Forget

    892
    237
    May 9, 2013
    ROFL, I'm not mad at all, and nowhere have I suggested people use all the block lists, it is funny how badly you are reacting to this. I did it for laughs and giggles, but since you are pouting so bad about it I'll remove it.

    Ohh Aldryic.
     
  10. Aldryic C'boas

    Aldryic C'boas The Pony

    2,313
    2,652
    Apr 18, 2013
    Aldryic
    Any reasonable company would react the same way to someone listing them alongside known dirty entities.  As I said before, it would be the same as me releasing a list of known scammers, and including you in said list "for giggles".
     
  11. Mun

    Mun Never Forget

    892
    237
    May 9, 2013
    Rolls eyes, ohh Aldryic. It's ok, pats you on the head, everything will be ok in a little bit. Ohh look a new mtwiscool thread, go get it!
     
  12. Aldryic C'boas

    Aldryic C'boas The Pony

    2,313
    2,652
    Apr 18, 2013
    Aldryic
    Your trolling needs a good bit of work.  Just so you're aware - when you try too hard, as you're doing now?  It only makes it all the more obvious how desperate, how badly you need me to react in order to justify whatever... thing you have going on.  Only makes yourself look bad, kiddo.
     
  13. Mun

    Mun Never Forget

    892
    237
    May 9, 2013
    100% worth it.
     
  14. mojeda

    mojeda New Member

    347
    183
    May 14, 2013
    The way I see this "project" now, is that someone can block your ASN for shits-n-giggles.

    My suggestion, open source it and allow people to develop their own list of blocked ASNs.
     
  15. SkylarM

    SkylarM Well-Known Member Verified Provider

    975
    419
    May 15, 2013
    Why is B2net missing from this?!
     
    Kris likes this.
  16. drmike

    drmike 100% Tier-1 Gogent

    8,573
    2,717
    May 13, 2013
    $asns[] = 'AS6079'; // Colocrossing

    Unsure if you made a typo @Mun or what.

    ColoCrossing =  AS36352

    http://bgp.he.net/AS36352

    -------------------------------------------------------------------

    So if you just are scraping BGP.HE.NET, you are likely:

    1. Missing IPs allocated to entity (where such hasn't been routed yet but issued to such) or such IPs have been recently issued.

    2. You may or may not be including upstream allocated IPs - like datacenters who issue blocks to a provider or a backbone provider/upstream that does.

    3. There are likely IPs ported to said networks, that are not IPs that such company owns or controls.  Rather as we are seeing more and more, people are making IP arrangements elsewhere and porting their rented/leased IPs to other networks.  These people are often proactive and not part of the silly mess (likely porting due to silly mess on such networks).

    Know we have gone back and forth about collateral innocent providers downstream getting dinged.  Banning ASNs blindly like this will cause such wrong dingings.   I see a need for these sorts of tools and I THANK YOU for creating such.  Big picture I think we need some feature enhancements to re-parse/sub parse things to eliminate various things, provide for whitelisting, etc.
     
  17. DomainBop

    DomainBop Dormant VPSB Pathogen

    2,260
    2,190
    Oct 11, 2013
    My suggestions would be long time favorites:

    Ecatel AS29073 - the only people in the world who define "free speech" as warez, botnets, DDoS, and kiddieporn

    Ubiquity / Nobis Tech AS15003 -spam

    Psychz Networks AS40676 -evil attack bots

    Hostnoc AS21788 - spam, comment spammers

    Hostkey AS57043 -home to many Russian bots, attackers
     
    RLT and Kris like this.
  18. Mun

    Mun Never Forget

    892
    237
    May 9, 2013
    CC fixed, I'm not sure what happened there at all and I am confused on how I got it.....

    You are very much right, blocking full ASN's is very very tricky. Yes I know some hosts will be in collateral damage, and that is why: http://cdn.content-network.net/tools/cc-blocklist/ the CC-blocklist was made, which is only allocations with "colocrossing" in the name.

    I honestly doubt anyone will actually use the list or files. Sorta why I was joking with Aldryic, as you really need to understand that you are blocking a whole chunk of the internet with a blanket when there is good and bad. Frankly anyone stupid enough to just take my lists and use them without looking deserves getting slightly smacked by it.

    Code:
    $asns[] = 'AS54290'; // Hostwinds
    $asns[] = 'AS33387'; //datashack
    $asns[] = 'AS36352'; // Colocrossing
    $asns[] = 'AS16276'; // OVH
    $asns[] = 'AS32097'; // WSI
    
    
     
    Kris and drmike like this.
  19. Mun

    Mun Never Forget

    892
    237
    May 9, 2013
    Added, thank you!

    Code:
    $asns[] = 'AS29073'; // ecatel
    $asns[] = 'AS15003'; //Nobis Tech
    $asns[] = 'AS40676'; // psychz
    $asns[] = 'AS21788'; //burst
    $asns[] = 'AS57043'; //hostkey
    $asns[] = 'AS54290'; // Hostwinds
    $asns[] = 'AS33387'; //datashack
    $asns[] = 'AS36352'; // Colocrossing
    $asns[] = 'AS16276'; // OVH
    $asns[] = 'AS32097'; // WSI
     
    drmike likes this.
  20. drmike

    drmike 100% Tier-1 Gogent

    8,573
    2,717
    May 13, 2013
    Really is a good need for this sort of stuff @Mun.  Making the scripts "flexible" for users to self generate blocklists based on their whims would do a ton of good.  Whims might be only where company name matched or entire ASN.  Might include whitelist concept too.  Seems like a lot, but really isn't.

    I recommend an option to include the TOP 10 Spamhaus shit-company-networks:

    http://www.spamhaus.org/statistics/networks/

    Catch there, is that said script would need to parse such, locate ASN relationship.
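
Added example, not part of the thread and not Mun's PHP applet: a Python sketch of the "flexible" generator drmike describes in posts 16 and 20, selecting prefixes by whole ASN or by allocation name, subtracting a whitelist, and rendering the text formats listed in the first post. The sample rows (documentation ranges and private-use ASNs), the function names and the set name `asn-block` are assumptions; it handles IPv4 only.

```python
import ipaddress

# Constructed sample: (ASN, allocation name, prefix); documentation ranges only.
SAMPLE = [
    ("AS64500", "ExampleHost LLC", "198.51.100.0/25"),
    ("AS64500", "ExampleHost LLC", "198.51.100.128/25"),
    ("AS64500", "Downstream Customer Inc", "203.0.113.0/24"),
    ("AS64501", "OtherNet", "192.0.2.0/24"),
]

def subtract(net, allow):
    """Return the parts of net not covered by any whitelisted network."""
    remaining = [net]
    for a in allow:
        kept = []
        for r in remaining:
            if not r.overlaps(a):
                kept.append(r)                      # untouched by this entry
            elif not r.subnet_of(a):
                kept.extend(r.address_exclude(a))   # a sits inside r: carve it out
            # else: r is fully whitelisted, drop it
        remaining = kept
    return remaining

def build_blocklist(rows, asns, name_match=None, whitelist=()):
    """Pick prefixes by ASN (optionally by name substring), minus the whitelist."""
    picked = [ipaddress.ip_network(cidr) for asn, name, cidr in rows
              if asn in asns
              and (name_match is None or name_match.lower() in name.lower())]
    allow = [ipaddress.ip_network(w) for w in whitelist]
    out = []
    for net in ipaddress.collapse_addresses(picked):   # merge adjacent prefixes
        out.extend(subtract(net, allow))
    return sorted(ipaddress.collapse_addresses(out))

def render(nets, fmt, set_name="asn-block"):
    """Emit one of the text formats listed in the first post."""
    if fmt == "nginx":
        return [f"deny {n};" for n in nets]
    if fmt == "htaccess":   # Apache 2.4 syntax
        return (["<RequireAll>", "Require all granted"]
                + [f"Require not ip {n}" for n in nets] + ["</RequireAll>"])
    if fmt == "iptables":
        return [f"iptables -A INPUT -s {n} -j DROP" for n in nets]
    if fmt == "ipset":
        return ([f"ipset create {set_name} hash:net -exist"]
                + [f"ipset add {set_name} {n} -exist" for n in nets])
    if fmt == "raw":
        return [str(n) for n in nets]
    raise ValueError(f"unknown format: {fmt}")
```

Matching on the allocation name keeps the downstream customer's /24 out of the list, which is the collateral-damage case raised in post 16.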