
ASN-Blocklist

Mun

Never Forget
Really is a good need for this sort of stuff @Mun.  Making the scripts "flexible" for users to self generate blocklists based on their whims would do a ton of good.  Whims might be only where company name matched or entire ASN.  Might include whitelist concept too.  Seems like a lot, but really isn't.

I recommend an option to include the TOP 10 Spamhaus shit-company-networks:

http://www.spamhaus.org/statistics/networks/

Catch there, is that said script would need to parse such, locate ASN relationship.
I honestly don't mind making it flexible so people can make it for any ASN, the problem is people will cause it to eventually get blocked because of too many lookups. I actually would like to make a block list for every ASN. Currently though I am just doing what people suggest, and yes I want suggestions for whatever reason you may like.

I'll add those top 10 to the list as soon as I can find their ASNs. ("i'm going to do it manually for now").
 

drmike

100% Tier-1 Gogent
I honestly don't mind making it flexible so people can make it for any ASN, the problem is people will cause it to eventually get blocked because of too many lookups. I actually would like to make a block list for every ASN. Currently though I am just doing what people suggest, and yes I want suggestions for whatever reason you may like.

I'll add those top 10 to the list as soon as I can find their ASNs. ("i'm going to do it manually for now").
Trick here to limit ban/block is to cache priors and keep them for 24 hours I'd say.  If the tool still gets blocked then use other methods to work around it. 

I use BGP.HE.NET quite a bit and haven't been blocked or CAPTCHA'd yet...
 

Mun

Never Forget
<?php
// ASNs the generator currently builds blocklists for (one entry per ASN)
$asns = array();
$asns[] = 'AS29073'; // ecatel
$asns[] = 'AS15003'; // Nobis Tech
$asns[] = 'AS40676'; // psychz
$asns[] = 'AS21788'; // burst
$asns[] = 'AS57043'; // hostkey
$asns[] = 'AS54290'; // Hostwinds
$asns[] = 'AS33387'; // datashack
$asns[] = 'AS36352'; // Colocrossing
$asns[] = 'AS16276'; // OVH
$asns[] = 'AS32097'; // WSI
$asns[] = 'AS17676'; // Softbank.co.jp
$asns[] = 'AS4134'; // Chinanet-hb
$asns[] = 'AS4808'; // Unicom
$asns[] = 'AS10013'; // DTI.ad.jp
$asns[] = 'AS23818'; // Jet.ne.jp
$asns[] = 'AS33028'; // vexxhost.com
$asns[] = 'AS4725'; // Softbank
$asns[] = 'AS29761'; // quadranet
$asns[] = 'AS62638'; // Query Foundry

Current List
 

DomainBop

Dormant VPSB Pathogen
I recommend an option to include the TOP 10 Spamhaus shit-company-networks:

http://www.spamhaus.org/statistics/networks/
I probably wouldn't block the majority of the companies on the Top 10 list because most of them are giant telecoms/ISPs and you'll end up blocking half of an entire country (or in the case of Softbank which also owns 80% of Sprint in the US, multiple countries).  Blocking Softbank or China Telecom/China Unicom is like blocking Verizon or Comcast: you'll be blocking a lot of residential users and enterprise level businesses.
 

Mun

Never Forget
I probably wouldn't block the majority of the companies on the Top 10 list because most of them are giant telecoms/ISPs and you'll end up blocking half of an entire country (or in the case of Softbank which also owns 80% of Sprint in the US, multiple countries).  Blocking Softbank or China Telecom/China Unicom is like blocking Verizon or Comcast: you'll be blocking a lot of residential users and enterprise level businesses.
I'm leaving that up to the individual. It is their server, they should know and understand what they are doing with a block list.

Also, is anyone willing to make me a readme file for how this stuff works, with words of caution?
 

Mun

Never Forget
Do ipset and iptables support IPv6 anywhere? If not I will add a special line to ignore IPv6 addresses so they won't be put in the config files for iptables or ipset.

Mun
 

drmike

100% Tier-1 Gogent
I probably wouldn't block the majority of the companies on the Top 10 list because most of them are giant telecoms/ISPs and you'll end up blocking half of an entire country (or in the case of Softbank which also owns 80% of Sprint in the US, multiple countries).  Blocking Softbank or China Telecom/China Unicom is like blocking Verizon or Comcast: you'll be blocking a lot of residential users and enterprise level businesses.
definitely going to need ***** WARNING ***** to get slapped in the readme file Mun needs/wants - it should come up in the directory where the files are and also be commented at the top of the block lists.

I talked with geniuses about best approach for blocking these ranges and such being portable and fast.

Conclusion is that iptables and ipset (faster and better) aren't available notably on OVZ containers (usually).

Sub-blocking like in Nginx for instance is downstream in the stack, so still letting stuff in the front door.

The solution and supposedly really fast, is to use route blackhole.

Example:  ip route add blackhole 23.249.160.128/25
That *should* work on KVM, OVZ, dedis, etc.  without any special modules.  Please add this block method @Mun to your scripts.
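A worked version of the list generation this post and Mun's IPv6 question describe, added here as an example and not Mun's script or any code from the thread: it reads the one-prefix-per-line format Mun asked for, keeps IPv6 prefixes out of the IPv4 output, collapses the small per-customer chunks into aggregates so the kernel carries fewer routes, and builds the `ip route ... blackhole` lines as strings without executing them. The prefix list is constructed sample data.

```python
import ipaddress

# Constructed sample list (not real blocklist data): one prefix per line,
# with comments, a blank, overlapping and adjacent blocks, a prefix with
# host bits set, an IPv6 prefix and a junk line.
RAW_LIST = """
# constructed example list
23.249.160.128/25
23.249.160.0/25
23.249.160.0/24
198.144.176.0/20
198.144.176.0/24
1.1.1.0/20
2001:db8::/32
not-a-prefix
"""

def parse_prefixes(text):
    """Split a raw prefix list into IPv4 and IPv6 networks.
    Blank, comment and unparsable lines are skipped; strict=False drops
    host bits so '1.1.1.0/20' is accepted as 1.1.0.0/20."""
    v4, v6 = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # junk line: leave it out rather than abort the run
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6

def blackhole_commands(networks, action="add"):
    """Collapse overlapping/adjacent prefixes into the fewest aggregates,
    then emit one 'ip route <action> blackhole <prefix>' line per aggregate.
    A blackhole route drops traffic *to* the prefix, so the inbound SYN
    still reaches the host but no reply can be routed back; use the same
    function with action='del' to build the removal script."""
    merged = ipaddress.collapse_addresses(networks)
    return [f"ip route {action} blackhole {n}" for n in merged]

if __name__ == "__main__":
    v4, v6 = parse_prefixes(RAW_LIST)
    print("\n".join(blackhole_commands(v4)))
    print(f"# skipped {len(v6)} IPv6 prefix(es)")
```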
 

DomainBop

Dormant VPSB Pathogen
Mun's list seems to be causing a bit of butthurt on LET :p

Alex Vial: "So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant."

Jon Biloh: "Might want to add quadranet and query foundry to the list, both have been in the top five for months at sender base for spam."
 

drmike

100% Tier-1 Gogent
And, using BGP.HE.NET will result in a mega ton of overhead from blocking the tiny chunks they spit out to customers.  This is lots of overhead and will get ugly with HUGE networks or collectively.

I said about ARIN and the direct route of issuance based large block, ehh blocking.

This is what is in CC's hands.  I haven't vetted to make sure everything is in there / included in these larger blocks, but ARIN is supposedly brass tacks serious about ASN = account = your stuff in one pile:

http://whois.arin.net/rest/org/VGS-9/nets

(thanks to fellow that sent that my way)

Looking up other ASNs well, if they aren't on ARIN issuance, would be going to ARIN counterparts abroad - more complexity.

But as you see, tidy list there and includes the upstream issued blocks (which CC lately has begun to soil with spammers - see ServerCentral).
 

drmike

100% Tier-1 Gogent
Mun's list seems to be causing a bit of butthurt on LET :p

Alex Vial: "So you're going to use LET to advertise a way to try to block CC, including LET. Brilliant."

Jon Biloh: "Might want to add quadranet and query foundry to the list, both have been in the top five for months at sender base for spam."
Fuck Jon Biloh, he shoots his cannon at companies who he is asshurt with or by.

He's dipping on Quadranet - probably owes  invoices / back cashola.  Can't deliver ordered servers in LAX at CC in over 2 MONTHS.  Can't issue clean IPs there period. I know CC can't afford the Quadranet house blend BW cause he went fucking ghetto BW with Zayo single homed outbound and a nick of nLayer mixed with Zayo on the inbound.

As for Vial, fuck him too.   They used LET as a corruption vector to bash competitors for how long now?   They lied their ass off for a year plus.

No fucking where on LET or LEB does it say or declare who owns the hog pit.  Closest we get is a GRAPHIC that says it is HOSTED BY COLOCROSSING.   No About information, no privacy information, no DMCA address info, nothing.  Still deceiving the casual reader on LET / LEB they are.
 

drmike

100% Tier-1 Gogent
and while I am f'boming CC,  I think it's shit naming your customer a spammer like Biloh just did supposedly in public and fingering QueryFoundry.

Fact is, I looked at QF recently,  they have a lot of outgoing email (likely a legit customer).  There have been some Spamhaus entries back to them (today I think 2+).  

I am inclined to believe QF is running legit customer with outbound email or I would have papered them into a hole a month back.

I'll let the QueryFoundry folks defend themselves.  Paging @concerto49.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
No fucking where on LET or LEB does it say or declare who owns the hog pit.  Closest we get is a GRAPHIC that says it is HOSTED BY COLOCROSSING.   No About information, no privacy information, no DMCA address info, nothing.  Still deceiving the casual reader on LET / LEB they are.
http://lowendbox.com/about/ == "LowEndBox is part of the VSNX family. We appreciate your feedback, please don’t hesitate to let us know how we’re doing at our help desk."

As far as LET goes. Still no publicly visible claim.
 

drmike

100% Tier-1 Gogent
http://lowendbox.com/about/ == "LowEndBox is part of the VSNX family. We appreciate your feedback, please don’t hesitate to let us know how we’re doing at our help desk."

As far as LET goes. Still no publicly visible claim.
See that little chime in they did right there, that's sheer rubbish.

It's in a FAQ of sorts.  It is the very last line in paragraphs with the title of:

"Q. What information do you need to publish my offer?"

Further, there is zero link to VSNX there.  Where else is VSNX listed or known? Nowhere.

In Google, a search for VSNX =

VSNX - Velocity Servers Network Exchange
vsnx.net/

Get Quotes Results for VSN... - Symbol Lookup from Yahoo ...
finance.yahoo.com/q?s=VSNX

etc.

Which VSNX is it :) ?

You would THINK, that even if they were pretending to do this right, they'd create a HREF to their site.  And such site was actually current, correct, etc. And they'd link / mention such ON THEIR FOOTER.   Cause VSNX now within page says:

"The company's first brand, Velocity Servers, maintains its position as a market leader in the latency sensitive game hosting arena. Entering its sixth year of operations, Velocity's acute awareness for customer service and excellent performance ensures a firm grasp as one of the world's top five game server providers. First conceptualized in late 2005, Summit is the brain child of two Cisco Engineers."

Which is a bunch of lies.  Sixth year is likely ahh wrong, but they like to change year that they started.  Customer service, bahahaha.   Excellent performance - bahahaha.  Top 5 game server provider, WRONG. 

Two Cisco engineers?  Yeah never happened  Summit was one very smart fellow we have lingering here, but  Cisco engineer and someone else laying claim to such, come on. 
 

drmike

100% Tier-1 Gogent
@drmike

Like this: https://cdn.content-network.net/tools/asn-blocklist/AS36352/ip-route-blackhole.txt

Also, it's hard to use ARIN like that, I would actually have to compute the masks in the script and a few other things. If I get a raw list like:

0.0.0.0/10

1.1.1.0/20

5.5.5.0/24

it would be a lot easier to handle. Anything like that on ARIN?
The ip route blackhole list looks right and good.  I just downloaded one and tested :)  Look MOM, no more ColoCrossing.

So with ARIN:

http://whois.arin.net/rest/org/VGS-9/nets

There are links/URLs in that page :)

Within one: http://whois.arin.net/rest/net/NET-198-144-176-0-1.html

2nd line therein:

CIDR198.144.176.0/20

They have a proper REST interface for this supposedly. Unsure if that can help, or give better granular poking at the data.
 

Mun

Never Forget
The ip route blackhole list looks right and good.  I just downloaded one and tested :)  Look MOM, no more ColoCrossing.

So with ARIN:

http://whois.arin.net/rest/org/VGS-9/nets

There are links/URLs in that page :)

Within one: http://whois.arin.net/rest/net/NET-198-144-176-0-1.html

2nd line therein:

CIDR198.144.176.0/20

They have a proper REST interface for this supposedly. Unsure if that can help, or give better granular poking at the data.

Yeah, using that would take a ton of time as I would have to get each address space. Very, very bandwidth consuming.... hmm REST would be nice.

I could possibly cache the results if I built a dynamic one. It wouldn't be too hard. I'm going to see what other people suggest and I might make it. Wouldn't be that hard.
 

drmike

100% Tier-1 Gogent
Yeah, using that would take a ton of time as I would have to get each address space. Very, very bandwidth consuming.... hmm REST would be nice.

I could possibly cache the results if I built a dynamic one. It wouldn't be too hard. I'm going to see what other people suggest and I might make it. Wouldn't be that hard.
These are one time grabs.

If you grab the main records page at ARIN, you only have to parse it and look for ranges you don't yet have stored in database.  Then deal with those one off.

The ranges and blocks ARIN doles out aren't going away any time soon.  Only changes thereto are new blocks added.  So your need to hit all the sub-records is slim to none - if you develop it properly to save such and use such.
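The two ideas in this exchange, computing the masks from an ARIN net record's start/end addresses (Mun's concern) and storing ranges already seen so only new or stale handles get fetched (drmike's caching point, with the 24-hour expiry suggested earlier in the thread), as an added example that is not Mun's script or code from the thread. The net records are constructed sample data; only the first handle and its /20 come from the thread, and nothing here talks to ARIN.

```python
import ipaddress
import time

TTL = 24 * 60 * 60  # re-check a stored record at most once a day

# Constructed sample of what an org's nets listing yields per record:
# (net handle, start address, end address). The first handle and its
# 198.144.176.0/20 range are the ones quoted in the thread; the second
# is a made-up RFC 5737 range that does not fit one CIDR block.
SAMPLE_NETS = [
    ("NET-198-144-176-0-1", "198.144.176.0", "198.144.191.255"),
    ("NET-EXAMPLE-2", "192.0.2.8", "192.0.2.23"),
]

def range_to_cidrs(start, end):
    """Turn an ARIN-style start/end address pair into the minimal list of
    CIDR prefixes, i.e. the mask computation Mun mentioned."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def refresh(cache, nets, now=None, ttl=TTL):
    """Merge an org's net records into `cache` ({handle: (ts, [cidrs])}).
    Only handles that are new or older than `ttl` are recomputed, so a
    daily run parses the listing once and reuses stored ranges for the
    rest. Returns the handles that were (re)computed this run."""
    now = time.time() if now is None else now
    touched = []
    for handle, start, end in nets:
        entry = cache.get(handle)
        if entry is not None and now - entry[0] < ttl:
            continue  # still fresh: no per-record lookup needed
        cache[handle] = (now, range_to_cidrs(start, end))
        touched.append(handle)
    return touched

def all_prefixes(cache):
    """Flatten the cache into one sorted, de-duplicated prefix list
    ready for the blocklist generator."""
    nets = {ipaddress.ip_network(c) for _, cidrs in cache.values() for c in cidrs}
    return [str(n) for n in sorted(nets)]

if __name__ == "__main__":
    cache = {}
    print("computed:", refresh(cache, SAMPLE_NETS))
    print("\n".join(all_prefixes(cache)))
```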
 