Repeated Blacklisting / IP reputation

Tue Sep 8 19:21:34 UTC 2009

John Curran wrote:
>  On Sep 8, 2009, at 2:18 PM, JC Dill wrote:
>
> > It seems simple and obvious that ARIN, RIPE, et. al. should
> > determine the blacklist state of a reclaimed IP group and ensure
> > that the IP group is usable before re-allocating it.
> >
> > When IPs are reclaimed, first check to see if the reclaimed IPs are
> >  on any readily checked RBL or private blacklist of major ISPs,
> > corporations, universities, etc.  If so, work with those groups to
> > get the blocks removed *prior* to reissuing the IPs to a new
> > entity. Before releasing the IPs to a new entity, double check that
> >  they are not being blocked (that any promises to remove them from
> > a blacklist were actually fulfilled).  Hold the IPs until you have
> > determined that they aren't overly encumbered with prior blacklist
> > blocks due to poor behavior of the previous entity.  (The same
> > should be done before allocating out of a new IP block, such as
> > when you release the first set of IPs in a new /8.)
>
>  In this case, it's not the RBL's that are the issue; the address
>  block in question isn't on them.  It's the ISP's and other firms
>  using manual copies rather than actually following best practices.

It's not that hard to make a list of the major ISPs, corporations, 
universities (entities with a large number of users), find willing 
contacts inside each organization (individual or role addresses you can 
email, and see if the email bounces, and who will reply if the email is 
received) and run some automated tests to see if the IPs are being 
blocked.  In your follow-up email to me, you said you check "dozens" of 
RBLs - that is clearly insufficient - probably by an order of magnitude 
- of the entities you should check with.  The number should be 
"hundreds".  A reasonably cluefull intern can provide you with a 
suitable list in short order, probably less than 1 day, and find 
suitable contacts inside each organization in a similar time frame - it 
might take a week total to build a list of ~500 entities and associated 
email addresses.  Because of employee turn-over the list will need to be 
updated, ~1-10 old addresses purged and replaced with new ones on a 
monthly basis.

> > Why isn't this being done now?
> >
> > Issuing reclaimed IPs is a lot like selling a used car, except that
> >  the buyer has no way to "examine" the state of the IPs you will
> > issue them beforehand.  Therefore it's up to you (ARIN, RIPE, et.
> > al.) to ensure that they are "just as good" as any other IP block.
> > It is shoddy business to take someone's money and then sneakily
> > give them tainted (used) goods and expect them to deal with
> > cleaning up the mess that the prior owner made, especially when you
> >  charge the same rate for untainted goods!
>
>  Not applicable in this case, as noted above.

What do you mean, "not applicable"?  You take the money and issue IPs.  
There is no way for the "buyer" to know before hand if the IPs are 
"tainted" (used) or new.  It is up to you (ARIN) to ensure that the 
goods (IPs) are suitable for the intended use.  My analogy is entirely 
applicable, and I'm amazed you think otherwise.

>  So, back to the question:  could someone explain why they've got
>  copies of the RBL's in their network which don't get updated on any
>  reasonable refresh interval? (weekly? monthly?)

The "why" really isn't at issue - it happens and it's going to keep 
happening.  The question is what are you (ARIN) going to do about it? 

Give me the serenity to accept the things I cannot change,
The courage to change the things I can,
And the wisdom to know the difference.

You (ARIN et. al.) don't have any ability to change the why.  What you 
can change is how you go about determining if an IP block is suitable 
for reallocation or not, and what steps you take to repair IP blocks 
that aren't suitable for reallocation.

jc - posted to NANOG since John indicated that he thought his reply to 
me was going to NANOG as well.