Repeated Blacklisting / IP reputation
ALanstein at FireEye.com
Thu Sep 10 02:18:34 UTC 2009
Along the same lines, I noticed that the worst Actor in recent memory (McColo - AS26780) stopped paying their bills to ARIN and their addresses have been returned to the pool.
It's my opinion that a very select number of CIDR blocks (another example being the ones belonging to Cernel/InternetPath/Atrivo/etc, if it were ever fully extinguished) are, and forever will be, completely toxic and unusable to any legitimate enterprise. Arguments could be made that industry blacklists can and should be more flexible, but from the considerably more innocuous case in this thread, that is apparently not the modus operandi
I'm curious to hear ARIN's thoughts, as well as the general NANOG populous, on whether you think it would be beneficial/possible to allocate the former blocks to $internetgoodguys (Shadowserver, Cymru, REN-ISAC, etc) for sinkholing and distribution of the data. /Many/ infected bots remain stranded post-McColo; large amounts of infection intelligence could easily be generated by such a move, and seemingly, would hurt no one.
Although I'm in favor of revocation of allocations, similar to what happens in the DNS space for "bad guys", this sort of move could obviously only happen if appropriate AUP sections were added into to the contracts (which I don't see happening). In the interm? This seems like a golden opportunity to gather some serious intel.
From: John Curran [jcurran at arin.net]
Sent: Tuesday, September 08, 2009 1:43 PM
To: nanog at nanog.org
Subject: Re: Repeated Blacklisting / IP reputation
It appears that we have a real operational problem, in that ARIN
does indeed reissue space that has been reclaimed/returned after
a hold-down period, and but it appears that even once they are
removed from the actual source RBL's, there are still ISP's who
are manually updating these and hence block traffic much longer
I'm sure there's an excellent reason why these addresses stay
blocked, but am unable to fathom what exactly that is...
Could some folks from the appropriate networks explain why
this is such a problem and/or suggest additional steps that
ARIN or the receipts should be taking to avoid this situation?
President and CEO
On Sep 8, 2009, at 11:16 AM, Ronald Cotoni wrote:
> Tom Pipes wrote:
>> We obtained a direct assigned IP block 188.8.131.52/18 from ARIN in
>> 2008. This block has been cursed (for lack of a better word) since
>> we obtained it. It seems like every customer we have added has had
>> repeated issues with being blacklisted by DUL and the cable
>> carriers. (AOL, AT&T, Charter, etc). I understand there is a
>> process to getting removed, but it seems as if these IPs had been
>> used and abused by the previous owner. We have done our best to
>> ensure these blocks conform to RFC standards, including the proper
>> use of reverse DNS pointers.
>> I can resolve the issue very easily by moving these customers over
>> to our other direct assigned 184.108.40.206/19 block. In the last
>> year I have done this numerous times and have had no further issues
>> with them.
>> My question: Is there some way to clear the reputation of these
>> blocks up, or start over to prevent the amount of time we are
>> spending with each customer troubleshooting unnecessary RBL and
>> reputation blacklisting?
>> I have used every opportunity to use the automated removal links
>> from the SMTP rejections, and worked with the RBL operators
>> directly. Most of what I get are cynical responses and promises
>> that it will be fixed.
>> If there is any question, we perform inbound and outbound scanning
>> of all e-mail, even though we know that this appears to be
>> something more relating to the block itself.
>> Does anyone have any suggestions as to how we can clear this issue
>> up? Comments on or off list welcome.
>> --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pipes at t6mail.com
> Unfortunately, there is no real good way to get yourself completely
> delisted. We are experiencing that with a /18 we got from ARIN
> recently and it is basically the RBL's not updating or perhaps they
> are not checking the ownership of the ip's as compared to before.
> On some RBL's, we have IP addresses that have been listed since
> before the company I work for even existed. Amazing right?
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the NANOG