Repeated Blacklisting / IP reputation

Brandon Lehmann brandon at
Tue Sep 15 21:12:55 UTC 2009

I believe there is another side to that argument as well.

If I operate a regional ISP and request address space for dynamic  
address pools I am aware of a few things:

1) I am fully aware that there is a chance a customer's system could  
become infected and generate millions of malicious messages/packets/ 
2) I am also aware that it is possible that that one machine could  
have any number of IP addresses during the course of the week;  
therefore, it would be possible that they could 'contaminate' an  
entire /24
3) I know that if I'm made aware of the zombified machine that I'll  
disable access to the customer quickly; however, the damage has  
usually already been done.
4) Do I actually care if one of my dynamic address blocks are in a  
DNSBL? Not at all. They should be using my mail server anyways.

Should I have to go through and make sure that every single IP  
address/block is 'clean' before returning the allocation to ARIN? I  
can say with utmost confidence "I don't care" because I no longer  
need them. If my ability to receive new allocations required that I  
clean up a dynamic address block before receiving a new one I would  
take better care of my blocks; however, it may be cheaper just to  
keep the old block (null route it) and ask for another one.

The question becomes: Where do you draw the 'contamination' line? A  
network may be using a block well within what we would consider  
'reasonable' usage; however, the block may become 'unusable' for  
certain purposes. Should they too be denied further address space? If  
thats the case every broadband provider out there should be cut off  
because they're customers keep getting infected and are used to DDOS/ 
SPAM/Exploit our networks.

What I'm trying to say in a long-winded and round about way is simple  
--- The contamination doesn't always happen 'on purpose' or with any  
foresight and it may not be an entire block that is bad. Everyone is  
guilty at some point of having a few 'dirty' IPs on their network...  
and I'm sure all of us have left many dirty because god only knows  
where all it is blocked.

On Sep 15, 2009, at 4:23 PM, Valdis.Kletnieks at wrote:

> On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>>   Anyone that intentionally uses address space in a manner that they
>> know will cause it to become contaminated should be denied on any
>> further address space requests.
> You *do* realize that the people you're directing that paragraph at  
> are
> able to say with a totally straight face: "We're doing nothing  
> wrong and
> we have *no* idea why we end up in so many local block lists"?

More information about the NANOG mailing list