Internet ghost-towns: the blocked IPs where the bad guys used to live

Cory Doctorow at 3:33 am Fri, Nov 13, 2009

When a block of IP addresses or a collection of domain names becomes associated with bad action -- spamming, jabbering, denial-of-servicing -- various ad-hoc Internet groups will add it to a blacklist of "rogue IPs" or "badware domains" that are blocked at a very low level in the network.

The problem is that there doesn't seem to be any way to readily diffuse an "all clear" signal to everyone who follows along with this block, which means that gradually, the net is acquiring "slums" -- blocks of useful space that can't be occupied by legitimate users because someone bad once lived there and now no one will accept their traffic.

The Washington Post's Security Fix visits this question -- it's a compelling problem when you think of it. Bad actors will continue to move from blocked IPs to fresh ones, and if we never release the blocked sections, eventually we'll have shut down a very large chunk of IP space indeed.

"The problem is once an address block gets so polluted and absorbed into all these blocklists, it's difficult to get off all of them because there is no central blocking authority," said Paul Ferguson, an advanced threat researcher at Trend Micro. "That space won't be toxic for all time to come, but certainly it is going to be tainted for whoever ends up with it..."

"What you'll find is some blacklists out there are derivatives of other lists, and it's hard to get those cleaned up," Bertier said, recalling a case last year in which a customer was given a swath of Internet addresses, only to find it was impossible to send e-mail from that space. "Typically in those cases, we'll work with the customers to get them new space and mark that allocation as something that really shouldn't be used for e-mail."

A year later: A look back at McColo (via /.)
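The post describes listings that never carry an "all clear", and the Security Fix excerpt adds that derivative lists copy entries and never clean them up. As an added example (not code from Boing Boing, Security Fix, or any real blocklist operator), the following models the defender-side fix: a blocklist whose entries lapse unless the abuse is observed again, plus the reversed-octet name a mail server resolves when it queries a DNSBL zone. The zone name, addresses (TEST-NET-1) and dates are constructed, and the 30-day lapse is an assumption.

```python
"""Added example: an expiring blocklist and a DNSBL query-name builder.
Zone, addresses and dates are constructed; the 30-day TTL is an assumption."""
from datetime import datetime, timedelta
import ipaddress

DEFAULT_TTL = timedelta(days=30)  # assumed: a listing lapses after 30 quiet days


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a client resolves to check an IPv4 address against a DNSBL zone.
    The octets are reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class ExpiringBlocklist:
    """Each listed netblock records when abuse was last seen. A block that is
    not reported again within the TTL stops matching, so space reassigned to
    a legitimate user is not blocked forever."""

    def __init__(self, ttl: timedelta = DEFAULT_TTL):
        self.ttl = ttl
        self._last_seen: dict[ipaddress.IPv4Network, datetime] = {}

    def report(self, cidr: str, when: datetime) -> None:
        """Record (or refresh) a listing; later reports extend its life."""
        net = ipaddress.IPv4Network(cidr, strict=False)
        prev = self._last_seen.get(net)
        if prev is None or when > prev:
            self._last_seen[net] = when

    def is_blocked(self, ip: str, now: datetime) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net and now - seen <= self.ttl
                   for net, seen in self._last_seen.items())

    def sweep(self, now: datetime) -> list[str]:
        """Drop lapsed entries and return them, so derivative lists that copied
        the listing can be told to drop it too."""
        lapsed = [n for n, seen in self._last_seen.items() if now - seen > self.ttl]
        for net in lapsed:
            del self._last_seen[net]
        return [str(n) for n in lapsed]


def demo() -> tuple[bool, bool, list[str]]:
    """One listing of a constructed /24: blocked at day 10, lapsed by day 45."""
    bl = ExpiringBlocklist()
    t0 = datetime(2009, 11, 1)            # constructed report date
    bl.report("192.0.2.0/24", t0)         # constructed netblock (TEST-NET-1)
    during = bl.is_blocked("192.0.2.10", t0 + timedelta(days=10))
    after = bl.is_blocked("192.0.2.10", t0 + timedelta(days=45))
    return during, after, bl.sweep(t0 + timedelta(days=45))


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "bl.example"), demo())
```

A real operator would also republish the swept entries (for example as a delist feed) so that the derivative lists Bertier describes can drop them too.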


  • hancocks

    They should block those IP addresses, then unblock them, then block them again, then unblock them… pretty much at random.

    That way, they’ll be providing about the same level of service as my local ISP…sigh…

  • pelrun

    Sounds like the perfect method to motivate people to transition across to IPv6 :D

    • Agies

      Not really. IPv6 doesn’t provide any sort of real solution for this.

      • dculberson

        Just quantity. Yeah, eventually you’d run into the same problem – but it’ll be the next generation’s problem. ;-)

  • Halloween Jack

    Ironically, it seems like block lists are propagated, and persist, not unlike spam lists.

  • Antinous / Moderator

    Yeah, I’m looking at you, IPs that start with 58 or 59.

  • manicbassman

    shouldn’t be blocking IP addresses anyway… they should be blocking domain names and do a DNS lookup every day to get the latest IP for the domain…

    simple really… when you get an active spammer, then reverse DNS to get the domain, then add that domain to the blocklist… then every day, repopulate a temporary IP list using DNS lookups of the blocked domains…

    I’m convinced some admins are just too lazy to write a simple script to run every day…

  • Todd Knarr

    #5: the problem is that DNS lookups are per-address or per-host, not per-domain. Certainly I can go from the address of the spamming host to its DNS name, and I can probably trim that to get just the domain, but from that there’s no way to reliably translate that into an IP address block. There’s in principle a way, if the spammer’s set up some special records correctly and accurately, but they probably didn’t. And it’s fairly easy for them to make the domain name resolve to an address that’s got nothing to do with the IP range they’re really coming from. So the only thing I’ve really got that I can use is the IP block containing the IP address of the host they used.

  • Anonymous

    I ran into this when I went with a low-cost colo provider. It took a year to get my IP unblacklisted, and many, many attempts. It’s like anti-virus: the companies that run blacklists have better credence if their databases are larger. So they have little motivation to de-list an IP once they have it.

  • Anonymous

    With services like Ring Central and Google Voice, the same thing will happen with phone numbers. I’ve blocked a number of telemarketing phone numbers — years from now, when someone legit has the number, they will not be able to call me.

  • mdh

    They should ask urban planners for advice. Seriously.

  • Antinous / Moderator

    I’ve been gray-listed within the last two years, as have Xeni and David. And probably more of us that I don’t know about. I think that anyone who does a fair amount of online business will be accidentally (or vengefully) tagged enough times to have the occasional problem.

  • octopod

    not Argleton in Lancashire then, meh.

  • codeman38

    I’ve even seen this happen on a more short-term basis: A hosting company has several clients who try running spambots. Within a day, the spammers’ accounts have already been cancelled by the host. But by that time, the IP block has already been added to several blacklists. It’s particularly bad when you’re dealing with a single SMTP server that’s shared between several web sites, as some hosting companies tend to do.

    • Anonymous

      Spam blacklists fail in one very specific way, and that’s that spam scores need to reflect the user population density of a netblock. As there is no way of telling how many physically discrete people use a specific netblock to send email, there is no way of coming up with accurate spam scores and metrics.

      This is why webhosts, esp. ones with large mail clusters, get very, very badly dinged as far as mail delivery. A webhost with 10,000 customers using its mail servers is most likely going to have a worse spam score than a spam-producing business with its own netblock (spam-producing business != business of producing spam).

  • Anonymous

    @manicbassman: … and what happens when there is no reverse DNS? Nobody is under any obligation to set up an IP to name mapping.