Internet ghost-towns: the blocked IPs where the bad guys used to live

When a block of IP addresses or a collection of domain names becomes associated with bad action — spamming, jabbering, denial-of-servicing — various ad-hoc Internet groups will add it to a blacklist of "rogue IPs" or "badware domains" that are blocked at a very low level in the network.

The problem is that there doesn't seem to be any way to readily diffuse an "all clear" signal to everyone who follows along with this block, which means that gradually, the net is acquiring "slums" — blocks of useful space that can't be occupied by legitimate users because someone bad once lived there and now no one will accept their traffic.

The Washington Post's Security Fix visits this question — it's a compelling problem when you think of it. Bad actors will continue to move from blocked IPs to fresh ones, and if we never release the blocked sections, eventually we'll have shut down a very large chunk of IP space indeed.

"The problem is once an address block gets so polluted and absorbed into all these blocklists, it's difficult to get off all of them because there is no central blocking authority," said Paul Ferguson, an advanced threat researcher at Trend Micro. "That space won't be toxic for all time to come, but certainly it is going to be tainted for whoever ends up with it…"

"What you'll find is some blacklists out there are derivatives of other lists, and it's hard to get those cleaned up," Bertier said, recalling a case last year in which a customer was given a swath of Internet addresses, only to find it was impossible to send e-mail from that space. "Typically in those cases, we'll work with the customers to get them new space and mark that allocation as something that really shouldn't be used for e-mail."

A year later: A look back at McColo

(via /.)