[ale] Ouch, dang it.

Alex Carver agcarver+ale at acarver.net
Tue Jun 3 03:43:04 EDT 2025


MIT had 18.0.0.0/8 and Stanford had 36.0.0.0/8 but both have returned a 
large portion of their allocated blocks some time ago. MIT dropped 
theirs to 18.0.0.0/11 and returned the rest of the block to ARIN in 
exchange for some other blocks[1]. Stanford returned the whole block and 
took at least five /16 blocks in exchange.[2]

MIT never had 23.0.0.0/8 but it is under control of ARIN and part of it 
is currently assigned to Akamai (23.0.0.0/12). The rest of it is 
assigned in large chunks to other places. That's why you'll see attacks 
from blocks inside 23.0.0.0/8. Plus there's a lot of reselling happening 
all over so it's even harder to tell sometimes where something is coming 
from. Some of the big blocks on the list for the 23.0.0.0/8 block 
(larger than /16 unless a big name):
23.0.0.0/12 Akamai
23.16.0.0/15 Telus
23.18.0.0/16 T-Mobile
23.20.0.0/14 Amazon Elastic Cloud
23.24.0.0/15 Comcast
23.30.0.0/15 Comcast
23.32.0.0/11, 23.64.0.0/14 Akamai
23.68.0.0/14 Comcast
23.72.0.0/13 Akamai
23.84.0.0/14 Charter
23.89.0.0/16 Cisco Webex
23.91.0.0/19 Amazon AWS
23.94.0.0/15 HostPapa
23.96.0.0/13 Microsoft
23.112.0.0/12 AT&T
23.143.0.0/24 Publix Super Markets (had to throw that in there being a 
home town thing)
23.192.0.0/11 Akamai
23.224.0.0/15 CloudRadium
23.228.0.0/18 McDonald's
23.240.0.0/14 Charter
23.244.0.0/15 Breezeline
23.246.0.0/18 Netflix
There are lots of small blocks sprinkled in there that I skipped, some 
assigned to names in that list like other Amazons or smaller ISPs, and 
several blocks are assigned to RIPE or APNIC.
Slowly the large chunks of IPv4 space are being reclaimed and sliced up 
into smaller segments that make more sense than full Class A, B, and C.
[1] https://kb.mit.edu/confluence/pages/viewpage.action?pageId=46301207
[2] https://csl.stanford.edu/~pal/cs144/2012-stanford-jfp-clean.pdf

On 2025-06-02 12:47, Bob Toxen via Ale wrote:
> You can browse the following to get a list of IPs from any country:
> 
>    http://www.ip2location.com/blockvisitorsbycountry.aspx
> 
> I just tried it and China had over 8000 entries.  There are lots
> of /24 and /23 that you probably could compress down to /16 and not
> care about blocking a few extra.
> 
> The most common countries (from memory) that bad actors come from are:
> 
>    China
>    Russia
>    Romania
>    Ukraine
>    Other Eastern European countries
>    S Korea
>    Brasil
> 
> Also, I find a lot of attacks from MIT's 23.0.0.0/8.  Just saying.
> 
> There is a high correlation with countries having lots of smart people
> who have poor economies.
> 
> Best regards,
> Bob Toxen, Retired from CTO
> Horizon Network Security
> 
> Author,
> "Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
> 2nd Ed., Prentice Hall, 848 pages, ISBN: 9780130464569.
> Also available in Japanese, Chinese, Czech, and Polish.
> 
> On Fri, May 30, 2025 at 11:18:56AM -0700, Alex Carver via Ale wrote:
>> I love ipset. It's hard to beat the ease of use and the quick update
>> capability. I have one ipset list that handles one-off events where I can
>> rapidly dump a single, troublesome IP inside so I can deal with stuff later.
>> Otherwise I just start blocking whole subnets.
>>
>> The largest set which is entirely CIDRs greater than /24 on one server is:
>>
>> Total lines in blocklist: 79779
>> Total IPv4s blocked: 789,568,787
>>
>> And that's IPs blocked after this non-overlapping set in the main firewall
>> which is primarily /16 or larger:
>>
>> Total lines in blocklist: 5451
>> Total IPv4s blocked: 353,610,636
>>
>> (I don't bother with IPv6 because I don't have it enabled.)
>>
>> Blocking huge chunks of the network cuts traffic down dramatically
>> especially as bots give up and instruct other bots not to bother. I don't
>> think I've truly lost any functionality, at least not that I've noticed over
>> many years of making ever larger block lists.
>>
>> On 2025-05-29 19:23, dj-Pfulio via Ale wrote:
>>> Ipset easily handles huge numbers of ips or subnets. My servers run older OSes, so I'm unsure how nft works with IPset.
>>>
>>> I have one system that blocks over 130,000 subnets using ipset.  It uses a single firewall rule for all those blocked subnets.  Quite a few are /8 for simplicity.
>>>
>>> On May 29, 2025 9:09:37 PM EDT, Ron via Ale <ale at ale.org> wrote:
>>>> Jim Kinney via Ale wrote on 2025-05-29 17:11:
>>>>
>>>>> Add a rule to send problem IP to a different internal port that has
>>>>> a VERY slow page load that is a redirect notice to DHS.
>>>>
>>>> I don't think that'll work, since:
>>>>
>>>> lollipopman691 via Ale wrote on 2025-05-29 15:31:
>>>>
>>>>> My last TWiki log has requests from about 70,000 ip addresses for
>>>>> that one TWiki page.
>>>> That's a *lot* of IP addresses. A virtual DDoS.
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> https://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> http://mail.ale.org/mailman/listinfo
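The thread talks about three mechanical steps without showing any code: turning a pile of CIDR entries into a non-overlapping set (Alex's "non-overlapping set in the main firewall"), totalling the addresses it covers ("Total IPv4s blocked"), and working out who actually holds a block inside 23.0.0.0/8 before deciding whether an attack "from MIT" really is. The script below is an added example and is not code from anyone on the list. The sample blocklist is constructed for the example; the 23.0.0.0/8 allocation table is copied from Alex's list above; the ipset set name "blocked_nets" is a placeholder.

```python
"""
Added example (not from the ALE thread): collapse a CIDR blocklist into a
non-overlapping set, count the addresses it covers, emit the matching
ipset commands, and attribute an address to a listed 23.0.0.0/8 holder.
Uses only the standard-library ipaddress module.
"""
import ipaddress
from typing import Iterable

# Constructed sample blocklist with deliberate overlap and adjacency so that
# collapsing actually changes something.
SAMPLE_BLOCKLIST = """
# comments and blank lines are ignored
203.0.113.0/24
203.0.113.0/25      # already inside the /24 above
198.51.100.0/25
198.51.100.128/25   # adjacent to the previous /25, merges into a /24
192.0.2.0/24
192.0.2.7           # bare host already inside the /24 above
"""

# Large allocations inside 23.0.0.0/8 as listed in the message above.
ALLOCATIONS_23 = {
    "23.0.0.0/12": "Akamai", "23.16.0.0/15": "Telus", "23.18.0.0/16": "T-Mobile",
    "23.20.0.0/14": "Amazon Elastic Cloud", "23.24.0.0/15": "Comcast",
    "23.30.0.0/15": "Comcast", "23.32.0.0/11": "Akamai", "23.64.0.0/14": "Akamai",
    "23.68.0.0/14": "Comcast", "23.72.0.0/13": "Akamai", "23.84.0.0/14": "Charter",
    "23.89.0.0/16": "Cisco Webex", "23.91.0.0/19": "Amazon AWS",
    "23.94.0.0/15": "HostPapa", "23.96.0.0/13": "Microsoft", "23.112.0.0/12": "AT&T",
    "23.143.0.0/24": "Publix Super Markets", "23.192.0.0/11": "Akamai",
    "23.224.0.0/15": "CloudRadium", "23.228.0.0/18": "McDonald's",
    "23.240.0.0/14": "Charter", "23.244.0.0/15": "Breezeline",
    "23.246.0.0/18": "Netflix",
}


def parse_blocklist(text: str) -> list:
    """One CIDR or bare IPv4 address per line; '#' comments and blanks skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            # strict=False accepts host bits set, e.g. 10.1.2.3/8 -> 10.0.0.0/8
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets: Iterable) -> list:
    """Minimal non-overlapping set covering the same addresses, sorted."""
    return list(ipaddress.collapse_addresses(nets))


def count_addresses(nets: Iterable) -> int:
    """The 'Total IPv4s blocked' figure for a set of networks."""
    return sum(n.num_addresses for n in nets)


def ipset_commands(setname: str, nets: Iterable) -> list:
    """ipset create/add lines for a hash:net set holding the collapsed list."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {n.with_prefixlen} -exist" for n in nets]
    return cmds


def lookup_holder(ip: str):
    """(network, holder) of the most specific listed allocation containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, holder in ALLOCATIONS_23.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, holder)
    return best


if __name__ == "__main__":
    raw = parse_blocklist(SAMPLE_BLOCKLIST)
    merged = collapse(raw)
    print(f"Total lines in blocklist: {len(raw)} -> {len(merged)} after collapse")
    print(f"Total IPv4s blocked: {count_addresses(raw):,} -> {count_addresses(merged):,}")
    print("\n".join(ipset_commands("blocked_nets", merged)))
    for probe in ("23.5.6.7", "23.100.1.1", "23.143.0.5"):
        net, holder = lookup_holder(probe)
        print(f"{probe} is in {net} ({holder})")
```

Counting before and after collapse shows why the raw line count overstates coverage: overlapping entries double-count, while adjacent entries can be expressed as one shorter prefix, which is also the cheapest form for a hash:net set. The holder lookup only knows the large allocations listed in the message, so an address in one of the smaller sub-blocks Alex skipped may come back attributed to the enclosing block or to nothing at all.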