RE: Repeated Blacklisting / IP reputation

["Alex Lanstein" <ALanstein () FireEye com>]

Along the same lines, I noticed that the worst Actor in recent memory (McColo - AS26780) stopped paying their bills to 
ARIN and their addresses have been returned to the pool.

It's my opinion that a very select number of CIDR blocks (another example being the ones belonging to 
Cernel/InternetPath/Atrivo/etc, if it were ever fully extinguished) are, and forever will be, completely toxic and 
unusable to any legitimate enterprise.  Arguments could be made that industry blacklists can and should be more 
flexible, but from the considerably more innocuous case in this thread, that is apparently not the modus operandi

I'm curious to hear ARIN's thoughts, as well as the general NANOG populous, on whether you think it would be 
beneficial/possible to allocate the former blocks to $internetgoodguys (Shadowserver, Cymru, REN-ISAC, etc) for 
sinkholing and distribution of the data.  /Many/ infected bots remain stranded post-McColo; large amounts of infection 
intelligence could easily be generated by such a move, and seemingly, would hurt no one.

Although I'm in favor of revocation of allocations, similar to what happens in the DNS space for "bad guys", this sort 
of move could obviously only happen if appropriate AUP sections were added into to the contracts (which I don't see 
happening).  In the interm?  This seems like a golden opportunity to gather some serious intel.

Thoughts?

Regards,

Alex Lanstein


________________________________________
From: John Curran [jcurran () arin net]
Sent: Tuesday, September 08, 2009 1:43 PM
To: nanog () nanog org
Subject: Re: Repeated Blacklisting / IP reputation

Folks -

   It appears that we have a real operational problem, in that ARIN
   does indeed reissue space that has been reclaimed/returned after
   a hold-down period, and but it appears that even once they are
   removed from the actual source RBL's, there are still ISP's who
   are manually updating these and hence block traffic much longer
   than necessary.

   I'm sure there's an excellent reason why these addresses stay
   blocked, but am unable to fathom what exactly that is...
   Could some folks from the appropriate networks explain why
   this is such a problem and/or suggest additional steps that
   ARIN or the receipts should be taking to avoid this situation?

Thanks!
/John

John Curran
President and CEO
ARIN

On Sep 8, 2009, at 11:16 AM, Ronald Cotoni wrote:

> Tom Pipes wrote:
> > Greetings,
> >
> > We obtained a direct assigned IP block 69.197.64.0/18 from ARIN in
> > 2008. This block has been cursed (for lack of a better word) since
> > we obtained it.  It seems like every customer we have added has had
> > repeated issues with being blacklisted by DUL and the cable
> > carriers. (AOL, AT&T, Charter, etc).  I understand there is a
> > process to getting removed, but it seems as if these IPs had been
> > used and abused by the previous owner.  We have done our best to
> > ensure these blocks conform to RFC standards, including the proper
> > use of reverse DNS pointers.
> >
> > I can resolve the issue very easily by moving these customers over
> > to our other direct assigned 66.254.192.0/19 block.  In the last
> > year I have done this numerous times and have had no further issues
> > with them.
> >
> > My question:  Is there some way to clear the reputation of these
> > blocks up, or start over to prevent the amount of time we are
> > spending with each customer troubleshooting unnecessary RBL and
> > reputation blacklisting?
> > I have used every opportunity to use the automated removal links
> > from the SMTP rejections, and worked with the RBL operators
> > directly.  Most of what I get are cynical responses and promises
> > that it will be fixed.
> > If there is any question, we perform inbound and outbound scanning
> > of all e-mail, even though we know that this appears to be
> > something more relating to the block itself.
> >
> > Does anyone have any suggestions as to how we can clear this issue
> > up?  Comments on or off list welcome.
> >
> > Thanks,
> >
> > --- Tom Pipes T6 Broadband/ Essex Telcom Inc tom.pipes () t6mail com
> Unfortunately, there is no real good way to get yourself completely
> delisted.  We are experiencing that with a /18 we got from ARIN
> recently and it is basically the RBL's not updating or perhaps they
> are not checking the ownership of the ip's as compared to before.
> On some RBL's, we have IP addresses that have been listed since
> before the company I work for even existed.  Amazing right?



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.