The Shady World of IP Leasing

(acid.vegas)

76 points | by alibarber 7 hours ago

13 comments

  • BLKNSLVR 5 hours ago
    I have my own system of IP reputation whereby if an IP address hits one of my systems with some probe or scan that I didn't ask for, then it's blocked for 12 months.

    https://github.com/UninvitedActivity/UninvitedActivity

    P.S. just to add a note here that I have been blocked out of my own systems occasionally from mobile / remote IPs due to my paranoia-level setup. But I treat that as learning / refinement, but also can accept that as the cost of security sometimes.

    • Latty 4 hours ago
      My first thought is that with CGNAT ever more present, this kind of approach seems like it'll have a lot of collateral damage.
      • BLKNSLVR 4 hours ago
        Yeah, my setup is purely for my own security reasons and interests, so there's very little downside to my scorched earth approach.

        I do, however, think that if there was a more widespread scorched earth approach then the issues like those mentioned in the article would be much less common.

        • lxgr 4 hours ago
          In such a world you can say goodbye to any kind of free Wi-Fi, anonymous proxy etc., since all it would take to burn an IP for a year is to run a port scan from it, so nobody would risk letting you use theirs.

          Fortunately, real network admins are smarter than that.

          • BLKNSLVR 2 hours ago
            Pretty much. I think there's also a responsibility on the part of the network owner to restrict obviously malicious traffic. Allow anonymous people to connect to your network and then perform port scans? I don't really want any traffic from your network then.

            Yes, there are less scorched-earth ways of looking at this, but this works for me.

            As always, any of this stuff is heavily context specific. Like you said: network admins need to be smart, need to adapt, need to know their own contexts.

            • gzread 2 hours ago
              Do you feel coffee shop WiFi should require you to scan your passport to connect, or that it shouldn't exist at all?
              • perching_aix 47 minutes ago
                Not OP, but the latter sounds pretty good actually, yeah. Never understood the free WiFi craze anyways. Just use cellular?
        • Gigachad 1 hour ago
          If you actually wanted your site or service to be accessible you’d run into issues immediately since one IP would have cycled between hundreds of homes in a year.

          IP based bans have long been obsolete.

      • abofh 4 hours ago
        For people that implement it there's less than three people who use it, or agencies supporting it
        • gzread 2 hours ago
          CGNAT? That's definitely not true. There are whole towns that have to share one IP address. They're mostly in the third world.
    • ronsor 3 hours ago
      > can accept that as the cost of security sometimes

      And corporate IT wonders why employees are always circumventing "security policies"...

      • BLKNSLVR 2 hours ago
        Additional explanation: this is primarily a personal setup.

        There would be a lot of refinement and contingencies to implement something like this for corporate / business.

        Having said that, I still exist on the ruthless side of the blocking equation. I'd generally prefer some kind of small allow list than a gigantic block list, but this is how it's (d)evolved.

        • cortesoft 2 hours ago
          How is this better than blocking after a certain quantity in a range of time instead?

          Single queries should never be harmful to something openly accessible. DOS is the only real risk, and blocking after a certain level of traffic solves that problem much better with less possibility of a false positive, and no risk to your infrastructure, either.

    • kevin_thibedeau 4 hours ago
      I perma-ban any /16 that hits fail2ban 100+ times. That cuts down dramatically on the attacks from the usual suspects.
      • BLKNSLVR 4 hours ago
        I haven't manually reviewed my lists for a while, but I did similar checks for X IP addresses detected from within a /24 block to determine whether I should just block the whole /24.

        Manual reviewing like this also helped me find a bunch of organisations that just probe the entire IPv4 range on a regular basis, trying to map it for 'security' purposes. Fuck them, blocked!

        P.S. I wholeheartedly support your choice of blocking for your reasons.
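The /16 and /24 escalation heuristics described in the two comments above, as an added example that is not code from either commenter: it parses constructed fail2ban-style "Ban" lines, counts hits and distinct hosts per prefix, and escalates to a whole /24 or /16 once assumed thresholds are crossed.

```python
from collections import defaultdict
import ipaddress
import re

# Constructed sample lines in the style of fail2ban's "Ban" log entries.
SAMPLE_LOG = """\
2024-05-01 10:00:01 fail2ban.actions [123]: NOTICE [sshd] Ban 203.0.113.10
2024-05-01 10:00:05 fail2ban.actions [123]: NOTICE [sshd] Ban 203.0.113.11
2024-05-01 10:00:09 fail2ban.actions [123]: NOTICE [sshd] Ban 203.0.113.12
2024-05-01 10:01:00 fail2ban.actions [123]: NOTICE [sshd] Ban 198.51.100.7
2024-05-01 10:02:00 fail2ban.actions [123]: NOTICE [sshd] Ban 203.0.113.10
2024-05-01 10:03:00 fail2ban.actions [123]: NOTICE [sshd] Ban 192.0.2.44
"""

BAN_RE = re.compile(r"\bBan (\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_bans(text):
    """Return one IPv4Address per Ban line (repeat hits are kept, not deduplicated)."""
    ips = []
    for line in text.splitlines():
        m = BAN_RE.search(line)
        if m:
            try:
                ips.append(ipaddress.IPv4Address(m.group(1)))
            except ipaddress.AddressValueError:
                continue  # malformed address such as 999.1.1.1: skip it
    return ips

def prefix_stats(ips, prefixlen):
    """Map each /prefixlen supernet to (total_hits, distinct_hosts)."""
    hits = defaultdict(int)
    hosts = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hits[net] += 1
        hosts[net].add(ip)
    return {net: (hits[net], len(hosts[net])) for net in hits}

def decide_blocks(ips, min_hosts_24=3, min_hits_16=100):
    """Escalate to a /24 when several distinct hosts in it were banned (assumed
    threshold), and to a /16 when its total hit count reaches the threshold."""
    blocks = set()
    for net, (_, distinct) in prefix_stats(ips, 24).items():
        if distinct >= min_hosts_24:
            blocks.add(net)
    for net, (total, _) in prefix_stats(ips, 16).items():
        if total >= min_hits_16:
            blocks.add(net)
    return sorted(blocks)

if __name__ == "__main__":
    for net in decide_blocks(parse_bans(SAMPLE_LOG)):
        print("block", net)
```

With the sample data only 203.0.113.0/24 crosses the distinct-host threshold; lowering `min_hits_16` shows the /16 escalation as well.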

        • kees99 3 hours ago
          > bunch of organisations that just probe the entire IPv4 range on a regular basis

          Yep, #1 source of junk traffic, in my experience. I set those prefixes to go right into a nullroute on every server I set up:

          https://raw.githubusercontent.com/UninvitedActivity/Uninvite...

          #2 are IP ranges of Azure, DO, OVH, vultr, etc... A bit harder to block those outright.

      • lxgr 4 hours ago
        Sounds like a great idea until you ever try to connect to your own servers from a network with spammy neighbors.
        • kees99 3 hours ago
          Back in the day - port knocking was a perfect fit for this eventuality.

          Nowadays, wireguard would probably be a better choice.

          (both of the above of course assume one is to do a sensible thing and add "perma-bans" a bit lower in firewall rules, below "established" and "port-knock")

        • BLKNSLVR 3 hours ago
          Good network admins have contingencies for contingencies for contingencies.
    • observationist 4 hours ago
      Nice, thanks for the link. Good to be ruthless about those things when you can.
    • paulddraper 3 hours ago
      How often do you ask for probes or scans?
  • pigggg 22 minutes ago
    My biggest issue with IP brokers is how they'll avoid taking any responsibility for their customers' actions. A fair amount of bullet proof hosters (and we're talking malware distribution, botnet c2s, ransomware c2s, proxy/scanning) get their space from brokers. When you engage with the brokers they say go talk to the transit providers - and because the bullet proof guys can switch off to another transit provider easily they maintain connectivity/continue to operate. Super common in Europe where most of this goes on and they have a super plentiful transit market - but they are still rolling with the same set of IPs they get from these brokers (and one in particular).
  • tptacek 5 hours ago
    I think all the points about IP reputation impact are well taken, but as someone who had to deal with the RIRs at an ISP before and who now works at a firm that buys blocks, I would 10x rather operate in today's environment than in the old RIR environment. It's transparent and predictable by comparison.

    I never had much faith in reputation to begin with, and the residential block issue is muddied by the fact that large-scale residential proxies already make that an unreliable abuse check.

  • 9cb14c1ec0 1 hour ago
    Banning IP leasing would concentrate power in the hands of those who have large IP blocks. Makes one wonder what the real motivation behind this post is.
    • TZubiri 58 minutes ago
      Have you tried getting an ipblock from a RIR and failed? They seem widely available if you justify it and at a reasonable price. If not, you can always go to a host and buy at a smaller fraction...
    • zbentley 1 hour ago
      I mean…not curtailing leasing concentrates power with sketchy rent seekers and empowers the enterprises which use them (many of which range from “sketchy” to “evil and criminal”).

      So I guess I’m having trouble envisioning a world without IP leasing that’s materially worse than the one we have.

  • ACCount37 5 hours ago
    Good. GeoIP should be dead, and "IP reputation" should be meaningless garbage.
    • observationist 4 hours ago
      IP Reputation is only as meaningful as the duration of ownership. If it's the same owner for years, then reputation is meaningful, and that should count; if it changes hands every 6 hours being assigned to VPS clients or whatnot, then make the reputation stick to the /24 owner, and so on, with varying degrees of scope and duration, so that the responsible party - the shady companies renting their IPs to bad people - actually have their reputations stick. Then block the /24 or larger subnets, or aggressively block all ranges owned by the company, isolating them and their clients, good and bad.

      That sort of pressure can work. But then you risk brigading and activist fueled social media mobs and that's definitely no way to run the internet.

      • gzread 2 hours ago
        What's the purpose of blocking them, anyway? Is it to make you feel good? To clean up logs? To reduce spam? With the residential proxy industry - which, I note, is directly boosted by such blocking practices and funnels money into organized crime - IPs don't mean a whole lot to those who can pay.
      • BLKNSLVR 4 hours ago
        100% agree with your point regarding long term ownership allowing for meaningful reputation.

        I don't necessarily think that's 'no way to run the internet' or even 'no way to run anything', in that people can choose to whom they listen in regards to blocking, protesting, boycotting.

        As long as none of the different groups of opinions are forced on anyone else, then pick and choose those you apply and those you ignore.

        With my lists of blocking, I classify them, personally, into different tiers such as Basic, Recommended, Aggressive, and Paranoid when I apply the rules to other people's (family) setups - I'm the only one that uses Paranoid.

    • paulddraper 3 hours ago
      How do you protect against DDoS?
      • gzread 2 hours ago
        Temporary blocks if and when you are actually being DDoSed, presumably?
        • johncolanduoni 40 minutes ago
          Large DDoS botnets will have hundreds of thousands of return-path-capable IP addresses. Your temporary blocks will have to be very sensitive (i.e. trigger on a relatively small number of requests within the time window) for an application-level DDoS to be usefully mitigated.
  • pigggg 33 minutes ago
    Renting /24s by the hour is like a motel room rented by the hour. You know some shit is going on in there.
  • gzread 2 hours ago
    acidvegas is a pretty shady guy himself, running an IRC spam network pretty much in broad daylight. I don't know what to make of this connection, except he probably has a reason for posting this that's slightly more nefarious than sharing some interesting knowledge.
    • ackbar03 2 hours ago
      this guy most dangerous motherf* man, so edgy, what do you expect
    • acid_vegas 45 minutes ago
      tell me you're new to IRC without telling me you are new to IRC
  • phil21 5 hours ago
    Hard to take much of this too seriously, since there are total misrepresentations like this:

    > Their automated reputation management system actively maintains the "cleanliness" of leased IPs, ensuring they don't end up on blacklists — which is a polished way of saying they launder IP reputation as a service.

    No, as someone who leases some unused blocks via IPXO the entire point of the reputation management system is to centralize abuse reports for them to respond to so they get categorized, tracked, and handled. If more than a few come in the lease gets canceled as that’s against the AUP. I’ve had folks lease a /24 and try some dirt with it, only for IPXO to pull the route within hours. Far faster than I could have responded.

    As an ip holder I don’t want my resources being abused and added to blocklists so this is important to me. I do indeed plan on taking them off the market for my own use as my IPv4 usage needs increase over time. Until then, leasing them was a way to be able to justify the money spent acquiring some blocks before I got entirely frozen out forever by the hyperscalers and giant companies of the world eating practically every large block they could get their hands on.

    It’s future proofing my digital sovereignty. IPv4 scarcity is used by the AWS of the world to reduce competition and choice.

    Geolocation is such a stupid game as it is. I’m in strong support for anything that makes it even more obviously worthless. It’s been gamed by those with the skills and access since it first existed. The internet would be a better place without it.

    The Whois database stuff is actually a decent point, and I’m working on some ways to automate RIR registration this weekend as chance has it.

    From time to time I do indeed check where my blocks get advertised and utilized. One /22 right now is being used by a broadband ISP in Europe - and via nmap, traceroute, and BGP looking glass it appears to be legitimate, or at least quite well faked. The other blocks are colo and dedicated server providers competing with AWS/GCP/etc. Who knows what those customers are doing with them - probably a mix of good and bad like everything on the Internet. Functioning as-intended imo. If I'm helping reduce the need for CGNAT and helping a small company stand up to the giant tech conglomerates eating the world I'm calling it a job well done.

    • tptacek 58 minutes ago
      You say this, about AWS using IPv4 scarcity for lock-in, but IPv4 prices have been falling for years.

      If you want to buy space and auction it off to lessors, more power to you. I don't think there needs to be a moral dimension to it one way or the other. The RIR system was also not good.

    • BLKNSLVR 4 hours ago
      Sounds like making IPv6 more commonly used is part of the solution.

      Reduce the importance of IPv4 and the stranglehold of big conglomerates is forcibly relaxed (in this context at least).

      I don't like that I've ignored IPv6 for so long that now it feels overwhelming to have to try to grasp. That may be true for a lot of networking folks for whom IPv4 is written in their DNA, given the incredibly slow uptake of IPv6.

    • _zoltan_ 5 hours ago
      I agree 100%, also as an IP space owner.
  • sjtgraham 44 minutes ago
    > The "exhaustion" isn't a technical crisis. It's a landlord problem.

    > These aren't niche services. They are the backbone of how major VPN and proxy providers operate.

    > This isn't datacenter IP space being labeled as residential — it's actual ISP networks being leveraged as proxy pipes

    The "this isn't X, it's Y" construction is a bright red tell for AI slop. Posting AI slop is just bad manners.

  • TZubiri 1 hour ago
    It's like selling shell companies, or buying passports.

    This extends to IP proxies and yes VPNs. The issue with the latter is that they psyop some genuine users into using the tech for dumb reasons like less gaming latency so that they have plausible deniability.

  • jimz 4 hours ago
    I'm sure that it's real nice to have the lack of IPs be a problem that only tangentially affects one's daily experience but try speaking to someone who lives in a jurisdiction that is de facto independent but because of a frozen conflict or some sort of political dispute that predates their birth can neither be assigned a TLD nor be a member of an RIR. There's a giant first mover advantage and the system devised to dish out IPv4 subnets is essentially a cartel. The secondary market is the rational economic response in the face of a market that is monopolistic, poorly designed, and acts as an absolute gatekeeper to something that's fundamental to life in modern times.

    The fact is that states and police really wish that 1 IP = 1 person, but in reality that's hardly true. Residential and non-residential IPs are not really different. The resource is misallocated and what else does anyone expect? If investigations into actual criminal activity are solely based on IP addresses then it has always been one that is done incompetently. Sorry that the heuristic most convenient to the state isn't actually that great for what the state appropriated it to do. Whose fault is that? IP Geolocation is a massive backdoor whose purported efficacy has been used for geofencing warrants that basically make a mockery out of probable cause. It is also used for no good reason to help authoritarian nations and in the name of jingoism ends up inconveniencing people at the very least. My father spends 3-5 months out of the year in China and while there, he can't access his mortgage company and can't call them, can't renew his vehicle registration, can't check his gmail, and can't even purchase, but can nevertheless run, Turbotax. He's American, and there are hundreds of thousands of Americans overseas that find themselves in this awkward spot because of overreliance on one bad heuristic. So I have to pay his mortgage until he returns, every year for months, and also essentially while imitating him take care of a bunch of quotidian things that he can certainly do himself but since it's hard to teach a 65 year old man how to hop the GFW reliably, I have to go through this rigamarole. Imagine if I didn't have some cash set aside, or that I hadn't paid for my own dwelling already. It certainly doesn't stop state actors from attacking when they want, but it sure makes it easy to pretend like you did something meaningful while in reality all you've done is inconvenienced your own customers. The system is broken, lamenting that fact isn't a good look.

    The marketplace, in fact, is hardly a mess. It has competition, it has decentralized regulatory features, do you prefer all such deals go through say LET's massive thread on it instead? https://lowendtalk.com/discussion/160162/aio-ip-related-ipv4...

    • thenthenthen 14 minutes ago
      The geoip blocking is so horrible. I can't do anything when in China… even other Asian countries are blocked by my services at home.
  • mrbluecoat 5 hours ago
    If only those services required age verification..

    /s