4 & 8 denied

Best to go surgical on a /8. Unless you are blocking at a country level, there's too much of a chance of collateral blockage.

Regards...jmcc

Block it all and accept the collateral damage, or be more surgical?

Be as surgical as time allows.

Collateral damage is never a good outcome.

...

I've been wondering about these two /8 blocks as well. I don't see a lot of traffic from them but when I do it's often from referrers like

/url or /search

These are by no means the only /8 ranges.

My method is to leave alone until something nasty this way comes and then investigate, blocking as large a range as relevant or setting it to DSL if that is indicated (ie the hit was probably from an infected m/c).

These are by no means the only /8 ranges.

I agree, but what's the point?

My method is to leave alone until something nasty this way comes and then investigate, blocking as large a range as relevant or setting it to DSL if that is indicated (ie the hit was probably from an infected m/c).

Yes, that's what I always do.

Point is, besides the server farms within the /8, I periodically get various trouble (scrapes, hack attempts, probes, refer spam, et al) from other areas with the /8 that have no specific assignment other than Level 3, at least no info I can dig up at the usual places.

Hence my temptation to just block the entire /8 (especially with 8.0.0.0/8 )

I've a 2003 subnet search saved from the 4.0 range that is a rather large text file (213kb), however incomplete. Arin use to cut-off the search at a specific number and it was impossible to retrieve the complete subnets. If your interested?

I've no subnet on the 8.0 range.

Thanks Don, however not interested as it's old data.

OK, I find this interesting if not quite the mess in it's own right.

[whois.arin.net ]

When running certain whois queries for stuff in the 4. range, sometimes, all I get for an answer is

LVLT-ORG-4-8 4.0.0.0 - 4.255.255.255

Other times a smaller subnet is returned and the list in the link above pretty much identifies what ranges are actually identified as specific subnets. Everything not accounted for as a named network in the 4 block (for example) appears to be ether. There are a bunch of /16s and at least one /15 listed for 4. but I find it interesting that when I look for a range to identify a request with a referrer like this (yes a referrer)

/_ylt=A0LEVxyZZFhT6hsA.o9XNyoA;_ylu=X3oDMTEzbHM3ZjVxBHNlYwNzcgRwb3MDOARjb2xvA2JmMQR2dGlkA1ZJUDQwM18x/RV=2/RE=1398330650/RO=10/RU=http%3a//... (edited for brevity)

coming from 4.34.68.x

All I get for my trouble is that it's in 4/8.

So, it's very tempting to block that /8 as there doesn't appear to be any explanation for what actually lives there.

Added: At the very least, I'm tempted to block 4.34/16 and get some satisfaction for my trouble. The question is, will that just eventually lead to blocking the entire 4/8 anyway? Just taking more time and effort in the process.

Until a few years ago, ARIN used to allow "sub net" searches (subdelegations)

A search in the the following manner (greater than character) would provide all the sub-net assignments.

> 4.1.

Unfortuately, it no longer works.
Whether the method (subdelegations) is possible using another search option is unknown to me.

in larger ip blocks i also look at the routing information.

public routing info for 4 is:

cidr;provider;country
4.0.0.0/8;Level 3 Communications, Inc.;US
4.0.0.0/9;Level 3 Communications, Inc.;US
4.17.19.0/24;TSYS;US
4.23.88.0/23;AT&T Mobility Labs;US
4.23.88.0/24;AT&T Mobility Labs;US
4.23.89.0/24;AT&T Mobility Labs;US
4.23.92.0/22;AT&T Mobility Labs;US
4.23.92.0/23;AT&T Mobility Labs;US
4.23.94.0/23;AT&T Mobility Labs;US
4.23.112.0/22;Rapid Systems Corporation;US
4.23.112.0/24;Rapid Systems Corporation;US
4.23.113.0/24;Rapid Systems Corporation;US
4.36.112.0/22;Rapid Systems Corporation;US
4.36.112.0/24;Rapid Systems Corporation;US
4.36.113.0/24;Rapid Systems Corporation;US
4.36.114.0/24;Rapid Systems Corporation;US
4.36.115.0/24;Rapid Systems Corporation;US
4.36.116.0/23;Rapid Systems Corporation;US
4.36.116.0/24;Rapid Systems Corporation;US
4.36.117.0/24;Rapid Systems Corporation;US
4.36.118.0/24;Rapid Systems Corporation;US
4.38.0.0/20;AT&T Mobility Labs;US
4.38.0.0/21;AT&T Mobility Labs;US
4.38.8.0/21;AT&T Mobility Labs;US
4.43.50.0/23;AT&T Mobility Labs;US
4.43.50.0/24;AT&T Mobility Labs;US
4.43.51.0/24;AT&T Mobility Labs;US
4.53.201.0/24;Rebel Hosting;US
4.55.0.0/16;Level 3 Communications, Inc.;US
4.67.96.0/20;AT&T Mobility Labs;US
4.67.96.0/21;AT&T Mobility Labs;US
4.67.104.0/21;AT&T Mobility Labs;US

Well, this barely scratches the surface but it is revealing. Not sure how to get more of this (and not sure I actually do want more to be frank) when the search limits results to 256 records but it does provide a look under the surface of 4/8.

[whois.arin.net ]

My guess is that there are certainly some humans in here (probably office workers as keyplyr mentioned). Looking at my logs for the past month, I found one example of a visit that was probably human from Level 3 but it was from 8. Beyond that, lots of bots from 4. and nothing that looks remotely human. Blocking that whole /8 looks extreme but from my logs, it seems like I'd just be blocking bots. The original quandary posed in this thread is murkier than ever in my mind.

webcentric,
What method did you use to get those results?

In the old days and using the ">" every search provided that it was limited to 256 lines, however more often than not, the results contained more than 250 lines.
The unfortunate side was that when it did return 256 lines, there was not any way to retrieve the next 256 lines and/or any lines afterward.

Wilderness, the answer is in the url e.g. /children

whois.arin.net/rest/net/NET-4-0-0-0-1/children

Added: BTW, your mention of the ">" operator got me looking at the documentation to see if there was still a mention of it (and there is).
The documentation page is here...

[arin.net ]

The ">" operator is mentioned in the Port 43 service section and the /children parameter, elsewhere.