Server Farms - August 2014

Tracking and Reporting Data Center IP Ranges

         

incrediBILL

12:37 am on Jul 31, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

Since we're at the end of July, I named it August a day early, so sue me.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

Angonasec

1:45 pm on Jan 5, 2015 (gmt 0)



Ta Don, 'twas kerwick! :O)

wilderness

2:22 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've a nagging recollection that I posted this previously. Not sure.

lucy24

4:48 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Centarra was recently renamed from something else, wasn't it? So it's worth re-posting just to get the names consistent.

There are free sites where you can look up all IP ranges allocated to a given country. Not so free if you want up-to-the-minute information ... but I don't think China has added any /14s just lately. For most purposes, "everything up to 2-3 months ago" will do fine for starters. Always excepting 185

bobothecat2

8:08 pm on Jan 5, 2015 (gmt 0)

10+ Year Member



Atlantic-net

69.28.64.0 - 69.28.95.255 69.28.64.0/19
104.219.52.0 - 104.219.55.255 104.219.52.0/22
107.190.176.0 - 107.190.191.255 107.190.176.0/20
209.26.48.0 - 209.26.55.255 209.26.48.0/21
209.208.0.0 - 209.208.127.255 209.208.0.0/17 (I have the whole 209.208. range blocked as the other /17 is QualityTech)
216.98.0.0 - 216.98.15.255 216.98.0.0/20

not2easy

8:26 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I ran into some new nasties:
(I am not getting the entire range in lookups, just blocks, so I'm pretty sure this range is not correct.)
FASTWEB-POP-INTERNET
claims to be an Italian ISP, but I see two scrapers from widely different IPs and some looking for wp-logins
93.48.0.0 - 93.54.103.127
93.48.0.0/13

Ran into a few new LINODE ranges I did not have:

23.239.0.0 - 23.239.31.255
23.239.0.0/19

88.80.184.0 - 88.80.191.255
88.80.184.0/21

My list is now:

dstiles

10:17 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Lucy - 193.104.19.n - I have the whole /16 blocked under EU for the reason: "various /24 blocks in different countries, at least some are servers". Thanks for pointing out the OVH connection.

> 192.95.0.0-192.95.63.0 was a typo for .255

Yes! Thanks for the headsup!

For reference: I have Centarra listed as "Avante Hosting Services Inc." as the Centarra ranges seem to be sub-ranges of Avante - but it matters little and I may be wrong.

keyplyr

10:27 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@ not2easy - fastweb.it is just that, an ISP. Most likely your bad boys were just compromised accounts. I'd be critical about blocking /13, an awful lot of Italians.

Angonasec

5:46 am on Jan 6, 2015 (gmt 0)



Enzu Inc. NV USA 23.244.0.0 - 23.245.255.255 23.244.0.0/15 ber...locked!

trintragula

12:43 pm on Jan 6, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



So here's one I found looking in the bottom of the filters for the biggest lumps:

I'm not sure how sure you have to be to list here:

* lots of different IPs from the same subset.
* some signs of scraping still left: i.e. lots of requests on each IP in spite of being blocked from the get go by their UA
* they belong to "Republic of Seoul Korea Telecom" which suggests they're DSL... according to wikipedia they have cloud services also, but I don't know how to distinguish them by IP.

1 IP from 112.216.127.nnn Mozilla/5.0 (compatible; ZumBot/1.0; [help.zum.com...]
20 IPs from 121.189.37.nnn ZumBot/1.0 (ZUM Search; [help.zum.com...]
16 IPs from 222.122.190.nnn Mozilla/5.0 (compatible; ZumBot/1.0; [help.zum.com...]

KT's ranges are much bigger, but I've only seen zumbot from these ranges. I'm guessing I've found their cloud ranges. I'd list them as ranges and CIDRs if I was more sure.

I've seen them since antiquity and still seeing them in December, but can't find a mention on this forum.

lucy24

7:07 pm on Jan 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> they belong to "Republic of Seoul Korea Telecom"

Some parts of the world seem to be especially infection-prone. ("If you can't drink the water, are the computers safe?")

If it's all the same UA, and you don't like its behavior, why not block it by UA? This is most easily done in mod_setenvif where it can feed into a single
Deny from env=keep_out

line. Don't forget to poke a hole for your custom 403 page!

Edit: I checked my own logs for ZumBot. It has shown up every month or so since last April, but it doesn't seem to be very interested in me: on each visit it just gets robots.txt and then the front page. Wait, no, I tell a lie: in March 2013 (that is, a year earlier, not a month) it made a similar two-request visit to my then-unified personal site. I think it follows links, because it only visits one site at any given time. For all I know, it may even be scooping up whatever domain is named in your WebmasterWorld profile.

trintragula

7:58 pm on Jan 6, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



I block anything with 'bot' in the UA, but I keep the IP so if they show up in plain clothes I'll know their face.

keyplyr

8:54 pm on Jan 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month





> I block anything with 'bot' in the UA

Well that should keep things quiet.

trintragula

9:07 pm on Jan 6, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Well *almost* anything... :)

lucy24

9:18 pm on Jan 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Does anyone know anything about 27.254? The range as a whole is LoxInfo (really) which appears to be a human ISP in Thailand. But I just met a robot from 27.254.148.26 which professes to be hosting ("18 websites use this address"), not the infected machine you'd expect.

keyplyr

9:51 pm on Jan 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> Does anyone know anything about 27.254?

Their web site: www.csloxinfo.net says they are "cloud computing, data center, colo..." which in my book is hosting.

csloxinfo.net, Thailand
27.254.148.0/24
27.254.148.0 - 27.254.148.255

trintragula

2:45 pm on Jan 7, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



I had a logged-in member visit from Hurricane Electric today - which is focusing my mind on the distinction between server-only ranges and mixed-use ranges...

trintragula

7:20 pm on Jan 7, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



More colocrossing:
104.168.0.0/17

not listed here, AFAIK.

I've seen 8 IPs from this range in the last month, generally Firefox/2[1-2], which is reason enough for me.

dstiles

8:08 pm on Jan 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



27.254.148.0/24 - I have the whole /16 blocked but on reflection some of the IPs are tagged in DNS as docomo so may be genuine dynamic. Certainly the range 27.254.148.0/24 is servers, though. I have other loxinfo ranges that are not blocked, but they still may include cloud, which I have not yet learned to identify, and be quiescent - only 5 trapped IPs in the lot.

I have ALL hurricane ranges (known to me) blocked.

My current colocrossing list (all USA) is:


lucy24

8:53 pm on Jan 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> not listed here, AFAIK.

Eeuw, that's older than I thought. I'd had all of 104.168 listed as bogons, but I must have missed a page.

And now the good news...
The bottom half of 104.168 is HostWinds. So if you're feeling thrifty, you can save yourself seven bytes.

keyplyr

9:01 pm on Jan 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> And now the good news...

Cool :)

keyplyr

9:07 pm on Jan 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A couple more not in dstiles list:

65.99.192.0/18 #ColoCrossing 65.99.192.0 - 65.99.255.255
72.249.0.0/17 #ColoCrossing 72.249.0.0 - 72.249.191.255
75.102.0.0/18 #ColoCrossing 75.102.0.0 - 75.102.63.255
206.123.64.0/18 #ColoCrossing 206.123.64.0 - 206.123.127.255
207.210.192.0/18 #ColoCrossing 207.210.192.0 - 207.210.255.255
216.246.49.0/24 #ColoCrossing 216.246.49.0 - 216.246.49.255
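
Posts in this thread pair a start-end range with a CIDR, and the two do not always describe the same addresses. The following check is an added example, not part of any member's post; the function names are illustrative and the sample pairs are copied from posts above.

```python
import ipaddress

# Range / CIDR pairs copied from posts in this thread.
POSTED = [
    ("69.28.64.0", "69.28.95.255", "69.28.64.0/19"),
    ("93.48.0.0", "93.54.103.127", "93.48.0.0/13"),
    ("72.249.0.0", "72.249.191.255", "72.249.0.0/17"),
    ("216.246.49.0", "216.246.49.255", "216.246.49.0/24"),
]


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering exactly first..last."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {first} - {last}")
    return list(ipaddress.summarize_address_range(lo, hi))


def check_pair(first, last, cidr):
    """Compare a stated CIDR with the stated range.

    Returns (verdict, exact_cidrs). Verdicts: 'match', 'cidr-too-wide'
    (the CIDR also blocks addresses outside the range), 'cidr-too-narrow'
    (part of the range is left unblocked) or 'mismatch'.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    exact = range_to_cidrs(first, last)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if exact == [net]:
        verdict = "match"
    elif net[0] <= lo and hi <= net[-1]:
        verdict = "cidr-too-wide"
    elif lo <= net[0] and net[-1] <= hi:
        verdict = "cidr-too-narrow"
    else:
        verdict = "mismatch"
    return verdict, exact


if __name__ == "__main__":
    for first, last, cidr in POSTED:
        verdict, exact = check_pair(first, last, cidr)
        print(f"{first} - {last}  {cidr}: {verdict}")
        if verdict != "match":
            print("    exact:", " ".join(str(n) for n in exact))
```

A "cidr-too-wide" verdict is the one that matters for false positives, since the rule then blocks addresses the lookup never attributed to the host.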

trintragula

9:55 pm on Jan 7, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Are bogons something I should be worrying about?
I've downloaded the ipv4 full bogon list from team cymru (currently 3364 CIDRs). I could use it as an additional block list, but is it likely to catch anything?
Does it depend on where/how you're hosted?

(sorry this is slightly off topic)

I do sometimes step back in wonderment at this small industry we've created in getting intimately familiar with the 4 billion 32-bit numbers, and small ranges thereof. :) And that's before we get to ipv6...

lucy24

4:28 am on Jan 8, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> Are bogons something I should be worrying about?

Heehee. A bogon is an IP address that is officially unassigned. Even in IPv4, there are still a few of them. As we speak, 185 is being doled out in /22 slivers and there are similar ranges in APNIC, some going right down to /24s. (That is, actual /24 assignments, as opposed to colos and servers where the nominal country assignment of any random /30 is less relevant than where the server lives.)

In practice, a lot of ARIN bogons seem to be getting gobbled up by server farms, so if you blocked all known bogons in those ranges, you would be pre-blocking a lot of robots ... but also a fair number of humans.

trintragula

11:43 am on Jan 8, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Reliable hosting services
199.15.248.0/21

I downloaded the full bogon list again today: about a dozen ranges have been added, and a dozen removed. In a single day.

It looks like there are around 90 million IPs in the list, excluding the big ranges that are unlikely to be assigned. Probably a few more could be removed.

wilderness

12:59 pm on Jan 8, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've saved ranges (four) of Reliable from Oct 2012, none of which are in use today.

The following are current (InfoRelay offers a very large set: [whois.arin.net...]):
Reliable Hosting Services (RELIA-60)
RHS-HOSTING3 192.82.109.0 - 192.82.109.255 192.82.109.0/24
RELIABLE-HOSTING-NETWORK 199.15.248.0 - 199.15.255.255 199.15.248.0/21
RELIABLE-HOSTING-NETWORK2 208.73.20.0 - 208.73.23.255 208.73.20.0/22
RELIABLEHOSTING-08 66.231.176.252 - 66.231.176.255 (InfoRelay Online Systems, Inc. (IOS-40) 66.231.176.0/20)
RELIABLEHOSTING-01 66.231.181.176 - 66.231.181.179 (InfoRelay Online Systems, Inc. (IOS-40) 66.231.176.0/20)
RELIABLEHOSTING-07 66.231.176.52 - 66.231.176.55 (InfoRelay Online Systems, Inc. (IOS-40) 66.231.176.0/20)
RELIABLEHOSTING-06 66.231.178.0 - 66.231.178.255 (InfoRelay Online Systems, Inc. (IOS-40) 66.231.176.0/20)
RELIABLE-HOSTING-NETWORK 2604:4100:: - 2604:4100:FFF:FFFF:FFFF:FFFF:FFFF:FFFF

lucy24

5:08 pm on Jan 8, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> I downloaded the full bogon list again today: about a dozen ranges have been added, and a dozen removed.

Probably isn't worth the trouble. In rare cases, a server farm will go out of business and then you'll see a hole in some older range. But it's just as likely they were simply late sending in paperwork, and then something gets transitorily listed as a bogon though it isn't really. Huge sections of Brazil, in particular, seem to roll-over every other week, but it's all illusory.

In general you want to know who a range is, not who it isn't.

dstiles

8:19 pm on Jan 8, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



keyplyr - I have different names for those you list.

75.102.0.0/18 - server central
216.246.49.0/24 expands to 216.246.0.0/17 - server central

and the others, plus a few more, are (according to me) colo4 aka colo4dallas...

65.99.192.0 - 65.99.255.255
72.29.96.0 - 72.29.127.255
72.249.0.0 - 72.249.191.255
173.237.128.0 - 173.237.191.255
174.136.0.0 - 174.136.63.255
206.123.64.0 - 206.123.127.255
207.210.192.0 - 207.210.255.25

wilderness - Thanks. My Reliable Hosting (excluding short subranges of other providers) is now...


keyplyr

9:49 pm on Jan 8, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




> keyplyr - I have different names for those you list.

As I often do for host ranges posted here. I suspect some of these free IP look-ups use archaic information, which is why I stopped using them a while back.

dstiles

8:45 pm on Jan 9, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I generally rely on WHOIS entries to check details of IPs and ranges (using Linux Network Tools). However, within a single WHOIS response there can be several different companies etc. listed (or even countries!). The actual ranges can also be multiplex - e.g. RIPE gives a range at the top of a result that may be superseded by one at the bottom. ARIN also sometimes returns such discrepancies, giving (for example) a /24 and a /16 result that may name two different "owners", whilst LACNIC may give the parent range somewhere in the record.
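
When one lookup returns a parent allocation and a sub-allocation with different names, sorting the matching records from most to least specific shows both owners at once. This is an added example, not part of the post above; the function names are illustrative and the records are copied from the Reliable Hosting / InfoRelay listing earlier in the thread.

```python
import ipaddress

# (name, allocation) as posted in this thread; allocations appear either
# as "first - last" or as a CIDR.
RECORDS = [
    ("InfoRelay Online Systems, Inc. (IOS-40)", "66.231.176.0/20"),
    ("RELIABLEHOSTING-06", "66.231.178.0 - 66.231.178.255"),
    ("RELIABLEHOSTING-07", "66.231.176.52 - 66.231.176.55"),
    ("RELIABLEHOSTING-08", "66.231.176.252 - 66.231.176.255"),
    ("RELIABLE-HOSTING-NETWORK", "199.15.248.0 - 199.15.255.255"),
]


def parse_allocation(text):
    """Return (first, last) addresses for 'a - b' or CIDR notation."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in text.split("-"))
    else:
        net = ipaddress.ip_network(text.strip(), strict=True)
        first, last = net[0], net[-1]
    if first.version != last.version or first > last:
        raise ValueError(f"bad allocation: {text!r}")
    return first, last


def owners(ip, records=RECORDS):
    """All records containing ip, most specific (smallest) first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, alloc in records:
        first, last = parse_allocation(alloc)
        if first.version == addr.version and first <= addr <= last:
            size = int(last) - int(first) + 1
            hits.append((size, name, alloc))
    hits.sort()
    return [(name, alloc) for _, name, alloc in hits]


def describe(ip, records=RECORDS):
    """Summarise who an address is assigned to and under which parent."""
    hits = owners(ip, records)
    if not hits:
        return {"assigned_to": None, "parent": None}
    parent = hits[-1][0] if len(hits) > 1 else None
    return {"assigned_to": hits[0][0], "parent": parent}


if __name__ == "__main__":
    for ip in ("66.231.178.10", "66.231.177.1", "8.8.8.8"):
        print(ip, describe(ip))
```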

lucy24

9:01 pm on Jan 9, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> eg RIPE gives a range at the top of a result that may be superseded by one at the bottom

They seem to like naming the country that the owner of the smallest sliver lives in. This can be useful though. If you notice a lot of /28s and /30s jumping from one country to another-- or jumping in and out of "bogon" status-- you can be pretty sure there's a server farm or colo somewhere upstream. And it generally isn't hard to work out the overall range even if you never find something that says outright Hetzner or, um, whatever that place with too many x's is called.