Rebel Hosting

8.14.145.0/24
8.14.145.0 - 8.14.147.255

8.14.146.0/23
8.14.145.0 - 8.14.147.255

199.33.120.0/21
199.33.120.0 - 199.33.127.255

PlanetHoster (LEGRO-2)
PHBLOCK201 199.16.128.0 - 199.16.131.255 199.16.128.0/22
PLANETHOSTER19-11 199.59.244.0 - 199.59.247.255 199.59.244.0/22
NETEL-PLANETHOSTER01 209.44.101.208 - 209.44.101.215 209.44.101.208/29
NETEL-PLANETHOSTER-BARIZCO 209.44.102.64 - 209.44.102.127 209.44.102.64/26
NETEL-PLANETHOSTER-06 209.44.99.168 - 209.44.99.175 209.44.99.168/29
NETEL-PLANETHOSTER-04 64.15.68.64 - 64.15.68.127 64.15.68.64/26
NETEL-PLANETHOSTER-03 67.212.66.128 - 67.212.66.191 67.212.66.128/26
NETEL-PLANETHOSTER-06 67.212.67.144 - 67.212.67.151 67.212.67.144/29
PLANETHOSTER-BARIZCO 68.71.36.0 - 68.71.36.255 68.71.36.0/24
PLANETHOSTER-IPV6-01 2605:2900:: - 2605:2900:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
PLANETHOSTER21-11 199.188.220.0 - 199.188.223.255

Rebel Hosting has multiple subranges [whois.arin.net] leased from Hurrcane, EGI and Level3, however found these two additional:
REBEL-64-158-146-0-24 64.158.146.0 - 64.158.146.255 64.158.146.0/24
REBEL-64-158-147-0-24 64.158.147.0 - 64.158.147.255 64.158.147.0/24

Thanks wilderness

JumpLine
66.11.12.0/24
66.11.12.0 - 66.11.12.255

Jumpline Inc (JMPL)
NET-199-204-248-0-1 199.204.248.0 - 199.204.255.255 199.204.248.0/21
NET-207-55-240-0-1 207.55.240.0 - 207.55.255.255 207.55.240.0/20
NET-208-73-32-0-1 208.73.32.0 - 208.73.39.255 208.73.32.0/21
NET-208-79-200-0-1 208.79.200.0 - 208.79.207.255 208.79.200.0/21
NET-208-86-184-0-1 208.86.184.0 - 208.86.191.255 208.86.184.0/21
JUMPLINE-COM 216.222.192.0 - 216.222.207.255 216.222.192.0/20
JUMPLINE-COM 64.6.224.0 - 64.6.255.255 64.6.224.0/19
JMPL-BLK1-CBB 66.11.12.0 - 66.11.12.255 66.11.12.0/24
JUMPLINE-COM 66.84.0.0 - 66.84.63.255 66.84.0.0/18
JUMPLINE-COM 68.171.32.0 - 68.171.63.255 68.171.32.0/19
JUMPLINE-COM 72.172.128.0 - 72.172.143.255 72.172.128.0/20

Altus (a.k.a Altus-Avalon, AltusHost) avalon.hr or cloud.hr

31.3.152.0/22
31.3.152.0 - 31.3.155.255

91.214.44.0/22
91.214.44.0 - 91.214.47.255

185.3.192.0/22
185.3.192.0 - 185.3.195.255

HostHatch
31.220.7.0/24
31.220.7.0 - 31.220.7.255
31.220.30.0/24
31.220.30.0 - 31.220.30.255

AL-Albanian-Hosting
31.220.29.0/24
31.220.29.0 - 31.220.29.255

Ghostnet
5.175.128.0/17
5.175.128.0 - 5.175.255.255

94.130.0.0/15
D2 International Investment Ukraine Ltd.
with sublets including Russia.

Of late I've been dealing with Ukrainian robots with a crafty env=bad_russia, but this time it seemed safe to proceed directly to Deny from...

Whoops! Missed the Edit cutoff.

212.109.216.0/21
Novosibirsk, servers and colo oh my.

Someone may be able to get more information than me. The rest of
212.109.192.0/19
(that is, the 192-215 part) calls itself Internet of Siberia and may therefore be human. I wouldn't know. (What do you mean, people in Novosibirsk have no interest in reading about coatamundis riffing on how to say "leaf blower" in Burushaski? The nerve of them.)

[edited by: phranque at 5:30 am (utc) on Mar 23, 2015]
[edit reason] spelling [/edit]

AVK Computers
94.130.0.0/15
94.130.0.0 - 94.131.255.255

Doesn't appear to be a Server Farm but there are company sites hosted, example: streamsolution.ru

[edited by: keyplyr at 10:54 pm (utc) on Mar 22, 2015]

Another Volume Drive range - registered in January:

104.255.64.0-104.255.71.255
104.255.64.0/21

More on 94.130.0.0/15

AVK Computers is an India owned ISP with servers in Ukraine: avk-com.ru.

D2 International Investment Ukraine Lt:. d2invest.com.ua, one of many tenants in their biz section, may be responsible for bad actors, or it may be any number of other companies or compromised accounts from these servers. Point being 94.130/15 is not a card carrying server farm IMO, it is an ISP owned range but like many ISPs it also offers cloud & data center biz products.

Difficult to be surgical since I could not find any more info.

NewHost
188.119.150.0/23
188.119.150.0 - 188.119.151.255

Transit Colo
195.182.8.0/24
195.182.8.0 - 195.182.8.255

185.14.28.0/22
Serverius

Netherlands, with an outside option on Ukraine in case anyone's color-coding. (In my records, the "blocked" color code trumps all others.)

This is what I have for ServerIUS:

5.255.64.0/19
5.255.69.0 - 5.255.75.255

31.148.220.0/24
31.148.220.0 - 31.148.220.255

46.249.32.0/19
46.249.58.0 - 46.249.255.255

92.63.110.0/23
92.63.110.0 - 92.63.111.255

185.12.12.0/22
185.12.14.0 - 185.12.255.255

185.14.28.0/22
185.14.30.0 - 185.14.31.255

5.255.64.0/19
5.255.69.0 - 5.255.75.255

For "69...75" read "64...95" ?
Anyway the /19 alarmed me, because I'd got the whole /18 blocked. Turns out the bottom half-- the 96-127 range-- is something called Liteserver, also Netherlands, which you will agree sounds eminently blockable.

JMPL-BLK1-CBB 66.11.12.0 - 66.11.12.255 66.11.12.0/24

This seemed a strangely small sliver for ARIN, so I checked in the neighborhood. Are Jumpline and Continental Broadband the same people, or is Jumpline a server subdivision of a human range?

RE: 5.255.64/18 Good eye, thanks :)

RE: 66.11.12/24 All I see is Jumpline Inc: jumpline.com all hosting, no BB at least in the /24

89.31.56.0/21
Netherlands, Unithost
(I think this is fairly recent. The top half of 48/21 is still Italy.)

Free lookup says "dreamatorium.badexample.net" which sounds like a strong contender for this year's Truth In Naming prize.

Elsewhere:
149.255.96.0/20
UK Inception Hosting
Yup, that's RIPE within an ARIN range.

Also, inside of IOFlood: 199.30.48.0 - 199.30.55.255
is Inception: 199.30.49.82 - 199.30.49.97

199.30.49.82 - 199.30.49.97

82-97?! Couldn't we possibly make it 80-95?

Answer after detour to free lookup: No, we couldn't. Weird. (The adjoining ranges come through as 66-81 and 98-114, leading me to suspect that someone at IOFlood is letting their cat assign IP numbers.)

Until I discovered the encompassing IOFlood range, I was blocking 199.30.49.82 - 199.30.49.97 as:
199.30.49.82/31
199.30.49.84/30
199.30.49.88/29
199.30.49.96/31

Vultr
45.63.84.0/23
45.63.84.0 - 45.63.85.255

vultr is a sub-range of choopa, which I normally block except this one was new to me.

Choopa...

45.63.0.0 - 45.63.127.255
64.237.32.0 - 64.237.63.255
66.55.128.0 - 66.55.159.255
68.232.160.0 - 68.232.191.255
104.156.224.0 - 104.156.255.255
104.207.128.0 - 104.207.159.255
104.238.128.0 - 104.238.191.255
107.191.32.0 - 107.191.63.255
108.61.0.0 - 108.61.255.255
173.199.64.0 - 173.199.127.255
208.167.224.0 - 208.167.255.255
209.222.0.0 - 209.222.31.255
216.155.128.0 - 216.155.159.255

IOFlood

23.226.64.0 - 23.226.79.255
104.161.0.0 - 104.161.255.255
107.167.64.0 - 107.167.95.255
107.178.64.0 - 107.178.127.255
107.189.128.0 - 107.189.191.255
148.163.0.0 - 148.163.127.255
162.213.208.0 - 162.213.211.255
162.218.112.0 - 162.218.119.255
184.164.64.0 - 184.164.95.255
192.30.136.0 - 192.30.139.255
192.110.160.0 - 192.110.167.255
199.30.48.0 - 199.30.55.255
199.167.132.0 - 199.167.135.255
199.231.84.0 - 199.231.87.255

vultr is a sub-range of choopa, which I normally block except this one was new to me.

Thanks for the heads-up. Didn't have that larger Choopa range. Had the other Choopa as well as the IOFlood.

Jiapei Group Limited, Hong Kong
103.27.124.0/22
103.27.124.0 - 103.27.127.255

Many smaller hosting companies within this range. Example: sunnyvision.com

Personally I block all known Chinese ranges for a variety of reasons, but this had "server farm" written all over it.

Another reason for blocking is: the registration email address is a free public one, specifically gmail in this case. Quite apart from the suspicious use of a public address, google mail is not particularly welcome in China at the moment so this address may be dead.

In words of two syllables: Who or what is NFOrce Entertainment?
77.247.176.0/21
Netherlands
Met a stray botnet from 77.247.181.162; cursory searching leads me to thread about TOR [webmasterworld.com] which unfortunately assumes we already know what they're about. What's with the onions? Free lookup for the above IP spits out a bunch of names, including ... drumroll ... Zwiebelfreunde. (Also Dresdner Institut für Datenschutz, which intrigued me a bit because the visitor arrived on my test site as part of a botnet that also featured a small Boston University range.)

I had previously been blocking Zwiebelfreunde torservers 77.247.181.160/28, Thanks for the heads-up on the larger range.

Elsewhere...

Tralala, I think this is an actual server farm:
195.184.192.0/19
FTIcom, Ukraine

Does anyone know which bits of
212.250
(Virgin UK) are hosting? I met a robot from 212.250.202.217 -- which is definitely hosting -- but archived logs tell me there are, or at least used to be, humans in the neighborhood.

Tralala, I think this is an actual server farm:

Doesn't look like servers to me, looks like what it says it is, a telecom (donbass.net.)

Virgin Media is one of the largest ISPs worldwide. That's not to say some web site's aren't hosted within their ranges, just like most ISPs. My ISP offers a free webpage with my account, complete with a "web site builder" tool. I've never used it.

I occasionally get malicious hits from Virgin Media but I just assume they're compromised accounts and block them in other ways.