Server Farms - February 2015

Tracking and Reporting Data Center IP Ranges

         

incrediBILL

5:51 am on Feb 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

keyplyr

11:37 am on May 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This is coming from Boranet, an ISP owned by Korean company LG Dacom Corp.

1.215.226.190 - - [17/May/2015:02:41:38 -0700] "GET / HTTP/1.1" 403 1530 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

It's a bot that will scrape the entire site if not blocked. Even blocked, this sucker hits my server 5 to 10 times a day, ongoing for over a month. Always from this same IP address.

trintragula

5:20 pm on May 18, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



If I see a range listed here I'll sometimes look them up on ipinfo.io, which will take you to the ASN and thence to a list of ranges. For coloblox they have:

130.205.0.0/16 Coloblox, LLC
206.65.48.0/20 Coloblox, LLC
207.15.208.0/21 Coloblox, LLC
208.216.80.0/21 Coloblox, LLC
208.222.120.0/21 Coloblox, LLC
208.26.8.0/21 Coloblox, LLC
208.73.216.0/21 Coloblox, LLC
208.88.24.0/21 Coloblox, LLC
209.195.0.0/18 Coloblox, LLC
209.8.248.0/21 Coloblox, LLC

This is just from the ipinfo.io listing, though. I don't appear to have caught any bots from them. Yet.


I wasn't meaning to imply that this thread isn't useful, just that much of what I might post here has either been seen before or is not of interest anyway. The difficulty for me is figuring out when I have something useful to post. If there was a collectively maintained list/database, it would be easier.

dstiles

7:46 pm on May 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Not sure how your source resolved those. The first of those ranges is listed as wittsend in DNS; no mention of coloblox. Next few are verizon comstar business ranges followed by sprint. First coloblox in that list, according to current DNS, is 208.73.216.0/21; also next two. Final one is "beyond the network" - 209.8.0.0/15. It's possible DNS has not been updated but some of those non-coloblox ranges have been in my database for a long time and check out on re-test of DNS.

Thanks for the 208.88.24.0 range, though, I didn't have that one. To confirm, the three I (now) have for coloblox are:

208.73.216.0 - 208.73.223.255
208.88.24.0 - 208.88.31.255
209.195.0.0 - 209.195.63.255

trintragula

8:35 pm on May 18, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



I got the list from ipinfo.io, but I usually cross-check with domaintools. Those first ranges are as you describe, but the ASN is still coloblox for those - even in domaintools.
Are they sublet or something?
I'm still a bit of a babe in the woods with the whois listings, and it's not generally clear to me who's actually responsible for the IPs.

keyplyr

9:22 pm on May 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm still a bit of a babe in the woods with the whois listings, and it's not generally clear to me who's actually responsible for the IPs.

Don't know if any free look-up tool has the most accurate info. Probably good to check a couple every time, although that becomes tedious.

wilderness

6:38 am on May 19, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



FWIW, Coloblox only has three ranges
[whois.arin.net...]

Not sure where that other crap came from!

keyplyr

9:12 am on May 19, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



...Not sure where that other crap came from!

trintragula said ipinfo.io :)

trintragula

9:39 am on May 19, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Coloblox (formerly xilogix) appear to have their name on the whole ASN. Domaintools, ipinfo and tcpiputils all agree about this, yet ranges within the ASN seem to be owned by different companies. This is apparently not uncommon.
One of the ranges owned by a different company has the abuse contact for a subrange within it still at xilogix.
So I guess the abuse responsibility for an IP range does not always coincide with the owner of the ASN that contains it, and this is perhaps more likely to be the case with a server farm than elsewhere.
Sorry if this is all blindingly obvious to you all, but it's something I'm only gradually getting a handle on.

On the other hand, if a colo owns a lot of ranges in its ASN aren't those ranges still likely to be servers in their server farm? Even if they're nominally owned by some customer? Coloblox may only actually claim responsibility for 3-4 of those ranges, but would you choose not to list the rest of them here anyway?

I'm still very unclear about what you list on this thread, and why.

keyplyr

9:54 am on May 19, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




I'm still very unclear about what you list on this thread, and why.

I wouldn't worry about it. Everyone deals with the same uncertain info, we just do the best we can with it. Much of that info at IP tools is obsolete, some is incomplete and some is intentionally misleading.

You're correct about the sub ranges being registered by one company but managed by another. 17 years ago I leased servers in Plano, Texas thinking I would start a hosting company. Network whois record displayed my (now defunct) company name.

dstiles

8:56 pm on May 19, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'll mention again my own (linux) checking tools:

Network Tools - this has a whois and dns lookup which are particularly useful.

Umit - this makes port scanning easy - not really a good thing to do but if a range's purpose is in doubt this can SOMETIMES help: if it shows open ports on several IPs there is a good chance it's a server. Sadly clouds seldom show open ports so that is a downer. One day I will find out why and, better, how to detect clouds.

Dig - occasionally I will run this in a terminal box but it's not so useful as the above.

mrtonyg

12:26 am on May 21, 2015 (gmt 0)

10+ Year Member



PlusServer IPv4 CIDRs (aggregated):


keyplyr

9:48 am on May 21, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Found these 2 Chinese hosting companies hiding near the bottom of IPv4:

gainet.com
223.252.128.0/19
223.252.128.0 - 223.252.159.255

i4hk.com
223.252.160.0/20
223.252.160.0 - 223.252.175.255

keyplyr

7:52 am on May 22, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




Landis Holdings A.K.A jaguarpc.com

69.73.128.0/18
69.73.128.0 - 69.73.191.255

209.140.16.0/20
209.140.16.0 - 209.140.31.255

209.217.224.0/19
209.217.224.0 - 209.217.255.255

blend27

12:54 pm on May 22, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




inetnum: 155.133.10.0 - 155.133.10.255 --- 155.133.10.0/24
netname: PL-DELORIAN
descr: Delorian Internet Services

155.133.10.111 - fake trackback to a site that does not have a blog, comment spammer.

keyplyr

2:16 pm on May 22, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@blend27 - do you allow trackbacks?

Delorian also has 155.133.18.0/23, but they look to be an ISP, mostly mobile, and managed by Sprint, Poland. Your bad actor may be a hacked account or just a jerk, but blocking the /24 might be overkill.

blend27

5:50 pm on May 22, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



155.133.10.0/24 belongs to v-net.pro. Polish hosting.

try this: [bgp.he.net...]

no trackbacks for this site. the URL where trackback is requested from is a parked domain.

keyplyr

11:46 pm on May 22, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



155.133.10.0/24 belongs to v-net.pro. Polish hosting.
And v-net.pro belongs to Ring, Poland.

try this:
I prefer to stay away from the freebie look-ups. Much of the time they display incomplete or in some cases outdated or just incorrect info. Hurricane is one such look-up. I used to use it, but no longer. Besides, I can't help getting the feeling they have a vested interest in giving misleading information since often it is bad actors from their very own server ranges I'm looking up :)

Regardless, if blocking it might be prudent to poke some holes for those Polish mobile phone users. Looks like the whole /16 is owned by netronik.net, a Polish ISP for telephone, broadband & TV. Often times large ISPs will lease smaller sub-ranges. My own ISP does that.

mrtonyg

12:09 am on May 23, 2015 (gmt 0)

10+ Year Member



@keyplyr So what do you use for looking up complete and up to date ISP CIDRs?

keyplyr

12:30 am on May 23, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I use an API on my local machine which includes a suite of tools. I also have a smaller version loaded on my phablet for when I'm on the road, which is often these days.

However, most CIDRs I do in my head using the range info since the problem with a lot of the IP look-ups (especially the free ones) seems to be they have a difficult time spanning the natural ASN boundaries, even when it's all owned by a single registrant.

mrtonyg

12:46 am on May 23, 2015 (gmt 0)

10+ Year Member



The API is for querying the whois database directly?

keyplyr

1:54 am on May 23, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Many WhoIS DBs and a dozen other tools. Search back a ways and I talked about what I'm using (difficult to type where I'm at, what I'm typing on.)

mrtonyg

4:32 am on May 23, 2015 (gmt 0)

10+ Year Member



So can you query the ARIN whois database directly to get CIDRs of ISPs?

keyplyr

5:04 am on May 23, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I can automate all the tools they offer, but often just do it manually. Just read it for yourself. You'll probably get a better understanding than my meager explanation. Again, I do not have access to a conventional/physical keyboard so typing these replies is a PITA.

keyplyr

9:20 am on May 23, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The top IOMart range is new to me, which brings my IOMart list (all blocked) to:

5.133.176.0/21
5.133.176.0 - 5.133.183.255

78.129.128.0/17
78.129.128.0 - 78.129.255.255

82.145.32.0/19
82.145.32.0 - 82.145.63.255

83.142.224.0/21
83.142.224.0 - 83.142.231.255

87.117.192.0/18
87.117.192.0 - 87.117.255.255

88.150.168.0/22
88.150.168.0 - 88.150.175.255

95.154.192.0/18
95.154.192.0 - 95.154.255.255

109.169.0.0/18
109.169.0.0 - 109.169.63.255

212.38.160.0/19
212.38.160.0 - 212.38.191.255

217.147.80.0/20
217.147.80.0 - 217.147.95.255

mrtonyg

1:40 pm on May 23, 2015 (gmt 0)

10+ Year Member



@keyplyr read what for myself? You have offered no direct answer...a simple link will do.

Edit: Never mind answering the above...this is going nowhere.

dstiles

8:21 pm on May 24, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



keyplyr:

88.150.168.0/22 is part of redstation's range 88.150.128.0 - 88.150.255.255

109.169.0.0/18 actually extends to 109.169.0.0 - 109.169.95.255

keyplyr

10:38 pm on May 24, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@dstiles

Yes I have the redstation range blocked, just listing the IOMart I have in my db.

Thanks for the additional range:

109.169.64.0/19
109.169.64.0 - 109.169.95.255
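
Added example, not part of any post in this thread: a Python sketch of the range arithmetic in the exchange above. It checks whether a posted CIDR matches the dotted range posted beside it, converts a first-last range to exact CIDRs, and tests whether a reported block already sits inside a listed range. The function names are this example's own; the addresses are quoted from the posts above.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks covering first..last exactly."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(lo, hi))

def check_pair(cidr, first, last):
    """Compare a posted CIDR with the dotted range posted beside it."""
    net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
    exact = range_to_cidrs(first, last)
    lo, hi = exact[0].network_address, exact[-1].broadcast_address
    if exact == [net]:
        verdict = "match"
    elif net.network_address <= lo and hi <= net.broadcast_address:
        verdict = "range narrower than CIDR"
    elif lo <= net.network_address and net.broadcast_address <= hi:
        verdict = "range wider than CIDR"
    else:
        verdict = "partial or no overlap"
    return verdict, [str(n) for n in exact]

def already_covered(cidr, listed_ranges):
    """True if cidr sits inside any (first, last) range already on the list."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block)
               for first, last in listed_ranges
               for block in range_to_cidrs(first, last))

# Values quoted from the posts above.
PAIRS = [
    ("212.38.160.0/19", "212.38.160.0", "212.38.191.255"),
    ("88.150.168.0/22", "88.150.168.0", "88.150.175.255"),
]
REDSTATION = [("88.150.128.0", "88.150.255.255")]

if __name__ == "__main__":
    for cidr, first, last in PAIRS:
        print(cidr, *check_pair(cidr, first, last))
    # A range that is not one power-of-two block needs more than one CIDR.
    print([str(n) for n in range_to_cidrs("109.169.0.0", "109.169.95.255")])
    print(already_covered("88.150.168.0/22", REDSTATION))
```
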

blend27

2:17 pm on May 25, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



FASTVPS-VE
5.101.118.0/24
5.101.118.0 - 5.101.118.255

MEGA-COLOCATION
67.213.112.0 - 67.213.127.255
67.213.112.0/20


When are they going to learn that having = sign in UA gets them *itch slapped on the spot?
---------------------------------------


UKWEB-EQX
95.142.156.0/22
95.142.159.0 - 95.142.159.255

Now a new bot calls itself maluuba-crawler/Nutch-1.6 from 162-249-90-202.dedicated.allstream.net

162.249.88.0/21
162.249.88.0 - 162.249.95.255

keyplyr

10:43 pm on May 25, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks blend27,

The FastVPS is a little larger:
5.101.112.0/20
5.101.112.0 - 5.101.127.255

As far as the allstream.net range, I allow the /26 because Microsoft uses it to crawl for product info and I sell things :)

I also block anything with "nutch" in the UA.

Just a FYI - allstream.com is a business phone service. Looks like you found a port to a leased-out server, but blocking the rest of allstream *may* be blocking human users. I don't block it.
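
Added example, not part of any post in this thread: a Python sketch of the policy described above (a blocked data-center range with an allowed hole, plus a user-agent substring block), applied to combined-format log lines. The /21 is the allstream.net range reported above; the /26 is a hypothetical stand-in because the thread does not say which /26 is allowed, the log lines are constructed, and checking the user agent before the hole is an assumption.

```python
import ipaddress
import re
from collections import Counter

DENY = [ipaddress.ip_network("162.249.88.0/21")]          # range reported above
ALLOW_HOLES = [ipaddress.ip_network("162.249.88.0/26")]   # hypothetical /26
DENY_UA_SUBSTRINGS = ["nutch"]

# Combined log format: ip, ident, user, [time], "request", status, bytes, "referer", "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def decide(line):
    """Return the policy decision for one access-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparsed"
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return "unparsed"
    ua = m.group(2).lower()
    if any(s in ua for s in DENY_UA_SUBSTRINGS):
        return "deny:ua"            # UA rule applies even inside an allowed hole
    if any(ip in net for net in ALLOW_HOLES):
        return "allow:hole"         # exceptions are tested before the range block
    if any(ip in net for net in DENY):
        return "deny:range"
    return "allow"

def tally(lines):
    """Count decisions over a batch of log lines."""
    return Counter(decide(l) for l in lines)

# Constructed sample lines (not taken from any real log).
SAMPLE = [
    '162.249.90.202 - - [25/May/2015:14:17:00 +0000] "GET / HTTP/1.1" 403 1530 "-" "maluuba-crawler/Nutch-1.6"',
    '162.249.88.10 - - [25/May/2015:14:18:00 +0000] "GET /p/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; ExampleCrawler/1.0)"',
    '162.249.91.5 - - [25/May/2015:14:19:00 +0000] "GET / HTTP/1.1" 403 1530 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"',
    '198.51.100.7 - - [25/May/2015:14:20:00 +0000] "GET / HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    'garbage line',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(decide(line), "|", line[:40])
    print(dict(tally(SAMPLE)))
```
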

keyplyr

9:00 am on May 28, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




interoute.com
84.233.128.0/17
84.233.128.0 - 84.233.255.255

superhost.pl
178.250.40.0/21
178.250.44.0 - 178.250.47.255

interbusiness.it
194.243.0.0/16
194.243.0.0 - 194.243.255.255