racksrv.com

37.26.104.0 - 37.26.111.255
37.26.104.0/21

213.5.176.0 - 213.5.183.255
213.5.176.0/21

197.231.221.211(exit1.ipredator.se) - referrer spamming.


CYBERDYNE-VPN01
197.231.221.0 - 197.231.221.255
197.231.221.0/24

@blend27 - actual range is a bit larger :)

Cyberdyne (cyberdyne.net.lr)
197.231.220.0 - 197.231.223.255
197.231.220.0/22

BODIS.COM

199.59.240.0 - 199.59.243.255
199.59.240.0/22

Domain parking service that has scraped content hosted on that servers.

Digital Ocean Singapore (new range, at least for me)
128.199.0.0 - 128.199.255.255
128.199.0.0/16

BroadRiver Inc.
216.126.32.0 - 216.126.47.255
216.126.32.0/20

This comes around attempting to cause trouble every couple months. Not sure if this file is common to a CMS or other popular platform, but I do not have a file named "filesman" or even "filesmanager."

31.184.238.*** - - [02/Apr/2016:21:56:04 -0700] "GET /filesman HTTP/1.1" 418 552 "http://example.com/filesman" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

(example.com being my domain)

jijikserver (Data center: Russia)
31.184.238.0 - 31.184.238.255
31.184.238.0/24

<tangent>

example.com being my domain

I sometimes think the single strongest argument for making your entire site in php-or-equivalent is that you can then check every request for auto-referers and slam the door in their face forthwith. (Can't be done globally in apache alone.)
</tangent>

They tried that too...

There is an App for That :)

added
As a matter of fact the function that has been taking care of that is called a Bouncer, same logic as in an underage teen trying to get into a club by saying "But I just came from inside of the place a minute ago". GuestBook spammers used that logic and I use "a reversed version" of it for the rest of the nastiest.

No Stamp = No Entry

privax.com (hidemyass.com)
UK-PRIVAX-20120608
5.62.4.0 - 5.62.5.255
5.62.4.0/23

It has been a while since the HideMyAss IP list has been posted and the site search isn't bringing it up, so I'll post what I've got again:

95.154.245.64 - 95.154.245.127
212.38.167.192 - 212.38.167.255
212.38.170.64 - 212.38.170.127
212.38.170.128 - 212.38.170.191
212.38.170.0 - 212.38.170.63
78.129.168.0 - 78.129.168.127
78.129.150.128 - 78.129.150.255
78.129.168.128 - 78.129.168.255
78.129.150.0 - 78.129.150.127
87.117.232.128 - 87.117.232.255
109.169.17.0 - 109.169.17.127
78.129.160.0 - 78.129.160.127
78.129.171.0 - 78.129.171.127
78.129.160.128 - 78.129.160.255
109.169.4.128 - 109.169.4.255
82.145.62.128 - 82.145.62.255
62.233.42.0 - 62.233.42.127
62.233.42.128 - 62.233.42.255
62.233.37.0 - 62.233.37.127
62.233.34.128 - 62.233.34.255
62.233.41.128 - 62.233.41.255
62.233.41.0 - 62.233.41.127
62.233.34.0 - 62.233.34.127
185.25.84.0 - 185.25.84.127
5.102.170.0 - 5.102.171.255
91.238.214.0 - 91.238.215.255
87.117.238.64 - 87.117.238.127
185.25.84.128 - 185.25.84.255
5.56.23.128 - 5.56.23.255
5.62.4.0 - 5.62.5.255
46.229.224.128 - 46.229.224.255
130.185.105.128 - 130.185.105.255
31.7.187.0 - 31.7.187.255
185.25.86.0 - 185.25.86.255
185.25.87.0 - 185.25.87.255
185.25.85.0 - 185.25.85.255
178.16.27.0 - 178.16.27.255
185.25.84.0 - 185.25.87.255
37.46.115.0 - 37.46.115.255
178.73.212.96 - 178.73.212.127
178.73.198.0 - 178.73.198.63
46.246.89.0 - 46.246.89.127
188.126.73.128 - 188.126.73.255
46.246.123.0 - 46.246.123.255
162.211.178.0 - 162.211.178.255
162.211.179.0 - 162.211.179.255
66.187.64.0 - 66.187.64.255
66.187.68.0 - 66.187.68.255

62.233.41.0 - 62.233.41.127
+
62.233.41.128 - 62.233.41.255
=
62.233.41

62.233.42.0 - 62.233.42.127
+
62.233.42.128 - 62.233.42.255
=
62.233.42

(I think both of these must have been posted earlier, as I'd already got them labeled. I remember having to make up a new color code for "proxy" ;))

Oh, and similarly
78.129.150
78.129.160
78.129.168

Finally,
185.25.84.0/22
subsumes some smaller groups

Normally condensing ranges works, but since these are VPNs, I like to list HMA ranges separately so I can add/remove as needed when beneficial agents use them (albeit I've only found 2 in 10 years.)

Thank You keyplyr for the Big list. I was missing half of it.

*New hostkey.ru (for me)

5.39.216.0 - 5.39.219.255
5.39.216.0/21

31.192.104.0 - 31.192.111.255
31.192.104.0/21

46.17.96.0 - 46.17.103.255
46.17.96.0/21

146.0.72.0 - 146.0.74.255
146.0.72.0/21

193.109.68.0 - 193.109.69.255 *
193.109.68.0/23

195.162.68.0 - 195.162.69.255
195.162.68.0/23

enternet.hu is a multi service ISP offering residential/cooperate DSL as well as domain services & hosting.
77.111.88.0 - 77.111.95.255
77.111.88.0/21

Petersburg Internet Network - Russia
xmlrpc hacker

5.8.0.0/18
5.8.64.0/19
5.101.0.0/18
5.101.64.0/19
5.188.0.0/16
5.189.192.0/18
31.44.176.0/20
31.184.192.0/18
37.9.0.0/19
37.9.32.0/20
37.9.48.0/21
37.139.32.0/19
46.161.0.0/18
91.243.80.0/20
95.215.0.0/22
146.185.192.0/18
193.93.192.0/22
195.2.240.0/23

Wishing I had a nicely concise set of IP ranges for ALL of Russia.

Alibaba.com is hosting websites in the USA. Not surprisingly hackers are using those servers to launch root attacks on other servers.

Alibaba Servers in US
47.88.0.0/14
198.11.128.0/18
205.204.96.0/19

Wishing I had a nicely concise set of IP ranges for ALL of Russia.

I use countryipblocks dot net. The free version can lag a few months behind, but at this point for RIPE that just means 185.blahblah/22 which is pretty hopeless anyway.

Wishing I had a nicely concise set of IP ranges for ALL of Russia.

If you are in to programming:

ftp://ftp.ripe.net/ripe/stats/delegated-ripencc-latest

Contains all the into u need.

Example:

ripencc|RU|ipv4|213.159.208.0|2048|20080318|allocated

Treat that as a list with |(pipe) delimiter

1. RU - country
2. ipv4 is a type(actual file has IPV6 as well)
3. IP 213.159.208.0 convert that to a number( [google.com...] ) - this is you start IP(in this case it is 3584020480)
3.1 2048 is the number of IPs in the allocation, so add 2048-1 to 3584020480 = 3584022527(213.159.215.255)

At this point you will have the country start IP and end IP that could be used in SQL query lookup by comparing if the converted to Number incoming IP is between starting IP and ending IP:)

3.2 CIDR - Basically we would use a switch/case statement

switch(numberOfIps) {
 case "16777216": return 8;
 case "8388608": return 9;
 case "4194304": return 10;
 case "2097152": return 11;
 case "1048576": return 12;
 case "524288": return 13;
 case "262144": return 14;
 case "131072": return 15;
 case "65536": return 16;
 case "32768": return 17;
 case "16384": return 18;
 case "8192": return 19;
 case "4096": return 20;
 case "2048": return 21;
 case "1024": return 22;
 case "512": return 23;
 case "256": return 24;
 case "128": return 25;
default:return 0;
}

So at this point we would take starting ipv4 213.159.208.0 AND case "2048" which returns 21;

And there you go:

CIDR Range: 213.159.208.0/21
Netmask: 255.255.248.0 <<<--- not covered here
Wildcard Bits: 0.0.7.255 <<<--- not covered here
First IP  213.159.208.0
Last IP  213.159.215.255
Total Hosts 2048

which accidentally contains:
JSC Server WebDC colocation
213.159.208.0 - 213.159.211.255
213.159.208.0/23

:)

BTW, here is more information on RIR Statistics Exchange Format of the file if someone interested writing their own scrips to get Country/IP Range information:

ftp://ftp.ripe.net/ripe/stats/RIR-Statistics-Exchange-Format.txt

The other files are also available:

afrinic - ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest
arin - ftp://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
apnic - ftp://ftp.apnic.net/pub/apnic/stats/apnic/delegated-apnic-latest
lacnic -ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
ripe - ftp://ftp.ripe.net/ripe/stats/delegated-ripencc-latest

There is all kind of Juicy data on those ftp sites!

There are also a ton of scripts already on GitHub that would do that in a programming Lang of you choice.

Very kind of you to share your insights, blend27.

If only I was up to speed on coding. Getting there . . . slowly . . . inch by inch . . .

Any time Sir.

here is one more!

Selectel NOC, Russia
95.213.128.0 - 95.213.255.255
95.213.128.0/17

New one for me.

Used by ELVSOFT SRL and maintained by LEASEWEB

46.102.240.0 - 46.102.243.255
46.102.240.0/21

Cloudevelops.com
185.120.68.0 - 185.120.71.255
185.120.68.0/22

FYI - Ant.com uses these ranges

CloudVsp.Inc(China)
120.132.32.0 - 120.132.95.255
120.132.32.0/19

firstvds.ru(Russian VDS)
62.109.0.0 - 62.109.7.255
62.109.0.0/21

@blend27

The cloudvsp.com needs another CIDR:
120.132.32.0 - 120.132.95.255
120.132.32.0/19
120.132.64.0/19

That firstvds.ru range is actually a bit larger:
62.109.0.0 - 62.109.15.255
62.109.0.0/20
more...
82.146.32.0 - 82.146.63.255
82.146.32.0/19
92.63.96.0 - 92.63.103.255
92.63.96.0/21
188.120.224.0 - 188.120.255.255
188.120.224.0/19

cloudscale.ch
5.102.144.0 - 5.102.151.255
5.102.144.0/21

185.79.232.0 - 185.79.235.255
185.79.232.0/22

185.98.120.0 - 185.98.123.255
185.98.120.0/22

americanis.net

69.165.48.0 - 69.165.63.255
69.165.48.0/20

173.213.240.0 - 173.213.255.255
173.213.240.0/20

204.68.96.0 - 204.68.127.255
204.68.96.0/19

206.71.160.0 - 206.71.191.255
206.71.160.0/19

206.251.224.0 - 206.251.255.255
206.251.224.0/19

207.158.0.0 - 207.158.63.255
207.158.0.0/18

209.112.240.0 - 209.112.255.255
209.112.240.0/20

209.216.192.0 - 209.216.255.255
209.216.192.0/18

dravanet.hu
109.61.0.0 - 109.61.127.255
109.61.0.0/17