IP Block Lists

There are many ways to protect your network.  One of the many ways EITS works to protect their clients is with a “honey pot” the unsuspecting hacker or hacker bot finds.  They or their mechanisms try to hack any number of services (mail, ftp, ssh, etc) which we detect then block.  That block action is added to a number of master lists we then share online through our blog Whackers For Hackers.

I’m opinionated about tech and one of the most irritating things about tech today is the lack of understanding about the history of tech and how things were built to work like “whois” abuse information!  I’ll get to this but first an example.  Email!  Email was originally meant to deliver electronic text based messages (like texting on a cell phone which is actually a rudimentary email system, that too has “evolved”).  For about 20 years email was used to communicate in text format, it’s what it was designed to do but then we added HTML, attachments but watch out how BIG your attachments are or else(!)…embedded content and then the marketing folks got a hold of it…then the hackers and spammers came to exploit it…oh my!  All that is here today (you can still send plain text emails!) with the phishing problems and spear phishing issues and and and and…the list goes on.  Do you think the “Can SPAM Act” of 2003 did anything to curtail the SPAM and phishing problems?  Nope, they’re here more than ever today and large companies including Google have fallen victim to email scams…the CEO and co-founder of FaceBook (another evil company) was exploited and had several accounts hacked via email and email password resets (LULZ)!  The tech history speaks for itself…and it gets awfully dirty if you want to look at the real dirty ugly history of IBM…but we won’t go there (you can with that link).  The original intent of a system evolves and is eventually exploited.  Think about other systems that have been invented for good productive purposes that are then turned into evil systems that exploit you, your company, institutions, the planet…it goes on and on.

Telephones (marketing calls, scammers)

Faxing (marketing and junk faxing)

Internet Web Browsing (marketing & trackers, click hijacking, annoying advertising, trolls, etc)

Email (spammers, phishing, marketing, click tracking, URL hijacking)

…and more

What are we to do?  Reigning in my unfocused thought stream and getting us back to IPBL’s…because it’s so easy to get off topic when talking about IT security…for the time being the “answer” is that we’ve got to build better walls UNTIL the Government (unfortunately) or a consortium of ISP’s or big players like Google, Amazon, Microsoft (although they’re the problem profiting by the hacker culture) do something about the abuse and create financial pain for the abuse these organizations let happen.  Yes, I will defend this opinion…like LINODE who knowingly hosts malware, viruses, spyware and profits from it or OVH who publicly condemns crypto’s yet to this day hosts one on a node on their network (that we include in our botnet block)…the list goes on.  Try getting Amazon to unblock a hacked host.  Technically I submit so many abuse@ emails to them I should file a W2 and be on the payroll because I do their security departments job for them…they should be embarrassed.  I block half of Amazon’s network because of the abuse…the other half I have to tolerate an individual IP block…again, I’m getting off topic and ranting but that’s OK!  Back to it…reign it in!

EITS has built one IPBL among many IPBL’s online.  We’ve got our Whackers For Hackers IPBL but we’ve also got several other weapons in the arsenal to protect the perimeter of your network.

Our buffet of protection includes:

* A list that aggregates over 250 IPBL’s into 4 major IPBL categories of varying degree not publicly shared except on our FireWalls and by subscribing managed FireWall clients.  These update up to 1 hour intervals (default is every 2 hours).

* Our W4H IPBL that aggregates a number of BL’s based on criteria (brute force, bogus email TLD’s, email hackers, comment spammers, etc) we determine and that are caught by your honey pots.  There are 7 types and 1 is a TOR exit node block (8 lists in total).

* DNSbl’s that block based on domain name and not IP address, this allows us to block click trackers, hijackers, TLD’s and advertisers who continually change the IP addresses they’re from but typically not their domain names…or anything we want to block based on a TLD which is how the Internet works.  This also blocks “malvertising” now prevalent on the afore mentioned evil empires of Google, Amazon, Microsoft and FaceBook…among others.  You block ads you block malvertising!

* Finally, IDS or Intrusion Detection System.  We currently use a product called SNORT which was bought by CISCO a while back.  As long as they keep it Open Source we’ll continue using it.  You can pay for “zero day” signatures but generally speaking the exploits are out BEFORE anyone knows about them so nothing is “zero day”.  It’s a zero day from when they detect or know about the exploit…again, sometimes it’s months before anyone knows about an exploit.  If you’re in IT and know anything about IT security at a minimum you know attacks come from certain countries or networks online.  IDS is actually a secondary or tertiary defensive mechanism and works differently than an IPBL.  They work on “signatures” much like antivirus to detect a pattern and they look at the packet data.  It’s much smarter than an IPBL.

Because of the technical lag of when something is actually exploited by the hacker to when the exploit comes to light by anyone like a vendor, security group, or government, etc and a patch is issued by said parties…a holistic approach to IT security is what’s needed.  A holistic approach in my view is the building of each “brick” in the wall among many other bricks beyond the edge (firewall) working in tandem doing different jobs.  The sum of the parts is what secures infrastructure and one thing isn’t more important than any other.  Each of the mechanisms need to work as a team on the firewall (and beyond) to put up a good defensive wall against malicious attacks.  Quite often this deterrence is more like a mote with alligators in it, then there’s the barbed wire or archers, if you make it past that now you’ve got to scale a 50′ wall while we’re dumping boiling tar onto your head…enough to make anyone go away for sure.

I never spoke to the whois lookup issue and why whois lookups are irritating sometimes.  Mostly; although there are many criticisms, it’s because the companies who give you the “OrgAbuseHandle” are supposed to put an ACTUAL REAL EMAIL ADDRESS you can email and report abuse.  Some people are getting clever about their whois and:

* Don’t monitor that abuse@ inbox

* Have a non-working abuse@ inbox or it’s not an “abuse@” it’s something obscure

* Redirect you to a website to fill out a web form (Virgin Mobile does that and it’s irritating, they should have their hand slapped!)

* Companies like QuadraNet who don’t care about systems security (more blatantly than GoDaddy, Microsoft, Amazon, etc)

* Companies with conflicts of interest like EIG, the publicly traded only interested in corporate profits rather than systems security scamming users into worthless security products from companies they own!  Thanks BlueHost and HostGator!

…and the list drones on!

By flat out ignoring the designed process (to come full circle) of a whois lookup where an abuse email SHOULD be listed, MONITORED and WORKING…or circumventing this process with a web form causing me to do extra work they’ve actually BROKEN the process.  It’s no wonder the hackers are winning because nobody is using the working standard to report abuse, nobody is monitoring their network to prevent the abuse in the first place relying on people like me and Whackers For Hackers to do their jobs for them or they’re trying to exploit their existing customers like EIG so they can funnel them into a new company under their umbrella to protect their customers and “monitor” their websites with “sitelock”…ugh, the EIG thing is an absolute extortion enterprise…but NOBODY is doing anything about it.

Until there is actual government enforcement of reporting, punishing and adherence to standard reporting mechanisms the Internet will remain broken with respect to ISP’s (the “on ramps of the Internet”) or hosting companies.  There is a massive conflict of interest to not crack down on security, keep networks clean and curb hacker activity because companies profit in massive ways thanks to pretending to not know they’re hosting the activity or flat out knowingly profit by the activity.  Companies looking to defend against attacks will continue building bigger walls, deeper motes, more prickly barbed wire, feed the alligators, get AI to try and fix it (and it’ll likely fail because we’ll make a hacker AI to thwart the good AI) and we’ll just continue to fight and struggle with Internet security.  The government trying to tamper down on encryption technologies or build in back doors to encryption doesn’t help either.  What should be done is enforcement of clean networks, active monitoring, cracking down on companies or users who host malicious data with increasingly higher financial penalties, ISP’s cutting the on ramps to the Internet off from bad actors or throttling those connections until they’re “good” and physically punish private enterprise with financial and throughput fines (including individuals!).  This can’t happen until ISP’s and companies are responsible, and they won’t be unless forced to be because IT security from hosting companies and ISP’s perspective doesn’t “make money” it costs money.  With the exception of EIG (who’s a scam artist of the 10th degree) nobody is securing anything except those who need to be defensive.

This blog is particularly lengthy, unfocused and bounces around however…it needs to be said.  I’m not certain how it could be said any differently unless I wrote a book and broke things into chapters :).  IT security is now an industry like it has never been before.  It’s kind of a disgusting industry in many ways actually but that’s an opinion for another post some day.

If you’re having security problems we can help!  We can look at your existing infrastructure and figure out how to integrate various technologies into your IT security stack or migrate your existing stack (no matter how large or small) into any number of mechanisms to thoroughly protect your infrastructure!


Comments or questions are welcome.

* indicates required field

Leave a Reply

Your email address will not be published. Required fields are marked *