yungman said:
So this is common?
Yes, it is not uncommon.
Some organizations are vigilant about this and will attempt to make contact and report the IP addresses associated with malicious activity back to the owners of the address space (e.g. via email to abuse@ownerorg.com). As the registered POC for a class B netblock, I would receive those emails from time to time. My hat is off to the folks generating those notices. Generally speaking, they provided source IPs, time stamps, log files and a general characterization of the attacks.
Other organizations will simply chuck the IP address (or the owner ASN) on some flavor of IP blacklist and consider the job done. My organization fell into that camp. We had a good number of blacklisted ASNs along with a few blacklisted IP ranges. From time to time, I would need to update whitelists to make exceptions within blacklisted ranges. [Customers get upset when they cannot visit our web sites or send us email].
[An ASN (Autonomous System Number) is a number associated with an organization that connects to the BGP routing backbone for the public Internet. As an ordinary customer of an ISP, you would not have an assigned ASN. Your ISP would probably have an ASN. Your VPN provider would have a different ASN.]
I was on the routing and switching side of things. Our primary goal was to blacklist IP ranges from which huge attack volumes were emanating. The security guys had trouble keeping their firewalls up under the resulting load. So we took care of the bulk of the attack volume for them. We used blackhole routes and an RPF check -- that sort of thing is easy for a router but hard for a firewall.
As I said, I wore a routing hat. Our security guys certainly had the ability to subscribe to an IP block service. But since I was not directly involved, I have no good idea about how widely deployed such services are. For instance, the Imperva WAF (Web Access Filter) documents their capability. We ran a WAF, among other components, but I do not think we subscribed to an IP block list.
Getting yourself off of an IP blacklist can be a time consuming and thankless task. The hardest part is finding someone who cares enough to try to help. Then you have to pray that they can navigate their way to someone who has the ability to help. The level of individual and organizational competence that you encounter can sometimes be mind boggling. Often our security guys would need to skip all that and handle it from our end, switching to a different egress IP (we ran Cisco WCCP and transparent proxies for outbound traffic) or getting us router guys to use traffic engineering to a different egress point of presence entirely.
Some target web sites (mostly military) are opt-in. You have to register your IP in order to gain access. This can be troublesome when your egress IP can dynamically change due to the use of VPN, outbound transparent proxy or an ISP that does not provide their customers with long term stable IP addresses. [My company's egress IPs were short term stable (days or weeks) but not long term stable (months or years).]
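The two mechanisms the post describes, aggregating attack volume by source range so the noisiest ranges can be null-routed, and a blacklist of ASNs and IP ranges with whitelist carve-outs for customers inside those ranges, can be modelled in a few dozen lines. The following is an added example and not code from the original poster or from any product named above; the ASN-to-prefix table, the log lines and the policy values are all constructed sample data, and in a real deployment the prefixes would come from BGP or RIR data and the resulting drop list would be pushed to the routers as blackhole routes.

```python
"""Constructed example: block by ASN/range with whitelist exceptions,
plus a log aggregator that proposes ranges to blackhole by volume."""
import ipaddress
from collections import Counter

# Constructed sample mapping of ASN -> prefixes it originates.
# A real deployment would populate this from BGP/RIR data.
ASN_PREFIXES = {
    64496: ["198.51.100.0/24", "203.0.113.0/24"],
    64497: ["192.0.2.0/24"],
}


class EgressPolicy:
    """Blacklisted ASNs and ranges, with whitelist carve-outs that win.

    This mirrors the router-side policy in the post: blocked ranges are
    dropped wholesale, but specific customer addresses inside a blocked
    range are exempted so that mail and web traffic still gets through.
    """

    def __init__(self, blocked_asns, blocked_ranges, whitelist,
                 asn_prefixes=ASN_PREFIXES):
        # Expand each blocked ASN into the prefixes it originates.
        self.block = [ipaddress.ip_network(p)
                      for asn in blocked_asns
                      for p in asn_prefixes.get(asn, [])]
        # Add manually blocked ranges that are not tied to an ASN.
        self.block += [ipaddress.ip_network(p) for p in blocked_ranges]
        self.allow = [ipaddress.ip_network(p) for p in whitelist]

    def decision(self, ip):
        addr = ipaddress.ip_address(ip)
        # Whitelist exceptions are checked first so they override blocks.
        if any(addr in net for net in self.allow):
            return "allow"
        # Anything in a blocked prefix would be sent to a blackhole route.
        if any(addr in net for net in self.block):
            return "drop"
        return "allow"


def aggregate_sources(log_lines, prefixlen=24):
    """Count denied hits per /prefixlen from 'timestamp src_ip action' lines.

    Lines that do not parse as an address are skipped rather than
    aborting the whole run, since real logs contain junk lines.
    """
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or parts[2] != "DENY":
            continue
        try:
            addr = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def propose_blocks(counts, threshold):
    """Return the ranges whose hit count reaches the threshold."""
    return sorted(net for net, n in counts.items() if n >= threshold)


# Constructed sample log lines (timestamp, source IP, firewall action).
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z 203.0.113.10 DENY",
    "2024-01-01T00:00:02Z 203.0.113.11 DENY",
    "2024-01-01T00:00:02Z 203.0.113.12 DENY",
    "2024-01-01T00:00:03Z 203.0.113.13 DENY",
    "2024-01-01T00:00:03Z 203.0.113.14 DENY",
    "2024-01-01T00:00:04Z 192.0.2.5 DENY",
    "2024-01-01T00:00:05Z 198.51.100.9 PERMIT",
    "this line is garbage and should be skipped",
]


if __name__ == "__main__":
    counts = aggregate_sources(SAMPLE_LOG)
    print("proposed blackhole ranges:", propose_blocks(counts, threshold=3))
    policy = EgressPolicy(blocked_asns={64496},
                          blocked_ranges=["100.64.0.0/16"],
                          whitelist=["198.51.100.0/28", "100.64.1.7/32"])
    for ip in ["198.51.100.5", "198.51.100.200", "203.0.113.1",
               "192.0.2.1", "100.64.3.3", "100.64.1.7"]:
        print(ip, "->", policy.decision(ip))
```

The threshold in `propose_blocks` is the knob that separates "a few scans" from "volume the firewalls cannot keep up with"; the output is a candidate list for a human to review before it becomes a blackhole route, since the same /24 may contain a customer who then needs a whitelist entry.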