# Various netblocks which appear to believe there is such a thing as
# (to quote one netblock's data) "scanning for LEGIT purposes".
#
# At least some of these appear to also fall into the "please volunteer
# _your_ resources to improve _our_ commercial offerings" bucket too.
#
# RIPE networks NET-3-163, 89.248.163.0/24 (but for some reason broken
# into two /25s in RIPE's database), and NET-2-165, 89.248.165.0/24.
89.248.163.0/24
89.248.165.0/24
# RIPE netblocks
# INTERNETMEASUREMENT-A (193.163.125.0/25)
# INTERNETMEASUREMENT-B (193.163.125.128/25)
# INTERNETMEASUREMENT-C (87.236.176.0/25)
# INTERNETMEASUREMENT-D (87.236.176.128/25)
87.236.176.0/24
193.163.125.0/24
# ARIN netblock ACDRESEARCH, 104.156.155.0/24.
104.156.155.0/24
# RIPE netblock CH-KS-INNOVATION.
185.35.62.0/23
# RIPE netblock INTERNET-RESEARCH-NET
45.83.64.0/22
# ARIN netblocks (all called CENSY!).
162.142.125.0/24
167.94.138.0/24
167.248.133.0/24
199.45.154.0/23
206.168.32.0/22
# ARIN netblock ARBORN, NET-146-88-240-0-1. They replied to my
# question, making it clear they consider what they're doing
# acceptable. They even have the gall to offer an opt-out, apparently
# thinking it reasonable for victims to have to ask in order to be
# exempted from their abuse attempts.
146.88.240.0/20
# ARIN netblock 67.21.36.0/24, NET-67-21-36-0-1 (RGnet) and
# NET-67-21-36-0-2 (UCBerkeley). Both RGnet and UCB replied and
# consider the behaviour acceptable, inviting me to opt out. As if
# victims ever should have to ask to not be abused.
67.21.36.0/24
# shadowserver.org
184.105.139.64/26
184.105.247.192/26
216.218.206.64/26
74.82.47.0/26
65.49.20.64/26
64.62.197.0/24
65.49.1.0/24
64.62.156.0/24
# internet-census.org
45.156.129.0/24
109.105.210.0/24
# Blocks which appear to be "please volunteer your resources to improve
# our commercial offerings" outfits.
#
# crawler%03d.deepfield.net, apparently a branch of Nokia.
104.234.115.0/24
# RIPE netblock HETZNER-fsn1-dc10, 144.76.32.128/27. They host
# 144.76.32.151, which reverses to
# discovery-crawler11.blex.seranking.com, which doesn't crosscheck.
# I asked Hetzner what other addresses this customer had with them;
# they were unwilling to say, passing my message to their customer,
# who also were apparently unwilling to say, expecting those who don't
# want to have their resources leeched to opt out. As far as I can
# tell seranking.com doesn't publish a list of their probe-from
# addresses.
144.76.32.128/27
#
# RIPE network CY-STARCRECIUM, which has 9 addresses which tripped my
# address range scanning border test on 2021-03-02 - and then kept
# pecking away enough to stay in my border blacklist until 2021-03-21,
# a total of some 51 to 52 thousand packets each.
45.146.166.0/23
#
# Digital Ocean, who apparently can't be bothered to staff their abuse
# desk enough to handle the level of abuse they emit. Their abuse@
# autoresponse says abuse@ mail is "processed with automated tooling
# due to the high volume of abuse submissions [they] receive". They
# demand X-ARF, "tools such as fail2ban", or jumping through some
# Webpage hoop. If they can't be bothered to either keep a lid on the
# abuse they emit or staff their abuse desk enough to handle the
# resulting complaints, I have negative interest in accepting their
# traffic.
#
# They also host numerous *.internet-measurement.com hosts, one of the
# "please volunteer _your_ resources to improve _our_ commercial
# offerings" outfits.
#
64.227.0.0/17
64.227.128.0/18
146.190.0.0/16
128.199.0.0/16
107.170.0.0/16
162.243.0.0/16
45.55.0.0/16
157.245.0.0/16
159.65.0.0/16
185.247.137.0/25
#
# An ovh.net range. Their abuse address autoresponse had no
# Message-ID, Content-Type: multipart/mixed, and
# Content-Transfer-Encoding: base64. It also says that the
# information I provided "does not allow [them] to identify the
# customer or service corresponding to [my] report"; if they can't
# look up a customer that's been sending me multiple packets per day
# for months by IP, they're too incompetent or too lazy to do their
# job. Either way, buh-bye.
51.89.0.0/16
# Netblocks hosting *.probe.onyphe.net hosts, which have been, well,
# probing my infrastructure. Onyphe has a list of network ranges, but
# they rather obnoxiously hide it behind HTTPS. This list was fetched
# with the help of a work machine.
137.74.181.240/28
139.99.35.32/28
149.202.99.192/28
15.204.37.16/28
15.204.37.80/28
15.235.189.144/28
178.32.72.208/28
195.184.76.0/24
213.32.32.80/28
45.43.33.210/32
45.43.33.218/32
5.135.58.192/28
5.196.200.240/28
51.178.236.240/28
51.254.49.96/28
51.81.144.32/28
51.81.181.160/28
51.81.215.64/28
51.91.174.240/28
79.137.65.46/32
91.134.185.80/28
91.196.152.0/24
94.23.117.80/28
# Their list, claimed to be complete (see the RIPE record for
# 195.184.76.0/24), isn't. I've also seen attempts from:
149.202.132.192/28