New on LowEndTalk? Please Register and read our Community Rules.
Project HCRL
TehEnforce
Member
Project Hosters CIDR Range List (HCRL)
Like the name suggests, Project HCRL is a project that is looking to provide users with a big list of CIDR ranges used by hosters. This is very useful for various reasons, such as being a hoster yourself: being able to use the list to deny customers that use a VPS as a VPN, without having to check all user IPs manually! Wonderful, right? Without paying a single penny for the list. No query limits etc. 100% free! But a list like this is hard to maintain. We need people to help fill the list with CIDR ranges from hosters and maintain the list.
https://github.com/TehEnforce/HCRL
Comments
Awesome! Now we can go and bruteforce SSH passwords on all a provider's ranges.
You should also request permission before adding provider ranges.
/sarcasm
Congrats on the terrible idea though.
Oh no! Domain Registrars are evil! Making those WHOIS details public! Spammers be able to call ya number and spam ya email! Oh no. Not to start about ARIN!!!
No, but let's face it. Even without the list it would be child's play for spammers to collect providers' ranges. This list is just for the average website/forum/host/etc. owner that does not wish ColoCrossing or whatever provider's VPNs crossing by.
Completely different.
Also, FYI, you might as well just block all ranges except for residential.
Well, as far as I know ARIN puts providers' CIDR ranges public. So just the same.
The problem with that would be that I don't know every residential ISP's CIDR range. Even if people from LET knew a lot, it would be massive trouble if there is at least 1 residential CIDR range that's not whitelisted.
The list is open-source, but the project won't be I suppose?
BlockScript already does this very well.
The list is the project so it will be open-source indeed :P
Looks impressive, but sadly it's not free and closed-source IIRC.
Update:
Pushed update 05 out.
128 CIDR Ranges have been added and 15 Autonomous Systems have been added.
Still working on the ChicagoVPS ranges. Halfway through. They have A LOT of ranges.
Planned to push out updates weekly.
This is excellent. Fraudsters would never be smart enough to use residential IPs as a proxy (zombie computers, open wifis, and mobile internet are myths), nor would a legitimate customer ordering from the office ever be on an IP that isn't residential or business. No business has ever set up a VPN within their server housing data center. Additionally, not a single non-hosting business has its own ASN, which I'm sure you'd be able to identify.
Sigh.
The complete level of ecommerce amateurism prevalent with many actors in web hosting is probably holding them or the industry back.
Have fun shooting yourself in the foot. Anyone using this might reduce fraud, but at the cost of legitimate customers.
Oh, I see. So the actual service implementation is not included in the project. "No query limit" part got me confused there.
The actual service implementation is not included indeed. It would be pretty simple though to import the list into iptables or .htaccess; I might make a tutorial later on.
Why do you think a fraudster would even use a VPN... To avoid the blacklists, you know. If the fraudster did the fraud on his residential IP, his own IP would be blacklisted.
I don't think many users here order LEBs during work, taking the risk of getting caught and fired. Also it's on the residential CIDR or on the residential CIDR. There are no people ordering from the office from NASA IPs, you silly.
That's right. No business ever sets up a VPN with their server housing data center, because that would be just plain stupid. They use a VPN to access their IN-HOUSE network. There are many reasons why, such as privacy.
I'm pretty sure a business buys a business line from the local residential ISP that offers business plans. They would be identified that way.
Anyway. Go tell any host how stupid they are by using a blacklist of VPNs. I'm sure they would all tell you the same answer.
As a quick example, the company I work for uses a VPN to connect to the datacentre we use and then to the outside world. It's not in LE* range so it probably will not get blocked, however there are probably more, maybe tons more out there operating the same way.
Although I like the idea, I don't see any good usage for it, apart from bothering your visitors by blocking them (by accident).
Hmm, yeah. Maybe you and the rest are right. Maybe I should not spend my time creating this list for others. I just thought it would be useful for forum owners, as I am one myself and I had a really big problem with banned people using VPNs from LE* ranges to just wreck the forum. I made this list to prevent other forum owners having to deal with all this stuff. Also I thought it would be a great alternative to MaxMind minFraud: a free alternative for the startups who can't afford such services. But yeah.
There is a saying around here, if you can't pay for your services you shouldn't be running a host.
There are categories of fraudsters. The ones using VPNs are the easiest to catch. The good ones use residential IPs, business IPs, mobile internet IPs, public wifis, et cetera.
It's a good initiative to collect these IP ranges, though. It's been done before, but not as a free service, AFAIK. With manual review, it definitely might help cut down on simplistic fraud.
But you're only taking into account the LET community ordering LEBs from LET hosts.
It's quite brave to say no one from NASA would order from work. I see orders from offices all the time across various industries. People do more and more online shopping from work.
Sadly, I have seen it all too often. How some people get hired as IT Managers is a mystery.
If you are basing your anti-fraud tool on all users and all customers not being "plain stupid", you're in for a surprise.
There are several ASNs that belong to companies, that they use for their office space. Here is one, for example. All employees at Novartis Pharma AG in Switzerland browse the internet from the office through their own network. I have seen surprisingly small companies do the same.
So you'll have to identify these networks, unless you want your tool to block employees from - in this case - a pharmaceutical company where salaries and disposable incomes tend to be quite high. Perhaps an unlikely LET customer, so maybe you can afford to blanket-blacklist companies with their own ASN. It's usually the merchant that makes that decision, though.
Blacklisting what you perceive to be VPN is stupid, because you're not accounting for all the possible parameters.
Manually reviewing orders which you deem to be VPNs is a good idea, though.
Blacklisting customers, where the order looks otherwise fine, based on a list provided by a third party is quite possibly moronic.
Again - it's a good initiative but you have to take it for what it is: a very, very rough indication to be used as a part in a larger decision-making process.
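As an added example that is not part of this thread or of the HCRL repository, the following script shows how a forum or host could import such a list the way the OP suggests (rendering it as .htaccess rules) and, following the closing advice, treat a hit as one review signal in a larger decision rather than a hard block. The one-network-per-line file format, the sample entries and the risk weight are assumptions, not the project's actual format or data.

```python
import ipaddress

# Constructed sample in an assumed list format (one network per line, '#' comments).
# These are documentation prefixes, not real hoster ranges and not HCRL data.
SAMPLE_LIST = """
# constructed entries only
192.0.2.0/24
198.51.100.0/25
198.51.100.128/25   # adjacent to the block above; should merge into one /24
203.0.113.0/24
not-a-cidr          # malformed line: a community-maintained list will have these
2001:db8::/32
"""

def load_ranges(text):
    """Parse a CIDR list, skip malformed lines, collapse adjacent/overlapping networks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one bad line must not abort the whole import
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses cannot mix address families, so collapse each separately
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def matching_range(ip, ranges):
    """Return the listed network that contains ip, or None when it is not listed."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in ranges if addr in n), None)

def score_order(ip, ranges, base_risk=0, hit_weight=40):
    """Use a hoster-range hit as one weighted signal: queue for manual review, do not reject."""
    hit = matching_range(ip, ranges)
    risk = base_risk + (hit_weight if hit else 0)
    action = "review" if risk >= 40 else "accept"
    return {"ip": ip, "hoster_range": str(hit) if hit else None, "risk": risk, "action": action}

def htaccess_rules(ranges):
    """Render the collapsed list as an Apache 2.4 <RequireAll> block (list of lines)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += ["    Require not ip " + str(n) for n in ranges]
    return lines + ["</RequireAll>"]
```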