Project HCRL

TehEnforce

Project Hosters CIDR Range List (HCRL)

Like the name suggests. Project HCRL is a project that is looking to provide users with a big list fo CIDR Ranges used by hosters. This is very useful for various reasons such as being a hoster self. Able to use the list to deny customers that use a VPS to VPN. Without having to check manually all user IP's! Wonderful right! Without paying a single penny for the list. No query limits etc. 100% free! But. A list like this is hard to maintain. We need people to help fill the list with CIDR ranges from hosters and maintain the list.

https://github.com/TehEnforce/HCRL

0xdragon

Awesome! Now we can go and bruteforce SSH passwords on all a provider's ranges.

You should also request permission before adding provider ranges.

/sarcasm

Congrats on the terrible idea though.

TehEnforce

@0xdragon said:
Awesome! Now we can go and bruteforce SSH passwords on all a provider's ranges.

/sarcasm

Congrats on the terrible idea though.

Oh no! Domain Registrars are evil! Making those WHOIS details public! Spammers be able to call ya number and spam ya email! Oh no. Not to start about ARIN!!!

No but lets face it. Even without the list it would be childs play for spammers to collect provider's ranges. This list is just for the average website/forum/host/etc. owner that does not wish ColoCrossing or whatever provider VPN's crossing by.

0xdragon

@TehEnforce said:
Oh no! Domain Registrars are evil! Making those WHOIS details public! Spammers be able to call ya number and spam ya email! Oh no. Not to start about ARIN!!!

No but lets face it. Even without the list it would be childs play for spammers to collect provider's ranges. This list is just for the average website/forum/host/etc. owner that does not wish ColoCrossing or whatever provider VPN's crossing by.

Completely different.

Also, FYI, you might as well just block all ranges except for residential.

TehEnforce

@0xdragon said:
Also, FYI, you might as well just block all ranges except for residential.

Well as far as I know ARIN puts CIDR ranges public from providers. So just the same.

Problem would be with that I don't know every residential ISP their CIDR range. Even if people from LET knew alot it would be massive trouble if there is atleast 1 residential CIDR range thats not whitelisted.

vedran

The list is open-source, but the project won't be I suppose?

jh

BlockScript already does this very well.

TehEnforce

@vedran said:
The list is open-source, but the project won't be I suppose?

The list is the project so it will be open-source indeed :P

@jhadley said:
BlockScript already does this very well.

Looks impressive but sadly its not free and closed-source IIRC

Update:

Pushed update 05 out.

128 CIDR Ranges have been added and 15 Autonomous Systems have been added.
Still working on the ChicagoVPS ranges. Halfway though. They have ALOT of ranges.

Planned to push out updates weekly.

MrX

said: Able to use the list to deny customers that use a VPS to VPN.

This is excellent. Fraudsters would never be smart enough to use residential IPs as a proxy (zombie computers, open wifis, and mobile internet are myths), nor would a legitimate customer ordering from the office ever be on an IP that isn't residential or business. No business has ever set up a VPN within their server housing data center. Additionally, not a single non-hosting business has its own ASN, which I'm sure you'd be able to identify.

Sigh.

The complete level of ecommerce amateurism prevalent with many actors in the in web hosting is probably holding them or the industry back.

Have fun shooting yourself in the foot. Anyone using this might reduce fraud, but at the cost of legitimate customers.

vedran

TehEnforce said: The list is the project so it will be open-source indeed :P

Oh, I see. So the actual service implementation is not included in the project. "No query limit" part got me confused there.

TehEnforce

@vedran said:
Oh, I see. So the actual service implementation is not included in the project. "No query limit" part got me confused there.

The actual service implemtation is not included indeed. Would be pretty simple tho to import the list in IPTables or .htaccess might make a tutorial later on.

MrX said: Fraudsters would never be smart enough to use residential IPs as a proxy (zombie computers, open wifis, and mobile internet are myths)

Why do you think an fraudster would even use a VPN... To avoid the blacklists you know. If the fraudster did the fraud on his residential IP his own IP would be blacklisted.

MrX said: nor would a legitimate customer ordering from the office ever be on an IP that isn't residential or business.

I don't think many users here order LEB's during work. Taking the risk to get caught and fired. Also its on the residential CIDR or on the residential CIDR. There are no people ordering from the office from NASA IP's you silly

MrX said: No business has ever set up a VPN within their server housing data center.

Thats right. No business ever setups up a VPN with their server housing data center because that would be just plain stupid. They use a VPN to access their INHOUSE network . There are many reasons why such as privacy.

MrX said: Additionally, not a single non-hosting business has its own ASN, which I'm sure you'd be able to identify.

Im pretty sure a business buys an business line from the local residential ISP that offers business plans. They would be identified that way.

Anyway. Go tell any host how stupid they are by using a blacklist of VPN's. Im sure they would tell you all the same anser.

xDutchy

TehEnforce said: I don't think many users here order LEB's during work. Taking the risk to get caught and fired. Also its on the residential CIDR or on the residential CIDR. There are no people ordering from the office from NASA IP's you silly

As a quick example, the company I work for uses a VPN to connect to the datacentre we use and then to the outside world. It's not in LE* range so it probably will not get blocked, however there are probably more, maybe tons more out there operating the same way.

Although I like the idea, I dont see any good usage for it, a part from bothering your visitors by blocking them (by accident).

TehEnforce

@xDutchy said:
Although I like the idea, I dont see any good usage for it, a part from bothering your visitors by blocking them (by accident).

Hmm yeah. Maybe you and the rest are right. Maybe I should not spend my time creating this list for others. I just though it would be useful for forum owners as I am myself one and I had a real big problem with banned people using VPN's from LE* ranges to just wreck the forum. Made this list to prevent other forum owners having to deal with all this stuff. Also I though it would be a great alternative of MaxMind MinFraud. A free alternative for the startups. Who can't afford such services. But yeah.

matthewvz

TehEnforce said: A free alternative for the startups. Who can't afford such services.

There is a saying around here, if you can't pay for your services you shouldn't be running a host.

MrX

TehEnforce said: Why do you think an fraudster would even use a VPN... To avoid the blacklists you know. If the fraudster did the fraud on his residential IP his own IP would be blacklisted.

There are categories of fraudsters. The ones using VPNs are the easiest to catch. The good ones use residential IPs, business IPs, mobile internet IPs, public wifis, et cetera.

It's a good initiative to collect these IP ranges, though. It's been done before, but not as a free service, AFAIK. With manual review, it definitely might help cut down on simplistic fraud.

TehEnforce said: I don't think many users here order LEB's during work. Taking the risk to get caught and fired. Also its on the residential CIDR or on the residential CIDR. There are no people ordering from the office from NASA IP's you silly

But you're only taking into account the LET community ordering LEBs from LET hosts.

It's quite brave to say no one from NASA would order from work. I see orders from offices all the time across various industries. People do more and more online shopping from work.

TehEnforce said: Thats right. No business ever setups up a VPN with their server housing data center because that would be just plain stupid. They use a VPN to access their INHOUSE network . There are many reasons why such as privacy.

Sadly, I have seen it all too often. How some people get hired as IT Managers is a mystery.

If you are basing your anti-fraud tool on all users and all customers not being "plain stupid", you're in for a surprise.

TehEnforce said: Im pretty sure a business buys an business line from the local residential ISP that offers business plans. They would be identified that way.

There are several ASNs that belong to companies, that they use for their office space. Here is one, for example. All employees at Novartis Pharma AG in Switzerland browse the internet from the office through their own network. I have seen surprisingly small companies do the same.

So you'll have to identify these networks, unless you want your tool to block employees from - in this case - a pharmaceutical company where salaries and disposable incomes tend to be quite high. Perhaps an unlikely LET customer, so maybe you can afford to blanket-blacklist companies with their own ASN. It's usually the merchant that makes that decision, though.

TehEnforce said: Anyway. Go tell any host how stupid they are by using a blacklist of VPN's. Im sure they would tell you all the same anser.

Blacklisting what you perceive to be VPN is stupid, because you're not accounting for all the possible parameters.

Manually reviewing orders which you deem to be VPNs is a good idea, though.

Blacklisting customers, where the order looks otherwise fine, based on a list provided by a third party is quite possibly moronic.

Again - it's a good initiative but you have to take it for what it is: a very, very rough indication to be used as a part in a larger decision-making process.