Shadiest Web Hosts?

Kobe

What are the shadiest networks that I should block on all my networks? I want to do a blanket ban on all hosts that knowingly host malicious applications and controllers.

So far my list is Ecatel, Ubiquity, 2x4 and removed.

Kind of on the fence about [Redacted], awesome provider that I use but often used by skiddies for their public VPN nodes. Same goes for HostSailor.

jar

Don't forget Ecatel is now Quasi Networks. So make sure you get all of those ranges

GCat

Well, since we're listing...

1. Retrosnub ( http//www.retrosnub.co.uk/dedicated )

https//spoofer.caida.org/report.php?sessionid=65855

2. PacketHost( https//www.packet.net/ )

https//spoofer.caida.org/report.php?sessionid=65700

3. SuperHostingCZ ( https//www.superhosting.cz/ )

https//spoofer.caida.org/report.php?sessionid=65431

4. 10Gbps.io (SuperHostingCZ) ( https//10gbps.io/ )

https//spoofer.caida.org/report.php?sessionid=65431

5. Iperweb ( http//iperweb.com/home/ )

https//spoofer.caida.org/report.php?sessionid=65015

6. Prometeus ( http//www.prometeus.net/site/ )

https//spoofer.caida.org/report.php?sessionid=64231

7. HostSailor ( https//hostsailor.com/ )

https//spoofer.caida.org/report.php?sessionid=62294

8. QueryFoundry ( https//queryfoundry.com )

https//spoofer.caida.org/report.php?sessionid=61433

9. ReliableHosting ( https//www.reliablehostingservices.net )

https//spoofer.caida.org/report.php?sessionid=55958

10. IPServerSU ( https//www.ipserver.su/ )

https//spoofer.caida.org/report.php?sessionkey=oope4rtioq1lbl

11. Tele2 ( https//www.tele2.at/business/managed-se...ted-server )

https//spoofer.caida.org/report.php?sessionid=57267

12. FirstHeberg ( https//www.firstheberg.com/ )

https//spoofer.caida.org/report.php?sessionid=56718

13. WOWRack ( http//www.wowrack.com/ )

https//spoofer.caida.org/report.php?sessionid=56632

14. SoftLayer (FR DC) ( http//www.softlayer.com/ )

https//spoofer.caida.org/report.php?sessionid=56565

15. NTX ( http//ntx.ru/ )

https//spoofer.caida.org/report.php?sessionid=56505

16. IOFlood ( http//www.ioflood.com/ )

https//spoofer.caida.org/report.php?sessionid=56417

17. CnServers ( http//billing.cnservers.com/ )

https//spoofer.caida.org/report.php?sessionid=56315

18. Ecatel (QuasiNetworks) ( http//ecatel.co.uk/cdn.php )

https//spoofer.caida.org/report.php?sessionid=56292

19. QuasiNetworks (Ecatel) ( http//quasinetworks.com/ )

https//spoofer.caida.org/report.php?sessionid=56292

20. LibertyVPS (QuasiNetworks)( https//libertyvps.net/ )

https//spoofer.caida.org/report.php?sessionid=56292

21. HostAG ( https//www.host.ag/ )

https//spoofer.caida.org/report.php?sessionid=55167

22. DediDam ( http//dedidam.net )

https//spoofer.caida.org/report.php?sessionid=54872

23. HostHatch ( https//hosthatch.com/ )

https//spoofer.caida.org/report.php?sessionid=56223

24. PrivateLayer ( https//privatelayer.com/ )

https//spoofer.caida.org/report.php?sessionid=56204

25. StepHostMD ( https//stephost.md/ )

https//spoofer.caida.org/report.php?sessionid=62212

26. Verdina ( http//verdina.net/ )

https//spoofer.caida.org/report.php?sessionid=56169

27. Contabo ( https//contabo.de/ )

https//spoofer.caida.org/report.php?sessionid=56082

28. SimplexHosts (Contabo) ( http//simplexhosts.com/)

https//spoofer.caida.org/report.php?sessionid=56082

29. ColoCrossing ( https//www.colocrossing.com/ )

https//spoofer.caida.org/report.php?sessionid=54817

30. NociX (nDeviX) ( https//www.nocix.net/ )

https//spoofer.caida.org/report.php?sessionid=56977

31. WholeSaleInternet (nDeviX) ( https//www.wholesaleinternet.net )

https//spoofer.caida.org/report.php?sessionid=56977

Zeast

There is a lot of no-malicious websites on hostsailor.

Kobe

@Zeast said:
There is a lot of no-malicious websites on hostsailor.

Valid point, I kind of want to add that to HostUS and what not - case by case basis.

busbr

@GCat said:

5. Iperweb ( http//iperweb.com/home/ )

https//spoofer.caida.org/report.php?sessionid=65015

6. Prometeus ( http//www.prometeus.net/site/ )

I thought these guys have a nice reputation on LET. Did anything change?

jar

@GCat I think you might be almost in this territory:

ip route add blackhole 0.0.0.0/0

Zeast

@GCat said:
Well, since we're listing...

Time to buy new spoofed servers for my stresser!!!11one

jk

Kobe

@busbr said:

@GCat said:

5. Iperweb ( http//iperweb.com/home/ )

https//spoofer.caida.org/report.php?sessionid=65015

6. Prometeus ( http//www.prometeus.net/site/ )

I thought these guys have a nice reputation on LET. Did anything change?

Seflow and Prometeus have really stringent abuse policies for sure, but they're used for VPN exit nodes a lot by skiddies. In general, I'd list them as good though.

ricardo

Surely any host of appreciable size is going to end up on one list or another, for an amount of time.

Various shades of grey etc. OVH must seem quite shady by some standards, yet one of the biggest providers on the planet.

MikeA

@ricardo said:
Surely any host of appreciable size is going to end up on one list or another, for an amount of time.

Various shades of grey etc. OVH must seem quite shady by some standards, yet one of the biggest providers on the planet.

Good thing about OVH is that they automatically block IPs that send out attacks from their network, same for mass mail spam.

Domin43

any good script for blocking tons of ip blocks from a list

seriesn

Unless you are running your own switch, all these blocking might have a very bad affect on your box. Then again I might be thinking about something completely different. It is Sunday night after all.

Domin43

@seriesn said:
Unless you running your own switch, all these blocking might have a very bad affect on your box. Then again I might be thinking about something completely different. It is Sunday night after all.

I heard iptables can handle an extreme quantity with no problem or am i hearing things?

Ishaq

@Domin43 said: I heard iptables can handle an extreme quantity with no problem or am i hearing things?

If not OpenVZ, ipset is a good choice.

globalRegisters

Psychz Networks.

Used to get a ton of malicious activity from these guys.
I have been blocking them for a year now.

Ishaq

@globalRegisters said:
Psychz Networks.

Used to get a ton of malicious activity from these guys.
I have been blocking them for a year now.

They've cleaned up their act. We use them.

They don't tolerate anything.

globalRegisters

@Ishaq said:

@globalRegisters said:
Psychz Networks.

Used to get a ton of malicious activity from these guys.
I have been blocking them for a year now.

They've cleaned up their act. We use them.

They don't tolerate anything.

Good to know, thanks!

Zeast

@globalRegisters said:

@Ishaq said:

@globalRegisters said:
Psychz Networks.

Used to get a ton of malicious activity from these guys.
I have been blocking them for a year now.

They've cleaned up their act. We use them.

They don't tolerate anything.

Good to know, thanks!

same, lol

William

Ishaq said: They don't tolerate anything.

Anything not targeted at Asia.

pbgben

@MikeA said:

@ricardo said:
Surely any host of appreciable size is going to end up on one list or another, for an amount of time.

Various shades of grey etc. OVH must seem quite shady by some standards, yet one of the biggest providers on the planet.

Good thing about OVH is that they automatically block IPs that send out attacks from their network, same for mass mail spam.

Yes, this happened again for me yesterday. The spammer got two IP's blocked before the account was disabled.

jh_aurologic

Makes no sense to block them, as they only allow spoofing or dont have some spoofing protection like RPF in place. Spoofing means, that you may receive traffic from their network, but not from prefixes which has been announced by them.

@GCat said:
Well, since we're listing...

1. Retrosnub ( http//www.retrosnub.co.uk/dedicated )

https//spoofer.caida.org/report.php?sessionid=65855

2. PacketHost( https//www.packet.net/ )

https//spoofer.caida.org/report.php?sessionid=65700

3. SuperHostingCZ ( https//www.superhosting.cz/ )

https//spoofer.caida.org/report.php?sessionid=65431

4. 10Gbps.io (SuperHostingCZ) ( https//10gbps.io/ )

https//spoofer.caida.org/report.php?sessionid=65431

5. Iperweb ( http//iperweb.com/home/ )

https//spoofer.caida.org/report.php?sessionid=65015

6. Prometeus ( http//www.prometeus.net/site/ )

https//spoofer.caida.org/report.php?sessionid=64231

7. HostSailor ( https//hostsailor.com/ )

https//spoofer.caida.org/report.php?sessionid=62294

8. QueryFoundry ( https//queryfoundry.com )

https//spoofer.caida.org/report.php?sessionid=61433

9. ReliableHosting ( https//www.reliablehostingservices.net )

https//spoofer.caida.org/report.php?sessionid=55958

10. IPServerSU ( https//www.ipserver.su/ )

https//spoofer.caida.org/report.php?sessionkey=oope4rtioq1lbl

11. Tele2 ( https//www.tele2.at/business/managed-se...ted-server )

https//spoofer.caida.org/report.php?sessionid=57267

12. FirstHeberg ( https//www.firstheberg.com/ )

https//spoofer.caida.org/report.php?sessionid=56718

13. WOWRack ( http//www.wowrack.com/ )

https//spoofer.caida.org/report.php?sessionid=56632

14. SoftLayer (FR DC) ( http//www.softlayer.com/ )

https//spoofer.caida.org/report.php?sessionid=56565

15. NTX ( http//ntx.ru/ )

https//spoofer.caida.org/report.php?sessionid=56505

16. IOFlood ( http//www.ioflood.com/ )

https//spoofer.caida.org/report.php?sessionid=56417

17. CnServers ( http//billing.cnservers.com/ )

https//spoofer.caida.org/report.php?sessionid=56315

18. Ecatel (QuasiNetworks) ( http//ecatel.co.uk/cdn.php )

https//spoofer.caida.org/report.php?sessionid=56292

19. QuasiNetworks (Ecatel) ( http//quasinetworks.com/ )

https//spoofer.caida.org/report.php?sessionid=56292

20. LibertyVPS (QuasiNetworks)( https//libertyvps.net/ )

https//spoofer.caida.org/report.php?sessionid=56292

21. HostAG ( https//www.host.ag/ )

https//spoofer.caida.org/report.php?sessionid=55167

22. DediDam ( http//dedidam.net )

https//spoofer.caida.org/report.php?sessionid=54872

23. HostHatch ( https//hosthatch.com/ )

https//spoofer.caida.org/report.php?sessionid=56223

24. PrivateLayer ( https//privatelayer.com/ )

https//spoofer.caida.org/report.php?sessionid=56204

25. StepHostMD ( https//stephost.md/ )

https//spoofer.caida.org/report.php?sessionid=62212

26. Verdina ( http//verdina.net/ )

https//spoofer.caida.org/report.php?sessionid=56169

27. Contabo ( https//contabo.de/ )

https//spoofer.caida.org/report.php?sessionid=56082

28. SimplexHosts (Contabo) ( http//simplexhosts.com/)

https//spoofer.caida.org/report.php?sessionid=56082

29. ColoCrossing ( https//www.colocrossing.com/ )

https//spoofer.caida.org/report.php?sessionid=54817

30. NociX (nDeviX) ( https//www.nocix.net/ )

https//spoofer.caida.org/report.php?sessionid=56977

31. WholeSaleInternet (nDeviX) ( https//www.wholesaleinternet.net )

https//spoofer.caida.org/report.php?sessionid=56977

doughmanes

GlobalFrag?

joepie91

IP blocking isn't really a reasonable way to deal with abuse. You're going to have a ton of false positives, and still not actually prevent the abuse.

Block the actual abuse itself instead. Plenty of methods for that, and I'll happily make suggestions if you describe a concrete scenario...

Falzo

@Ishaq said:

@Domin43 said: I heard iptables can handle an extreme quantity with no problem or am i hearing things?

If not OpenVZ, ipset is a good choice.

https://github.com/trick77/ipset-blacklist

loot

Well, I also think that some of these have a business strategy that's affiliate-centered and hosting-second, which would explain things.

PrColo

@doughmanes said:
GlobalFrag?

GlobalFrag is quite the headache.

Butters

Ecatel, NFOrce, Dotsi (owned by blazingfast.io)

plueschopath

@Butters said:

NFOrce

hmm.. why?

UrDN

IP blocking is security through obscurity.

If you run vulnerable stuff on your network, then pebcak and you should reconsider yourself. You also better get compromised by script-kiddies rather than facing a more sophisticated attack.

globalRegisters

@UrDN said:
IP blocking is security through obscurity.

Apparently everything one does nowadays is classified as "security through obscurity". LOL.