Author Topic: Forum Mgt Needs Help on IP Numbers  (Read 468 times)


Online Danno

Forum Mgt Needs Help on IP Numbers
« on: November 30, 2021, 10:14:32 AM »
ArimaOwners.com has an anti-spam modification to the forum software that allows us to ban individuals on name, email address or IP. We get a huge number of spam hits from a few IPs so we tend to ban the entire range of IPs such as 199.*.*.* which cover any IP that starts with 199. That's a huge range and sometimes we have a few individuals that are US based but using an IP such as 199.431.23.18 (these are just examples). It is very difficult to block the many spammers from 199... just to allow a few individuals in. I have some questions on IP addresses:

1) Is there any sense to the way IP addresses are doled out? Are they country specific? Is 114.119.*.* solely assigned to Taiwan's use?

2) Other than the typical numerical heritage of the four sets of numbers having any significance relative to each other?

3) I know a lot of spammers invade unsuspecting people's PCs to send spam via another location so those we just have to block the individual IP but this sometimes catches one of our members in the ban. How does an individual request a different IP for their devices?

Thanks,
Danno
2015 19' Sea Chaser (2019 to current)
1998 19' Sea Ranger (2003 to 2008)

Lures are designed to catch fishermen not fish.

Offline disposable

Re: Forum Mgt Needs Help on IP Numbers
« Reply #1 on: November 30, 2021, 10:35:56 AM »
I've passed this on to a knowledgeable individual, will post if he has any insights.
Reveille
2012 Sea Chaser 17 (custom PH)
2013 Honda 90hp

Offline Splunkk

Re: Forum Mgt Needs Help on IP Numbers
« Reply #2 on: November 30, 2021, 12:38:49 PM »
You're blocking regional registries at the moment. There is an IPv4 hierarchy by location, https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks, where RIRs control certain areas. For example, 78.0.0.0/8 is RIPE NCC, which controls Russia, EU, UK, some Middle East etc. They then lease out lower blocks to ISPs, large orgs, etc.
So 78.1.0.0/16 block is currently controlled by Croatian telco (https://apps.db.ripe.net/db-web-ui/lookup?source=RIPE&type=route&key=78.1.0.0%2F16AS5391), 78.100.0.0/15 is Qatar Net, etc. They're not necessarily permanent assignments. For the single home user, they get assigned a dynamic IP when negotiating a new connection with their ISP, somewhere within that ISP's /16 range.
(If I'm in Croatia, I'm probably getting a 78.1.*.* IP, etc.). It's probably better from a user perspective to ban /16 blocks vs. /8 blocks (one rogue ISP vs. 17mm /8 addresses somewhere in the RIR's region).
The trouble with botnets is they take control of users' machines that already have an IP leased and can be located anywhere, so IP bans aren't as effective.
Hope that helps.
 

Online DeskJockey

Re: Forum Mgt Needs Help on IP Numbers
« Reply #3 on: November 30, 2021, 12:49:13 PM »
Oooof, those are some pretty broad brush strokes.

I feel for you though, I've run forums before and it quickly turns from fun to not fun, on the admin side.

1) Is there any sense to the way IP addresses are doled out? Are they country specific? Is 114.119.*.* solely assigned to Taiwan's use?

Yes, No, and Maybe.

Short version: IANA owns all IPv4 and IPv6 addresses and doles them out to Regional Internet Registries (RIR) which serve different regions of the world. Big 5 are ARIN, RIPE, APNIC, LACNIC, and AFRINIC. Company X then buys a prefix from a RIR. To make matters worse, RIRs don't have any more IPv4 prefixes available, the address pool is exhausted. Company Y must now buy/lease a smaller portion of the prefix that was allocated to Company X from a RIR. This is common when you get address space from your Internet Service Provider. It's pretty easy for me to tell that AO is not the owner of the IP from which this forum is hosted, and I can tell you who the owner is, by looking it up at a RIR.

However, the Internet runs on BGP, and it matters less where you acquired your Prefix and more about where you advertise it.  What I mean is, I can get a prefix from ARIN (North America Region) and advertise it from anywhere in the world.  Where I am going with this is, blocking prefixes based on region of allocation is ineffective.


2) Other than the typical numerical heritage of the four sets of numbers having any significance relative to each other?

Yes. The 4 octets are basically a decimal notation of a binary number. It is presented this way for human readability, my job would be exponentially harder if it weren't.

Let's analyze the 2nd rule, 5.*.*.* which is the equivalent of 5.0.0.0/8.  It looks like this whole block was assigned to the RIPE RIR from IANA.  From there, we can spot check a few prefixes.  Let's start at the beginning.

The 1st and 2nd prefixes allocated from 5.0.0.0/8 are 5.0.0.0/17 and 5.0.128.0/17, which belong to a Syrian Telco
https://apps.db.ripe.net/db-web-ui/query?bflag=false&dflag=false&rflag=true&searchtext=5.0.0.0&source=RIPE
https://apps.db.ripe.net/db-web-ui/query?bflag=false&dflag=false&rflag=true&searchtext=5.0.128.0&source=RIPE

The 3rd and 4th prefixes are 5.1.0.0/20 and 5.1.16.0/20, which is Retail Data in Ukraine
https://apps.db.ripe.net/db-web-ui/query?bflag=false&dflag=false&rflag=true&searchtext=5.1.0.0&source=RIPE
https://apps.db.ripe.net/db-web-ui/query?bflag=false&dflag=false&rflag=true&searchtext=5.1.16.0&source=RIPE

The 5th is 5.1.32.0/21 and assigned to Prisco in Spain
https://apps.db.ripe.net/db-web-ui/query?bflag=false&dflag=false&rflag=true&searchtext=5.1.32.0&source=RIPE

The next is in Lithuania...

I think we are getting the picture. So, as long as we're playing the whack-a-mole game, if we know a spammer's IP, we want to look that IP up in one of the RIRs or a WHOIS Service. Let's arbitrarily choose 49.125.213.50.

IANA tells us the 49/8 block was assigned to APNIC, APNIC tells us this IP is within the prefix assigned to DiGi, range 49.124.0.0 - 49.125.255.255, or 49.124.0.0/15. This is the range of addresses you want to block, especially if you are getting spammed from multiple addresses within that range. Ideally, you'd block the single IP that is spamming, but that's often not enough. A /15 is likely too big, you'll generally see IPs rotate within a /23 or /24. Use the smallest hammer possible to achieve the desired result. It's an endless game.


3) I know a lot of spammers invade unsuspecting people's PC's to send spam via another location so those we just have to block the individual IP but this sometimes catches one of our members in the ban. How does an individual request a different IP for their devices?

This is a double-edged sword. Depends on how compromised the system is, if the system's IP changes, the spam may just follow from the new IP. As a home user, your only option is to call your ISP and request a new IP. Maybe they'll grant your request.

More commonly, active spammers will generally use a VPN or VPS to mask where the request originates. What you are seeing is oftentimes not the IP of the spammer but the IP of the VPN or bastion host that the spammer is using. These are typically disposable and move around frequently.
1991 17' Sea Ranger
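
Added example, not part of any post in this thread: a Python sketch of the "smallest hammer" advice from Replies #2 and #3, converting a wildcard ban such as 199.*.*.* to CIDR and computing the tightest prefix that covers a cluster of spam addresses without catching a known member. The function names are hypothetical, and every address except 49.125.213.50 is constructed sample data.

```python
import ipaddress
from collections import defaultdict

def wildcard_to_network(pattern):
    """Convert a forum-style ban like '199.*.*.*' to its CIDR network."""
    octets = pattern.split(".")
    fixed = [o for o in octets if o != "*"]
    if len(octets) != 4 or octets[:len(fixed)] != fixed:
        raise ValueError("wildcards must be trailing: " + pattern)
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{addr}/{8 * len(fixed)}")

def smallest_cover(ips):
    """Smallest single prefix that contains every address in ips."""
    addrs = [int(ipaddress.ip_address(i)) for i in ips]
    # Bits that differ between the lowest and highest address are host bits.
    host_bits = (min(addrs) ^ max(addrs)).bit_length()
    return ipaddress.ip_network((min(addrs), 32 - host_bits), strict=False)

def propose_bans(spam_ips, member_ips, group_prefix=24):
    """Group spam by /24 (assumed rotation window), ban the tightest prefix
    per group, and fall back to single-IP bans if a member would be caught."""
    groups = defaultdict(list)
    for ip in spam_ips:
        key = ipaddress.ip_network(f"{ip}/{group_prefix}", strict=False)
        groups[key].append(ip)
    members = [ipaddress.ip_address(m) for m in member_ips]
    bans = []
    for ips in groups.values():
        net = smallest_cover(ips)
        if any(m in net for m in members):
            bans.extend(ipaddress.ip_network(i) for i in set(ips))  # /32 each
        else:
            bans.append(net)
    return sorted(bans)

# Constructed sample data (only 49.125.213.50 appears in the thread).
SPAM = ["49.125.213.50", "49.125.213.58", "49.125.213.61",
        "203.0.113.10", "203.0.113.200"]
MEMBERS = ["203.0.113.77"]

if __name__ == "__main__":
    broad = wildcard_to_network("199.*.*.*")
    print(broad, "bans", broad.num_addresses, "addresses")
    for net in propose_bans(SPAM, MEMBERS):
        print(net, "bans", net.num_addresses, "addresses")
```
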

Online Hunter

Re: Forum Mgt Needs Help on IP Numbers
« Reply #4 on: December 18, 2021, 09:44:56 AM »
Couple of questions:

1)    If a specific member is banned for ANY reason, can an admin go to that person in the admin control panel and lift or remove the ban?

2)    If a member in good standing does get banned, how do they contact the forum to let them know there is an issue?    (my only recourse is that I happen to have the phone numbers of a couple of the admins here) 
2001 Sea Legend 22 (Gone But Not Forgotten)
2017 Hewescraft Ocean Pro 220 ET-HT - Honda BF250 & Honda 9.9 Power Thrust
All Garmin Electronics

 "ALWAYS QUESTION AUTHORITY!!"

Online Danno

Re: Forum Mgt Needs Help on IP Numbers
« Reply #5 on: December 18, 2021, 10:26:13 AM »
Couple of questions:

1)    If a specific member is banned for ANY reason, can an admin go to that person in the admin control panel and lift or remove the ban?

2)    If a member in good standing does get banned, how do they contact the forum to let them know there is an issue?    (my only recourse is that I happen to have the phone numbers of a couple of the admins here)


1) Yes. Except we have only banned less than 5 actual members. I can only think of two at the moment. It really takes a lot of obstinance on a member’s part to get banned and we will have had a number of discussions with them first.

If you get the BANNED title part when you visit and haven’t had any discussions with the moderators, you have not been banned but caught up in a ban of a spammer due to having a similar IP address.

2) First thing they can do is follow the instructions for clearing their cookies, etc as noted here:  http://www.arimaowners.com/index.php?topic=18003.0

Next is to try their other devices or other devices to see if they can get through. Also, try logging in from another location (work, etc) to PM us. Other than that, we don’t have a good way.

Hunter, I did email you about the ban while you were at another location last week. Did you get that email?




2015 19' Sea Chaser (2019 to current)
1998 19' Sea Ranger (2003 to 2008)

Lures are designed to catch fishermen not fish.

Online Hunter

Re: Forum Mgt Needs Help on IP Numbers
« Reply #6 on: December 18, 2021, 01:04:36 PM »
Hey Danno....    I checked and no email.....  I also checked my junk folder.    I also went into Internet Options and totally cleared all history, cookies, passwords, etc.... also a full restart.......but still doesn't help. It's just weird that I still get the Banned message but only when using Chrome on this laptop....    Oh well, I'm sure it'll all work out.....   :beerchug:
2001 Sea Legend 22 (Gone But Not Forgotten)
2017 Hewescraft Ocean Pro 220 ET-HT - Honda BF250 & Honda 9.9 Power Thrust
All Garmin Electronics

 "ALWAYS QUESTION AUTHORITY!!"

Online Danno

Re: Forum Mgt Needs Help on IP Numbers
« Reply #7 on: December 18, 2021, 03:08:48 PM »
Hey Danno....    I checked and no email.....  I also checked my junk folder.    I also went into Internet Options and totally cleared all history, cookies, passwords, etc.... also a full restart.......but still doesn't help. It's just weird that I still get the Banned message but only when using Chrome on this laptop....    Oh well, I'm sure it'll all work out.....   :beerchug:

Call me after Christmas and we’ll work on it. Chrome may be using a different IP. I use Chrome on my PC without problems.
« Last Edit: December 19, 2021, 07:57:21 AM by StreamFixer »
2015 19' Sea Chaser (2019 to current)
1998 19' Sea Ranger (2003 to 2008)

Lures are designed to catch fishermen not fish.

 
