Christopher's Broom Cupboard Rotating Header Image

December, 2010:

The decreasing usefulnesss of blocklists?

[Update, February 2014: I no longer use client-side blocklists. Join the discussion in the comments.]

My current job involves music and copyright to a fair extent. Ironically whilst I used to be a chronic downloader in my teens, these days not only do I enforce copyrights online, I also buy more music than ever.

However, I'm still healthily paranoid :> and I run Peerblock on every machine I touch, including work machines.

Now, dearth of available IPv4 addresses aside - and what seems to me like the increasingly futile idea of blocking ranges of IPv6 addresses! - it's incredibly difficult to accurately maintain a blocklist of IPs, let alone administer or implement dozens of them. There's too much "collateral damage" from innocent IPs. And as more lists are used and combined, the usefulness and accuracy of the blocks exponentially decreases.

Case in point (and this has made me reevaluate the usefulness of apps like Peerblock with lists from services such as iBlocklist): in the past couple of days, on machines running Peerblock with default lists and Kaspersky Internet Security have been unable to finish their daily definitions updates. How come? It turns out that all of the Kaspersky update servers are classified on half a dozen lists as "bad" IPs. To finish an update, you must disable Peerblock - hardly its intended purpose!

Currently, all Kaspersky IPs between and .86 are in a fair few blocklists hosted on iBlocklist, for various reasons - you can view them by going to the iBlocklist query page and tapping in (for example) Here's what I got on a query just now:

This is clearly incorrect, and as an added inconvenience Kaspersky cannot finish a definitions update until PeerBlock is temporarily disabled.

There still seems to be no easy way of flagging up specific IPs or ranges for review if they have been reassigned or are no longer under the control of the original company (as I suspect is the case with these Kaspersky IPs) - how best should we go about notifying iBlocklist as to the inaccuracy of the blocklist entries?

Performance Systems International-ed2k/ap2p:
Performance Systems International / Cogent Communications:
PSINet, Inc:
Performance Systems International Inc:
Primary Threats
Performance Systems International-ed2k/ap2p:
Business ISPs
Performance Systems International:
United States
United States:

Now, this is obviously far too much of a kneejerk reaction; some lists have the entire Class A range blocked and the rest have a good old dollop listed! Hammer to crack a nut anyone? Obviously one need not use every list, but the problem remains that popular programs such as Peerblock download and use several of these lists by default (including the "level1" list), and these are not being kept up to date by Bluetack, the supplier. (This has been an ongoing problem for some time).

The more you use these lists, the more you'll find legitimate IPs being blocked - I explicitly have to allow all the BBC IP addresses to use their web sites, which is intensely frustrating. My "permallow.p2b" exceptions list grows in size each day... So take everything with a pinch of salt! Disabling HTTP is a bodge workaround, but programs like Kaspersky will often use UDP on port 2001 (for example) to update, and those will always fall foul of the egress traffic block as long as people keep on using the massively popular, but stale, blacklists.

Keep watching the log windows...