Christopher's Broom Cupboard

The decreasing usefulness of blocklists?

[Update, February 2014: I no longer use client-side blocklists. Join the discussion in the comments.]

My current job involves music and copyright to a fair extent. Ironically whilst I used to be a chronic downloader in my teens, these days not only do I enforce copyrights online, I also buy more music than ever.

However, I'm still healthily paranoid :> and I run Peerblock on every machine I touch, including work machines.

Now, dearth of available IPv4 addresses aside - and what seems to me like the increasingly futile idea of blocking ranges of IPv6 addresses! - it's incredibly difficult to accurately maintain a blocklist of IPs, let alone administer or implement dozens of them. There's too much "collateral damage" from innocent IPs. And because an address only has to appear on one list to be blocked, every list you add widens the union of blocked ranges and brings its own false positives with it: the more lists are combined, the less accurate the blocking becomes.

Case in point (and this has made me reevaluate the usefulness of apps like Peerblock with lists from services such as iBlocklist): in the past couple of days, machines running Peerblock with its default lists alongside Kaspersky Internet Security have been unable to finish their daily definitions updates. How come? It turns out that all of the Kaspersky update servers are classified as "bad" IPs on half a dozen lists. To finish an update, you must disable Peerblock - hardly its intended purpose!

Currently, all Kaspersky IPs between 38.113.165.68 and .86 are in a fair few blocklists hosted on iBlocklist, for various reasons - you can view them by going to the iBlocklist query page and tapping in (for example) 38.113.165.86. Here's what I got on a query just now (list name, then the matching entry and its range; reproduced below):

This is clearly incorrect, and as an added inconvenience Kaspersky cannot finish a definitions update until PeerBlock is temporarily disabled.

There still seems to be no easy way of flagging up specific IPs or ranges for review if they have been reassigned or are no longer under the control of the original company (as I suspect is the case with these Kaspersky IPs) - how best should we go about notifying iBlocklist as to the inaccuracy of the blocklist entries?

Anti-Infringement:  BayTSP: 38.0.0.0-38.255.255.255
level1:             Performance Systems International-ed2k/ap2p: 38.113.114.164-38.113.175.255
level2:             Performance Systems International / Cogent Communications: 38.108.107.69-38.114.63.255
level3:             PSINet, Inc: 38.0.0.0-38.114.63.255
rangetest:          Performance Systems International Inc: 38.0.0.0-38.114.63.255
Primary Threats:    Performance Systems International-ed2k/ap2p: 38.113.112.43-38.113.175.255
Business ISPs:      Performance Systems International: 38.0.0.0-38.255.255.255
ipfilterX:          TMEOH PSI: 38.0.0.0-38.255.255.255
United States:      United States: 38.0.0.0-38.255.255.255

Now, this is obviously far too much of a kneejerk reaction; some lists have the entire 38.0.0.0/8 (the old Class A, 16,777,216 addresses) blocked, and the rest have a good old dollop of it listed! Hammer to crack a nut, anyone? Obviously one need not use every list, but the problem remains that popular programs such as Peerblock download and use several of these lists by default (including the "level1" list), and these are not being kept up to date by Bluetack, the supplier. (This has been an ongoing problem for some time.)

The more lists you use, the more legitimate IPs you'll find being blocked - I explicitly have to allow all the BBC IP addresses to use their web sites, which is intensely frustrating. My "permallow.p2b" exceptions list grows in size each day... So take everything with a pinch of salt! Disabling HTTP blocking in Peerblock is a bodge workaround, but programs like Kaspersky will often use UDP on port 2001 (for example) to update, and those will always fall foul of the egress traffic block as long as people keep on using the massively popular, but stale, blacklists.
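To make the mechanics concrete, here is an added example of my own (not code from this post, from PeerBlock, Bluetack or iBlocklist) that parses the plaintext P2P list format these tools share ("Description:first-last", one range per line), answers the same question as the iBlocklist query page for a given IP, sizes each matching entry, applies a PeerBlock-style allow list that wins over every block list, and computes how many distinct addresses the union of all the lists covers. The block-list data is the query output quoted above, re-typed; the allow entry for the Kaspersky update servers and the second line in "level1" are constructed stand-ins for illustration (the real permallow.p2b is a binary file).

```python
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[str, int, int]  # (description, first address as int, last address as int)

# Constructed sample data: the iBlocklist query results quoted in the post,
# re-typed in the plaintext P2P format ('#' comments and blank lines allowed).
SAMPLE_LISTS: Dict[str, str] = {
    "Anti-Infringement": "BayTSP:38.0.0.0-38.255.255.255",
    "level1": "# Bluetack level1 excerpt (constructed)\n"
              "Performance Systems International-ed2k/ap2p:38.113.114.164-38.113.175.255\n"
              "Example extra entry (constructed):10.0.0.0-10.0.0.255\n",
    "level2": "Performance Systems International / Cogent Communications:38.108.107.69-38.114.63.255",
    "level3": "PSINet, Inc:38.0.0.0-38.114.63.255",
    "rangetest": "Performance Systems International Inc:38.0.0.0-38.114.63.255",
    "Primary Threats": "Performance Systems International-ed2k/ap2p:38.113.112.43-38.113.175.255",
    "Business ISPs": "Performance Systems International:38.0.0.0-38.255.255.255",
    "ipfilterX": "TMEOH PSI:38.0.0.0-38.255.255.255",
    "United States": "United States:38.0.0.0-38.255.255.255",
}

# Hypothetical exceptions list in the same format (a plaintext stand-in for permallow.p2b).
SAMPLE_ALLOW = "Kaspersky update servers (constructed):38.113.165.68-38.113.165.86"


def parse_p2p(text: str) -> List[Range]:
    """Parse P2P list lines into (description, first, last). Descriptions may
    contain ':' so the split is on the LAST colon; the IP range never has one."""
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        desc, sep, span = line.rpartition(":")
        if not sep or "-" not in span:
            raise ValueError(f"line {lineno}: not a P2P range entry: {raw!r}")
        first_s, last_s = span.split("-", 1)
        first = int(ipaddress.IPv4Address(first_s.strip()))
        last = int(ipaddress.IPv4Address(last_s.strip()))
        if last < first:
            raise ValueError(f"line {lineno}: range end precedes start: {raw!r}")
        ranges.append((desc.strip(), first, last))
    return ranges


def range_size(first: int, last: int) -> int:
    """Addresses covered by one entry (the whole 38.0.0.0/8 is 16,777,216)."""
    return last - first + 1


def lookup(ip: str, lists: Dict[str, str]) -> Dict[str, List[Range]]:
    """Which lists, and which entries in them, cover `ip` (the iBlocklist query)."""
    addr = int(ipaddress.IPv4Address(ip))
    hits: Dict[str, List[Range]] = {}
    for name, text in lists.items():
        matches = [r for r in parse_p2p(text) if r[1] <= addr <= r[2]]
        if matches:
            hits[name] = matches
    return hits


def is_blocked(ip: str, lists: Dict[str, str], allow: str = "") -> bool:
    """PeerBlock-style decision: any allow-list entry overrides every block list."""
    addr = int(ipaddress.IPv4Address(ip))
    if any(first <= addr <= last for _, first, last in parse_p2p(allow)):
        return False
    return bool(lookup(ip, lists))


def union_size(lists: Dict[str, str]) -> int:
    """Distinct addresses covered by the union of all lists (merge sorted intervals)."""
    spans = sorted((f, l) for text in lists.values() for _, f, l in parse_p2p(text))
    total, cur_first, cur_last = 0, None, None
    for f, l in spans:
        if cur_last is not None and f <= cur_last + 1:  # overlapping or adjacent
            cur_last = max(cur_last, l)
            continue
        if cur_last is not None:
            total += cur_last - cur_first + 1
        cur_first, cur_last = f, l
    if cur_last is not None:
        total += cur_last - cur_first + 1
    return total


if __name__ == "__main__":
    target = "38.113.165.86"
    for name, entries in lookup(target, SAMPLE_LISTS).items():
        for desc, f, l in entries:
            print(f"{name:18} {desc:58} {ipaddress.IPv4Address(f)}-{ipaddress.IPv4Address(l)}"
                  f"  ({range_size(f, l):,} addresses)")
    print("blocked, no exceptions :", is_blocked(target, SAMPLE_LISTS))
    print("blocked, with permallow:", is_blocked(target, SAMPLE_LISTS, SAMPLE_ALLOW))
    print("union of all lists     :", f"{union_size(SAMPLE_LISTS):,} addresses")
```

Run as-is and the script reports every one of the nine lists as matching 38.113.165.86, shows that the tightest entry (level1) still covers 15,708 addresses while four of the lists cover the full 16,777,216 of 38.0.0.0/8, and confirms that a single allow entry is what actually restores the update servers. The union figure is the practical point: once any one list carries the /8, adding more lists cannot make the block narrower, only wider.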

Keep watching the log windows...

5 Comments

  1. Derrick says:

    You jerk
    United States:38.0.0.0-38.255.255.255
    That's only a shit small part of some unfair provider in the U.S.

    LoL, you act as a great professor knowing nothing.

    Try again.

    1. Christopher says:

      38.0.0.0-38.255.255.255 is an entire /8 block controlled by Cogent, how is that only just a "shit small part" of "some unfair provider"?

      Recommend you think before commenting next time.

  2. Samuel says:

    Create an allow list and add the ranges needed; as every computer will run different programs, custom allow lists will be needed to ensure your connectivity.

  3. Robert says:

    Sorry to bring up an old thread. But I'd like to make some points.

    One is that Derrick isn't exactly wrong here. Sure, it's an entire /8 range. But that doesn't mean 16,777,216 sites are being blocked. The reality of the way ranges of IPs get leased out is that you're talking about only a handful of sites. To that end, rather than look at who the owner of the IP range is, you need to look at who it's being leased to. One organization a chunk of 38.x.x.x has been leased to is a company called Cyveillance, a cyber surveillance outfit whose clients include the RIAA and MPA. Hence why it's blocked.

    Also, gripes about what you believe should be legitimate, such as addresses in the ranges used by various anti-virus software for updates, are not as innocent as you think. Often, it's not just a virus database update taking place, but also back-door secret authentication of the programs by the sites to make sure they are not pirated versions. While many may make the argument that since they don't use pirated software they don't care, many people, including those running legitimate and honest copies of software, do not appreciate such spying and view it as an invasion of privacy. Hence why they get blocked. Rather than bend over and take the probing by adding them to your exclude list, a better option would be to switch software to one that doesn't assume you're a dirty rotten thief that needs to be spied on.

    I've been using peerblock for years, from back when it used to be known as peerguardian. I have learned that 99% of the time, if it's being blocked, there is a reason, and when I'm stupid enough to ignore peerblock, I always find out why. Oh, that web page is 95% per ads. This app phones home. That site is a tracker. This site is giving me cookies. And I want no part of any of their activities.

    It is not terribly difficult nor time consuming to right click on a blocked IP in the peerblock status window and select allow permanently. You and everyone else can do it for the whole 0.00000001% of IPs that shouldn't be on the block list. But seriously, before doing that, research the IPs in question in depth first and find out why they are really blocked rather than assume it's ignorance and overkill on the part of the list makers.

    1. Christopher says:

      Some interesting comments, thanks.

      Like you, I was a PG user for a long time (following it to PG2, then PB). IMO, today, better solutions to blocking ads, cookies and client-side scripts have emerged -- Ad Block Plus for Chrome is a truly excellent plugin, as is NoScript for Firefox (which I run on all my machines).

      Combined with a few broad iptables rules on my router (an old Linksys, running Tomato) and the usual Firewall/AV solution on my PCs, I think it's about as safe as you can reasonably be without being completely paranoid and airgapping everything in a bunker.

      DomainTools is an excellent way to quickly look up an IP's RIPE/IANA details (Surf to whois.sc/<ip-or-domain-here> and the site magically returns the results).

      The fact I have to rely on third-party updated blocklists of IPs put together by people who are most likely not involved with their maintenance or admin doesn't really instil me with much faith any more. You're trusting third parties - with interests unknown - to maintain a definitive list of IPs you either permit or deny connections for on your machines, which seems a really broken security model. What are their vested interests? Are they across the latest developments in IP allocation? So many of the delegations seemed out of date the last time I updated my blocklists, and it seemed nigh impossible to submit corrections; it was borderline hilarious.

      If software dials home to check its authenticity, that doesn't bother me at all. I'm a legitimate customer of those products so their licensing mechanism is just part of that. I've never had any problems whatsoever from desktop or Android apps (which use a similar model of periodically pinging home to the Play Store). That's not spying, it's the licensing model.

      Spying would be if it keylogged the past 12 hours' worth of keyboard input and uploaded it to the licensing server... Something a few keyboard apps do by default (sometimes, along with anonymised use metrics) to improve their mistype detection! This can be turned off though and is plainly advertised.

      If software developers wanted to defeat IP-based blocklists, they could do this easily by just renting a collection server at a commercial provider and periodically forwarding those results. Are they going to do this? No, it's not worth it. Only proper surveillance agencies (Five Eyes, etc) do this kind of thing. Nowadays, my point of view is that client-side blocklists are an outmoded, scatter-gun approach.

      Likewise, as you say, many owners of large blocks have been encouraged to give their unused allocations back - or sub-let - so we have an increasingly fractured landscape where you can't necessarily discern the use of an IP simply by its owner or delegated admin. And what about ranges returned and then reallocated? For a long time, one of my (then-new) VPSes was on several spam blocklists - the previous IP owner was using it for nefarious purposes. I've had this problem in the past with forums disallowing connections from my home DSL after I was assigned a new static IP. Again, blocklists causing more problems than they solve, even for antispam purposes. (and with most spam now sent from compromised botnets, do you kill multiple /8 ranges and face the prospect of having no connectivity to much of the outside world? No, you employ cleverer methods to filter out spam.)

      As you say, if you don't approve of phone-home software licence checks you can use other software, but you're only limiting your own choice. I've never come across a piece of software (Steam games aside!) which absolutely requires you to be online simply to run; it's just not practicable for things like corporate installs or offline machinery.

      I personally think the argument against cookies is a bit stupid; you can be simply and effectively tracked in other ways (notably by IP and browser characteristics) which don't require cookies. I've opted out of the AdChoices and Google individualisation programmes though, which was simple to do. You have to adopt a hybrid approach and sadly I feel blocklists aren't up to it any more.
