Brian Lovin
/
Hacker News
Daily Digest email

Get the top HN stories in your inbox every day.

tptacek

I think all the points about IP reputation impact are well taken, but as someone who had to deal with the RIRs at an ISP before and who now works at a firm that buys blocks, I would 10x rather operate in today's environment than in the old RIR environment. It's transparent and predictable by comparison.

I never had much faith in reputation to begin with, and the residential block issue is muddied by the fact that large-scale residential proxies already make that an unreliable abuse check.

hananova

I bet if residential proxy ips were added to blocklists en masse that those ISPs would rather quickly clean up their network.

JasonADrury

No? The companies which are now losing sales because a bunch of their customers are blocked would simply stop using those lists.

pigggg

There are "live" residential proxy IP lists you can purchase today from a variety of companies. Various defending companies use them as an additional data point when making a call to throw a captcha or block.

ISPs have been fairly silent on the topic (it is a hot topic for many of them due to the kimwolf botnet leveraging resiproxies to function and launching attacks). In many cases, being a resiproxy is a violation of the TOS, but they struggle with enforcement and how to do customer engagement given that most resiproxies are loaded without the end user knowing. So you have an educational problem: how does an end user figure out how to remove it?

Some ISPs could null the resiproxy c2 infra - and a few have played in that space.

Home router vendors could play their part and notify users exactly which device is connecting out and give them an option to isolate, etc.
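One way to use a residential-proxy list the way pigggg describes, as an additional data point for a captcha/block decision rather than as a hard block, sketched here as an added example (not code from any vendor or commenter on this page). The prefix feeds, thresholds and the sliding window are assumptions; the addresses are documentation ranges standing in for a purchased "live resiproxy" list and a hosting-provider list. The design point it shows is that list membership only lowers the bar for a challenge, because a residential or CGNAT address is shared by many real people, and only sustained volume from one address blocks outright.

```python
"""Request-time IP reputation scoring (constructed example).

Residential-proxy and datacenter prefix lists are treated as signals that
raise friction (a challenge), never as a standalone reason to block.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed sample feeds (documentation ranges only), standing in for a
# purchased residential-proxy list and a datacenter/hosting prefix list.
RESIDENTIAL_PROXY_PREFIXES = [ipaddress.ip_network(p) for p in (
    "198.51.100.0/24",   # TEST-NET-2, playing a "live resiproxy" /24
    "2001:db8:1::/48",   # documentation v6 range, same role
)]
DATACENTER_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",    # TEST-NET-3, playing a hosting provider
)]


def in_any(addr, prefixes):
    """True if addr falls inside any prefix; mixed v4/v6 comparisons are False."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


class RateTracker:
    """Sliding-window request counter per client address (assumed 60 s window).

    Behind CGNAT one address is many households, so the count is a volume
    signal, not an identity; thresholds below are deliberately generous.
    """

    def __init__(self, window_s=60):
        self.window_s = window_s
        self.hits = defaultdict(deque)

    def record(self, addr, now):
        q = self.hits[addr]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)


def decide(addr, rate, resi_list=RESIDENTIAL_PROXY_PREFIXES,
           dc_list=DATACENTER_PREFIXES, challenge_rate=30, block_rate=300):
    """Return 'allow', 'challenge' or 'block' for one request.

    - list membership alone never blocks;
    - a datacenter source gets a challenge outright (assumed login-like endpoint);
    - a residential-proxy hit lowers the challenge threshold to a third;
    - only sustained volume from a single address blocks.
    """
    if rate >= block_rate:
        return "block"
    if in_any(addr, dc_list):
        return "challenge"
    if in_any(addr, resi_list) and rate >= challenge_rate // 3:
        return "challenge"
    if rate >= challenge_rate:
        return "challenge"
    return "allow"


def run_demo():
    """Replay a constructed burst and return (addr, rate, decision) per request."""
    tracker = RateTracker(window_s=60)
    # constructed traffic sample: one clean client, a burst from a listed
    # residential address, one request from a hosting range
    requests = [(0, "192.0.2.10")]
    requests += [(i, "198.51.100.7") for i in range(12)]
    requests += [(5, "203.0.113.5")]
    out = []
    for t, addr in requests:
        rate = tracker.record(addr, t)
        out.append((addr, rate, decide(addr, rate)))
    return out


if __name__ == "__main__":
    for addr, rate, verdict in run_demo():
        print(f"{addr:>16} rate={rate:<3} -> {verdict}")
```

In the replay, the listed residential address is allowed for its first nine requests and only challenged from the tenth, while the hosting-range address is challenged on its first request; nothing is blocked, since none of the constructed clients reaches the volume threshold.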

sandworm101

If residential IPs were blocked, cutting off innocent users from services as IPs rotate, customers would bring lawsuits against ISPs and cell providers. Blocked IPs would have to be parked. Impacted users would rush to VPNs and other privacy tools, damaging the ad industry that is the backbone of most big tech. Everyone would rather deal with today's problems than that chaos.

akerl_

> customers would bring lawsuits against ISPs and cell providers

What would the case be against ISPs here?

Mindwipe

I hate to break it to you but services have been routinely blocking residential IPs associated with being part of VPN endpoints for the better part of a decade now. Akamai will even sell you (granted they are just reselling another vendor's product) a database to do this.

pigggg

My biggest issue with IP brokers is how they'll avoid taking any responsibility for their customers' actions. A fair amount of bulletproof hosters (and we're talking malware distribution, botnet c2s, ransomware c2s, proxy/scanning) get their space from brokers. When you engage with the brokers they say go talk to the transit providers, and because the bulletproof guys can switch off to another transit provider easily they maintain connectivity/continue to operate. Super common in Europe where most of this goes on and they have a super plentiful transit market, but they are still rolling with the same set of IPs they get from these brokers (and one in particular).

47282847

I thought these days one can go directly to the RIR in case neither LIR nor the IP end-user acts on repeated/ongoing abuse? With the ongoing tension between central policy enforcement mechanisms vs. net/jurisdictional neutrality…

gzread

acidvegas is a pretty shady guy himself, running an IRC spam network pretty much in broad daylight. I don't know what to make of this connection, except he probably has a reason for posting this that's slightly more nefarious than sharing some interesting knowledge.

miki123211

> IRC spam network

Why is anybody still doing IRC spam in 2026? Is there still any profit in doing that? One would think that all the remaining IRC users are highly technical and unlikely to fall for it anyway.

JasonADrury

You've also got the fugitive neo-Nazi weev, who now hides in the Russian-backed separatist region of Transnistria as an admin on his IRC.

Not to mention the ransomware guy who is again being sought by Interpol, also an op on acidvegas's IRC.

irc.supernets.org is truly one of the shadiest places on the internet. I wouldn't connect even over Tor.

gzread

Oh I've been there. If he doesn't like you he spams you with "you just joined a channel" protocol messages until your client crashes from being in too many channels - most clients don't survive that. I can't fault the ingenuity.

_notdan_

This is absolutely unbelievable.

I can't believe weev has admin on supernets and I don't, wtf.

JasonADrury

I've read on Brian Krebs that you and Sergio Gor are both Russian. I don't think you'll have difficulty getting ops

ackbar03

this guy most dangerous motherf* man, so edgy, what do you expect

acid_vegas

[flagged]

9cb14c1ec0

Banning IP leasing would concentrate power in the hands of those who have large IP blocks. Makes one wonder what the real motivation behind this post is.

dsl

> concentrate power in the hands of those who have large IP blocks

Who do you think is doing the leasing? People who have no IP space?

TZubiri

Have you tried getting an IP block from a RIR and failed? They seem widely available if you justify it and at a reasonable price. If not, you can always go to a host and buy at a smaller fraction...

oarsinsync

> Have you tried getting an IP block from a RIR and failed? They seem widely available if you justify it and at a reasonable price

RIPE won't "sell" me an IP block, no matter how reasonable a price I offer. RIPE will gladly let me pay them LIR annual membership dues for 2 years before they consider allocating me a /24 (based on current waiting list times)

TZubiri

I was aware of the yearly membership ($600/yr in my RIR), and that they are on a per-request basis where you have to demonstrate that you will put those IPs to the use and benefit of the general public, so you need to talk about your users basically, and if you are B2B you need to talk about your clients' users.

But in my RIR I don't think there's a 2 year minimum.

Regarding IPv6 blocks do those require a 2 year membership as well? They are probably easier to get.

zbentley

I mean…not curtailing leasing concentrates power with sketchy rent seekers and empowers the enterprises which use them (many of which range from “sketchy” to “evil and criminal”).

So I guess I’m having trouble envisioning a world without IP leasing that’s materially worse than the one we have.

BLKNSLVR

I have my own system of IP reputation whereby if an IP address hits one of my systems with some probe or scan that I didn't ask for, then it's blocked for 12 months.

https://github.com/UninvitedActivity/UninvitedActivity

P.S. just to add a note here that I have been blocked out of my own systems occasionally from mobile / remote IPs due to my paranoia-level setup. But I treat that as learning / refinement, but also can accept that as the cost of security sometimes.

Latty

My first thought is that with CGNAT ever more present, this kind of approach seems like it'll have a lot of collateral damage.

BLKNSLVR

Yeah, my setup is purely for my own security reasons and interests, so there's very little downside to my scorched earth approach.

I do, however, think that if there was a more widespread scorched earth approach then the issues like those mentioned in the article would be much less common.

lxgr

In such a world you can say goodbye to any kind of free Wi-Fi, anonymous proxy etc., since all it would take to burn an IP for a year is to run a port scan from it, so nobody would risk letting you use theirs.

Fortunately, real network admins are smarter than that.

Borg3

Haha, nice, I run something similar, but more manually managed, and I put those bans in permanently. Currently, there are 1360 blocks in the drop list and growing. I never really remove them, because even those leased blocks move from one spam/abuse operator to another, so no big loss.

And indeed, if people would fight spam/abuse better and more aggressively, the problem would be much smaller. I don't care anymore. In my opinion the Internet is done. Time to start building overlay networks with services for good guys...

Gigachad

If you actually wanted your site or service to be accessible you'd run into issues immediately, since one IP would have cycled between hundreds of homes in a year.

IP based bans have long been obsolete.

abofh

For people that implement it there's less than three people who use it, or agencies supporting it

gzread

CGNAT? That's definitely not true. There are whole towns that have to share one IP address. They're mostly in the third world.

ronsor

> can accept that as the cost of security sometimes

And corporate IT wonders why employees are always circumventing "security policies"...

BLKNSLVR

Additional explanation: this is primarily a personal setup.

There would be a lot of refinement and contingencies to implement something like this for corporate / business.

Having said that, I still exist on the ruthless side of blocking equation. I'd generally prefer some kind of small allow list than a gigantic block list, but this is how it's (d)evolved.

cortesoft

How is this better than blocking after a certain quantity in a range of time instead?

Single queries should never be harmful to something openly accessible. DOS is the only real risk, and blocking after a certain level of traffic solves that problem much better with less possibility of a false positive, and no risk to your infrastructure, either.


kevin_thibedeau

I perma-ban any /16 that hits fail2ban 100+ times. That cuts down dramatically on the attacks from the usual suspects.

BLKNSLVR

I haven't manually reviewed my lists for a while, but I did similar checks for X IP addresses detected from within a /24 block to determine whether I should just block the whole /24.

Manual reviewing like this also helped me find a bunch of organisations that just probe the entire IPv4 range on a regular basis, trying to map it for 'security' purposes. Fuck them, blocked!

P.S. I wholeheartedly support your choice of blocking for your reasons.

kees99

> bunch of organisations that just probe the entire IPv4 range on a regular basis

Yep, #1 source of junk traffic, in my experience. I set those prefixes to go right into a nullroute on every server I set up:

https://raw.githubusercontent.com/UninvitedActivity/Uninvite...

#2 are IP ranges of Azure, DO, OVH, vultr, etc... A bit harder to block those outright.

efilife

> trying to map it for 'security' purposes.

Yes. Fucking censys and internet-measurement and the predatory "opt-out" of scans. What about opting in to scanning my website? Fuck you, I'm blocking you forever

lxgr

Sounds like a great idea until you ever try to connect to your own servers from a network with spammy neighbors.

kees99

Back in the day - port knocking was a perfect fit for this eventuality.

Nowadays, wireguard would probably be a better choice.

(both of above of course assume one is to do a sensible thing and add "perma-bans" a bit lower in firewall rules, below "established" and "port-knock")
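The pieces of this sub-thread (BLKNSLVR's block-for-12-months rule, cortesoft's point that a threshold beats single-hit bans, kevin_thibedeau's aggregation to a whole prefix after N fail2ban hits, and kees99's reminder that perma-bans belong below the "established" and VPN rules) fit together in one small pipeline. The script below is an added example, not any commenter's actual setup: it parses constructed fail2ban-style ban lines, drops bans older than 365 days, skips an assumed allowlist of your own prefixes, promotes a /24 (or /48 for IPv6) to a whole-prefix block once it has accumulated three distinct banned hosts, and renders an nftables ruleset in which the drop rules sit after `ct state established,related`, the allowlist and an assumed WireGuard port. Thresholds, prefix lengths, the allowlist and the port are assumptions; the addresses are documentation ranges.

```python
"""Prefix-level blocklist builder with expiry and safe rule ordering.

Added example.  The log lines are constructed; thresholds and the allowlist
are assumptions, not anyone's published configuration.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed fail2ban-style ban events (documentation addresses only).
SAMPLE_LOG = """\
2025-01-03 04:12:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.10
2025-01-03 04:15:44,001 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.11
2025-01-03 05:02:09,555 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.12
2025-01-04 11:40:30,010 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.8
2023-06-01 00:00:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.200
2025-01-06 08:00:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.70
2025-01-05 09:01:02,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 2001:db8:5::1
2025-01-05 09:03:02,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 2001:db8:5::2
2025-01-05 09:05:02,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 2001:db8:5::3
"""
BAN_RE = re.compile(r"^(\S+ \S+) fail2ban\.actions .*? Ban (\S+)$")

# Assumed: prefixes I must never lock myself out of (own office, VPN endpoint).
ALLOWLIST = [ipaddress.ip_network("192.0.2.64/28")]
WIREGUARD_PORT = 51820                     # assumed VPN listener
REFERENCE_NOW = datetime(2025, 2, 1)       # fixed "now" so the demo is reproducible


def parse_bans(text):
    """Return [(timestamp, ip_address)] for every Ban line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            out.append((ts, ipaddress.ip_address(m.group(2))))
    return out


def aggregate(bans, now, threshold=3, max_age=timedelta(days=365),
              v4_len=24, v6_len=48):
    """Return (host_nets, prefix_nets), both sorted lists of ip_network.

    Bans older than max_age expire (the 12-month rule); allowlisted addresses
    are never added; a /24 (or /48) holding >= threshold distinct banned hosts
    is blocked whole and its individual hosts are folded into it.
    """
    fresh = [ip for ts, ip in bans
             if now - ts <= max_age and not any(ip in n for n in ALLOWLIST)]
    hosts = set(fresh)
    per_prefix = Counter()
    for ip in hosts:
        plen = v4_len if ip.version == 4 else v6_len
        per_prefix[ipaddress.ip_network(f"{ip}/{plen}", strict=False)] += 1
    prefixes = {p for p, n in per_prefix.items() if n >= threshold}
    host_nets = {ipaddress.ip_network(str(ip)) for ip in hosts
                 if not any(ip in p for p in prefixes)}
    return sorted(host_nets, key=str), sorted(prefixes, key=str)


def render_nftables(host_nets, prefix_nets, wg_port=WIREGUARD_PORT):
    """Emit an nft ruleset; the drop rules come after established/related,
    loopback, the allowlist and the VPN port so a live session or the VPN
    path survives a later ban."""
    nets = list(host_nets) + list(prefix_nets)
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]

    def set_def(name, typ, elems):
        body = f"type {typ}; flags interval;"
        if elems:
            body += " elements = { " + ", ".join(elems) + " };"
        return f"  set {name} {{ {body} }}"

    allow = ", ".join(str(n) for n in ALLOWLIST)
    return "\n".join([
        "table inet filter {",
        set_def("banned4", "ipv4_addr", v4),
        set_def("banned6", "ipv6_addr", v6),
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    ip saddr {{ {allow} }} accept",
        f"    udp dport {wg_port} accept",
        "    ip saddr @banned4 drop",
        "    ip6 saddr @banned6 drop",
        "    tcp dport { 22, 80, 443 } accept",
        "  }",
        "}",
    ])


def demo(now=REFERENCE_NOW):
    """Run the pipeline over SAMPLE_LOG and return (hosts, prefixes, ruleset)."""
    hosts, prefixes = aggregate(parse_bans(SAMPLE_LOG), now)
    return hosts, prefixes, render_nftables(hosts, prefixes)


if __name__ == "__main__":
    print(demo()[2])
```

With the sample data, the three 203.0.113.x hosts collapse into 203.0.113.0/24 and the three 2001:db8:5::x hosts into 2001:db8:5::/48, 198.51.100.8 stays a single-host entry, the 2023 ban has aged out, and 192.0.2.70 is skipped because it sits in the allowlist. Loading the output with `nft -f` keeps the ordering kees99 describes; regenerating it on a timer is what turns the 12-month expiry into something that actually happens.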

xnyan

Anything important requires wireguard; you can use that on any personal device. For situations like Plex from the hotel TV on vacation, I have a workflow that lets me quickly whitelist a client with my firewall specifically for access to Plex.

BLKNSLVR

Good network admins have contingencies for contingencies for contingencies.

observationist

Nice, thanks for the link. Good to be ruthless about those things when you can.

paulddraper

How often do you ask for probes or scans?

BLKNSLVR

Do you have two middle initials, both starting with d?

paulddraper

Like most people, I have one middle initial.


phil21

Hard to take much of this too seriously, since there are total misrepresentations like this:

> Their automated reputation management system actively maintains the "cleanliness" of leased IPs, ensuring they don't end up on blacklists — which is a polished way of saying they launder IP reputation as a service.

No, as someone who leases some unused blocks via IPXO, the entire point of the reputation management system is to centralize abuse reports for them to respond to so they get categorized, tracked, and handled. If more than a few come in the lease gets canceled as that's against the AUP. I've had folks lease a /24 and try some dirt with it, only for IPXO to pull the route within hours. Far faster than I could have responded.

As an ip holder I don’t want my resources being abused and added to blocklists so this is important to me. I do indeed plan on taking them off the market for my own use as my IPv4 usage needs increase over time. Until then, leasing them was a way to be able to justify the money spent acquiring some blocks before I got entirely frozen out forever by the hyperscalers and giant companies of the world eating practically every large block they could get their hands on.

It’s future proofing my digital sovereignty. IPv4 scarcity is used by the AWS of the world to reduce competition and choice.

Geolocation is such a stupid game as it is. I’m in strong support for anything that makes it even more obviously worthless. It’s been gamed by those with the skills and access since it first existed. The internet would be a better place without it.

The Whois database stuff is actually a decent point, and I’m working on some ways to automate RIR registration this weekend as chance has it.

From time to time I do indeed check where my blocks get advertised and utilized. One /22 right now is being used by a broadband ISP in Europe - and via nmap, traceroute, and BGP looking glass it appears to be legitimate, or at least quite well faked. The other blocks are colo and dedicated server providers competing with AWS/GCP/etc. Who knows what those customers are doing with them - probably a mix of good and bad like everything on the Internet. Functioning as-intended imo. If I'm helping reduce the need for CGNAT and helping a small company stand up to the giant tech conglomerates eating the world I'm calling it a job well done.

BLKNSLVR

Sounds like making IPv6 more commonly used is part of the solution.

Reduce the importance of IPv4 and the stranglehold of big conglomerates is forcibly relaxed (in this context at least).

I don't like that I've ignored IPv6 for so long that now it feels overwhelming to have to try to grasp. That may be true for a lot of networking folks for whom IPv4 is written in their DNA, given the incredibly slow uptake of IPv6.

Sesse__

> now it feels overwhelming to have to try to grasp

Here's a dirty secret: It's just like IPv4, except with longer addresses and slightly different autoconfig. :-) (Well, you don't have the legacy of classful addressing and non-contiguous netmasks and stuff, but I don't really think most people care much about that in the IPv4 world either.) Getting up to speed is, thankfully, simple.

_zoltan_

I agree 100%, also as an IP space owner.

tptacek

You say this, about AWS using IPv4 scarcity for lock-in, but IPv4 prices have been falling for years.

If you want to buy space and auction it off to lessors, more power to you. I don't think there needs to be a moral dimension to it one way or the other. The RIR system was also not good.


pigggg

Renting /24s by the hour is like a motel room rented by the hour. You know some shit is going on in there.

Btmviolet123

Interesting perspective. The IPv4 leasing ecosystem does have areas that lack transparency, especially in multi-layer subleasing models. Some newer platforms, like LARUS (larus.net), are trying to address this by offering direct first-party IPv4 leasing and verified resource ownership, which could bring more structure and trust to the market.

drnick1

> We're talking about paying to get IPs delisted from spam blacklists, choosing arbitrary geolocations with no validation, buying "unattributable" white-labeled address space, and renting residential IPs that make traffic look like it's coming from someone's house.

Sounds pretty good from a privacy point of view, and a natural response to big tech and governments trying to fingerprint and track everyone.

TZubiri

It's like selling shell companies, or buying passports.

This extends to IP proxies and yes VPNs. The issue with the latter is that they psyop some genuine users into using the tech for dumb reasons like less gaming latency so that they have plausible deniability

malklera

Are these problems we want to fix?

A direct example of this is the situation of Spain and soccer.

xunairah

sourcing crises, industry is currently split into two camps:

The 'Dark' Supply Chain: SDKs hidden in flashlight apps, cracked IoT devices (Kimwolf), and malware. The user has no idea they are a proxy. This is unsustainable and, frankly, unethical.

The 'Ethical' Supply Chain: Bandwidth sharing apps (like Honeygain, Pawns, etc.) where the user knowingly installs the software in exchange for payment.

The problem is that Camp #1 is cheaper to run, so it floods the market with 'cheap residential IPs.' Camp #2 requires paying the end-user, which raises the floor price. Until buyers stop chasing the absolute lowest price per GB, the incentive for 'malware proxies' remains.

The solution isn't just router-level blocking (which creates false positives for legitimate P2P), but transparency in sourcing. If a provider can't tell you how they acquired the IP, it's likely stolen.
