Block colocrossing traffic

Discussion in 'System Administration' started by Jon Snow, Jan 26, 2018.

  1. Jon Snow

    Jon Snow Active Member

    I think I found some information about this some months ago but I can't seem to find it anymore. On my xenForo forum, in the who is online list, I see traffic like:

    198.12.72.159 host.colocrossing.com
    23.95.99.81 host.colocrossing.com

    Is it possible for me to block all traffic coming from colocrossing.com (if not the direct domain, then host.colocrossing.com will do) without blocking each IP individually?


    I'd like to do the same for OVH.
     
  2. eva2000

    eva2000 Administrator Staff Member

    Not advisable as colocrossing has 780,000+ IPs, blocking them will affect your server performance especially if you are on openvz vps or if you do not have linux kernel with IPSET support (and csf firewall without IPSET support).

    colocrossing ASN number is AS36352 (AS36352 ColoCrossing - ipinfo.io), 787,000+ ips

    where's the ip ranges
    Code (Text):
    asnid=AS36352
    whois -h whois.radb.net -- "-i origin $asnid" | awk '/route:/ {print $2}'
    

    175 ip ranges
    Code (Text):
    asnid=AS36352
    whois -h whois.radb.net -- "-i origin $asnid" | awk '/route:/ {print $2}' | wc -l
    175
    

    actual ip ranges
    Code (Text):
    asnid=AS36352
    whois -h whois.radb.net -- "-i origin $asnid" | awk '/route:/ {print $2}'
    

    and if you really want to block them in CSF Firewall, list them and create the CSF Firewall deny ip range commands.
    Code (Text):
    asnid=AS36352
    whois -h whois.radb.net -- "-i origin $asnid" | awk '/route:/ {print $2}' | while read i; do echo "csf -d $i colocrossing" ; done
    

    I would only do this if Centmin Mod has detected Linux Kernel support for IPSET and has auto enabled it in CSF Firewall via LF_IPSET = "1" setting
    Code (Text):
    grep ^LF_IPSET /etc/csf/csf.conf 
    LF_IPSET = "1"
    LF_IPSET_HASHSIZE = "1024"
    LF_IPSET_MAXELEM = "65536"
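
Added example, not part of the post above or of CSF/Centmin Mod: the RADB listing contains duplicate prefixes (65.99.246.0/24 appears twice) and prefixes nested inside wider ones (206.217.130.0/24 inside 206.217.128.0/20), and it is third-party text that ends up in commands run as root. This sketch validates each `route:` value as a strict IPv4 CIDR, drops duplicates and already-covered ranges, and only then prints the `csf -d` lines; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate, de-duplicate and prune RADB routes for csf.

# Constructed RADB-style input; prefixes are taken from the listing above,
# plus two malformed lines to exercise validation.
sample_radb() {
cat <<'EOF'
route:      206.217.128.0/20
origin:     AS36352
route:      206.217.130.0/24
route:      65.99.246.0/24
route:      192.3.0.0/16
route:      192.3.248.0/22
route:      65.99.246.0/24
route:      300.1.2.0/24
route:      192.3.0.0/33
EOF
}

# stdin: whois text. stdout: valid IPv4 CIDRs, duplicates and ranges already
# covered by a wider kept range removed (adjacent siblings are not merged).
minimal_routes() {
  awk '/^route:/ {
      if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) next
      split($2, p, "/"); n = split(p[1], o, "."); start = 0
      if (p[2] + 0 > 32) next
      for (i = 1; i <= n; i++) {
        if (o[i] + 0 > 255) next
        start = start * 256 + o[i]
      }
      if (start % (2 ^ (32 - p[2])) != 0) next   # host bits set
      # Fixed-width key: network address, then prefix length (widest first).
      printf "%010.0f %02d %s\n", start, p[2], $2
    }' | LC_ALL=C sort -u | awk '{
      end = $1 + 2 ^ (32 - $2) - 1
      if (NR > 1 && end <= last_end) next          # inside a kept range
      last_end = end; print $3
    }'
}

# $1: comment label recorded with each deny entry.
csf_deny_commands() {
  minimal_routes | while read -r cidr; do
    printf 'csf -d %s %s\n' "$cidr" "$1"
  done
}

# Live use: whois -h whois.radb.net -- "-i origin $asnid" | csf_deny_commands colocrossing
sample_radb | csf_deny_commands colocrossing
```

Review the printed commands before running them; fewer entries also keeps the deny set well under the `LF_IPSET_MAXELEM` limit shown above.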
    
     
  3. Jimmy

    Jimmy Well-Known Member

    Got sick of ColoCrossing's servers scanning my server. Server was constantly getting hammered by IP addresses from ColoCrossing. Decided to ban every IP range they use (only the ones marked ColoCrossing). AS36352 ColoCrossing - IPinfo IP Address Geolocation API

    I just banned them in Cloudflare.

    My server went from 40-50% of average resources to 13%. From 51% idle to 63%.

    I hate banning ip ranges, but the amount of errors from these servers on my server / site were getting out of control.

    Funny thing, the visitors on my site increased when I banned all these IPs.
     
  4. Jimmy

    Jimmy Well-Known Member

    Another one which is a pain is Your-server.de I see errors on my site all the time.

    I never ban anything on the server in CSF. I always use Cloudflare IP Access Rules, it's a little more limiting only accepting /16 and /24 but works great and stops them at the street vs. the front door. :D
     
  5. Jimmy

    Jimmy Well-Known Member

    Ever since I blocked those ColoCrossing IPs, my server is now 89.9% idle (I'm only running 1 site on the server). I still have the same amount of members and guests on the site... if anything members / guests have increased.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Nice.. that's why when getting a new dedicated or vps server, make sure web host isn't using colocrossing network. Lots of folks do blanket ban/block colocrossing network ASN/IPs!
     
  7. Jimmy

    Jimmy Well-Known Member

    I wonder why that specific network is so bad? Do they have a lax TOS?
     
  8. rdan

    rdan Well-Known Member

    Instead of blocking, I just challenge those abusive IPs.
    Abusive means those IPs that hit my connection per IP limit constantly.

     
  9. eva2000

    eva2000 Administrator Staff Member

    lots of low end VPS web hosts use colocrossing network so attract the less than ideal VPS users i.e. $10/yr VPS low end type business
    there's known ways of bypassing Cloudflare challenges too, just depends on the attacker and how much effort they're willing to put in