Spamhaus Don’t Route Or Peer Lists Help Stop IP Hijacking

Spamhaus DROP lists are essential tools in the fight against IP hijacking. They consist of IP address ranges used by organizations for malicious purposes, such as distributing malware, controlling botnets, or executing other forms of cybercrime. The service enables IPv4 address owners to report their hijacked IPs, effectively preventing these bad actors from announcing those prefixes in BGP.

The Don’t Route Or Peer protection lists are provided free of charge and are designed to enhance internet security. As part of the Spamhaus Blocklist (SBL), DROP lists safeguard all internet protocols, including web traffic. Tailored for Tier-1 and backbone providers, these lists filter out malicious traffic through advanced firewalls and routing equipment.

Thorough investigations and forensic analyses confirm control by cybercrime groups or “bulletproof” hosting providers before IP address subnets are added to the DROP lists. With the depletion of IPv4 addresses, assignments have become increasingly dynamic, often overseen by trusted facilitators like Brander Group. Cybercriminals frequently alter ASNs and corporate identities to evade detection, necessitating daily updates to DROP lists to monitor these evasive IP hijacking tactics.

How DROP Lists Work

Free DROP datasets are readily available in JSON format, allowing seamless integration across various devices and software capable of processing IP networks. This includes DNS resolvers, firewalls, network gateways, and web proxies.
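The integration step described above, as an added example that is not Spamhaus or Brander Group code: a small loader that reads DROP data in both the older `;`-commented text layout and the newline-delimited JSON layout, keeps the SBL record id with each range, and answers whether a given address falls inside a listed range. The exact field names (`cidr`, `sblid`, `rir`, and a trailing metadata object) are assumptions modelled on the published files; the sample lines are constructed from documentation prefixes, not real listings.

```python
"""Load Spamhaus DROP data (text or newline-delimited JSON) and look up
addresses against it.  Added example; record layouts are assumptions,
sample data is constructed."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Constructed sample of the text layout: ';' starts a comment,
# data lines are "<cidr> ; <SBL id>".
SAMPLE_TEXT = """\
; Spamhaus DROP List (constructed sample)
; Last-Modified: (placeholder)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""

# Constructed sample of the JSON layout; the final metadata object has no
# "cidr" key and must be skipped rather than parsed as a range.
SAMPLE_JSON = """\
{"cidr":"203.0.113.0/24","sblid":"SBL000003","rir":"example"}
{"cidr":"2001:db8::/32","sblid":"SBL000004","rir":"example"}
{"type":"metadata","timestamp":0,"size":3,"records":2,"copyright":"(placeholder)"}
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class DropEntry:
    network: Network
    sblid: str


def parse_drop_text(lines: Iterable[str]) -> List[DropEntry]:
    """Parse the ';'-commented text layout, ignoring comments and blank lines."""
    entries: List[DropEntry] = []
    for raw in lines:
        parts = raw.split(";", 1)
        cidr = parts[0].strip()
        if not cidr:
            continue  # comment-only or blank line
        sblid = parts[1].strip() if len(parts) > 1 else ""
        # strict=False tolerates host bits set in a sloppy feed line
        entries.append(DropEntry(ipaddress.ip_network(cidr, strict=False), sblid))
    return entries


def parse_drop_json(lines: Iterable[str]) -> List[DropEntry]:
    """Parse the newline-delimited JSON layout, skipping the metadata object."""
    entries: List[DropEntry] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        obj = json.loads(raw)
        if "cidr" not in obj:
            continue  # metadata / summary record, not a range
        entries.append(DropEntry(ipaddress.ip_network(obj["cidr"], strict=False),
                                 obj.get("sblid", "")))
    return entries


def lookup(entries: List[DropEntry], address: str) -> Optional[str]:
    """Return the SBL id whose range covers `address`, or None if unlisted.
    A linear scan is fine for a feed of this size (roughly a thousand ranges)."""
    ip = ipaddress.ip_address(address)
    for entry in entries:
        if ip.version == entry.network.version and ip in entry.network:
            return entry.sblid
    return None


def load_sample() -> List[DropEntry]:
    """Combine both constructed samples into one entry list."""
    return (parse_drop_text(SAMPLE_TEXT.splitlines())
            + parse_drop_json(SAMPLE_JSON.splitlines()))


if __name__ == "__main__":
    entries = load_sample()
    for probe in ("192.0.2.77", "198.51.100.200", "203.0.113.9", "2001:db8::1", "8.8.8.8"):
        print(probe, "->", lookup(entries, probe))
```

Feeding the parsed ranges to a firewall or router is then a matter of emitting them in that device's syntax; the lookup function is the piece a DNS resolver, proxy, or log-enrichment job would call per address.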

Types of DROP Lists:

It’s crucial to acknowledge that while text files are still in use, they will eventually be phased out. Spamhaus will proactively inform the community well in advance to facilitate planning.

Advantages of DROP Lists

The primary benefit of DROP lists is their ability to expel IP hijackers from their designated address spaces. These lists provide up-to-date defenses against a range of malicious activities, including spam, ransomware encryption, DNS hijacking, exploitation attempts, authentication attacks, data harvesting, and DDoS attacks.

Additionally, DROP lists offer automatic safeguards that promptly sever infected devices’ communication with adversaries utilizing “bulletproof hosting” on listed networks. This infrastructure-level protection is vital, as users often remain unaware of existing threats. The dataset boasts high reliability, ensuring that legitimate IPv4 addresses are not mistakenly included, thereby minimizing false positives. IP addresses routed by legitimate network operators will never appear on the list, thanks to the trust and confidence embedded in our dataset.

Spamhaus DROP Access is Complimentary

Spamhaus asserts that the critical nature of DROP list data necessitates free access, regardless of an organization’s size or business model, to protect the internet as a whole. We do request that when this data is utilized within a product, appropriate credit is given to the Spamhaus Project, ensuring that the date and © text remain intact with the file and data.

Organizations seeking a commercially-focused solution that includes data on compromised communities and dedicated botnet C&C listings can use Spamhaus Technology. For inquiries, please contact our team at info@brandergroup.net.

Removing from DROP Lists

Ranges listed in DROP are linked to their respective Spamhaus Blocklist (SBL) records referenced in the DROP files. Once the SBL record is removed, the associated ranges will be automatically excluded from DROP. For further details on removals, visit the SBL page.

IP addresses within DROP are directly connected to the corresponding Spamhaus Blocklist (SBL) records. After the SBL record removal, these IP addresses will automatically be delisted from DROP. For more information on removal procedures, check the SBL page.

Spamhaus DROP FAQ

DROP listings undergo daily re-evaluation. Various factors can trigger changes to these listings, including interactions with involved parties, detection or notification of false positives, automatic network reassignments, and more.

The DROP list encompasses IP ranges identified as highly dangerous to internet users, which Spamhaus provides at no cost. Recognizing the critical significance of this data, Spamhaus ensures that the DROP list remains accessible to all entities, regardless of their size or industry, to safeguard internet users effectively.

Hijacked netblocks are IP addresses that spammers exploit by “reviving” abandoned resources. Here’s a streamlined overview of how this process unfolds:

  1. The original owner relinquishes the IP block.
  2. Squatters reclaim it through tactics like registering abandoned domains to capture emails.
  3. Some hijackers audaciously steal IP space allocated to others by announcing it under their BGP Autonomous System Number (ASN).
  4. Autonomous System Numbers themselves can be hijacked, allowing spammers to take over inactive ASNs and announce various IP ranges, resulting in netblocks being advertised by hijacked ASNs.

These activities empower spammers to misuse abandoned resources for nefarious purposes, significantly challenging network security. Identifying hijacked netblocks can be done within ranges allocated by Regional Internet Registries (RIRs).

Restoring rightful ownership of a hijacked netblock involves pinpointing the original owner—often a defunct company—and navigating the lengthy procedures of the RIR. Unfortunately, this slow process is insufficient to combat the modern spam epidemic.

So, how can ISPs leverage DROP effectively?

Several applications for the DROP list stand out:

  • Implementing DROP in DNS RPZ Zones: Use DROP ranges in a DNS RPZ zone to block lookups whose answers point into these ranges. Detailed guidance on this can be found on the Spamhaus Technology website, specifically within the DNS Firewall Threat Feed.
  • Logging DNS Server Queries: Monitoring customer queries for DNS servers within any DROP-listed IP space is crucial for identifying malware-infected systems.
  • Vetting New Transit Customers: Assess proposed IP ranges of new transit customers against DROP lists to mitigate risks associated with new routing options.
  • Enhancing Spam Filtering: Increase scores for DROP ranges in spam-filtering software like SpamAssassin to boost detection capabilities.
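Two of the applications above (the RPZ zone and the vetting of new transit customers), as an added example that is not Spamhaus or Brander Group code: the first function renders DROP ranges as RPZ "rpz-ip" trigger records (owner name is the prefix length followed by the reversed octets; `CNAME .` is the RPZ action that returns NXDOMAIN), and the second reports any prefix a prospective customer wants announced that overlaps a listed range in either direction. The DROP ranges, zone origin and SOA values are constructed placeholders; the code handles IPv4 only.

```python
"""Render DROP ranges as RPZ IP triggers and vet proposed customer prefixes.
Added example; ranges and zone names below are constructed placeholders."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for the parsed DROP feed (documentation prefixes).
DROP_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/24"]


def rpz_ip_owner(cidr: str) -> str:
    """Encode an IPv4 CIDR as an RPZ IP-trigger owner name:
    '<prefixlen>.<octets reversed>.rpz-ip', e.g. 192.0.2.0/24 -> 24.0.2.0.192.rpz-ip."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"


def build_rpz_zone(ranges: Iterable[str], origin: str = "drop.rpz.example",
                   ttl: int = 300) -> str:
    """Render a minimal RPZ zone file.  'CNAME .' is the RPZ NXDOMAIN action,
    so any answer containing an address inside a listed range is withheld."""
    lines = [
        f"$ORIGIN {origin}.",
        f"$TTL {ttl}",
        # placeholder SOA/NS: serial 1, refresh 3600, retry 900, expire 604800, minimum 300
        "@ IN SOA ns.example. hostmaster.example. 1 3600 900 604800 300",
        "@ IN NS ns.example.",
    ]
    for cidr in ranges:
        lines.append(f"{rpz_ip_owner(cidr)} IN CNAME .")
    return "\n".join(lines) + "\n"


def vet_prefixes(proposed: Iterable[str],
                 drop_ranges: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (proposed_prefix, drop_range) pairs that overlap; empty means clean.
    Overlap in either direction matters: a customer asking to announce a
    supernet of a listed range would carry the listed space with it."""
    drop_nets = [ipaddress.ip_network(c, strict=False) for c in drop_ranges]
    hits: List[Tuple[str, str]] = []
    for p in proposed:
        pn = ipaddress.ip_network(p, strict=False)
        for d in drop_nets:
            if pn.version == d.version and pn.overlaps(d):
                hits.append((str(pn), str(d)))
    return hits


if __name__ == "__main__":
    print(build_rpz_zone(DROP_RANGES))
    # Constructed announcement set from a hypothetical prospective customer
    print(vet_prefixes(["198.51.100.0/24", "192.0.2.128/25", "203.0.114.0/24"],
                       DROP_RANGES))
```

In production the zone would be regenerated from the daily feed and loaded by the resolver as an RPZ policy zone; the vetting function belongs in the onboarding checklist next to the usual IRR and RPKI origin checks.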

Don’t Route Or Peer (DROP) is an authoritative advisory list aimed at blocking all traffic from specific sources. It represents a specialized subset of the SBL, optimized for firewalls and routing devices. This list includes netblocks hijacked or leased by professional spam or cybercrime operations, often used for spreading malware, trojan downloaders, and controlling botnets.

Spamhaus strongly encourages Tier-1 and backbone networks to adopt DROP. Consulting the DROP list webpage when routing suspicious IPs can prevent significant network issues, ensuring a secure and dependable infrastructure.

Absolutely. All networks listed in DROP and EDROP are also covered in the SBL list. A DNS lookup for SBL and ZEN will indicate the listed status for these networks. A return code of 127.0.0.9 signifies listings in DROP.
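The DNS lookup mentioned above, as an added example that is not Spamhaus code: it builds the reverse-octet query name for the ZEN zone and interprets the answer, treating 127.0.0.9 as the DROP return code the FAQ names and any other 127.0.0.x answer as some other SBL/ZEN listing. The resolver is injected so the function can be exercised offline with the constructed answers below; for live use, pass a real resolver such as `socket.gethostbyname`, subject to Spamhaus' usage terms.

```python
"""Construct a ZEN DNSBL query and interpret the response.  Added example;
the 127.0.0.9 DROP code comes from the FAQ, the sample answers are
constructed, and the resolver is injected for offline use."""
import ipaddress
import socket
from typing import Callable, Optional

ZEN_ZONE = "zen.spamhaus.org"
DROP_CODE = "127.0.0.9"  # DROP listing, per the FAQ above

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(address: str, zone: str = ZEN_ZONE) -> str:
    """IPv4 DNSBL convention: reverse the octets and append the zone,
    e.g. 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org."""
    ip = ipaddress.IPv4Address(address)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def classify(answer: Optional[str]) -> str:
    """Map a DNSBL A-record answer (or NXDOMAIN as None) to a verdict."""
    if answer is None:
        return "not listed"
    if answer == DROP_CODE:
        return "listed in DROP"
    if answer.startswith("127.0.0."):
        return "listed (other SBL/ZEN return code)"
    # Anything outside 127.0.0.x is not a listing; treat it as a query
    # problem to investigate rather than as a block decision.
    return "unexpected answer"


def check_address(address: str, resolve: Resolver, zone: str = ZEN_ZONE) -> str:
    """Full lookup: build the query name, resolve it, classify the result."""
    return classify(resolve(dnsbl_query_name(address, zone)))


def live_resolve(name: str) -> Optional[str]:
    """Real resolver using the system stub resolver; NXDOMAIN -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed offline answers so the example runs without network access.
FAKE_ANSWERS = {
    "1.2.0.192.zen.spamhaus.org": "127.0.0.9",   # constructed DROP hit
    "9.113.0.203.zen.spamhaus.org": "127.0.0.2",  # constructed other listing
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for probe in ("192.0.2.1", "203.0.113.9", "198.51.100.1"):
        print(probe, "->", check_address(probe, fake_resolve))
```

Queries sent through large public resolvers are generally not answered with listing data, so a production check should go through the organisation's own resolver or a data-feed arrangement; the injected-resolver design keeps that choice outside the classification logic.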

The DROP list features IP ranges recognized as highly dangerous to internet users, and Spamhaus offers it for free to all interested parties. Understanding its critical importance, Spamhaus ensures accessibility to the DROP list for entities of all sizes and industries, safeguarding internet users.
