Munzy / blackbox

A replacement for Black Box Proxy Block

False Positive #736

Closed: Sn00zr closed this issue 2 years ago

Sn00zr commented 2 years ago

Q: What are you currently seeing?

37.202.60.196 174.140.181.223 76.74.71.51

Q: What should it be marked as?

NOT VPN

Q: What is the IP Address?

37.202.60.196 174.140.181.223 76.74.71.51

Q: What is the internet provider?

Q: What other info can you provide us?

Can you please assist in marking these IPs as not VPN? Thank you!

Munzy commented 2 years ago

37.202.60.196:

174.140.181.223:

76.74.71.51:

Are you utilizing these IPs at all? What are you using them for?

Sn00zr commented 2 years ago

> 37.202.60.196:
> This looks to be hosting. https://www.blix.com/
> Can you confirm?

Yes, that is correct. The WHOIS comes back to "descr: Residential customers DHCP scope", so not sure why it is a VPN?

> 174.140.181.223:
> Looks to be a mix of hosting. https://kwic.com/business/
> Need to figure out what list is suggesting this for blocking.

Yes, that is correct. This is a small ISP out of northern Canada. Perhaps that is why it is being flagged?

> 76.74.71.51:
> GTT Backbone. So marked as hosting.

Does this mean it will reply with "Y"? Or is it now fixed?

One additional IP... 138.38.234.131. Belongs to a University network out of the UK. Perhaps that is why it is being believed to belong to a proxy or VPN? Multiple users coming out of a single SNAT IP?

All of the provided IPs are from a gaming server that utilizes anti-cheat technology to prevent people from bypassing issued bans using a VPN or proxy. The 3 IPs provided belong to well-established members of the community, and hence I would like to have them continue.

Please let me know if you need any additional information, and I would be happy to help!

Munzy commented 2 years ago

Most of these came from when I initially was starting the project. Many of these were reported as "hosting" providers at the time.

We do some mapping of hosting providers via ASN, since it is highly unlikely someone is playing a video game from a known VPS provider.

76.74.71.51: Can you confirm this is their actual IP address? This one is the only one that seems odd at the moment, as the more I dig into it the more it seems like this shouldn't and wouldn't be used by a residential IP.

Sn00zr commented 2 years ago

According to SHODAN, the IP belongs to COX, but I guess the WHOIS is not updated and still shows the upstream provider?

Also, the banner shows "MikroTik POCCR1009 1.0 0.1" which appears to belong to a router of some sort.

Ironically, it does have TCP 1723 open, which is for PPTP VPN, or a QNAP NAS, so not sure what it is used for specifically.

So I am still leaning towards residential... unless I am missing something?

Munzy commented 2 years ago

All the IPs have been updated except for 76.74.71.51. I still want to look further into that one, as unblocking GTT seems like I am letting a lot more through than I would like.

Sn00zr commented 2 years ago

37.202.60.196 still shows "Y" [Not fixed?]
174.140.181.223 still shows "Y" [Not fixed?]
76.74.71.51 is still being reviewed.
138.38.234.131 shows "N" [Fixed]

Munzy commented 2 years ago

https://rapidapi.com/CMunroe/api/blackbox/

We use a lot of caching to keep request volumes in control. I double checked, and the current un-cached version is accurate.

Sn00zr commented 2 years ago

Any updates on the last IP?

Munzy commented 2 years ago

Sadly, looking this over, I don't think I have any good options here. The IP is smack dab in the center of a huge Tier 1 network provider that mostly does IP backhaul for large hosting providers and the like.

I think I will need to see if I can find a way to automate the finding of Cox's IPs if this is the case. It just seems silly the way they have it set up.

For the time being I would suggest looking to see if you can "whitelist" that particular IP for that player.

Sn00zr commented 2 years ago

Unfortunately, that was my very first approach which was unsuccessful. The application that utilizes your API, does not have any such "whitelist" or "allow-list" built into it.

CameronMunroe commented 2 years ago

Here is an idea, tell me what you think.

We create a small docker pod. It would need to run on port 80. Using the hosts file of your Linux or Windows host machine, you point blackbox.ipinfo.app to the host running the docker pod. The docker image would have a whitelist and blacklist file where you could have a list of IPs that are added at your discretion. If the IP is not found in either the whitelist or blacklist files, it would reach out to the actual blackbox.ipinfo.app site and pull down the appropriate record.

This would then allow plugins that don't support a whitelist to have a whitelist. The only downside is you would need to run an entire docker pod just for this purpose.

Tell me if you are interested and I can try and create it.
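
One way to build the override proxy sketched in the comment above, as an added example that is not the blackbox project's code. It assumes things the thread does not confirm: that the upstream endpoint has the shape `https://blackbox.ipinfo.app/query/<ip>` and answers with a bare `Y` or `N`, that the two list files hold one IP address or CIDR per line with `#` comments, and that the file names and the `ALLOW_FILE`/`BLOCK_FILE` environment variables are whatever the operator chooses. The allowlist is checked before the blocklist so that a single player can always be rescued, and an upstream outage answers `N` rather than locking every player out.

```python
"""Local override proxy for a Y/N IP-reputation lookup.

Added example, not code from the blackbox project. Assumptions the thread does
not confirm: the upstream endpoint is https://blackbox.ipinfo.app/query/<ip> and
answers with a bare "Y" (proxy/VPN) or "N"; allowlist.txt and blocklist.txt hold
one IP address or CIDR per line, with '#' comments; file names are illustrative.
"""
import ipaddress
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://blackbox.ipinfo.app/query/{ip}"  # assumed URL shape
ALLOW_FILE = os.environ.get("ALLOW_FILE", "allowlist.txt")  # hypothetical
BLOCK_FILE = os.environ.get("BLOCK_FILE", "blocklist.txt")  # hypothetical


def parse_list(text):
    """Parse list-file text into ip_network objects; bad lines are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # a typo in the file must not take the proxy down
    return nets


def local_verdict(ip, allow, block):
    """Return "N" if ip is allowlisted, "Y" if blocklisted, else None.

    The allowlist wins so an operator can rescue one player even when a
    broad block entry covers the same range. Mixed IPv4/IPv6 never match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if any(addr in net for net in allow):
        return "N"
    if any(addr in net for net in block):
        return "Y"
    return None


def _http_get(url, timeout=5):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")


def resolve(ip, allow, block, fetch=_http_get):
    """Answer from the local lists, otherwise from upstream.

    If upstream is unreachable or returns anything other than Y/N, answer
    "N": a reputation-service outage should not lock every player out."""
    verdict = local_verdict(ip, allow, block)
    if verdict is not None:
        return verdict
    try:
        body = fetch(UPSTREAM.format(ip=ip)).strip().upper()
    except (OSError, ValueError):  # URLError/HTTPError are OSError subclasses
        return "N"
    return body if body in ("Y", "N") else "N"


class OverrideHandler(BaseHTTPRequestHandler):
    allow = []
    block = []

    def do_GET(self):
        ip = self.path.rstrip("/").rsplit("/", 1)[-1]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            self.send_error(400, "expected /query/<ip>")
            return
        body = resolve(ip, self.allow, self.block).encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def load_list(path):
    """A missing list file is treated as empty."""
    try:
        with open(path) as fh:
            return parse_list(fh.read())
    except FileNotFoundError:
        return []


def serve(port=80):
    """Port 80 as the sketch requires: run as root or with CAP_NET_BIND_SERVICE."""
    OverrideHandler.allow = load_list(ALLOW_FILE)
    OverrideHandler.block = load_list(BLOCK_FILE)
    HTTPServer(("0.0.0.0", port), OverrideHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Two caveats before relying on this. The hosts-file trick only works if the plugin talks plain HTTP to that hostname; if it uses HTTPS, the certificate will not match the redirected host and the override never takes effect. And if the proxy runs on the same machine whose hosts file was edited, its own upstream call to blackbox.ipinfo.app resolves back to itself, so the fallback must run from a host without the override or call the upstream by its real address.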

Munzy commented 2 years ago

Not seen any response to this, so going to close ticket. Feel free to reopen.