pushinginertia / ip-blacklist

An Apache httpd configuration file that rejects access to a server from a list of blacklisted IPs

38.0.0.0/8 #6

Closed ktsaou closed 7 years ago

ktsaou commented 8 years ago

Hi,

I have reports that the subnet 38.0.0.0/8 included in your list includes false positives. Check https://github.com/firehol/blocklist-ipsets/issues/10

@jtkdpu reported:

That is unfortunate. While some portions of that prefix are used for various monitoring, perhaps by Cyveillance, some are most certainly not. whois 38.229.0.0 for example. In that prefix is a lot of Team Cymru services, including some systems supporting Malware Hash Registry (MHR), which is a malware fighting tool presumably many security-conscious organizations would like to keep working.

pushinginertia commented 8 years ago

This would have been added because a bot hit my honeypot server in the past. @jtkdpu, I'm more than happy to work with you to make 38.0.0.0/8 more specific if you can provide specific subnets within 38.229/16 used by your organization. It would also be helpful for me to understand what is running on those subnets.

jtkristoff commented 8 years ago

I don't work for Team Cymru anymore and so I'm not in the best position to enumerate their address space for you. See their home page for contact details if you have a concern with something in their address space. I just used their /16 in that 38/8 as an example that is being caught by what appears to be an overly inclusive rule for the entire /8.

ktsaou identified in the original issue for his project that the activity for 38/8 in your ruleset was attributed to something from Cyveillance. 38/8 is not Cyveillance address space, it is assigned to Cogent. Perhaps Cogent SWIP'd a subset of 38/8 to Cyveillance and the entire 38/8 was incorrectly associated with a more specific issue?

There are a lot of organizations utilizing address space in 38/8. Here is some additional detail on how some of the 38/8 address space is being used and by whom:

RIPEstat routing status for 38/8

It sounds like your rule needs to be more specific, does it not?

MikeRich88 commented 8 years ago

My landlord uses Cogent to provide internet access to residents at several different properties.

38.110.218.0/25
38.110.218.128/25
38.110.219.0/25

These are residential IPs.

pushinginertia commented 7 years ago

I've removed this subnet from the list.
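An added example (not code from this repository) showing the check the thread asks for: which reported-legitimate subnets an overly broad rule such as 38.0.0.0/8 also catches, and how to replace that one rule with the minimal set of networks that still covers the rest of the /8 once the Team Cymru /16 and the three residential /25s from this issue are carved out. The Apache `Require not ip` rendering assumes the 2.4 mod_authz_core syntax, which may differ from the format this repository actually uses.

```python
import ipaddress

# Rule from the list as discussed in this issue, and the subnets reported as false positives.
BROAD_RULE = "38.0.0.0/8"
REPORTED_LEGITIMATE = [
    "38.229.0.0/16",      # Team Cymru /16 cited by jtkristoff
    "38.110.218.0/25",    # residential ranges reported by MikeRich88
    "38.110.218.128/25",
    "38.110.219.0/25",
]


def overbroad_hits(rule, legitimate_subnets):
    """Return the legitimate subnets that a blocklist rule would also block."""
    rule = ipaddress.ip_network(rule)
    return [s for s in map(ipaddress.ip_network, legitimate_subnets) if s.subnet_of(rule)]


def carve_out(rule, exclusions):
    """Replace one broad rule with the smallest set of CIDRs covering it minus the exclusions."""
    remaining = [ipaddress.ip_network(rule)]
    for ex in map(ipaddress.ip_network, exclusions):
        next_remaining = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                                   # fully excluded (or equal)
            if ex.subnet_of(net):
                next_remaining.extend(net.address_exclude(ex))  # split around the carve-out
            else:
                next_remaining.append(net)                 # disjoint, keep as-is
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def blocked_by(networks, ip):
    """Return the rules (if any) that would block a single address."""
    ip = ipaddress.ip_address(ip)
    return [n for n in networks if ip in n]


def render_apache(networks):
    """Render rules as Apache 2.4 'Require not ip' lines (assumed syntax, not this repo's)."""
    return "\n".join(f"Require not ip {n}" for n in networks)


if __name__ == "__main__":
    print("caught by /8:", [str(s) for s in overbroad_hits(BROAD_RULE, REPORTED_LEGITIMATE)])
    refined = carve_out(BROAD_RULE, REPORTED_LEGITIMATE)
    print(f"{len(refined)} rules replace the /8:")
    print(render_apache(refined))
```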