How to Manage Blacklisted Resources

16/06/2023

By Guillermo Pereyra – Security Analyst at LACNIC CSIRT

Summary

This topic has been discussed on several mailing lists. The LACNIC CSIRT has also received reports from our members about resources that have been included in one or more blacklists. This causes issues within their systems, such as the inability to send email or reach certain destinations. There is clearly a growing concern within our community.

This article will address a number of issues associated with Internet resource blacklisting, as well as the causes of blacklisting and the possible steps that may be taken to be removed from such lists.

Introduction

A blacklist is a service provided by an organization to a specific audience. This service periodically publishes a file containing Internet resources that were associated with a security event in the past. These resources may be IP addresses, autonomous system numbers (ASNs) or domain names.

While some organizations offer the service free of charge, others may charge for it. Those that charge do so in one of two ways: charging service users for access to the file containing the listed resources, or requesting payment from the affected organizations to retrieve the listed resources.

To create the list of Internet resources, these organizations rely either on systems that detect some type of unusual activity on IP addresses or on reports generated by a community.

Some of the systems used to identify attacks may include honeypots, SSH logs shared by communities, or applications such as fail2ban that can report to a central system.
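An operator can check a published file of this kind against the resources they hold. The following is an added example, not code from this article or from any blacklist provider: the one-entry-per-line layout, the function names and every sample value (documentation ranges and reserved ASNs) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of a published blacklist file. The one-entry-per-line
# layout with "#" comments is an assumption; each real list defines its own.
SAMPLE_BLACKLIST = """\
# constructed sample, documentation ranges only
192.0.2.15
198.51.100.0/25
2001:db8:40::/48
AS64500
mail.example.net
203.0.113.77  # seen by ssh honeypot
"""

def parse_blacklist(text):
    """Split entries into IP networks, AS numbers and domain names."""
    nets, asns, domains = [], set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.upper().startswith("AS") and entry[2:].isdigit():
            asns.add(int(entry[2:]))
            continue
        try:
            # A bare address becomes a /32 (IPv4) or /128 (IPv6) network.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return nets, asns, domains

def find_listed(own_prefixes, own_asns, own_domains, text):
    """Return (listed entry, affected resource) pairs for resources we hold."""
    nets, asns, domains = parse_blacklist(text)
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    hits = []
    for listed in nets:
        for prefix in own:
            # Only compare networks of the same IP version.
            if listed.version == prefix.version and listed.overlaps(prefix):
                hits.append((str(listed), str(prefix)))
    hits += [(f"AS{a}", f"AS{a}") for a in sorted(asns & set(own_asns))]
    hits += [(d, d) for d in sorted(domains & {x.lower() for x in own_domains})]
    return hits

if __name__ == "__main__":
    own = (["192.0.2.0/24", "2001:db8::/32"], [64500], ["example.org"])
    for listed, resource in find_listed(*own, SAMPLE_BLACKLIST):
        print(f"{listed} is listed and affects {resource}")
```

Matching on overlap rather than exact equality catches both a single listed address inside one of your prefixes and a listed range that covers part of it.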

Disclaimer

LACNIC is not associated with any of the organizations mentioned herein.

This article mentions organizations for informational purposes with the aim of assisting our members in making decisions in case they find themselves in a similar situation.

Possible reasons for being blacklisted

There are various types of blacklists, but generally, the organizations that manage these lists employ distributed honeypot[1] sensors to detect different types of attacks.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.
