If a prefix DROPs, does anyone listen?

The Spamhaus DROP list, in Spamhaus’s own words: “DROP (Don’t Route Or Peer) and EDROP are advisory “drop all traffic” lists, consisting of stolen ‘hijacked’ netblocks and netblocks controlled entirely by criminals and professional spammers.”

Basically, the DROP list is a set of netblocks that you don’t want making connections to or from your network. All kinds of garbage emanates from these networks: spamming, scanning, address harvesting, DNS hijacking and DDoS attacks, to name a few.

It occurred to me that these rogue networks have to get connectivity from someone, so I was curious whether I could determine which networks are allowing these undesirable networks to route traffic. I figured it would be mostly European ISPs, and that all the networks involved would be the typical bad guys hosting questionable content and servers. I found the results surprising; folks more involved in spam cleanup and abuse reporting may not be as surprised.

The more I gathered info on who was announcing prefixes on the DROP list, the more interesting the data became. The following are the results, which I’ve automated. The results are interesting as is, but I hope to expand the analysis. At least one DROP prefix is being announced as AS23456, very sneaky.

Data – These files are updated hourly with information for the past 24 hours.

A list of ASNs and the prefixes they announce, with the DROP list entry that contains each prefix. DROP entries are aggregated, so a more-specific announcement is matched against the covering entry, for example an announced /24 matched against a DROP list /22.

http://threatshare.com/data/Top_DROP.csv

A list of ASNs that provide connectivity to the ASNs originating DROP list prefixes. These are the ASNs adjacent to the originating ASN in the AS path, i.e. the direct upstreams or peers that accept the DROP prefixes.

http://threatshare.com/data/DROP_Peer.csv

A list of ASNs that appear anywhere in the AS path of a DROP prefix announcement. These aren’t necessarily bad actors, but the list reveals service providers that don’t filter DROP prefixes from the routes they accept and propagate.

http://threatshare.com/data/DROP_transit_allow.csv

Detailed list of announcing ASNs, with each announced prefix and the DROP entry it matches.

http://threatshare.com/data/DROP_Announce.csv
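The four files above are produced by the same basic procedure: match announced prefixes against the DROP list by containment, then split each AS path into the originating ASN, the ASN directly adjacent to it, and everything further upstream. The following is an added example of that procedure in Python; it is not the code behind the threatshare.com CSVs. The DROP text and the routing-table dump are constructed samples using RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, the one-line “prefix as-path” dump layout is an assumption for illustration, and the “covers” case (an aggregate announcement that is less specific than the DROP entry but still delivers traffic to it) goes beyond what the post describes.

```python
"""Match announced prefixes against a DROP-style list and attribute each hit
to origin, direct peer and transit ASNs.

Added example, not the code behind the threatshare.com data files. All
prefixes and ASNs below are documentation values (RFC 5737 / RFC 5398).
"""
import ipaddress

# RFC 4893/6793: placeholder for a 4-byte ASN on a 2-byte-only BGP speaker.
AS_TRANS = 23456

# Constructed sample in the drop.txt layout: "<cidr> ; <SBL reference>".
SAMPLE_DROP = """\
; DROP list (constructed sample, not real Spamhaus data)
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
203.0.113.0/24 ; SBL000003
"""

# Constructed table dump, assumed layout: "<prefix> <AS_PATH>", first AS is
# the collector's vantage point, last AS is the origin.
SAMPLE_RIB = """\
192.0.2.0/24 64496 64497 64498
198.51.101.0/24 64496 64499 64500 64500 64500
198.51.100.0/24 64496 64499 64501
203.0.113.0/24 64496 64502 23456
203.0.113.0/25 64496 64503 64498
203.0.112.0/23 64496 64506 64507
10.0.0.0/8 64496 64504 64505
"""


def parse_drop(text):
    """Parse 'cidr ; SBLnnn' lines; anything after ';' is a comment/reference."""
    entries = []
    for line in text.splitlines():
        body, _, comment = line.partition(";")
        body = body.strip()
        if body:
            entries.append((ipaddress.ip_network(body), comment.strip() or None))
    return entries


def match_drop(prefix, entries):
    """Return (drop_network, sbl, relation) or None.

    'within': announcement equals or is more specific than a DROP entry (the
    case the post describes; the longest covering entry wins).
    'covers': announcement is a less specific aggregate containing a DROP
    entry, so it still routes traffic to the DROP block (added generalization).
    """
    net = ipaddress.ip_network(prefix)
    same = [(e, s) for e, s in entries if e.version == net.version]
    within = [(e, s) for e, s in same if net.subnet_of(e)]
    if within:
        e, s = max(within, key=lambda es: es[0].prefixlen)
        return e, s, "within"
    covers = [(e, s) for e, s in same if e.subnet_of(net)]
    if covers:
        return covers[0][0], covers[0][1], "covers"
    return None


def parse_as_path(text):
    """Split an AS_PATH string and collapse prepending (repeated ASNs)."""
    path = []
    for token in text.split():
        asn = int(token)
        if not path or path[-1] != asn:
            path.append(asn)
    return path


def classify_path(path):
    """Origin = last AS, peer = AS adjacent to the origin, transit = the rest."""
    origin = path[-1]
    peer = path[-2] if len(path) > 1 else None
    return {"origin": origin, "peer": peer, "transit": path[:-2],
            "as_trans_origin": origin == AS_TRANS}


def analyze(rib_text, drop_text):
    """Build the four views the post publishes from a table dump and a DROP list."""
    entries = parse_drop(drop_text)
    report = {"announcements": [], "announcing": set(), "peers": set(),
              "transit": set(), "as_trans": []}
    for line in rib_text.splitlines():
        if not line.strip():
            continue
        prefix, _, as_path = line.partition(" ")
        hit = match_drop(prefix, entries)
        if hit is None:
            continue
        entry, sbl, relation = hit
        info = classify_path(parse_as_path(as_path))
        report["announcements"].append({"prefix": prefix, "drop": str(entry),
                                        "sbl": sbl, "relation": relation, **info})
        report["announcing"].add(info["origin"])
        if info["peer"] is not None:
            report["peers"].add(info["peer"])
        report["transit"].update(info["transit"])
        if info["as_trans_origin"]:
            report["as_trans"].append(prefix)  # real origin hidden behind AS_TRANS
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_RIB, SAMPLE_DROP)
    for a in r["announcements"]:
        flag = " (AS_TRANS origin, resolve from a 4-byte view)" if a["as_trans_origin"] else ""
        print(f'{a["prefix"]:16} {a["relation"]:6} {a["drop"]:18} {a["sbl"]} '
              f'origin AS{a["origin"]} peer AS{a["peer"]} transit {a["transit"]}{flag}')
    print("announcing:", sorted(r["announcing"]), "peers:", sorted(r["peers"]),
          "transit:", sorted(r["transit"]))
```

Prepending is collapsed before the path is split, otherwise a prepended origin would show up as its own peer. The first ASN in every path is the collector’s vantage point and lands in the transit set; on real RouteViews or RIPE RIS data you would drop it, or better, union the views from several collectors so that a provider only counts as transit if it appears in the middle of a path.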

** Update **

I’ve had multiple requests to explain some of the unexpected results. Setting out to analyze the data, I expected the ISPs and ASNs to be obviously linked to criminal activity… and that is true. What wasn’t expected was that global ISPs are also passing these prefixes. The ASNs announcing these DROP CIDRs are customers of some large ISPs that most folks would expect to know better. Verizon, Qwest, Level 3, ATT, and Cogent are direct peers of ASNs announcing DROP CIDRs. I understand why: it’s about money, and spammers will pay big money to have their infrastructure stay online. Not everyone agrees with Spamhaus that the DROP list should be blocked everywhere, but there is a strong correlation between those networks and “badness”.

AS 23456 (AS_TRANS) is reserved for representing a 32-bit ASN to a router that doesn’t understand 32-bit ASNs. It is never a real origin, so it should not be announcing prefixes; when it shows up as the origin in a route collector’s view, the actual originating network is a 32-bit ASN that a 16-bit-only speaker in the path substituted with AS 23456, and it has to be resolved from a 32-bit-capable view.

Over 70 ASNs have been observed announcing DROP prefixes. I expected a much lower number.

Verizon and ATT actually originate DROP prefixes on a customer’s behalf: the same customer, different blocks carved out of the same DROP entry.