blocklist-ipsets
blocklist-ipsets copied to clipboard
firehol
[firehol_level3]: 140.82.121.4 (GitHub) falsely listed
The IP 140.82.121.4 is listed, which is part of AS36459 (GITHUB) 140.82.112.0/20 IPv4 prefix.
This interferes with the download of resources and cloning of repositories from GitHub. Additionally, it's extremely unlikely that GitHub is responsible for any attacks. Even in the case of abuse of their platform, the issues with listing their IPs outweigh the positive effects.
An aggregated list of AS36459 prefixes:
140.82.112.0/20
143.55.64.0/23
192.30.252.0/22
2620:112:3000::/44
2a0a:a440::/29
Issue still persists,
Relevant commits (according to git grep "140\.82\.121\.4" $(git rev-list --all) ):
1018e571c8ab5a9900da252b4388da12c0376a35
1018e571c8ab5a9900da252b4388da12c0376a35
Relevant DNS-Record: lb-140-82-121-4-fra.github.com
whois:
Using server whois.arin.net.
Query string: "n + 140.82.121.4"
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
#
NetRange: 140.82.112.0 - 140.82.127.255
CIDR: 140.82.112.0/20
NetName: GITHU
NetHandle: NET-140-82-112-0-1
Parent: NET140 (NET-140-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS36459
Organization: GitHub, Inc. (GITHU)
RegDate: 2018-04-25
Updated: 2019-06-20
Ref: https://rdap.arin.net/registry/ip/140.82.112.0
OrgName: GitHub, Inc.
OrgId: GITHU
Address: 88 Colin P Kelly Jr Street
City: San Francisco
StateProv: CA
PostalCode: 94107
Country: US
RegDate: 2012-10-22
Updated: 2021-05-20
Comment: https://github.com
Comment: Please contact us directly for matters pertaining to abuse.
Comment: Urgent matters including DDoS are handled 24x7.
Ref: https://rdap.arin.net/registry/entity/GITHU
OrgAbuseHandle: GITHU1-ARIN
OrgAbuseName: GitHub Abuse
OrgAbusePhone: +1-415-857-5430
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/GITHU1-ARIN
OrgNOCHandle: GITHU-ARIN
OrgNOCName: GitHub Ops
OrgNOCPhone: +1-415-735-4488
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/GITHU-ARIN
OrgTechHandle: GITHU-ARIN
OrgTechName: GitHub Ops
OrgTechPhone: +1-415-735-4488
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/GITHU-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
#
Issue still persists, Relevant commits (according to
git grep "140\.82\.121\.4" $(git rev-list --all)):1018e571c8ab5a9900da252b4388da12c0376a35 1018e571c8ab5a9900da252b4388da12c0376a35Relevant DNS-Record: lb-140-82-121-4-fra.github.com
whois:
Using server whois.arin.net. Query string: "n + 140.82.121.4" # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.net/resources/registry/whois/tou/ # # If you see inaccuracies in the results, please report at # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/ # # Copyright 1997-2021, American Registry for Internet Numbers, Ltd. # NetRange: 140.82.112.0 - 140.82.127.255 CIDR: 140.82.112.0/20 NetName: GITHU NetHandle: NET-140-82-112-0-1 Parent: NET140 (NET-140-0-0-0-0) NetType: Direct Assignment OriginAS: AS36459 Organization: GitHub, Inc. (GITHU) RegDate: 2018-04-25 Updated: 2019-06-20 Ref: https://rdap.arin.net/registry/ip/140.82.112.0 OrgName: GitHub, Inc. OrgId: GITHU Address: 88 Colin P Kelly Jr Street City: San Francisco StateProv: CA PostalCode: 94107 Country: US RegDate: 2012-10-22 Updated: 2021-05-20 Comment: https://github.com Comment: Please contact us directly for matters pertaining to abuse. Comment: Urgent matters including DDoS are handled 24x7. Ref: https://rdap.arin.net/registry/entity/GITHU OrgAbuseHandle: GITHU1-ARIN OrgAbuseName: GitHub Abuse OrgAbusePhone: +1-415-857-5430 OrgAbuseEmail: [email protected] OrgAbuseRef: https://rdap.arin.net/registry/entity/GITHU1-ARIN OrgNOCHandle: GITHU-ARIN OrgNOCName: GitHub Ops OrgNOCPhone: +1-415-735-4488 OrgNOCEmail: [email protected] OrgNOCRef: https://rdap.arin.net/registry/entity/GITHU-ARIN OrgTechHandle: GITHU-ARIN OrgTechName: GitHub Ops OrgTechPhone: +1-415-735-4488 OrgTechEmail: [email protected] OrgTechRef: https://rdap.arin.net/registry/entity/GITHU-ARIN # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.net/resources/registry/whois/tou/ # # If you see inaccuracies in the results, please report at # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/ # # Copyright 1997-2021, American Registry for Internet Numbers, Ltd. #
Bump on this. Specifically 140.82.112.3, 140.82.114.3, and 140.82.121.4. These are single-hosted IP addresses belonging to github.
After two months I conclude that they are clearly uninterested in resolving this (likely upstream) issue. I've now simply dropped using the respective lists.
After having random access issues with github (since not all IPs are being blocked), I finally dug into it and found this list to be the cause. Disappointing it's been going on for this long without getting corrected.
firehol_level3 includes vxvault, vxvault includes 140.82.112.3
vxvault is based on Virustotal, if any URL contains any virus detection, the whole server IP is blocked, then maybe github repo was detected with any virus (Could be a false positive), then, all github is blocked.
Then, vxvault should be moved to firehol_level4, vxvault is not safe. @ktsaou
firehol_level3 includes vxvault, vxvault includes 140.82.112.3
vxvault is based on Virustotal, if any URL contains any virus detection, the whole server IP is blocked, then maybe github repo was detected with any virus (Could be a false positive), then, all github is blocked.
Then, vxvault should be moved to firehol_level4, vxvault is not safe. @ktsaou
The problem is that it wasn’t all of GitHub’s IP address range that was blocked. It was only a couple of their registered ip addresses. Sometimes GitHub would be accessible and sometimes it would be blocked depending on how it resolved. And, a site as big as GitHub with a legit range of registered ips should be easy enough to validate that it doesn’t belong in this block list.
I get the ASN: whois -h whois.cymru.com " -v 140.82.112.3"
I get the IPs of the ASN whois -h whois.radb.net -- -i origin 36459 | grep 'route:' | sed -e 's/route: //' | /usr/local/bin/iprange --ipset-reduce 0 --ipset-reduce-entries 1 140.82.112.0/20 143.55.64.0/20 185.199.108.0/22 192.30.252.0/22
I saved it in a file: echo "140.82.112.0/20 143.55.64.0/20 185.199.108.0/22 192.30.252.0/22" > github.txt
I exclude from the IP lists:
/usr/local/bin/iprange --ipset-reduce 0 --ipset-reduce-entries 1 firehol_* --except github.txt > mycustomlist.txt
mycustomlist.txt includes firehol_1, firehol_2, and firehol_3, but excluding Github.
