issue with a non USA IP getting added to North America IPV4 List
-
It's a Microsoft IP address range:-
AS details for 20.199.0.1 :-

route: 20.192.0.0/10
descr: Microsoft
origin: AS8075
notify: radb@microsoft.com
mnt-by: MAINT-AS8075
changed: mkasten@microsoft.com 20200721
source: RADB

route: 20.0.0.0/8
descr: REACH (Customer Route)
tech-c: RRNOC1-REACH
origin: AS17916
remarks: This auto-generated route object was created
remarks: for a REACH customer route
remarks:
remarks: This route object was created because
remarks: some REACH peers filter based on these objects
remarks: and this route may be rejected
remarks: if this object is not created.
remarks:
remarks: Please contact irr@team.telstra.com if you have any
remarks: questions regarding this object.
notify: irr@team.telstra.com
mnt-by: MAINT-REACH-NOC
changed: irr@team.telstra.com 20090917
source: REACH
-
@michmoor said in issue with a non USA IP getting added to North America IPV4 List:
@bmeeks is the maintainer so he would have a clearer answer.
No, I have nothing at all to do with pfBlockerNG nor pfBlockerNG-devel. The volunteer maintainer for that is @BBcan177.
I look after only the Snort and Suricata packages.
-
@bmeeks you're right, my apologies. Too many 'B's :)
-
@nogbadthebad said in issue with a non USA IP getting added to North America IPV4 List:
It's a Microsoft IP address range
And in what country are the IPs used?
If it's an IP used outside of USA, I don't want it to pass the gate.
-
@igoldstein
Because Microsoft owned IPs try to connect to you?
-
@igoldstein what are you trying to prevent? GeoIP blocking is hard enough as it is as you can see. The best you can do is using a high quality IP block list.
-
@michmoor said in issue with a non USA IP getting added to North America IPV4 List:
The best you can do is using a high quality IP block list.
Any setups you can suggest? I currently use the pfblocker package, which I believe utilizes MaxMind.
@michmoor said in issue with a non USA IP getting added to North America IPV4 List:
what are you trying to prevent?
Currently I have a rule that allows any USA IP, and blocks everything else.
-
@igoldstein As we suggested already, IPs aren't necessarily bound to their geographic location. Blocking IPs based on a location is not highly accurate for the reasons listed above. The IP block lists that come with pfBlockerNG are good enough if you want to craft a GeoIP rule around it.
If you have no services/applications exposed to the internet then this is a non-issue.
If you do have services/applications exposed to the internet then IP blocking is fine.
-
I do have services exposed to the internet,
hence why I want to allow ONLY IPs that are used in USA, not just Registered in USA
-
@igoldstein said in issue with a non USA IP getting added to North America IPV4 List:
IPs that are used in USA, not just Registered in USA
Good luck finding that list... Not sure how many times this needs to be said, there is no such list. There will always be mistakes, IPs move all the time. I could route a network out of Dallas today, and Paris tomorrow..
Your best solution is to put IPs you find that are not coming from the US in your own block list, and put this at the top of your rules order, before your allow of the US IP list.
Still curious how you found this IP was not coming from the US. Did you go through the complete list of networks in the US list?
edit: https://support.maxmind.com/hc/en-us/articles/4407630607131-Geolocation-Accuracy
"It is not possible for us to guarantee 100% geolocation accuracy. Accuracy exhibits high variability according to country, distance, type of IP (cellular vs. broadband, IPv4 vs. IPv6), and practices of ISPs."
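-
Added example, not part of the thread: a small Python model of the rule ordering suggested in the last post, assuming first-match, top-down rule evaluation with a default deny. The list contents, the `20.199.0.0/16` override and all function names are constructed for illustration; only `20.199.0.1`, `20.0.0.0/8` and `20.192.0.0/10` come from the route output above.

```python
import ipaddress

# Constructed sample lists; real GeoIP lists hold thousands of CIDRs.
US_ALLOW = ["20.0.0.0/8", "8.8.8.0/24"]   # stand-in for the GeoIP "US" alias
CUSTOM_BLOCK = ["20.199.0.0/16"]          # hypothetical hand-maintained override


def _nets(cidrs):
    # strict=True rejects CIDRs with host bits set (typos in a manual list).
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def covering(ip, cidrs):
    """Return the most specific CIDR in the list containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in _nets(cidrs) if addr.version == n.version and addr in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def evaluate(ip, rules):
    """First-match evaluation, top to bottom, with an implicit default deny.

    rules is an ordered list of (action, label, cidrs) tuples.
    Returns (action, label, matched CIDR as a string or None).
    """
    for action, label, cidrs in rules:
        net = covering(ip, cidrs)
        if net is not None:
            return action, label, str(net)
    return "block", "default deny", None


# Order recommended in the thread: custom block list above the US allow list.
BLOCK_FIRST = [("block", "custom block list", CUSTOM_BLOCK),
               ("pass", "US GeoIP list", US_ALLOW)]
# Reversed order: the override is never reached for addresses in the US list.
ALLOW_FIRST = list(reversed(BLOCK_FIRST))

if __name__ == "__main__":
    for ip in ("20.199.0.1", "20.10.0.1", "8.8.8.8", "203.0.113.7"):
        print(ip, "block-first:", evaluate(ip, BLOCK_FIRST),
              "| allow-first:", evaluate(ip, ALLOW_FIRST))
```

With the block list placed below the allow list, the override has no effect for any address the GeoIP list already covers, which is why the ordering matters.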