2 Replies. Latest reply: Nov 29, 2012 2:09 AM by asabban

    Security Risks of category 'Residential IP' - block or coach?

    clausonna

      Hi folks,

       

      I'm looking for some feedback on the 'Residential IP' category. I've had a bunch of requests from my users for legitimate business sites that are hosted at ISPs that are typically used for consumer/residential networks (e.g. Qwest). The sites seem to have static IP addresses, though, which makes me think the sites are just using a business-class DSL circuit.

       

      So - in general, does the community feel that the risks associated with allowing connections to Residential IPs are significant? Should I move from outright blocking to Coaching? Should I whitelist the sites ad hoc? I assume asking TrustedSource.org to reclassify the sites won't work, since the IP subnets in question technically are residential.

       

      Thanks!

        • 1. Re: Security Risks of category 'Residential IP' - block or coach?
          btlyric

          In the case of Qwest, many of their netblocks that are categorized as Residential IPs are actually Akamai content servers with IPs that resolve back to addresses with the syntax of 63-235-20-2.dia.static.qwest.net.

           

          This includes, but is not limited to, chunks of space in these netblocks:

           

          OrgName                    Org location        NetName              NetHandle            NetRange
          AKAMAI TECHNOLOGIES INC    Dallas, TX, US      Q0127-216-206-30-0   NET-216-206-30-0-1   216.206.30.0 - 216.206.30.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0414-65-121-208-0   NET-65-121-208-0-1   65.121.208.0 - 65.121.209.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0511-63-233-126-0   NET-63-233-126-0-1   63.233.126.0 - 63.233.126.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0512-63-233-112-0   NET-63-233-112-0-1   63.233.112.0 - 63.233.112.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0601-216-207-37-0   NET-216-207-37-0-1   216.207.37.0 - 216.207.37.127
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0607-204-132-142-0  NET-204-132-142-0-1  204.132.142.0 - 204.132.143.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0608-63-151-118-0   NET-63-151-118-0-1   63.151.118.0 - 63.151.119.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0613-208-44-255-0   NET-208-44-255-0-1   208.44.255.0 - 208.44.255.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0614-216-206-89-0   NET-216-206-89-0-1   216.206.89.0 - 216.206.89.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0614-65-112-54-0    NET-65-112-54-0-1    65.112.54.0 - 65.112.54.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0617-63-144-98-240  NET-63-144-98-240-1  63.144.98.240 - 63.144.98.247
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0723-65-126-84-0    NET-65-126-84-0-1    65.126.84.0 - 65.126.84.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0805-72-164-7-0     NET-72-164-7-0-1     72.164.7.0 - 72.164.7.127
          AKAMAI TECHNOLOGIES INC    Dallas, TX, US      Q0809-63-233-92-0    NET-63-233-92-0-1    63.233.92.0 - 63.233.92.127
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0901-63-150-131-0   NET-63-150-131-0-1   63.150.131.0 - 63.150.131.255
          AKAMAI TECHNOLOGIES INC    Dallas, TX, US      Q0914-63-235-20-0    NET-63-235-20-0-1    63.235.20.0 - 63.235.21.255
          AKAMAI TECHNOLOGIES INC    San Jose, CA, US    Q0916-63-235-28-0    NET-63-235-28-0-1    63.235.28.0 - 63.235.29.255
          Akamai Technologies, Inc.  Cambridge, MA, US   Q0929-65-120-60-0    NET-65-120-60-0-1    65.120.60.0 - 65.120.60.255
          Akamai International B.V.  Cambridge, MA, US   ORG-AIB6-RIPE                             213.248.117.0 - 213.248.117.255

           

          twtelecom.net also has chunks that get tagged as Residential IP addresses.

           

          The problem with whitelisting is that I believe that you lose your reputation checking.

           

          An advantage to Coaching is that it returns control to the users and the extra step may serve to prevent infected systems from phoning home.

           

          TrustedSource is pretty good about recategorizing sites if they get the right info. Unfortunately, you have to submit each IP address.
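Added example, not part of the original thread: a triage helper for destinations the proxy blocked as 'Residential IP', checking each against WHOIS ranges like those quoted in the reply above and against the `N-N-N-N.dia.static.qwest.net` PTR form it mentions. The sample entries, function names and the three output labels are assumptions made for illustration.

```python
import ipaddress
import re

# Three of the NetRange values quoted in the reply above (WHOIS "first - last" form).
AKAMAI_RANGES = [
    "63.235.20.0 - 63.235.21.255",
    "63.144.98.240 - 63.144.98.247",
    "216.207.37.0 - 216.207.37.127",
]

# PTR names such as 63-235-20-2.dia.static.qwest.net embed the address itself.
STATIC_PTR = re.compile(
    r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.dia\.static\.qwest\.net\.?$")

def ranges_to_networks(ranges):
    """Convert WHOIS 'first - last' ranges into CIDR networks."""
    nets = []
    for r in ranges:
        first, last = (ipaddress.ip_address(p.strip()) for p in r.split(" - "))
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def ptr_matches_ip(ptr, ip):
    """True if the PTR follows the static naming form and encodes this exact IP."""
    m = STATIC_PTR.match(ptr.lower())
    return bool(m) and ".".join(m.groups()) == ip

def triage(entries, networks):
    """Label each (dest_ip, ptr) pair; the labels are hypothetical triage hints."""
    labels = {}
    for ip, ptr in entries:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in networks):
            labels[ip] = "cdn-netblock"      # inside a range registered to the CDN
        elif ptr_matches_ip(ptr, ip):
            labels[ip] = "static-circuit"    # static naming, owner not confirmed
        else:
            labels[ip] = "unverified"        # keep the category action as-is
    return labels

# Constructed sample of blocked destinations (IP, reverse-DNS name).
SAMPLE = [
    ("63.235.20.2", "63-235-20-2.dia.static.qwest.net"),
    ("63.144.98.250", "63-144-98-250.dia.static.qwest.net"),
    ("192.0.2.10", "host10.example.net"),
]

if __name__ == "__main__":
    for ip, label in triage(SAMPLE, ranges_to_networks(AKAMAI_RANGES)).items():
        print(ip, label)
```

The labels only sort blocked hits for review or for submission to TrustedSource; they do not replace the reputation check.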

          • 2. Re: Security Risks of category 'Residential IP' - block or coach?
            asabban

            Hello,

             

            One problem with blocking/coaching such content is that you may have problems with "embedded" objects. If a user accesses a website which has coaching configured, he is fine by clicking the button, but servers such as those listed above especially are used to load content such as images, media files or similar into other legit websites. In this case the embedded object may not show up, and as a user you won't notice that there is a coaching page you may click to proceed. I know from a different customer that he has enabled residential IP addresses and allows access. If you allow the category you still have Web reputation, media type filter and AV to protect you - however, I can't make a recommendation; it is up to you to decide.

             

            Best,

            Andre