Partial List of IP Blocks Used by US "Terrorist Surveillance Program"
via http://cryptome.org/ip-tla.htm

The following partial list of IP blocks is routinely used by US government entities (supported by private contractors) to gain access to, to monitor, and in some cases to destroy IT networks. Such activity is related to the US "Terrorist Surveillance Program." Most of the registrants of the blocks listed below are not aware of these activities. Concerned network admins should examine traffic logs closely. A correlation of traffic from several of these IP blocks likely indicates that a network is under surveillance or has had access attempted by the US intelligence community and affiliated entities.

and in cidr format for easy matching:
On Tue, Feb 06, 2007 at 07:15:25PM -0800, coderman wrote:
So the implicit suggestion is to put those as a denial list into the firewall, and live happily ever after? What's the false positive rate in the list? I.e. how large a fraction of the total address space are we walling off?
-- Eugen* Leitl http://leitl.org
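Eugen's question about how much address space the list walls off can be answered mechanically. The following is an added example, not code from the thread: it takes a constructed sample of blocks drawn from the posted list (including its duplicate entries and the /8 and /9 blocks that dominate its size), collapses overlaps with Python's ipaddress module, reports the share of IPv4 a deny list built from them would cover, and flags the very wide blocks that are the usual source of false positives. The helper names are assumptions of this example.

```python
import ipaddress

# Constructed sample: a few blocks from the posted list, including the /8 and
# /9 entries that dominate its size and two blocks the list repeats.
SAMPLE_CIDRS = """
51.0.0.0/8      166.128.0.0/9    189.128.0.0/9
201.5.0.0/16    201.5.0.0/16
211.200.0.0/14  211.204.0.0/15   211.200.0.0/14  211.204.0.0/15
88.191.3.0/24   88.191.4.0/22
"""

IPV4_SPACE = 2 ** 32


def parse_cidrs(text):
    """Parse whitespace-separated CIDR blocks; strict=False tolerates
    entries whose host bits are set (e.g. 10.1.2.3/24)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in text.split()]


def collapse(nets):
    """Merge duplicates, overlaps and mergeable neighbours so that every
    address is counted exactly once."""
    return list(ipaddress.collapse_addresses(nets))


def coverage(nets):
    """Return (addresses covered, fraction of IPv4 space) after collapsing."""
    covered = sum(n.num_addresses for n in collapse(nets))
    return covered, covered / IPV4_SPACE


def wide_blocks(nets, max_prefixlen=16):
    """Unique blocks shorter than max_prefixlen: a /8 or /9 in a deny list
    is the usual source of mass false positives and deserves a second look."""
    return sorted({n for n in nets if n.prefixlen < max_prefixlen})


def is_denied(ip, nets):
    """What the firewall would decide for a single address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = parse_cidrs(SAMPLE_CIDRS)
    covered, frac = coverage(nets)
    print(f"{len(nets)} entries collapse to {len(collapse(nets))} blocks; "
          f"{covered} addresses, {frac:.2%} of IPv4")
    for n in wide_blocks(nets):
        print("wide block:", n)
```

Feed the full posted list into parse_cidrs to get the real figure; the sample alone already walls off roughly 0.8% of IPv4, almost all of it from the three widest blocks.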
On 2/7/07, Eugen Leitl <eugen@leitl.org> wrote:
> ... So the implicit suggestion is to put those as denial list into the firewall, and live happily ever after?
presumably the utility of these endpoints will taper off quickly toward almost nothing, so historical more than current utility... :)