How can I avoid IP Address Blacklisting?

17 August 2021


Share this post:

What is IP Address Blacklisting? 

Public IP addresses are assigned by an Internet Service Provider (ISP) such as GO to client connections. Such IP addresses may be temporarily or permanently assigned to a modem, while whole IP subnets or IP address ranges may be assigned to business connections that host more devices or services. In certain cases, public IP addresses may also be shared between different device connections using Carrier Grade Network Address Translation (CGNAT). In all of the above cases, the public IP address together with the service port is the identifier of your connection towards any website or service on the Internet and having a public IP address is an essential component of any Internet connection. 

While most Internet traffic is legitimate and harmless, certain traffic is related to malicious activity such as the distribution of malware, cyber attacks, distributed denial of service (DDoS), sharing of copyrighted material and other illegal or dangerous activities. Such malicious activity may be initiated by a malicious individual or organisation but in most cases the device participating in such activity may become infected with malware without its owner’s knowledge. In the latter case the device’s owner would also be a victim of such malicious activities, with possible repercussions on the security and privacy of their data. 

Several organisations on the Internet maintain lists of IP addresses involved in such malicious activities. These so called Blacklists would then be used by any other organisation wishing to protect its infrastructure or services from being accessed by such malicious IPs. The effect on connections with blacklisted IPs is that any device originating connections from these IPs would not be able to send out emails or browse any websites or services that apply blacklist filtering. 

How can I avoid being blacklisted? 

There are hundreds of blacklists on the Internet and they vary in the way they detect, list and delist IP addresses. However, certain basic principles will prevent your assigned IP addresses from being blacklisted, thus avoiding adverse impact on your connectivity and possibly your business:

Adopt basic cyber hygiene practices such as:

  • Regular patching of systems connected to the network including mobile devices, PCs and laptops, network equipment, home automation devices, IoT devices, IPTV cameras etc
  • Changing default passwords with strong passwords and not sharing passwords
  • Limiting who has administrator access to your network, devices and servers
  • Secure Wi-Fi access points with WPA2 encryption and a complex password
  • Avoid using public Wi-Fi hotspots as much as possible
  • Using anti-virus/anti-malware software to protect your devices
  • Using Multi Factor Authentication (MFA) on your user accounts wherever possible

Depending on the type of organisation using the Internet connection, the following may be relevant especially for businesses:

  • Setting up a firewall to protect your network and any connected servers and other devices. You may also consider blocking any connections to and from blacklisted and known high risk IPs
  • Ensuring that email servers are correctly configured, especially related forward and reverse DNS entries and applying any available email protection controls such as SPF
  • Limiting the amount of TCP and UDP ports listening on the Internet
  • Not sending out large quantities of emails since these are easily considered as spam by many blacklist operators. It is advisable to send out email campaigns, if necessary, using specialised service providers

Avoiding any malicious or illegal activities

  • Ensure that all users of the internet connection do not carry out activities such as vulnerability scanning on third party networks and attempting to exploit such vulnerabilities, password guessing, attempting to log on to third party servers without the owner’s permission, launching denial of service attacks

What happens if I still get blacklisted? 

Following the basic security steps indicated above will go a long way to prevent most attacks being successful, however there may still be instances where devices become infected and attackers use these devices for their own benefit. In most cases infected devices are joined to so called botnets, which are collections of infected devices that the attackers have control on, and which are used to launch attacks on their behalf. 

It is important to note that GO does not add its own customers’ IPs on these public blacklists nor does GO have access to remove IPs from such blacklists. Third party blacklists will add or remove IPs based on observed activity on the Internet. 

In such cases you may notice that you are blacklisted when you try to legitimately access a website and you are denied access, or when your mail server’s outgoing emails are rejected because the remote mail server will not trust your server. GO may also notify any customers when it detects they have become blacklisted so they can investigate and fix the root cause of such blacklisting actions. 

At this point you would have to look into any devices that are using the blacklisted connection, possibly with the help of IT or cyber security professionals, to identify what caused the blacklisting in the first place and to mitigate any identified issues. This is extremely important for these reasons: 

  • Your cyber securityIn most cases the blacklist would have been triggered by infected devices on your network. It is therefore in your direct interest to identify and fix these issues since the security and privacy of your data as well as the reliability of your connection are at stake. If untreated, attackers may continue abusing your devices by possibly infecting with ransomware, taking over user accounts or launching further attacks
  • Minimising the impact on other customers and on the ISPIf a single blacklisted IP is untreated, this may result in larger IP address subnets becoming blacklisted as well, thus affecting other ISP customers and possibly the ISP infrastructure itself. If this persists for a number of days, the ISP may have no option other than temporarily suspending the Internet service on that connection in order to contain the damage. This would be a last resort option which no ISP takes light-heartedly, but in extreme cases it is the only option to protect other customers. GO’s approach is to reach out to customers identified as having blacklisted IPs and to guide them, providing multiple notifications and warnings before such drastic actions are considered. Customers are also expected to take active steps to monitor their own activity and status and not to solely rely on GO’s notifications.

 Most blacklists will automatically remove (delist) the IP address after a few days as long as the IP remains clean, i.e. with no further related malicious activity. 

Creating a Safer Internet for Everyone 

The Internet has become a critical tool for most individuals and businesses, it is difficult to imagine our lives without it today. We form part of a global community which is becoming increasingly dependent on digital technologies. But making safe use of the Internet also depends on the actions of the community as a whole. If everyone follows basic cyber security principles as described in this article, we should all be safer together. 

By Kenneth Ciangura, CISSP, CISM 

Information Security Manager at GO