
Viasat is aggressively blacklisting Digitalocean IP addresses - jameshilliard
I just talked with the NOC at Viasat and confirmed that they block a huge amount of Digitalocean IP addresses due to malware. I don't think their normal support agents are even aware they have IP blacklists so requests for unblocks have to be escalated to their security team (which I'm still waiting to hear back from regarding removing the block).

They seem to be blacklisting entire /24 subnets even if only some of the IPs are sending malicious traffic. I've found this to be the cause of many websites not working including some of my own.

The best way I've come up with to test if Viasat is blacklisting an IP from a non-Viasat connection is to try and ping one of the core routers such as 64.125.54.230.

What should one do in situations like these?
======
metildaa
Viasat has likely been sending abuse reports to DigitalOcean, and one too many
abuse reports was ignored, resulting in Viasat nullrouting DO's IPs over this
continued malicious traffic.

~~~
jameshilliard
Yeah, that's basically what their NOC told me, although they didn't really
have much of an explanation into why they were nullrouting /24 subnets when
Digitalocean typically allocates single addresses.

~~~
marcinzm
Wouldn't malware simply spin up a new VM with a new IP to trivially get around
single IP blocks? Wouldn't such blocks also put a lot of strain on the NOC to
maintain?

~~~
jameshilliard
Well since they seem to just block entire /24 subnets it does seem to have
resulted in a large portion of Digitalocean's network being unusable from
Viasat. I guess they think it's worth it to maintain those blacklists.

~~~
metildaa
It's not hard for them to maintain blacklists, especially since they do not
care about network quality.

If I were in your position, I would set up a proxy that appears as http
traffic (so you fly under their radar).

------
joeyh
From the perspective of a DO user or a Viasat user?

As more the latter than the former, I simply am prepared to use a VPN for
any/all traffic at any time when using Viasat.

I have seen their transparent http proxies break when accessing kernel.org,
and have also seen those proxies mess up gzipped data
([https://bugs.debian.org/874321](https://bugs.debian.org/874321))

(They also blatantly violated network neutrality before it got its teeth
pulled.)

~~~
jameshilliard
Well both really for me, now that I know what to look for I've been noticing a
bunch of broken Digitalocean hosted websites on Viasat.

