←back to thread

Ban me at the IP level if you don't like me

(boston.conman.org)
597 points classichasclass | 1 comments | 25 Aug 25 04:23 UTC | HN request time: 0.219s | source
Show context
lwansbrough ◴[25 Aug 25 05:55 UTC] No.45010657[source]
We solved a lot of our problems by blocking all Chinese ASNs. Admittedly, not the friendliest solution, but there were so many issues originating from Chinese clients that it was easier to just ban the entire country.

It's not like we can capitalize on commerce in China anyway, so I think it's a fairly pragmatic approach.

replies(6): >>45010748 #>>45010787 #>>45010871 #>>45011590 #>>45011656 #>>45011732 #
lxgr ◴[25 Aug 25 06:10 UTC] No.45010748[source]
Why stop there? Just block all non-US IPs!

If it works for my health insurance company, essentially all streaming services (including not even being able to cancel service from abroad), and many banks, it’ll work for you as well.

Surely bad actors wouldn’t use VPNs or botnets, and your customers never travel abroad?

replies(11): >>45010774 #>>45010777 #>>45010786 #>>45010861 #>>45010879 #>>45010925 #>>45011206 #>>45011711 #>>45012110 #>>45013192 #>>45025318 #
1. sylware ◴[25 Aug 25 08:49 UTC] No.45011711[source]
Won't help: I get scans and script kiddy hack attempts from digital ocean, microsoft cloud (azure, stretchoid.com), google cloud, aws, and lately "hostpapa" via its 'IP colocation service'. Ofc it is instant fail-to-ban (it is not that hard to perform a basic email delivery to an existing account...).

Traffic should be "privatize" as much as possible between IPv6 addresses (because you still have 'scanners' doing the whole internet all the time... "the nice guys scanning the whole internet for your protection... never to sell any scan data ofc).

Public IP services are done for: going to be hell whatever you do.

The right answer seems significantly big 'security and availability teams' with open and super simple internet standards. Yep the javascript internet has to go away and the app private protocols have too. No more whatng cartel web engine, or the worst: closed network protocols for "apps".

And the most important: hardcore protocol simplicity, but doing a good enough job. It is common sense, but the planned obsolescence and kludgy bloat lovers won't let you...