
Comments
It really depends on what my target audience is. But generally, I take scripted actions against bots and do my best to catch spam and reject/ban on abuse. But my biggest problems come from .RU IPs, so I do block that entire range.
I get people ordering from spoofed IPs, pretending to be using one of Cloudflare's ranges. Not sure whether to block them.
I don't block any country or ASN, even VPNs are allowed. Prevent scams by enforcing 3D Secure authentication on cards.
(except NAT VPS we require IP verification before providing those)
Are you sure you're not missing out on something basic like using the leftmost value of the X-Forwarded-For header, or forgetting to set the realip configuration for some Cloudflare IPs?
IP datagrams are trivially spoofed; however, establishing a TCP connection by completing a 3-way handshake is impossible. It's only useful for volumetric and amplification attacks.
It is not a spoofed IP, it is someone using the free version of WARP.
RU. Most hackers.
I just had a B2B guy from India pay me $2,000 USD, maybe I should unblock India.
I haven't had any serious problems with IPs tracing back to India. It's mostly .RU and .CN
Recently though, I am having problems with SA.COM
Yeah nobody from .CN has money, they're "working" for US companies (never turn down the right man, they have a shit load of money) + .RU is sanctioned, don't touch that shit.
Indians have fuck tons of money if you meet the American Indians.
So I dug into these old records. I found they are spoofing X-Forwarded-For Header
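The check discussed in the comments above (honour X-Forwarded-For only when the TCP peer is a known proxy, and never take its leftmost value), as an added Python example that is not any poster's code. The proxy list is a small subset of Cloudflare's published ranges and the request values are constructed; the function names are hypothetical.

```python
import ipaddress

# Subset of Cloudflare's published edge ranges, for illustration only.
# Assumption: production code loads the full, current list from Cloudflare.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "162.158.0.0/15", "2606:4700::/32",
)]

def is_trusted_proxy(addr):
    """True if addr parses as an IP inside a trusted proxy range."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip.version == net.version and ip in net for net in TRUSTED_PROXIES)

def naive_client_ip(peer_addr, headers):
    """The mistake: believe the leftmost X-Forwarded-For entry from anyone."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() or peer_addr

def client_ip(peer_addr, headers):
    """Address to use for logging, rate limiting and order fraud checks."""
    # Direct connection: every forwarding header is client-controlled,
    # so only the TCP peer (which completed the handshake) can be believed.
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    # Peer is a trusted proxy: walk the header right to left. Entries on the
    # right were appended by proxies; the first untrusted one is the client.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            if not is_trusted_proxy(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
    return peer_addr

def header_is_forged(peer_addr, headers):
    """Flag requests whose leftmost entry is not the address we resolved."""
    return naive_client_ip(peer_addr, headers) != client_ip(peer_addr, headers)

# Constructed requests: (TCP peer, headers)
DIRECT_SPOOF = ("198.51.100.7", {"X-Forwarded-For": "173.245.48.10"})
VIA_PROXY_SPOOF = ("172.64.1.1", {"X-Forwarded-For": "173.245.48.10, 203.0.113.9"})
VIA_PROXY_CLEAN = ("172.64.1.1", {"X-Forwarded-For": "203.0.113.9"})
```

With the naive lookup both spoofed requests appear to come from 173.245.48.10, an address inside a Cloudflare range, which matches the symptom described at the top of the thread.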
blocked:
(ip.geoip.country eq "CN") or (ip.geoip.country eq "RU") or (ip.geoip.country eq "ID") or (ip.geoip.country eq "IN") or (ip.geoip.country eq "T1") or (ip.geoip.country eq "BR") or (ip.geoip.country eq "IR") or (ip.geoip.country eq "IQ") or (ip.geoip.country eq "US") or (ip.geoip.country eq "CO") or (ip.geoip.country eq "AR") or (ip.geoip.country eq "DZ") or (ip.geoip.country eq "BY") or (ip.geoip.country eq "BO") or (ip.geoip.country eq "BI") or (ip.geoip.country eq "CF") or (ip.geoip.country eq "CG") or (ip.geoip.country eq "CD") or (ip.geoip.country eq "CU") or (ip.geoip.country eq "KP") or (ip.geoip.country eq "KR") or (ip.geoip.country eq "ER") or (ip.geoip.country eq "ET") or (ip.geoip.country eq "GA") or (ip.geoip.country eq "KZ") or (ip.geoip.country eq "KG") or (ip.geoip.country eq "LA") or (ip.geoip.country eq "ML") or (ip.geoip.country eq "NI") or (ip.geoip.country eq "UZ") or (ip.geoip.country eq "VN") or (ip.geoip.country eq "ZW") or (ip.geoip.asnum in {60781 24940 16276 199524})
India, Bangladesh, Pakistan, most of Africa is a good start
Never had any issues with Russian or Chinese customers. I know Stripe is blocking payment from Russia so some businesses have just given free services instead in fear of losing customers
Don't fear it, if it's worth the money they'll pay you by alternative means.
I've banned Russians on some hobby project.
Sales increased. Then I investigated why, and found tons of abuses that had been used by Russians for years in the hobby project and that destroyed sales for the hobby project.
I'm 99% sure that's just Cloudflare WARP users
RU CN are a must.
Closely followed by RO.
Then I filter out BG, UA and KZ.
Once 80% of the trash traffic has been filtered per above I get the occasional port knocker from the usual places: HK TW KR maybe once or twice a day, not worth adding them to the filter.
IN and ID can be nasty places too, once in a blue moon, not worth filtering them either.
Lastly, a few attacks from NL and the US have been popping up left and right from VPS IP ranges; however, these must be dealt with manually, case by case. This is where abuse@ emails are being sent, as the English literacy is at its peak: more chances the complaints are being read, acknowledged and acted upon.
None, any IPs that are trying to brute force the login are handled by fail2ban or IPBan
We do a partial block for malformed Chinese bots(?) for our mirror servers