Is it a wise decision to block IP ranges of Hosting companies?

TinkuTinku Member
edited July 2016 in Help

I was receiving all sorts of attacks, abuse, comment spam and of course those nonsense bots and crawlers visiting all pages of my sites every second, and this was all coming from different hosting companies' IPs, especially OVH, Amazon AWS, Softlayer, Digital Ocean & Online, so I blocked most of the IP ranges of known hosts. Do you think it's a wise decision, or should I avoid it because this can also block normal users?

But what are the chances of normal users coming from these IP addresses? This is also helping me block the users coming from VPN/Proxy because most VPN/Proxies are on these host IP addresses.

Also, what is the easiest way to block East Asian countries' VPNs from Japan/Korea/Vietnam etc.? VPNGate is full of these countries' IP addresses, but when you look up these IP addresses most of them are with the telecom companies of those countries, so blocking those ranges means blocking all normal traffic.


Comments

  • KobeKobe Member

    There's no viable way to block all datacenter/VPNGate IP addresses.

    I personally think it's largely ineffective and incredibly frustrating for the user to block all datacenter IP addresses. While blocking DC IPs may mitigate some attacks, it's a band-aid solution for actual security. A determined attacker is more than capable of bypassing such blocks, and if bots/crawlers are capable of finding holes in your website, it's in your best interest to find such holes. Crawlers can be blocked by rate limiting requests.

  • rokokrokok Member

    Yes, block them all if you don't care about traffic

  • It just depends on your target audience.

    Some things to consider.

    Would a lot of legitimate users use VPNs to access your site?

    Is your site accessed by people who may have restricted internet and need to use a VPN to access your site?

    Are legitimate users likely to come back without a VPN after they are blocked?

    However do legitimate users get unblocked, and would they feel it is worth the trouble? Would you be blocking users in networks that do both hosting and residential internet (such as BHN)?

    Have you tried integrating stuff like SFS/etc to block known spammers?

    Aside, http://getipintel.net is a great accurate tool for checking the probability that an IP is a residential IP.

    Thanked by 1t0m
  • TinkuTinku Member

    ^ but at least we can try and decrease it?

    For example, if I block all the IP ranges of OVH, that means blocking around 1.6 to 1.7 million IP addresses that are with OVH currently. This really helped me block many, many VPNs because OVH is the biggest platform for all those VPN providers thanks to the bandwidth OVH offers.

  • TinkuTinku Member

    @ALinuxNinja said:
    It just depends on your target audience.

    Some things to consider.

    Would a lot of legitimate users use VPNs to access your site?

    Is your site accessed by people who may have restricted internet and need to use a VPN to access your site?

    Are legitimate users likely to come back without a VPN after they are blocked?

    However do legitimate users get unblocked, and would they feel it is worth the trouble? Would you be blocking users in networks that do both hosting and residential internet (such as BHN)?

    Have you tried integrating stuff like SFS/etc to block known spammers?

    Aside, http://getipintel.net is a great accurate tool for checking the probability that an IP is a residential IP.

    VPN users are creating more trouble for me than anything because this is a community site with features like comments, chat etc., so they keep coming back with different VPN IP addresses after getting banned to abuse and cause more trouble.

    Thanks for the recommendation, I will check out http://getipintel.net

  • TinkuTinku Member

    @rokok said:
    Yes, block them all if you don't care about traffic

    More like unwanted traffic

  • Problem is not all VPN traffic is malicious, so you could be blocking legitimate users as well.

    I for instance often VPN through one of my servers when I'm on public WiFi which is a lot (My personal device connects to the guest network at work)

  • ClouviderClouvider Member, Patron Provider
    edited July 2016

    @Tinku said:

    @rokok said:
    Yes, block them all if you don't care about traffic

    More like unwanted traffic

    Wow. I think it's a great idea. Why not block 0.0.0.0/0 and then allow explicitly only the 'wanted' traffic with individual /32 allow statements ? That will surely allow you to get all bots and VPNs out of your website ;-)

    Thanked by 1scttmthsn
  • TinkuTinku Member

    @Clouvider said:

    @Tinku said:

    @rokok said:
    Yes, block them all if you don't care about traffic

    More like unwanted traffic

    Wow. I think it's a great idea. Why not block 0.0.0.0/0 and then allow explicitly only the 'wanted' traffic with individual /32 allow statements ? That will surely allow you to get all bots and VPNs out of your website ;-)

    You are a host, I respect you and I am sure you have great knowledge in your field, but trust me, you probably have no idea how much trouble these VPN/Proxy servers create for community and chat related websites regularly, and most of them are hosted on big hosting networks like OVH, DO etc. Ban those abusers and spammers and they will keep coming back with different VPN/Proxy IPs to abuse. So you are left with 2 choices: spend hours daily handling them, or block the whole network, which will probably block a few legitimate users as well.

    My sites have nothing to offer for East Asian countries and there is no chance of normal users from those countries coming on my site because of content and language, but guess what, I daily receive 100s of visits from those countries' IPs (JP, KR, VN etc.) thanks to the abusers and spammers using VPNGate.

  • FalzoFalzo Member

    If it suits your needs I can see nothing bad in blocking whole ranges as you like. After all, it is your decision to narrow down the possibilities to visit your site.
    Also, you probably are the only one to decide if you care about getting every possible visitor by maybe blocking some non-malicious ones...

    Maybe have a further look into ipset and different IP blocklists, good starting point: https://www.lowendtalk.com/discussion/27172/securing-your-server-using-ipset-and-dynamic-blocklists

    Yet the latter one probably won't help against single members trying to disturb in an active way...

  • IkoulaIkoula Member, Host Rep

    As long as it does not block your target audience that sounds good.

  • ClouviderClouvider Member, Patron Provider

    I can see about a dozen ways to get around a block like this. If someone actively tries to get through, they will. The only ones you will hurt are the non-malicious visitors using, for example, a VPN for other reasons.

    Take our case, for example. If you'd block Clouvider, you're not only blocking our hosting network, but also the residential and business broadbands/leased lines that we provide, remote desktops that we provide, and all the other legitimate use cases. The worst thing in that is that you won't even notice that you're actually blocking legitimate users, thinking you did well by blocking the 'malicious' ranges.

    Thanked by 1rds100
  • rds100rds100 Member

    Google is also a hosting provider, are you considering blocking their ranges too?

  • Tinku said: how much trouble these VPN/Proxy servers create for community and chat related websites regularly, and most of them are hosted on big hosting networks like OVH, DO etc. Ban those abusers and spammers and they will keep coming back with different VPN/Proxy IPs to abuse.

    It sounds like there is a problem with your community. I can't comment too much without having been part of it, but there is a reason these trolls persist. Perhaps you, or other members of your community are feeding them. In any case, what you have is a social problem and not a technical one.

    BTW, all my personal browser traffic goes through a VPN. I'm not using OVH or DO, but it is clear that you wouldn't want me to come to your site anyway. I got your message. :)

  • FritzFritz Veteran

    Block all IP ranges and whitelist only your IP sounds better.

    Thanked by 1Clouvider
  • This can be a good and a bad idea. First you need to analyze your traffic. For example, we have a tool that shows traffic by AS, and it is easy for us to understand legit traffic and attacks.

    We find a good solution is blocking OVH, online.net, Hetzner, Amazon, Hydra and some others only during an attack and only to the target IP.
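
The "analyze your traffic first" step from the post above, and the collateral-damage concern raised earlier in the thread, as an added example that is not part of any post. It dry-runs a candidate blocklist against an access log and reports, per range, how much abuse and how many logged-in members it would hit; the log format, range labels and the "403 means rejected as abuse" rule are assumptions, and the addresses are RFC 5737 documentation prefixes.

```python
import ipaddress
from collections import defaultdict

# Candidate block ranges (constructed; documentation prefixes, hypothetical labels).
CANDIDATES = {
    "hosting-a": ["192.0.2.0/24"],
    "hosting-b": ["198.51.100.0/25", "198.51.100.128/25"],
    "mixed-isp": ["203.0.113.0/24"],
}

# Constructed log sample, assumed format: "ip user status method path".
# Assumption: user "-" is anonymous; 403 = already rejected as spam/abuse.
SAMPLE_LOG = """\
192.0.2.10 - 403 POST /comment
192.0.2.11 - 403 POST /comment
192.0.2.10 - 200 GET /thread/1
198.51.100.7 - 403 POST /comment
198.51.100.200 alice 200 GET /thread/1
203.0.113.5 bob 200 POST /comment
203.0.113.77 - 403 POST /chat
10.0.0.5 carol 200 GET /
"""

def build_index(candidates):
    """(network, label) pairs, with adjacent or overlapping CIDRs merged."""
    return [(net, label) for label, cidrs in candidates.items()
            for net in ipaddress.collapse_addresses(map(ipaddress.ip_network, cidrs))]

def audit(log_text, index):
    """Per candidate label: total requests, abusive requests, distinct members."""
    stats = defaultdict(lambda: {"requests": 0, "abuse": 0, "members": set()})
    for line in log_text.splitlines():
        try:
            ip_text, user, status, _method, _path = line.split()
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed line or unparsable address
        label = next((lbl for net, lbl in index if ip in net), None)
        if label is None:
            continue  # address is outside every candidate range
        entry = stats[label]
        entry["requests"] += 1
        if status == "403":
            entry["abuse"] += 1
        elif user != "-":
            entry["members"].add(user)
    return dict(stats)

def verdicts(stats):
    """'block' only when a range shows abuse and no logged-in member at all."""
    return {label: "block" if s["abuse"] and not s["members"] else "review"
            for label, s in stats.items()}
```

On the constructed sample, only the range with abuse and no member activity comes out as "block"; the two ranges where a logged-in member appears are flagged "review" instead of being dropped silently.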

  • lazytlazyt Member

    Figure it as a profit loss issue. Do the hits from the hosting IPs cost you more regular visitors than they provide?

    Not every site usage requires world wide availability.

    Sometimes the pure volume of crap spewing from ranges like say CC and Quadra net makes it more cost effective to block them. It stopped several hundred spammers from trying to comment on small very local forums. Even using SFS you still had hundreds getting through every day.

    So the choice is lose real visitors to all of the spam or risk losing a small number of possible visitors maybe could be possibility.

    Thanked by 1Falzo
  • blackblack Member

    It depends. In theory, web hosting IPs should never connect to your website unless it's a good crawler like google bot. If you just have a blog, then it doesn't really matter. If the content of your website is being stolen by a bot, then you might want to do something. If you're running a promotion on your website, then you probably want to block proxies / VPNs so people don't abuse your promotional offer, but you don't need to block proxies / VPNs for your entire site. If you're selling something or money is involved, it's better to check if they're on a proxy or not. If they are, you should manually review the order. The question comes down to, "can the content I provide be abused by proxies / VPNs to the point where I need to put in effort in protecting it?"

    @ALinuxNinja Thanks for the mention. It is a pain to maintain a good list of proxy / VPN IPs, but I went ahead and bit the bullet to make http://getipintel.net. It's very hard to keep up with how fast the internet changes with just ASN ban lists and CIDR bans, so I wrote an algorithm that'll generate a probabilistic value of how likely an IP is a proxy / VPN for any given IPv4 address, which really lightens the load of manual labor, but I still have to put time into it every day.

    I see you're worried about residential IP proxies, but we do our best to detect that as well.

    Thanked by 1theroyalstudent
  • @Clouvider said:
    Take it our case for example. If you'd block Clouvider, you're not only blocking our hosting network, but also the residential and business broadbands/leased lines that we provide, remote desktops that we provide, and all the other legitimate use cases.

    You're aware, I'm sure, that this is the same justification that spam-friendly providers used to use (maybe still do) to try to get people to allow them to send spam. It is not someone else's responsibility to enable your business model of providing services to spammers. If you want to provide services to legitimate customers, it's your responsibility to get rid of your abusive customers. Hell, I actually have the entire 185.0.0.0/8 you're under blocked due to the excessive abuse I've experienced from that whole range. Clean your shit up.

  • ClouviderClouvider Member, Patron Provider
    edited July 2016

    @impossiblystupid said:

    @Clouvider said:
    Take it our case for example. If you'd block Clouvider, you're not only blocking our hosting network, but also the residential and business broadbands/leased lines that we provide, remote desktops that we provide, and all the other legitimate use cases.

    You're aware, I'm sure, that this is the same justification that spam-friendly providers used to use (maybe still do) to try to get people to allow them to send spam. It is not someone else's responsibility to enable your business model of providing services to spammers. If you want to provide services to legitimate customers, it's your responsibility to get rid of your abusive customers. Hell, I actually have the entire 185.0.0.0/8 you're under blocked due to the excessive abuse I've experienced from that whole range. Clean your shit up.

    I don't see what's your point here? My argument was about blocking 'hosting providers' outright, without seeing any abuse from a particular range. Please re-read and take two deep breaths before you start to flame next time. Thanks.

  • impossiblystupid said: Hell, I actually have the entire 185.0.0.0/8 you're under blocked due to the excessive abuse I've experienced from that whole range. Clean your shit up.

    That's one of the last RIPE /8s, block that and you will be blocking a ton of ISPs trying to get a last /22.

  • @Clouvider said:
    I don't see what's your point here? My argument was about blocking 'hosting providers' outright, without seeing any abuse from a particular range.

    My point is that if anyone is seeing abuse from a network, a reputation is being established. The longer it goes on, the more people will begin to accept that the growing reputation is valid; there's often little need to wait for direct abuse before dropping ranges into the firewall. Personally I still wait to see bad behavior, but I'm happy to keep adding larger and larger ranges for providers who refuse to get their act together.

  • edited July 2016

    @linuxthefish said:
    That's one of the last RIPE /8s, block that and you will be blocking a ton of ISPs trying to get a last /22.

    Sucks to be them. Paying RIPE for a dicey IP range doesn't put any money into my security budget. They should be concentrating on pushing IPv6 adoption anyway. So many more addresses and yet still so much less abuse:

    # iptables -n -L | wc -l
    2024
    # ip6tables -n -L | wc -l
    11
    
  • blackblack Member

    impossiblystupid said: So many more addresses and yet still so much less abuse:

    I don't think there's going to be less abuse on IPv6. It's statistically true to say that when you increase the number of IP addresses with the same amount of abusers then there are fewer abusers per IP address, but you still have the same number of abusers regardless of whether you're on IPv4 or IPv6. Switching to IPv6 doesn't mean you'll get less abuse. In fact, I think there's going to be way more abuse on IPv6 due to the sheer number of IP addresses. Abusers will be able to easily switch IP addresses and have control over a large set of IP space.

  • @impossiblystupid said:
    Sucks to be them. Paying RIPE for a dicey IP range doesn't put any money into my security budget.

    And yet the world still survived this security apocalypse. If you want my IP to ban me, just DM and I'll get that to you.

    Thanked by 1Clouvider
  • edited July 2016

    I block whole countries and about 20 of the largest hosting companies. I also block those that have a high rate of nefarious activity.

    One of the best moves I've ever done.

    There is no reason for anyone to visit my sites from a server farm IP...none.

  • I regularly block big chunks of provider IPs when I see crap coming from them.

  • TinkuTinku Member

    So I went ahead and blocked almost every big provider, and in the last 2 days saw a 3% to 5% decrease in website traffic but also saw a huge improvement, because most of those abusers/spammers are finding it hard to change their IPs and come back after getting their real IP banned.

    Now my biggest worry is these IPs from East Asian countries that are assigned to users of VPNGate. I didn't block them yet, and some of the abusers/spammers use them to access my site. The issue is most of those VPNs are hosted on normal home/university internet connections, and if I block the range it means all normal users will be blocked as well. My site hardly attracts any real traffic from that region because of the different content and language, so should I go ahead and ban those ISP IP ranges or block these few East Asian countries like Korea, Japan, Vietnam?

    I have a question, if people related to SEO can answer: are Google/Bing and other major search engine bots only using USA IPs, or are they coming from different countries' IP addresses as well?

  • I think it just drives away legitimate traffic. I'm on a VPN 100% of my surf-time (not because I have something to hide, just because I can) and I just move to the next result in the SERP if I'm getting ASN-blocked.

  • blackblack Member

    @Tinku They're most likely anycast IPs, so technically they'll come from different locations but the IP address will look the same. As mentioned in my earlier post, http://GetIPIntel.net detects the residential IPs you're worried about.
