You should block Cloudflare as well. Cloudflare workers are little more than a bot farm for hire. Allegedly, you can file an abuse report. Maybe. It's behind a captcha that thinks I'm a bot. Fuck them.
At least it's a short list.
https://www.cloudflare.com/ips/
https://www.cloudflare.com/ips-v4/#
For my silly hobby sites I block most VPS providers, especially the low cost providers. For some of my special purpose hobby things I also block wireless providers and anything sending a TCP SYN packet with a TTL greater than 128 or MSS outside of the range of 1220:1460 on IPv4 and I disable IPv6. I do many other things but those quiet everything down a lot. To block archive.is I had to also block about 60 ASNs.
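The SYN filter in the comment above (drop IPv4 SYNs with TTL > 128 or an MSS outside 1220:1460) is normally expressed as an iptables `-m ttl` / `-m tcpmss` rule, but it helps to see what the kernel is actually checking. This is an added example, not the commenter's ruleset: it parses a raw IPv4+TCP packet, walks the TCP option list to find the MSS option, and returns a verdict. The packets, the addresses (TEST-NET ranges) and the `build_syn` helper are constructed here for illustration; the thresholds are the ones the comment gives.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Policy thresholds from the comment above (both are tunable).
MAX_TTL = 128
MSS_RANGE = (1220, 1460)


@dataclass
class SynInfo:
    ttl: int
    is_syn: bool      # SYN set and ACK clear, i.e. a new connection attempt
    mss: Optional[int]  # value of TCP option kind 2, or None if absent


def parse_ipv4_tcp(pkt: bytes) -> SynInfo:
    """Parse the IPv4 and TCP headers of a raw packet (no link-layer header)."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    is_syn = bool(flags & 0x02) and not (flags & 0x10)

    # Walk the option list: kind, length, value. Stop on EOL or a malformed length
    # rather than reading past the buffer.
    mss = None
    opts = tcp[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # EOL
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break              # malformed option list
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return SynInfo(ttl, is_syn, mss)


def syn_verdict(pkt: bytes) -> str:
    """Apply the policy: only SYNs are judged; everything else passes through."""
    info = parse_ipv4_tcp(pkt)
    if not info.is_syn:
        return "pass"
    if info.ttl > MAX_TTL:
        return "drop:ttl"
    # Design choice: a SYN with no MSS option is treated as "outside the range".
    if info.mss is None or not (MSS_RANGE[0] <= info.mss <= MSS_RANGE[1]):
        return "drop:mss"
    return "accept"


def build_syn(ttl: int, mss: Optional[int], flags: int = 0x02) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP header, optional MSS option."""
    opts = b"" if mss is None else struct.pack("!BBH", 2, 4, mss)
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_off << 4,
                      flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp


if __name__ == "__main__":
    for ttl, mss, flags in [(64, 1460, 0x02), (200, 1460, 0x02),
                            (64, 536, 0x02), (64, None, 0x02), (64, 1460, 0x12)]:
        print(ttl, mss, hex(flags), "->", syn_verdict(build_syn(ttl, mss, flags)))
```

The TTL rule works because common stacks start at 64 or 128, so a SYN arriving with a TTL above 128 was sent from a stack that starts at 255 (or has been rewritten in transit). The MSS rule keys on the same fingerprinting idea; neither is a security boundary, only a cheap way to shed noise, and both will also drop some legitimate odd clients.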
The Internet is always gonna have undesirable traffic if you're facing it. The trick is to minimize your surfaces as much as possible:
- Only keep open ports/forward ports for applications you use, drop/block everything else.
- Use strict host-header checking for web services on port 80/443, drop anything to 403/404 that doesn't have a valid host-header for the website(s) you're hosting.
- Move SSH and other remote admin servers to use a non-standard port. (legit, find a random port number between 9000-65535)
- If it doesn't need to be public, allow-list it with iptables.
Unfortunately DO and other providers will never have 100% legit traffic, it's just the nature of the Internet's noise floor.
Hope this helps you or someone else!
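The "strict host-header checking" point in the list above is easy to get subtly wrong: the Host value can carry a port, a trailing dot, mixed case, or a bare IP address (which is what most scanners send). This added example, not code from the commenter, shows a small normalizer plus a WSGI app that returns 403 for anything not in an allow-list. The `ALLOWED_HOSTS` names are constructed placeholders.

```python
import ipaddress
import re
from typing import Iterable, Optional

# One DNS label: letters, digits, hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_host(raw: Optional[str]) -> Optional[str]:
    """Return the canonical hostname from a Host header, or None if unusable.

    Strips an optional :port and trailing dot, lowercases, and rejects empty
    values, IP literals (v4 and bracketed v6) and syntactically invalid names.
    """
    if raw is None:
        return None
    value = raw.strip().lower()
    if not value or len(value) > 253:
        return None
    if value.startswith("["):          # IPv6 literal such as [::1]:8080
        return None
    host, sep, port = value.rpartition(":")
    if sep:
        if not port.isdigit():
            return None
        value = host
    try:
        ipaddress.ip_address(value)
        return None                    # bare IP: scanners hit the address, users use the name
    except ValueError:
        pass
    value = value.rstrip(".")
    if not value or not all(_LABEL.match(label) for label in value.split(".")):
        return None
    return value


def host_allowed(raw: Optional[str], allowed: Iterable[str]) -> bool:
    host = normalize_host(raw)
    return host is not None and host in {a.lower() for a in allowed}


ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed placeholders


def app(environ, start_response):
    """Minimal WSGI app: 403 unless the Host header names a site we actually serve."""
    if not host_allowed(environ.get("HTTP_HOST"), ALLOWED_HOSTS):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def respond(host_header: Optional[str]) -> str:
    """Drive the app in-process and return the status line it chose."""
    status = {}

    def start_response(s, headers):
        status["line"] = s

    environ = {} if host_header is None else {"HTTP_HOST": host_header}
    list(app(environ, start_response))
    return status["line"]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The same check belongs at the reverse proxy as well, where it is cheaper: in nginx, a catch-all `server` block marked `default_server` that answers unmatched names (the comment's 403/404, or nginx's connection-closing `return 444`) keeps address-based scans from ever reaching the application.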
There is a lot of blocking of AWS. Blocking inbound traffic to AWS would "break the internet" but outbound traffic is mostly automated systems which people don't like today -- despite the occasional desktop virtualization users.
I've self hosted my email on DO for over 10 years on the same IP address. I am registered with Gmail so they don't block. I sometimes get blocked by major sites from whom I receive spam. I am not a fan of group punishment which is what you advocate.
IP blocking is a losing battle. Malicious actors can easily hop onto residential proxies.
Why do you care about that traffic? What exploits are you worried about? The answers will help you figure out what protection you'll need to set up.
Depending on your app, yes, you can block DO. You can probably block all of AWS and GCP as well. You can take it further and block all non-residential ASNs.
You'll block some legit traffic, but the majority of normal users will not be affected.
What is the persona of your average user? Average people shopping online? None of them are connecting through weird ASNs.
Someone complaining about a VPN being blocked? It's cost-benefit, tell them tough shit.
We block all cloud CIDRs at a financial services firm for public customer facing infra.