by ggm 1894 days ago
What are you going to do, when the addresses are SAAS and your blacklist is now impinging your own use of FAANG and DC cloud hosted services?

What are you going to do when the addresses belong to the US mil and are being promiscuously misused by lots of ISPs?

What are you going to do about politically motivated and other non benign influences on the blacklist like wanting to boycott China?

(I work in a regional internet registry so I should declare my interest, I guess.)


A ton of sketchy stuff comes from people renting time on AWS, GCloud, or some other service provider. One of the ones OP lists -- 44.192.16.204 -- is an AWS ec2 instance. The other one, 52.224.55.198, looks to be an Azure IP served out of Virginia. Today they could be someone doing something sketchy, but tomorrow they could be assigned to completely legit users.

Sure, you could just block any IP that geolocates Russia, China, or whatever locale is the current worst nation-state actor, but IP blocking is worse than Sisyphean.

It's a bit extreme, but if your service/site is meant to be consumed by physical users (e.g. a B2C type app), you could probably block the entire IP ranges of all the major cloud providers to prevent this kind of behavior. They all publish their CIDRs online, so it wouldn't be difficult.
Wait until you find out how many people use VPN services whose end points are hosted in a cloud provider. IP address blocking is a fool's errand.
Maybe we don't filter by IP address, and instead filter requests based on known strings (or regex). That's what I'm currently doing. Ex. If the request includes '.env', blocked!

I'd love to implement a more aggressive strategy, rather than a reactive one. I'm currently finding myself going through server logs and adding new 'keywords' to the 'banned list'.
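A request filter of the kind this comment describes, combining the path-pattern blocklist with the cloud-range blocking suggested earlier in the thread. This is an added example, not code from anyone in the thread; the log lines and the CIDR ranges are constructed placeholders, not the providers' published lists.

```python
import ipaddress
import re
from typing import Optional

# Constructed placeholder ranges standing in for published cloud provider CIDRs.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("44.192.0.0/11"),  # constructed "AWS-like" range
    ipaddress.ip_network("52.224.0.0/12"),  # constructed "Azure-like" range
]

# Patterns anchored to a whole path segment: '/.env' and '/.env.bak' match,
# but a legitimate '/static/app.environment.js' does not (a plain substring
# check on '.env' would block it).
BLOCKED_PATH_PATTERNS = [
    re.compile(r"(^|/)\.env(\.|$)"),
    re.compile(r"(^|/)wp-login\.php$"),
]

# Common log format prefix: client ip, ident, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample log lines (the two addresses are the ones quoted in the thread).
SAMPLE_LOG = [
    '44.192.16.204 - - [01/Jan/2020:00:00:00 +0000] "GET /.env HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Jan/2020:00:00:01 +0000] "GET /static/app.environment.js HTTP/1.1" 200 512',
    '52.224.55.198 - - [01/Jan/2020:00:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Jan/2020:00:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 10',
]

def parse_line(line: str) -> Optional[dict]:
    """Return ip/method/path for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def block_reason(line: str) -> Optional[str]:
    """Return why a request would be blocked, or None if it is allowed."""
    req = parse_line(line)
    if req is None:
        return "unparseable line"
    path = req["path"].split("?", 1)[0]  # ignore the query string
    for pat in BLOCKED_PATH_PATTERNS:
        if pat.search(path):
            return f"path matches {pat.pattern}"
    try:
        addr = ipaddress.ip_address(req["ip"])
    except ValueError:
        return "bad source address"
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return f"source in {net}"
    return None

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(block_reason(entry) or "allowed", "<-", entry.split('"')[1])
```

The third sample line is allowed by the path rules but blocked purely for its source range, which is exactly the case the thread warns about: a legitimate user behind a cloud-hosted VPN endpoint gets caught too.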

You could just use ModSecurity locally on whatever's between the internet and your web application if you insist something external like Cloudflare is out of your control.

https://github.com/SpiderLabs/ModSecurity

But bogging this up at the application level is not going to work in anyone's favour.

Yeah, you're talking about what software like SolarWinds intrusion detection is supposed to do. How well did that work for them?
What's wrong with wanting to boycott China?
Start with your phone and computer.
Manufacturing is already leaving China in droves, which is awesome. I only buy Apple devices and they have been putting a lot of effort into getting out. I hope everyone else follows suit. China is a dangerous, insane dictatorship that is a threat to humanity.