My first thought is that with CGNAT ever more present, this kind of approach seems like it'll have a lot of collateral damage.
reply
Yeah, my setup is purely for my own security reasons and interests, so there's very little downside to my scorched earth approach.

I do, however, think that if there was a more widespread scorched earth approach then the issues like those mentioned in the article would be much less common.

reply
In such a world you can say goodbye to any kind of free Wi-Fi, anonymous proxy etc., since all it would take to burn an IP for a year is to run a port scan from it, so nobody would risk letting you use theirs.

Fortunately, real network admins are smarter than that.

reply
Pretty much. I think there's also a responsibility on the part of the network owner to restrict obviously malicious traffic. Allow anonymous people to connect to your network and then perform port scans? I don't really want any traffic from your network then.

Yes, there are less scorched-earth ways of looking at this, but this works for me.

As always, any of this stuff is heavily context specific. Like you said: network admins need to be smart, need to adapt, need to know their own contexts.

reply
Do you feel coffee shop WiFi should require you to scan your passport to connect, or that it shouldn't exist at all?
reply
Not OP, but the latter sounds pretty good actually, yeah. Never understood the free WiFi craze anyways. Just use cellular?
reply
And you should require your passport to get one of those?
reply
If you actually wanted your site or service to be accessible you’d run into issues immediately since one IP would have cycled between hundreds of homes in a year.

IP based bans have long been obsolete.

reply
No, no they haven't. A badly behaving network still has to answer to 2-3 bad IPs, and if it doesn't.. it's obsolete.

https://news.ycombinator.com/item?id=47246044

reply
For people that implement it there's less than three people who use it, or agencies supporting it
reply
CGNAT? That's definitely not true. There are whole towns that have to share one IP address. They're mostly in the third world.
reply
> can accept that as the cost of security sometimes

And corporate IT wonders why employees are always circumventing "security policies"...

reply
Additional explanation: this is primarily a personal setup.

There would be a lot of refinement and contingencies to implement something like this for corporate / business.

Having said that, I still exist on the ruthless side of the blocking equation. I'd generally prefer some kind of small allow list than a gigantic block list, but this is how it's (d)evolved.

reply
How is this better than blocking after a certain quantity in a range of time instead?

Single queries should never be harmful to something openly accessible. DOS is the only real risk, and blocking after a certain level of traffic solves that problem much better with less possibility of a false positive, and no risk to your infrastructure, either.

reply
I perma-ban any /16 that hits fail2ban 100+ times. That cuts down dramatically on the attacks from the usual suspects.
reply
I haven't manually reviewed my lists for a while, but I did similar checks for X IP addresses detected from within a /24 block to determine whether I should just block the whole /24.

Manual reviewing like this also helped me find a bunch of organisations that just probe the entire IPv4 range on a regular basis, trying to map it for 'security' purposes. Fuck them, blocked!

P.S. I wholeheartedly support your choice of blocking for your reasons.

reply
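The two escalation rules described in the comments above (perma-ban a /16 after 100+ fail2ban hits; block a /24 once X addresses inside it have been detected), as an added sketch that is not code from any commenter. Assumptions: X is 3, the input is (IPv4 address, hit count) pairs, the sample data is constructed from documentation and benchmark ranges, and an allow list is included so a prefix you connect from yourself is never escalated.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source IPv4, fail2ban hit count). Not real data.
SAMPLE_BANS = [
    ("198.18.4.10", 60), ("198.18.200.7", 45),                    # 105 hits in one /16
    ("203.0.113.5", 2), ("203.0.113.9", 2), ("203.0.113.77", 2),  # 3 hosts in one /24
    ("198.51.100.1", 5), ("198.51.100.2", 5), ("198.51.100.3", 5),
    ("192.0.2.44", 1),                                            # lone offender
]

def escalate(bans, prefix_len, min_hosts=0, min_hits=0, allow=()):
    """Return the sorted IPv4 networks of the given prefix length whose
    distinct offending hosts and total hits both meet the thresholds.
    Any candidate overlapping an allow-listed network is skipped."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    hosts, hits = defaultdict(set), defaultdict(int)
    for ip, count in bans:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts[net].add(ip)
        hits[net] += count
    picked = []
    for net in hosts:
        if len(hosts[net]) < min_hosts or hits[net] < min_hits:
            continue
        if any(net.overlaps(a) for a in allow_nets):
            continue  # never widen a ban over a network we rely on
        picked.append(net)
    return sorted(picked)

def block_plan(bans, allow=(), x_hosts=3, hits_16=100):
    """Combine both rules; drop /24s already covered by a banned /16."""
    wide = escalate(bans, 16, min_hits=hits_16, allow=allow)
    narrow = escalate(bans, 24, min_hosts=x_hosts, allow=allow)
    narrow = [n for n in narrow if not any(n.subnet_of(w) for w in wide)]
    return [str(n) for n in wide + narrow]

if __name__ == "__main__":
    # 198.51.100.0/24 stands in for a network the admin connects from.
    for prefix in block_plan(SAMPLE_BANS, allow=["198.51.100.0/24"]):
        print(prefix)
```

The output is only a list of prefixes; where those entries sit relative to "established" and VPN or port-knock rules in the firewall is a separate decision.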
> bunch of organisations that just probe the entire IPv4 range on a regular basis

Yep, #1 source of junk traffic, in my experience. I set those prefixes to go right into nullroute on every server I set up:

https://raw.githubusercontent.com/UninvitedActivity/Uninvite...

#2 are IP ranges of Azure, DO, OVH, vultr, etc... A bit harder to block those outright.

reply
Sounds like a great idea until you ever try to connect to your own servers from a network with spammy neighbors.
reply
Back in the day - port knocking was a perfect fit for this eventuality.

Nowadays, WireGuard would probably be a better choice.

(both of the above, of course, assume one is to do a sensible thing and add "perma-bans" a bit lower in firewall rules, below "established" and "port-knock")

reply
Good network admins have contingencies for contingencies for contingencies.
reply
Nice, thanks for the link. Good to be ruthless about those things when you can.
reply
How often do you ask for probes or scans?
reply