upvote
The problem is when you block those "residential proxy bots" you also block real people who just happen to have a dumb teenager on their network playing some free games that are monetized by proxies.

The only real solution to bots is making users log in. And even then you have to fight registration bots.

reply
I get what you mean. It happens all the time when some clown trashes an IP's reputation and Cloudflare or Google will send the next lease of that IP into crosswalk fire-hydrant bus traffic light purgatory.

That's why I eventually let those go usually after a kernel update and the git repo for FireHOL gets updated often. The kernels get updated often. I only perma-ban the data-centers which is fine for my silly blog and probably for some peoples hobby sites. People can chose which methods to apply, how to apply them or which ones to skip entirely.

Excellent username btw. Those SNL Celebrity Jeopardy episodes are unforgettable. [1]

[1] - https://www.youtube.com/watch?v=bEghu90QJH4

reply
I would like to learn more how you maintain your table of IP ranges (or CIDR block). How do you decide when to add/remove a range?

I'm most concerned about blocking innocent users, currently I use Cloudflare to block known bad ASNs using a list I found on GitHub.

reply
How do you decide when to add/remove a range?

The only IP's that come and go are the Tor 30 day blocklist and a couple FireHOL attackers from a repo though I will sometimes leave the last entries live until reboot. I do not really need to block tor but I use this silly blog as a testing ground. Tor and some known abusers come from a git repo I refresh periodically.

The data-centers, VPS providers, CDNs, known botnets are perma-banned. For my hobby nodes I personally find this acceptable. I would not do this in a professionally managed data-center. There are better methods for those cases especially for B2B corporate arrangements. Regardless of what daemons I run I never have external dependencies that need to be accessed from my node or from the client with exception of stratum-1 time servers.

I do have to periodically update the CIDR blocks for given ASN's. I have not automated this but I probably should some day. It's not hard to automate, I am just excessively "efficient". I was told to stop calling myself lazy, but I am.

Methods 2, 3 and 5 are the ones I talk about here. [1]

[1] - https://nochan.net/b/Internet-Crap/20260606-How-To-Block-Som...

reply
Thank you for including a link to your blog, very useful read.
reply