upvote
> The last time a server was failing to handle the pressure, we decided to temporarily ban IPs from some Asian regions.

This is something we've been forced to do at work, a LOT. Some weeks it's Huawei Cloud, Tencent, and Alibaba. Other weeks it's all China Telecom. We're using Anubis where possible, but a lot of it is just whack-a-mole with residential proxies. I looked at Datadome and HUMAN, but they would be hundreds of thousands a year at our traffic scale, and I suspect may also have false positives. We abandoned CrowdSec for that reason as well.

I'd love to find a decent k8s native solution to this problem.

reply
iptables has been mostly a wrapper for nftables for some time now. The choice of iptables + ipset with reaction is the difference in their configuration. Compare restart performance between the ipset and nftables example configurations with lists of greater than 1 million IPs.
reply