Ban me at the IP level if you don't like me

IP Blocking, Geoblocking, and ASNs

  • Many operators increasingly block entire countries (often China, Russia) or cloud ASNs (Tencent, Alibaba, etc.) to cut 80–95% of malicious traffic with minimal effort.
  • Some small/local businesses whitelist only domestic ISPs or regions; others block non‑US or non‑local IPs if they see no business upside abroad.
  • Tools like MaxMind, IP2Location, IPinfo, Team Cymru, BGP/ASN lookup sites, and Cloudflare geo features are widely used to derive country/ASN-based rules.
  • Critics note this can become an “AS death penalty” and may be hard to maintain as providers constantly reshuffle prefixes.

Residential Proxies, CGNAT, and VPNs

  • A core objection: bad actors increasingly use residential proxies, CGNAT and mobile carriers, so IP blocking risks harming legitimate users while abusers rotate IPs.
  • Others argue short‑lived or /64–/48 IPv6 bans and auto‑expiring blocks make collateral damage acceptable, especially for non‑critical or local services.
  • There’s debate on whether blocking residential proxies is desirable “pressure” on ISPs/users or an unfair externality on innocent customers and travelers.
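
The /64–/48 IPv6 bans with automatic expiry mentioned above, sketched as an added example that is not code from the discussion: bans are stored per IPv6 /64 (a single client usually controls the whole /64, so per-address bans are trivially rotated around), escalate to the enclosing /48 once several of its /64s are banned, and lapse after a TTL to limit collateral damage. The class name, TTL and escalation threshold are assumptions chosen for illustration.

```python
import ipaddress
import time


class ExpiringBlocklist:
    """Hypothetical helper: auto-expiring bans on IPv4 /32 and IPv6 /64, escalating to /48."""

    def __init__(self, ttl=3600, escalate_after=4, clock=time.monotonic):
        self.ttl = ttl                        # seconds until a ban lapses (assumed value)
        self.escalate_after = escalate_after  # banned /64s in one /48 before banning the /48
        self.clock = clock
        self.bans = {}                        # network -> expiry timestamp

    @staticmethod
    def _addr(addr):
        ip = ipaddress.ip_address(addr)
        # Treat ::ffff:a.b.c.d as the IPv4 client it really is.
        return ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip

    @staticmethod
    def _net(ip, v6_prefix=64):
        prefix = 32 if ip.version == 4 else v6_prefix
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def _purge(self):
        now = self.clock()
        self.bans = {n: t for n, t in self.bans.items() if t > now}

    def ban(self, addr):
        """Ban the client's network and return the network actually blocked."""
        self._purge()
        ip = self._addr(addr)
        net, expiry = self._net(ip), self.clock() + self.ttl
        self.bans[net] = expiry
        if ip.version == 6:
            parent = self._net(ip, 48)
            siblings = [n for n in self.bans
                        if n.version == 6 and n.prefixlen == 64 and n.subnet_of(parent)]
            if len(siblings) >= self.escalate_after:
                for n in siblings:            # collapse the /64 entries into one /48
                    del self.bans[n]
                self.bans[parent] = expiry
                return parent
        return net

    def is_blocked(self, addr):
        self._purge()
        ip = self._addr(addr)
        return any(n.version == ip.version and ip in n for n in self.bans)
```

The `bans` mapping can be exported periodically to a firewall set or web-server deny list; because expired entries are purged on every call, a stale export is the only way a ban outlives its TTL.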

Bot Behavior and Impact

  • Reports of aggressive crawlers: thousands to hundreds of thousands of requests per day, hammering code-hosting for diffs/snapshots, forums, wikis and blogs.
  • Many disregard robots.txt, use vast IP pools (cloud + residential), spoof User‑Agents, or even hit non‑HTTP ports; some large AI/LLM and social/big‑tech bots are seen as especially noisy.
  • For simple static sites this is often just log noise; for dynamic or diff-heavy endpoints it can overload CPUs, caches and disks.

Mitigations and Defense Strategies

  • Common tactics:
    • Firewall/WAF rules by IP/ASN/country.
    • Fail2ban, tarpits, rate limiting, slow responses, port knocking, moving SSH, blocking unused ports.
    • Special handling of suspicious URLs (e.g., query params, certain paths) or “notbot” query flags.
    • Serving junk or zip bombs to bad UAs; others argue this still wastes bandwidth and adds complexity.
  • Some advocate allowlist-style architectures (identity‑aware proxies, tokenized gatekeepers, VPN-like access) for personal or small sites.
  • Others see this as an endless whack‑a‑mole and argue the long‑term answer is more efficient applications and infrastructure.

Whitelists, Shared Lists, and Central Repos

  • There are attempts to curate “good bot” lists and country/ASN CIDR sets; some run personal good/bad/data‑center lists feeding nginx or rate limiters.
  • Calls for a neutral, industry‑run bad-IP registry are tempered by concerns over staleness, overlap with legitimate traffic, and xkcd‑style proliferation of competing standards.

Collateral Damage, Ethics, and Law

  • Travelers and VPN users describe severe friction: blocked from buying tickets, cancelling subscriptions, or accessing support when abroad or behind foreign IPs.
  • There’s an extended side debate on card‑network chargebacks and whether geoblocking or blocking cancellation paths is compliant or ethical.
  • Philosophically, many assert “my server, my rules”: HTTP is merely a request, responses are optional; others worry about a fragmented, hostile “intranet” where over‑blocking and pseudo‑security dominate.