DROPing an ASN with iptables

Danny Robson

Aug 25, 2025, 12:55:13 AM
to mlug-au
Hi all,

Recently, I received a notice that someone was hammering my server. It
turned out that someone(s) from an Alibaba-associated IP(s) (AS45102)
were letting loose misbehaving scrapers every hour; almost certainly AI
nonsense. (I've literally never seen these notifications before, and the
nginx logs had clearly fake details)

Later that night I wrote a *terrible* script that dropped those IPs with
`iptables`, `whois`, and some `bash`.

I know very little about iptables/nftables/etc. Is there a "correct" way
of doing this? (I know it's overkill, I just want them gone)

Cheers,
Danny Robson.

Manoj C Menon

Aug 25, 2025, 2:56:03 AM
to mlu...@googlegroups.com
Hi Danny,

This is exactly what fail2ban was built for. It even allows you to use regular expressions to intercept special patterns in the requests.

However, depending on what your situation is, a script might work better.

Are you by any chance planning to put it up on GitHub or other such sites? It might be interesting to see what your script looks like.

-Manoj.C
PS: You could also preempt such requests by relying on well-known malicious IP lists (like https://feodotracker.abuse.ch/blocklist/). But it can be a pain keeping them updated.

Malcolm Herbert

Aug 25, 2025, 4:00:58 AM
to mlug-au
... I smell an impromptu workshop/presentation incoming ... :)

--
Malcolm Herbert
mj...@mjch.net

Kevin Exton

Aug 26, 2025, 7:45:15 AM
to mlu...@googlegroups.com

Hi Danny,

Not sure if you have already tried this, but if the traffic is bursty enough you could rate-limit it with iptables, something like:

```
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 --connlimit-mask 16 -j DROP
```

Best,
Kevin
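
An added example, not part of the thread and not Danny's script: one common way to drop a whole ASN is to load its prefixes into an `ipset` and match that set with a single iptables rule, instead of adding one rule per prefix. It assumes the ASN's IPv4 route objects come from a RADB `whois` query (IRR data can lag what is actually announced); the set name `asn_block`, the function names and the sample prefixes are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: turn whois route objects for one ASN into an `ipset restore` script.

# Constructed sample of `whois -h whois.radb.net -- '-i origin AS45102'` output.
# The prefixes are documentation ranges, not real AS45102 routes.
SAMPLE_WHOIS='route:      198.51.100.0/24
descr:      constructed example
origin:     AS45102

route:      203.0.113.0/24
origin:     AS45102

route:      198.51.100.0/24
origin:     AS45102

route6:     2001:db8::/32
origin:     AS45102

route:      not-a-prefix
origin:     AS45102'

# Print the unique IPv4 prefixes from whois text on stdin. Lines that do not
# look like a.b.c.d/len are discarded so junk never reaches the firewall.
extract_v4_prefixes() {
    awk '$1 == "route:" { print $2 }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' |
        sort -u
}

# Print an `ipset restore` script that fills a temporary set and swaps it in,
# so the live set is never empty or half-loaded during a refresh.
build_restore() {
    local name="$1" tmp="${1}_new" prefix
    echo "create $name hash:net family inet"
    echo "create $tmp hash:net family inet"
    echo "flush $tmp"
    while read -r prefix; do
        echo "add $tmp $prefix"
    done
    echo "swap $tmp $name"
    echo "destroy $tmp"
}

# Apply on a real host (needs root; not run by this example):
#   whois -h whois.radb.net -- '-i origin AS45102' | extract_v4_prefixes \
#       | build_restore asn_block | ipset -exist restore
#   iptables -C INPUT -m set --match-set asn_block src -j DROP 2>/dev/null \
#       || iptables -I INPUT -m set --match-set asn_block src -j DROP
```

Re-running the pipeline from cron refreshes the set in place; the iptables rule is only inserted once because `-C` checks for it first.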
