Comment by bsder

20 hours ago

If we were all running IPv6, we could just block this crap.

But here we are in 2025 still running IPv4 with CGNAT, so we can't.

Not sure how this would work. If you blocked those IPv6 addresses, the mostly innocent companies and people that are now blocked will in short order be getting a new IPv6 address assigned by the ISP after a support call.

I was under the impression that these botnets still rely on vulnerable computers, which have a human that will be calling support asking for the issue to be resolved.

Then it needs an ISP to figure out the issue and ask the client to sort out their compromised computer, but it's unlikely the ISP will stop a paying customer from internet access, especially if it's not clear why their originally assigned IPv6 address is blocked.

What difference would it make?

  • You can block the specific offending IPs without collateral damage.

    CGNATs reuse IPs so any IP block rule fairly quickly becomes somebody else's IP that you shouldn't be blocking.

    If, however, you use IPv6, you don't need CGNAT and, while addresses may change, a blocked address won't suddenly get recycled to an unsuspecting user. In addition, if the allocation is static, you can block the whole network range and the problematic devices can't change their allocation sufficiently to escape the IP block.

    • While it would allow us to be more specific with the IPs, it would entail blocking 500,000 IPs, or more. That quickly becomes unmanageable as well.

      What I'd love to see is a service where websites could report abuse to ISPs, who would then take the misbehaving customers offline until their system or behavior is fixed. Right now there are zero incentives to take customers offline, neither for ISPs nor cloud providers.

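The two blocking strategies argued over above (block a static IPv6 delegation as a whole so a device cannot escape by changing host bits, versus short-lived IPv4 rules because a CGNAT address is reused by other subscribers, and the point that aggregating 500,000 addresses into prefixes shrinks the rule set) can be shown in code. This is an added example and not code from any commenter in the thread. It assumes the ISP delegates one /56 per customer (real delegation sizes vary, /48 to /64) and a 10-minute TTL for IPv4 entries; the offending addresses are constructed sample data in documentation ranges, not from any real incident.

```python
import ipaddress
import time

# Assumption for this example: the ISP delegates one /56 to each customer,
# so every address in that /56 belongs to the same subscriber. Real
# delegation sizes vary (/48 to /64); adjust V6_CUSTOMER_PREFIX to match.
V6_CUSTOMER_PREFIX = 56


def customer_prefix(addr, prefix_len=V6_CUSTOMER_PREFIX):
    """Map one IPv6 address to the delegated prefix it falls inside."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def aggregate_v6(addrs, prefix_len=V6_CUSTOMER_PREFIX):
    """Collapse a list of offending IPv6 addresses into the distinct
    customer prefixes behind them. Many hosts (or one host rotating its
    interface identifier) inside one prefix yield a single rule."""
    return sorted({customer_prefix(ipaddress.ip_address(a), prefix_len) for a in addrs})


class Blocklist:
    """IPv6 is blocked by delegated prefix with no expiry, since a static
    delegation cannot be escaped by changing host bits. IPv4 entries carry
    a short TTL because a CGNAT pool address is shared and gets reused by
    other subscribers, so a permanent rule would become collateral damage."""

    def __init__(self, v4_ttl=3600, now=time.time):
        self.v6_prefixes = set()
        self.v4_entries = {}  # ipaddress.IPv4Address -> expiry timestamp
        self.v4_ttl = v4_ttl
        self.now = now  # injectable clock so the expiry path can be exercised

    def block(self, addr_str):
        a = ipaddress.ip_address(addr_str)
        if a.version == 6:
            self.v6_prefixes.add(customer_prefix(a))
        else:
            self.v4_entries[a] = self.now() + self.v4_ttl

    def is_blocked(self, addr_str):
        a = ipaddress.ip_address(addr_str)
        if a.version == 6:
            return any(a in net for net in self.v6_prefixes)
        expiry = self.v4_entries.get(a)
        if expiry is None:
            return False
        if expiry <= self.now():
            del self.v4_entries[a]  # lapsed: the address may be someone else's now
            return False
        return True

    def rule_count(self):
        return len(self.v6_prefixes) + len(self.v4_entries)


# Constructed sample data (documentation prefixes), not from any real incident.
OFFENDERS_V6 = [
    "2001:db8:1234:ab00::1",
    "2001:db8:1234:ab01::5",    # same /56 as above, different /64
    "2001:db8:1234:abff:1::2",  # still the same /56
    "2001:db8:5678:100::9",     # a second customer
]


def demo(clock_start=1_000_000.0):
    """Run both cases and return the observations a caller can check."""
    t = [clock_start]
    bl = Blocklist(v4_ttl=600, now=lambda: t[0])
    for a in OFFENDERS_V6:
        bl.block(a)
    bl.block("198.51.100.7")  # IPv4 address seen abusing; may be CGNAT-shared
    results = {
        "v6_rules": len(bl.v6_prefixes),
        "v6_sibling_blocked": bl.is_blocked("2001:db8:1234:ab42::dead"),
        "v6_other_customer_blocked": bl.is_blocked("2001:db8:9999::1"),
        "v4_blocked_now": bl.is_blocked("198.51.100.7"),
    }
    t[0] += 601  # TTL lapses; a different subscriber may hold the address
    results["v4_blocked_later"] = bl.is_blocked("198.51.100.7")
    results["rules_after_expiry"] = bl.rule_count()
    return results


if __name__ == "__main__":
    print(aggregate_v6(OFFENDERS_V6))
    print(demo())
```

Four offending IPv6 addresses collapse into two /56 rules, and an address the attacker has never used but that sits inside a blocked delegation is caught anyway; the IPv4 rule silently lapses once its TTL passes, which is the trade-off the CGNAT objection forces. A linear scan over the prefix set is enough for illustration; a production list of this size would use a radix tree or an ipset-style kernel structure.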