Comment by Latty

9 hours ago

My first thought is that with CGNAT ever more present, this kind of approach seems like it'll have a lot of collateral damage.

Yeah, my setup is purely for my own security reasons and interests, so there's very little downside to my scorched earth approach.

I do, however, think that if there were a more widespread scorched earth approach then issues like those mentioned in the article would be much less common.

  • In such a world you can say goodbye to any kind of free Wi-Fi, anonymous proxy etc., since all it would take to burn an IP for a year is to run a port scan from it, so nobody would risk letting you use theirs.

    Fortunately, real network admins are smarter than that.

    • Pretty much. I think there's also a responsibility on the part of the network owner to restrict obviously malicious traffic. Allow anonymous people to connect to your network and then perform port scans? I don't really want any traffic from your network then.

      Yes, there are less scorched-earth ways of looking at this, but this works for me.

      As always, any of this stuff is heavily context specific. Like you said: network admins need to be smart, need to adapt, need to know their own contexts.

For people that implement it there's less than three people who use it, or agencies supporting it

  • CGNAT? That's definitely not true. There are whole towns that have to share one IP address. They're mostly in the third world.