Comment by BLKNSLVR
11 hours ago
Yeah, my setup is purely for my own security reasons and interests, so there's very little downside to my scorched earth approach.
I do, however, think that if there was a more widespread scorched earth approach then the issues like those mentioned in the article would be much less common.
Haha, nice, I run something similar.. But more manualy managed and I put those bans pernametly. Currneltly, there are 1360 blocks in drop list and growing. I never really remove them, because even those leased blocks move from one spam/abuse operator to another, so no big loss.
And indeed, if people would fight w/ spam/abuse better and more aggresivly, the problem would be much smaller. I dont care anymore, In my opinion Internet is done. Time to start building overlay networks with services for good guys...
In such a world you can say goodbye to any kind of free Wi-Fi, anonymous proxy etc., since all it would take to burn an IP for a year is to run a port scan from it, so nobody would risk letting you use theirs.
Fortunately, real network admins are smarter than that.
Pretty much. I think there's also a responsibility on the part of the network owner to restrict obviously malicious traffic. Allow anonymous people to connect to your network and then perform port scans? I don't really want any traffic from your network then.
Yes, there are less scorched-earth ways of looking at this, but this works for me.
As always, any of this stuff is heavily context specific. Like you said: network admins need to be smart, need to adapt, need to know their own contexts.
This is how you get really annoying restrictions on public networks, because some harmless traffic will inevitably be miscategorized by an overeager firewall/DPI system.
I’m not saying that there should be zero consequences for allowing bad traffic from your network, but there’s a balance, and I would hate a world in which your policy were more common.
Arguably we are already partially living in that world, as some companies are already blanket-banning entire countries, VPNs etc., rather than coming up with more fine-grained strategies or improving their authentication systems to make brute force login attempts harder. It’s incredibly annoying.
Do you feel coffee shop WiFi should require you to scan your passport to connect, or that it shouldn't exist at all?
5 replies →
If you actually wanted your site or service to be accessible you’d run in to issues immediately since once IP would have cycled between hundreds of homes in a year.
IP based bans have long been obsolete.
No, no they haven't. A bad behaving network still has to answer to 2-3 bad IPs, and if it doesn't.. it's obsolete.
https://news.ycombinator.com/item?id=47246044