Learnings: Identifying and getting rid of unwanted traffic

Why? I don't have an issue with spam or spammers signing up successfully on my forum. This kind of annoyance is handled 100% successfully by the spaminator series of @Ozzy47 on my forums, as I laid out earlier. So what exactly would Xon's add-on be good for in the topic of this thread?
To be fair, it's our primary tool to filter out various ASNs upon registration. We found that ASN blocks are not 100% in some cases where data is (or is not) updated at the IP level. However, using the ASN configuration in Xon's add-on, we catch 100% of the ASNs we have on our absolutely-do-not-want list. We update data as we find holes, but Xon's tool(s) are the icing on the cake to prevent anyone from registering from a blocked ASN. Anyway, we elected to add his tool to the arsenal because it employed ASN-level exams and rules.

We have blocks at the OS/network layer, border (ingest) and app layers (XF and other business apps where needed). It's basically set at the level of severity. The major issue we came across was people who were traveling and using temp SIMs or eSIMs... these nonsensical providers route those temp cards through various dirty connections on some of the blocked ASNs. (I know, I got myself blocked by using a temp SIM while in Australia and a few other countries...)
 
Xon's tool(s) are the icing on the cake
Absolutely, on many occasions.

Anyway, we elected to add his tool to the arsenal because it employed ASN-level exams and rules.
I may do that as well, but only later and as a bonus on top of the multi-account feature that I'm somewhat after.
The major issue we came across was people who were traveling and using temp sim or esims...
Traveling forum members are the main reason why I am not even more rigid in blocking areas.
 
Here's a list of the top ASNs that were blocked by my firewall settings - the vast majority of this blocked traffic did indeed come from that Microsoft Datacenter ASN:

[Screenshot: list of top blocked ASNs from the firewall logs]
As I dive deeper and deeper into the unknown, the more noise gets blocked successfully, the more of those come to the surface that had managed to hide successfully until now. Being aware of your screenshot I was curious whether I would find the same players, and I did for the most part: there is a little bit of Hetzner in my logs, but not much. However, Huawei Cloud is a big and very nasty one. Someone from there seems to slowly but steadily suck down my forum contents, using a huge range of different IPs and an equally huge set of different user agents, claiming to be normal browsers:
[Screenshot, 2025-05-04: Huawei Cloud requests spread over many IPs and browser-like user agents]

Whoever does this is not in a hurry and rather tries to hide by acting very slowly and distributed, and by hiding the fact that a bot is used. So the next job will be to block the Huawei Cloud IPs at scale as well as possible, which sounds like a lot of manual work (all the more so as the whois database is inaccurate and fails to display wider parts of these IP ranges correctly: ARIN says they have been delegated to RIPE and RIPE says "we don't know a thing", so manual work is involved as bigger parts of the IP ranges have fallen into a kind of black hole).
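Added example (not code from anyone in this thread, and not part of Xon's or Ozzy47's add-ons): the kind of per-ASN profiling of an access log that surfaces a crawler like the one described above, which hides by spreading one page load per IP across a large address pool and a rotating set of browser user agents. The combined-format log lines, the prefix-to-ASN table and the ASN holder names below are constructed for the example (documentation prefixes and private-range ASNs); a real run would read the web server's access log and an IP-to-ASN dataset. The last function emits the flagged ASN's announced prefixes as CIDRs, i.e. the block-at-scale step rather than chasing individual IPs.

```python
"""Per-ASN profiling of an access log to spot a slow, distributed scraper.

Added example, not code from the thread. Log lines, prefix-to-ASN table and
holder names are constructed; a real run reads the access log and an
IP-to-ASN dataset (RIR bulk data or a commercial ASN database).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed prefix -> (ASN, holder) table. Prefixes are RFC 5737
# documentation ranges and ASNs are private-range (RFC 6996): no real allocations.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "EXAMPLE-CLOUD-A"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "EXAMPLE-CLOUD-B"),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "EXAMPLE-ISP"),
]

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def lookup_asn(ip):
    """First match is enough here; with real data use longest-prefix match."""
    addr = ipaddress.ip_address(ip)
    for net, asn, holder in ASN_TABLE:
        if addr in net:
            return asn, holder
    return None, "UNKNOWN"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "ua": m["ua"]}


def profile_by_asn(lines):
    """Aggregate hits, distinct IPs, distinct user agents and time span per ASN."""
    per_asn = defaultdict(lambda: {"ips": set(), "uas": set(), "hits": 0,
                                   "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = per_asn[lookup_asn(rec["ip"])]
        p["ips"].add(rec["ip"])
        p["uas"].add(rec["ua"])
        p["hits"] += 1
        p["first"] = rec["ts"] if p["first"] is None else min(p["first"], rec["ts"])
        p["last"] = rec["ts"] if p["last"] is None else max(p["last"], rec["ts"])
    return per_asn


def classify(p, min_ips=10, min_uas=5, max_hits_per_ip=3.0):
    """Many IPs and user agents but few hits per IP: a bot spreading itself thin.
    One IP hammering within minutes: the plain kind of bot."""
    hits_per_ip = p["hits"] / len(p["ips"])
    if len(p["ips"]) >= min_ips and len(p["uas"]) >= min_uas and hits_per_ip <= max_hits_per_ip:
        return "distributed-scraper"
    if len(p["ips"]) == 1 and p["hits"] >= 20 and p["last"] - p["first"] <= timedelta(minutes=5):
        return "single-ip-burst"
    return "normal"


def find_scrapers(lines):
    """Map ASN holder name -> verdict."""
    return {holder: classify(p) for (asn, holder), p in profile_by_asn(lines).items()}


def blocklist_prefixes(flagged_holders):
    """Block the whole ASN's announced prefixes, not only the IPs seen so far:
    CIDRs ready to load into an ipset/nft set or a WAF rule."""
    return sorted(str(net) for net, asn, holder in ASN_TABLE if holder in flagged_holders)


def build_sample_log():
    """Constructed lines: a crawler spread over 40 IPs and 20 browser user agents
    (one request each, 10 minutes apart), one single-IP bot, two human visitors."""
    base = datetime(2025, 5, 4, 0, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /threads/{n}/ HTTP/1.1" 200 4321 "-" "{ua}"'
    browsers = [f"Mozilla/5.0 (Windows NT 10.0; rv:{v}.0) Gecko/20100101 Firefox/{v}.0"
                for v in range(100, 120)]
    lines = []
    for i in range(40):
        ts = (base + timedelta(minutes=10 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip=f"203.0.113.{i + 1}", ts=ts, n=i, ua=browsers[i % 20]))
    for i in range(30):  # one IP, 30 requests in two minutes
        ts = (base + timedelta(seconds=4 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, n=i, ua="python-requests/2.31"))
    for i in range(6):   # two members reading a few threads each
        ts = (base + timedelta(minutes=3 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.0.2.10", ts=ts, n=i, ua=browsers[0]))
        lines.append(fmt.format(ip="192.0.2.11", ts=ts, n=i + 50, ua=browsers[1]))
    return lines


if __name__ == "__main__":
    verdicts = find_scrapers(build_sample_log())
    for holder, verdict in verdicts.items():
        print(f"{holder:16} {verdict}")
    flagged = [h for h, v in verdicts.items() if v != "normal"]
    print("block:", blocklist_prefixes(flagged))
```

The thresholds in `classify` are assumptions to tune against your own traffic: a large ISP or a CGNAT pool also shows many IPs and user agents, but real members produce far more than one hit per IP, which is why hits-per-IP is the deciding ratio. Keying on the ASN rather than on single IPs is also what makes the whois black hole mentioned above less painful: the prefixes you block come from the routing view (who announces the range), not from the delegation records.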
 