
I do this sort of thing, but I'm listening on a few /16s.

1% is a pretty low threshold. There are some v4 networks out there that are complete garbage. If I was going to do something like that I'd start at closer to 90%: 230 hosts on a /24.

  $ select subnet, count(distinct(cidr)) as unique_sources
      from (select set_masklen(cidr,16) as subnet, cidr
              from stuff
             where why like 'SSH%' and added > '2017-08-01') as foo
     group by subnet
     order by unique_sources desc
     limit 20;
       subnet     | unique_sources
  ----------------+----------------
   181.211.0.0/16 |          11688
   190.214.0.0/16 |           8486
   31.162.0.0/16  |           8454
   181.196.0.0/16 |           7994
   181.113.0.0/16 |           7892
   188.16.0.0/16  |           7294
   94.51.0.0/16   |           6384
   188.19.0.0/16  |           6077
   31.163.0.0/16  |           5905
   178.47.0.0/16  |           5788
   201.178.0.0/16 |           5620
   190.48.0.0/16  |           5179
   188.17.0.0/16  |           4893
   201.179.0.0/16 |           4812
   188.18.0.0/16  |           4266
   186.178.0.0/16 |           4208
   5.141.0.0/16   |           4203
   186.129.0.0/16 |           3858
   181.112.0.0/16 |           3836
   190.174.0.0/16 |           3836

I think some of those networks are using CGN and have a much smaller number of actually compromised hosts. ISPs generally just don't give a shit about security.



I don't see why a residential user should be worried about residential users from other ISPs being able to reach their machine usually. I suppose it would be problematic for torrenting and maybe gaming (depending on architecture of the game). But I imagine my grandmother couldn't care less if some other grandmother couldn't connect to her network directly.

90% seems really high... you'd really wait until 230 of 255 possible hosts have attempted a break-in before deciding they were on a network too dangerous to preserve your accessibility from? Are there a lot of networks where 90% of the boxes are launching attacks, but 10% have legitimate need to connect to your personal home machine?
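
Added example, not written by anyone in this thread: a sketch of the per-subnet threshold being debated above, counting distinct attacking sources per subnet and flagging a subnet for a blocklist only once the fraction of its address space seen attacking reaches the threshold. The function name `noisy_subnets`, its parameters and the sample addresses (documentation ranges) are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict


def noisy_subnets(sources, prefix_len=24, threshold=0.90):
    """Return {subnet: (distinct_hosts, fraction)} for every subnet whose
    share of distinct attacking addresses is at or above `threshold`."""
    seen = defaultdict(set)
    for raw in sources:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # malformed log field, ignore it
        if ip.version != 4:
            continue  # the thread is about v4 networks only
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        seen[net].add(ip)  # a set, so repeat offenders count once

    flagged = {}
    for net, hosts in seen.items():
        fraction = len(hosts) / net.num_addresses
        if fraction >= threshold:
            flagged[str(net)] = (len(hosts), fraction)
    return flagged


# Constructed sample: one heavily affected /24, one lightly affected,
# one with a single source, plus a junk field.
SAMPLE = (
    [f"198.51.100.{i}" for i in range(1, 241)]            # 240 distinct hosts
    + ["203.0.113.5", "203.0.113.9", "203.0.113.77",
       "203.0.113.5"]                                     # 3 distinct, 1 repeat
    + ["192.0.2.10", "not-an-ip"]
)

if __name__ == "__main__":
    for t in (0.01, 0.90):
        print(f"threshold {t:.0%}:")
        for subnet, (hosts, frac) in sorted(noisy_subnets(SAMPLE, 24, t).items()):
            print(f"  {subnet:<18} {hosts:>4} hosts  {frac:.1%}")
```

At a 1% threshold three sources are enough to flag a whole /24; at 90% only the subnet with 240 distinct sources qualifies. Addresses behind CGN, as raised in the first comment, make the distinct-source count an upper bound on subscribers rather than a count of compromised hosts.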


It's problematic because plenty of people host websites and other network services on their own infrastructure at home / work, all in the residential IP space.


If you don't care about ingress connections, then you don't need blocklists anyway. You just keep everything behind NAT or a stateful firewall.


You may as well just block LACNIC IPs wholesale and save the trouble at this point.



