On Sun, May 26, 2013 at 3:00 PM, Carlos Nepomuceno <carlosnepomuc...@outlook.com> wrote:
> ----------------------------------------
>> Date: Sun, 26 May 2013 14:31:57 +1000
>> Subject: Re: Python Magazine
>> From: ros...@gmail.com
>> To: python-list@python.org
> [...]
>> I expect that IP blocks will be upgraded to /64 block blocks, if that
>> starts being a problem. But it often won't, and specific IP address
>> blocks will still be the norm.
>>
>> ChrisA
>
>
> Blocking a whole network (/65) is totally undesirable and may even become
> illegal.

Blocking a /64 is exactly the same as blocking a /32 with NAT behind
it. And how could it be illegal? I provide service to those I choose
to provide to.

> Currently it may not only happen at the target of the DDoS attack, but be
> spread all over the internet where block lists are enforced.
>
> I don't expect that to happen and if it happens I'm surely in favor of
> protection against this type of 'solution' because it will block not only
> malicious clients but potentially many other legitimate clients.

Banning a wide netblock is of course going to lock out legit clients.
But IP rotation means that can happen anyway. You block a single IPv4
address that right now represents an abusive user; that user
disconnects and reconnects, gets a new IP, and someone else gets the
other one. Can happen all too easily. That's why IP-banning is at best
a temporary solution anyway.

ChrisA
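
The following is an added example, not part of the original message: a ban list that treats an IPv6 /64 as the unit of ban, the way a single /32 is for IPv4, and expires every ban after a TTL so a reassigned address is not locked out for long. The names `ban_key` and `BanList`, the 64-bit prefix constant, and the sample addresses (documentation ranges) are assumptions constructed for the illustration.

```python
import ipaddress

V6_BAN_PREFIX = 64  # assumption: one /64 per end site, as in the thread


def ban_key(addr):
    """Return the network a ban on this client address should cover."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is really an IPv4 client;
    # key it as IPv4 so a dual-stack listener cannot be used to dodge a ban.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = 32 if ip.version == 4 else V6_BAN_PREFIX
    # strict=False masks off the host bits instead of raising ValueError.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


class BanList:
    """Temporary bans keyed by network; 'now' is passed in as seconds."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._expires = {}  # network -> expiry timestamp

    def ban(self, addr, now):
        net = ban_key(addr)
        self._expires[net] = now + self.ttl
        return net

    def is_banned(self, addr, now):
        net = ban_key(addr)
        expiry = self._expires.get(net)
        if expiry is None:
            return False
        if now >= expiry:
            # The ban has lapsed: whoever holds the address now gets service.
            del self._expires[net]
            return False
        return True
```

Rotating the interface identifier inside the same /64 does not escape the ban, while a neighbouring /64 or a neighbouring IPv4 address is unaffected.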