If you are storing blocks per single IP, that won't scale (storage-wise, or for searching the list/table; just a bitmap of the whole IPv6 space is 10^19 exabytes! [2^128 bits in EiB]). If you aggressively block whole ranges, you will most likely end up blocking a lot of legitimate potential users.

I also, to be honest, don't think permabans are useful. The IPs are constantly being recycled, so by permabanning you end up with addresses that may be recycled to a legitimate use being blocked, and then you get to troubleshoot why your system doesn't work for them. I like the fail2ban approach of blocking for a certain limited time period after bad behavior was detected; with IPv6 you may want to add some range detection on top of that to block a whole /64 after more than X abuses were detected from more than X different addresses in the range, but even that I would time-limit.

Just my 2c,
Eli

PS - even just blocking based on /64 networks is unrealistic: 2^64 bits in EiB = 2 EiB.

On Wed 4 Dec 2024 at 16:21, Marc <m...@f1-outsourcing.eu> wrote:
> I hope nobody minds me addressing this off-topic question.
>
> I was thinking about adding IPv6, and when I got a range to try with, I was actually surprised how many I got. This made me wonder how many IPv6 addresses are being used and how many IPv4.
>
> Having these IPv6 addresses so abundantly available made me also think about how I have currently arranged my abuse mitigation. Currently I am having ipsets for different segments and use a sort of honeypot approach: anything automated that scans for vulnerabilities in WordPress or weird files and ignores the robots.txt is getting blocked.
>
> Such an approach will lead over the years to you blocking most of Azure, Google, Amazon, Digital Ocean, .cn etc.
>
> I don't think this will go well for IPv6 to be honest. If there are so many out there, my ipsets will grow even bigger.
>
> I was wondering how others are solving this?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
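The time-limited, /64-aggregated blocking Eli describes above, written out as an added example that is not part of the original thread or of fail2ban itself; the thresholds, window lengths and class/function names are assumptions, and IPv4 is kept per address since the thread only discusses /64 aggregation for IPv6.

```python
import ipaddress
from collections import defaultdict, deque
# Added example, not Eli's or the list's code: fail2ban-style time-limited bans with
# the /64 escalation described above. Thresholds and names are hypothetical.
WINDOW = 600          # seconds of abuse history kept per address or /64
BAN_SECONDS = 1800    # every ban expires; nothing is permanent
PER_IP_ABUSES = 3     # ban one address after MORE than this many abuses in WINDOW
RANGE_ABUSES = 6      # ban a whole /64 after MORE than this many abuses in WINDOW ...
RANGE_DISTINCT = 3    # ... coming from MORE than this many distinct addresses in it

class AbuseTracker:
    def __init__(self):
        # Only misbehaving addresses/ranges are stored: memory follows observed abuse.
        self.events = defaultdict(deque)   # address or /64 -> abuse timestamps
        self.seen = defaultdict(dict)      # /64 -> {address: last abuse time}
        self.bans = {}                     # address or /64 -> ban expiry time

    @staticmethod
    def keys_for(ip):
        # Lookup keys: the address itself plus, for IPv6, the /64 it belongs to.
        addr = ipaddress.ip_address(ip)
        keys = [str(addr)]
        if addr.version == 6:
            keys.append(str(ipaddress.IPv6Network((addr, 64), strict=False)))
        return keys

    def record_abuse(self, ip, now):
        keys = self.keys_for(ip)
        for key in keys:                   # drop history older than WINDOW, add event
            q = self.events[key]
            while q and now - q[0] > WINDOW:
                q.popleft()
            q.append(now)
        if len(self.events[keys[0]]) > PER_IP_ABUSES:
            self.bans[keys[0]] = now + BAN_SECONDS
        if len(keys) == 2:                 # /64 escalation applies to IPv6 only
            rng = keys[1]
            self.seen[rng][keys[0]] = now
            distinct = sum(1 for t in self.seen[rng].values() if now - t <= WINDOW)
            if len(self.events[rng]) > RANGE_ABUSES and distinct > RANGE_DISTINCT:
                self.bans[rng] = now + BAN_SECONDS

    def is_blocked(self, ip, now):
        for key in self.keys_for(ip):
            expiry = self.bans.get(key)
            if expiry is not None:
                if now < expiry:
                    return True
                del self.bans[key]         # expired ban: the address is usable again
        return False
```

A never-seen address inside a banned /64 is blocked while the range ban lasts, and every ban, per address or per range, falls away on its own once its expiry passes.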