Is this the wrong approach? A losing battle of whack-a-mole?
FWIW I get a not-insignificant amount of malicious traffic from AWS, Azure, and Google but I view these providers as "too big to block" - I can't blacklist large swaths of their IP space without breaking the Internet.
Why do you care about that traffic? What exploits are you worried about? The answers will help you figure out what protection you'll need to set up.
- Only keep open ports/forward ports for applications you use, drop/block everything else.
- Use strict host-header checking for web services on port 80/443, drop anything to 403/404 that doesn't have a valid host-header for the website(s) you're hosting.
- Move SSH and other remote admin servers to use a non-standard port. (legit, find a random port number between 9000-65535)
- If it doesn't need to be public, allow-list it with iptables.
Unfortunately DO and other providers will never have 100% legit traffic, it's just the nature of the Internet's noise floor.
Hope this helps you or someone else!
At least it's a short list.
ecb_penguin•1d ago
You'll block some legit traffic, but the majority of normal users will not be affected.
What is the persona of your average user? Average people shopping online? None of them are connecting through weird ASNs.
Someone complaining about a VPN being blocked? It's cost-benefit, tell them tough shit.