Scaleway, formerly known as Online SAS (ASN AS12876, Locations: France, Netherlands and Poland), is a host for a multitude of bad actors who are constantly scraping our website and web-based clients for vulnerabilities. It is also a host, however, for good actors.
What criteria, tools, or data would you recommend that would help us decide whether we should block the noted ASN?
Note: Blocking affected IPs instead – individually or by range – is not an option for us (too many bad ones).
If you would like to see firsthand how bad the phishing and scraping is, block Scaleway (ASN12876) for a month. Babbar, for example, is one of several nasty bots hosted by Scaleway.
Why not make a firewall rule to issue managed challenges from that ASN? This way bots are likely to be blocked, but legitimate users can still connect to your site.
Scaleway, Hetzner, OVH, DigitalOcean… pretty much any cheap hosting is a major hassle when it comes to spam, attacks and other shapes of annoying traffic.
Block them? Sure; however, you might be blocking legitimate visitors that use those providers as a VPN.
Usually those IPs have a higher threat score. You could build a firewall rule that does:
if threat score > 0 AND bad_asn → Challenge.
if threat score > 5 AND bad_asn → Block.
Why 0 and 5? No specific reason; from my experience CF is very permissive when it comes to assigning a threat score… many “malicious” IPs have a threat score of 0. You could deploy the rules with the LOG action and see the behavior with different threat score values.
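One way to dry-run the two-tier rule suggested above over logged events before enforcing it, comparing candidate thresholds (an added example, not part of the original thread). The event tuples, their labels and ASN 64500 are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

BAD_ASNS = {12876}  # AS12876 (Scaleway), the ASN named in this thread

# Constructed sample events: (asn, threat_score, label). The label is a
# hypothetical manual classification, used only to measure collateral impact.
EVENTS = [
    (12876, 0, "bot"), (12876, 0, "user"), (12876, 1, "bot"),
    (12876, 3, "user"), (12876, 6, "bot"), (12876, 12, "bot"),
    (12876, 25, "bot"), (64500, 40, "bot"), (64500, 0, "user"),
]

def decide(asn, score, challenge_gt=0, block_gt=5):
    """Two-tier rule from the post. Block is checked first because any
    score above block_gt is also above challenge_gt."""
    if asn not in BAD_ASNS:
        return "allow"
    if score > block_gt:
        return "block"
    if score > challenge_gt:
        return "challenge"
    return "allow"

def simulate(events, challenge_gt=0, block_gt=5):
    """Count (action, label) pairs, as a log-only dry run would show."""
    tally = Counter()
    for asn, score, label in events:
        tally[(decide(asn, score, challenge_gt, block_gt), label)] += 1
    return tally

def sweep(events, pairs):
    """Summarise each candidate (challenge_gt, block_gt) threshold pair."""
    rows = []
    for c, b in pairs:
        t = simulate(events, c, b)
        rows.append({
            "challenge_gt": c, "block_gt": b,
            "bots_stopped": t[("block", "bot")] + t[("challenge", "bot")],
            "bots_missed": t[("allow", "bot")],
            "users_challenged": t[("challenge", "user")],
            "users_blocked": t[("block", "user")],
        })
    return rows

if __name__ == "__main__":
    for row in sweep(EVENTS, [(0, 5), (0, 10), (2, 5)]):
        print(row)
```

In the sample data, the score-0 bot from the listed ASN passes under every threshold pair, which is the gap the post describes when it says many malicious IPs carry a threat score of 0.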
Great suggestion. If the suggestion provided by @Cyb3r-Jak3 does not work well for us, we’ll definitely switch over to yours.
Mighty impressed with the firewall rule you suggested. Will keep it in mind for other bad actors as well.
No decision yet on a final solution. We would like to entertain other “creative” solutions – like yours – and report back later with test results and best solution.