Suggestion: Increase number of items for Custom Lists

What is the name of the domain?

What is the issue you’re encountering?

10.000 items is not enough for an IP List

What steps have you taken to resolve the issue?

Suggestion

What are the steps to reproduce the issue?

Please, increase the number of items for Custom Lists to more than 10.000 items in the FREE Cloudflare plan. 10.000 items for an IP List is not enough. It should be at least 50.000 items to properly manage a good IP list.

Have you tried using CIDR notation for entries in your lists?

This could massively reduce the number of entries required

Or if you are using a list to block entries, add the ASNs to Security, WAF, Tools


CIDR notation is not a good idea because you might end up blocking IPs that you don’t want.

Right now I am using the ASN blocking via Security, WAF, Tools, but that is a very restrictive and broad measure.

Ideally, it should be possible to handle more than 10.000 IPs in the Free plan.

If you are going to try to block at individual IP level you will need way more than 50,000 entries.

Just some examples of the worst of the worst ASNs:

AS8075 = Number of IPv4 = 65,685,248, Number of IPv6 = 1.11 × 10^31
AS22612 = Number of IPv4 = 75,776, Number of IPv6 = 7.93 × 10^28
AS206216 = Number of IPv4 = 3,584, Number of IPv6 = 4.96 × 10^27
AS200019 = Number of IPv4 = 23,040, Number of IPv6 = 1.11 × 10^30
AS15083 = Number of IPv4 = 43,008, Number of IPv6 = 7.92 × 10^29
AS51167 = Number of IPv4 = 461,824, Number of IPv6 = 4.75 × 10^29
AS14061 = Number of IPv4 = 3,010,304, Number of IPv6 = 3.29 × 10^26
Add in the rest, such as Ionos, M27, OVH, Gigaclear, Amazon, Google Cloud, Gyron, DMZHost, CDNext, Blacknight, hostglobalplus, cheapyhost, redheberg, PLIAS, etc., etc. and your 50K doesn't go very far.

There are plenty of current Cloudflare options to block using CIDR, Country, and Continent - we block all of the above and many more - you would fill a 50k list in less than a couple of days without blocking the usual suspect ASNs, countries, and continents.

Consider turning it around - who do you want to give access to?

And block the rest - e.g. one of our customers sells to three countries so apart from Google bots everything outside those three countries, and all the bad ASNs within them, are blocked

Good point! However, the idea of the 50.000 entries IP List was to add offending IPs recently detected. So the list would be dynamic and only add those IPs that recently performed a malicious behavior in one of my websites. After 7-14 days, the IP would drop from that list automatically, keeping it clean and reduced.

If our traffic is anything to go by 50k entries would fill up in way less than a week or two, sometimes in less than an hour - particularly from the entries in my list above such as AS8075

We never drop IPs, ASNs, countries, or continents once they have reached a certain level of either repeated or mass abuse, which simplifies things, and we always check new sources of abuse on https://www.abuseipdb.com/ and https://scamalytics.com/ and, depending on the attack level from the IP, almost never give anyone a second chance.

It seems to go around: it used to be and mainly is AS8075 in the US as the worst of the worst, not an issue as we block all US traffic, then AS8075 in Ireland, again not an issue as we block all Irish traffic and AS8075 anyway, currently it's gone back to the Netherlands as the main source, again a blocked country and continent - that's the beauty of using Cloudflare.

You are 100% right Paul! After evaluating the logs, I came to the conclusion that it is much more effective to block entire ASNs rather than individual IPs. These attackers are really changing their IPs too often, so it won’t make sense to block IP based.

Glad you got sorted

There are many ASNs, countries, and even continents where the only traffic we ever see is attack attempts, and we always work the other way around: who do we want as visitors/customers, so block everyone else, with exceptions for some parts of Google etc.

It is much easier this way around but obviously depends on which country you are in and which countries you want to allow into your websites

Don’t waste time reporting IPs to their ISPs, just block them, as there are almost no ISPs who will do anything, and the bigger they are the less they care.