Blocking IP CIDR

Hopefully you technical gurus can answer this one for me...?

I have been using this site: https://bgp.he.net/ to look up the CIDR of IPs Fail2Ban has blocked and in turn block the entire CIDR.

When it lists, for example:
AS35104 IRR Parent Valid ROA Signed and Valid
217.196.26.0/23 "Kaztranscom" JSC
AS35104 IRR Valid ROA Signed and Valid
217.196.26.0/24 "Kaztranscom" JSC

Would I block BOTH 217.196.26.0/23 AND 217.196.26.0/24, or would 217.196.26.0/23 be sufficient because 217.196.26.0/24 is still inside the subnet of the other?

But then why would it list both? Is it because the IP is still within both subnets?

Thanks for the clarification!

Comments

  • hzrhzr Member

    /23 covers both

    most specific wins

    some networks only see /23.

  • yes

  • dfroedfroe Member, Host Rep

    Charles_In_IT said: would 217.196.26.0/23 be sufficient because 217.196.26.0/24 is still inside the subnet of the other?

    217.196.26.0/23 also includes 217.196.26.0/24.

    Charles_In_IT said: But then why would it list both?

    Because AS35104 is announcing 217.196.26.0/23 and 217.196.26.0/24 via BGP into global routing table.

  • This is probably not the best approach.

    Finding IPs from your fail2ban and then just bulk blocking whole subnets is likely to catch a lot of ok traffic in the mix.

    Anyways, I'd use the /24. You want to do the smallest size possible so you don't spread your net too far.

    However, the /23 would encompass the /24 and another /24.

  • emreemre Member, LIR

    check this subnet calculator if you want to learn more

    http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

    IP address          217.196.26.0
    class               C
    type                PUBLIC
    network             217.196.26.0
    bitmask             23
    netmask             255.255.254.0
    wildcardmask        0.0.1.255
    host range          217.196.26.1-217.196.27.254
    broadcast address   217.196.27.255
    total IP addresses  510
    
    
  • Ahhh thanks guys for the clarification. As I suspected the lower number, or /23 in this case, should suffice. Been wondering that for a couple years, and decided to ask!

    @AlyssaD said:
    This is probably not the best approach.

    Finding IPs from your fail2ban and then just bulk blocking whole subnets is likely to catch a lot of ok traffic in the mix.

    Yea, if the subnet belonged to a valid entity, but if it's to a spam company or country, I have no problem banning them for life! LOL

    Happy banning!

    Thanked by 1AlwaysSkint
  • @Charles_In_IT said:
    Ahhh thanks guys for the clarification. As I suspected the lower number, or /23 in this case, should suffice. Been wondering that for a couple years, and decided to ask!

    @AlyssaD said:
    This is probably not the best approach.

    Finding IPs from your fail2ban and then just bulk blocking whole subnets is likely to catch a lot of ok traffic in the mix.

    Yea, if the subnet belonged to a valid entity, but if it's to a spam company or country, I have no problem banning them for life! LOL

    Happy banning!

    If you think it is a spamming company, and just want their whole ASN nulled, there are easier options.

  • @AlyssaD said:
    If you think it is a spamming company, and just want their whole ASN nulled, there are easier options.

    And what would that be...??? The suspense is killin me...

    Thanked by 1AlwaysSkint
  • @AlyssaD said:
    If you think it is a spamming company, and just want their whole ASN nulled, there are easier options.

    The link you sent me: https://asn.ipinfo.app/AS36352
    Is not any different than the URL I provided in the OP.
    HE is transparent, unlike the link you provided which is provided by who, ColoCrossing?
    Are you a mole? LOL

  • @Charles_In_IT said:
    [..] unlike the link you provided which is provided by who, ColoCrossing?

    What are you even asking?

  • @AlyssaD said:

    @Charles_In_IT said:
    [..] unlike the link you provided which is provided by who, ColoCrossing?

    What are you even asking?

    My reply was about the DM you sent me:

    @AlyssaD said:
    AlyssaD
    You could use something like: https://asn.ipinfo.app/downloads/AS36352
    1 message October 28

    AS36352 = ColoCrossing

  • @Charles_In_IT said:

    @AlyssaD said:

    @Charles_In_IT said:
    [..] unlike the link you provided which is provided by who, ColoCrossing?

    What are you even asking?

    My reply was about the DM you sent me:

    @AlyssaD said:
    AlyssaD
    You could use something like: https://asn.ipinfo.app/downloads/AS36352
    1 message October 28

    AS36352 = ColoCrossing

    Yes...

    and here is HE.net's https://asn.ipinfo.app/AS6939.

    and here is one from your original post: https://asn.ipinfo.app/AS35104.

    I still do not grasp your post or what you are asking.

  • LOL I thought it was pretty straightforward:

    Would I block BOTH 217.196.26.0/23 AND 217.196.26.0/24, or would 217.196.26.0/23 be sufficient because 217.196.26.0/24 is still inside the subnet of the other?

    Other people understood without issue, and answered already, before your spam/fluff.

  • Toodles then.

  • JordJord Moderator, Host Rep

    Thanked by 1AlyssaD
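
The containment and "most specific wins" points from the answers above, plus the over-blocking trade-off raised in the thread, as an added example that is not part of the original thread. It uses Python's standard `ipaddress` module; the function names and the offending IPs in the demo are constructed for illustration.

```python
import ipaddress


def collapse_blocklist(entries):
    """Return the smallest set of CIDR blocks that covers every entry.

    A prefix that sits inside another (the /24 inside the /23) is dropped,
    and adjacent blocks are merged when they form a larger aligned block.
    Bare IPs are treated as /32 (or /128) entries.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    out = []
    for version in (4, 6):  # collapse_addresses() rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in out]


def most_specific_match(ip, prefixes):
    """Return the longest announced prefix that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, prefixes) if addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def overblock_ratio(cidr, offending_ips):
    """Addresses blocked per offending IP actually observed inside cidr."""
    net = ipaddress.ip_network(cidr)
    seen = {ip for ip in offending_ips if ipaddress.ip_address(ip) in net}
    return net.num_addresses / len(seen) if seen else None


if __name__ == "__main__":
    announced = ["217.196.26.0/23", "217.196.26.0/24"]  # prefixes from the thread
    banned = ["217.196.26.17", "217.196.26.40"]         # constructed sample IPs

    # Blocking both prefixes is redundant: the /23 alone covers everything.
    print(collapse_blocklist(announced + banned))
    # An address in the lower half matches both; the /24 is the more specific.
    print(most_specific_match("217.196.26.17", announced))
    # The upper half (217.196.27.x) is only covered by the /23.
    print(most_specific_match("217.196.27.5", announced))
    # Cost of each choice: addresses blocked per offender actually seen.
    for cidr in announced:
        print(cidr, overblock_ratio(cidr, banned))
```

Running the collapse step over a firewall blocklist before loading it keeps the rule set minimal, and the ratio gives a quick number for how wide a ban is relative to the evidence behind it.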