Blog

  • Current ASN Block List

    For those who are interested, here is the current ASN Block List that is used in my local server firewall setup. Let me know if you think of some that should be added, or if you are on the list and you don’t think you should be!

    ===========================================================================
    ENTERPRISE SHIELD: AUTONOMOUS SYSTEM NUMBER (ASN) INTEL PROFILE
    ===========================================================================

    [STATUS KEY]
    [BLOCK] Active Firewall Mitigation (Traffic dropped at edge)
    [REVIEW] Deactivated/Bypassed (High collateral damage risk, requires audit)

    ---------------------------------------------------------------------------
    1. TRANSIT / BACKBONE NETWORKS (High Risk of Downstream Collateral Damage)
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    174 [BLOCK] US Cogent Communications - Major transit backbone
    1299 [BLOCK] SE Arelion Sweden AB - Tier 1 backbone
    3209 [BLOCK] DE Vodafone Germany - Regional infrastructure
    3257 [BLOCK] US GTT Communications Inc. - Global carrier
    6939 [BLOCK] US Hurricane Electric - Large transit network
    7979 [BLOCK] Global SoftLayer / IBM Cloud
    11042 [BLOCK] US Network Transit Holdings LLC

    ---------------------------------------------------------------------------
    2. CHINESE STATE CARRIERS & EAST ASIAN TECH GIANTS
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    4134 [BLOCK] CN ChinaNet - China Telecom primary backbone
    4811 [BLOCK] CN China Telecom (Group) - Shanghai MAN
    4831 [BLOCK] CN China Telecom (CTTNET) - Core state carrier
    4837 [BLOCK] CN China Unicom (CNC Group) - Industrial state line
    9808 [BLOCK] CN China Mobile Communications Group Co., Ltd.
    24445 [BLOCK] CN Henan Mobile Communications Co. Ltd
    37963 [BLOCK] CN Alibaba Cloud (Aliyun) - Mainland China clusters
    38365 [BLOCK] CN Baidu - Beijing Netcom Science & Tech
    45102 [BLOCK] APAC Alibaba Cloud APAC infrastructure node
    58461 [BLOCK] CN CT-HangZhou-IDC
    63199 [BLOCK] CN/HK CDS Global Cloud Co., Ltd
    132203 [BLOCK] CN Tencent Cloud compute infrastructure
    135354 [BLOCK] SG NAVER Business Platform Asia Pacific Pte. Ltd.
    136907 [BLOCK] CN Huawei Cloud computing platforms
    138699 [BLOCK] SG/CN TikTok Pte. Ltd. application edge ingestion
    211443 [BLOCK] HK Sino Worldwide Trading Limited proxy ingress
    213802 [BLOCK] HK TF - Tianfeng Communications Limited
    214669 [BLOCK] HK Starlight Tech Trading Co. Limited
    396986 [BLOCK] US/CN Bytedance Inc. platforms crawler edge
    55933 [BLOCK] HK CLOUDIE-AS-AP - Cloudie Limited

    ---------------------------------------------------------------------------
    3. RUSSIAN / CIS CARRIERS & HOSTING NODES
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    12389 [BLOCK] RU Rostelecom - Russian state carrier
    33993 [BLOCK] RU UFO Hosting LLC - Unregulated VPS space
    35048 [BLOCK] RU BITERIKA-AS - Biterika Group LLC
    41853 [BLOCK] RU LLC NTCOM corporate hosting & transit
    44050 [BLOCK] RU Petersburg Internet Network Ltd cloud node
    45055 [BLOCK] RU Dontechsvyaz LLC commercial communications
    47913 [BLOCK] RU Moshonkin Ilia Sergeevich - Private operator
    48030 [BLOCK] RU Martynova Irina Nikolaevna - Private register
    48031 [BLOCK] RU Ivanov Vitaliy Sergeevich - Private register
    48043 [BLOCK] RU Ozyorsk Telecom CJSC regional industrial node
    48467 [BLOCK] RU Pronet LLC standard commercial broadband
    48507 [BLOCK] RU LTD SibMediaFon multi-service network
    48515 [BLOCK] RU Praktika Ltd business infrastructure
    49505 [BLOCK] RU JSC Selectel - Bare-metal hosting provider
    197695 [BLOCK] RU REG.RU - Domestic web host & registrar
    200328 [BLOCK] RU Bakhtin Evgenii Valerevich private network
    200350 [BLOCK] RU YandexCloud - Yandex.Cloud LLC enterprise core
    202269 [BLOCK] AM BitCommand LLC proxy-friendly hosting
    205196 [BLOCK] RU BIG CORE LLC budget cloud infrastructure
    210644 [BLOCK] RU AEZA GROUP LLC high frequency scanning vector

    ---------------------------------------------------------------------------
    4. CENTRAL ASIA INFRASTRUCTURE
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    8193 [BLOCK] UZ Uzbektelekom Joint Stock Company state carrier
    8200 [BLOCK] KZ Uplink LLC commercial broadband backbone
    35682 [BLOCK] UZ Best Internet Solution alternative host
    48716 [BLOCK] KZ PS Internet Company LLP web & cloud host
    203044 [BLOCK] KZ Telepatiya Ltd virtualization platform
    210006 [BLOCK] KZ Shereverov Marat Ahmedovich private register
    210976 [BLOCK] KZ Timeweb LLP shared hosting/VPS cluster

    ---------------------------------------------------------------------------
    5. EASTERN EUROPE / UKRAINE / BALTICS
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    24651 [BLOCK] LV JSC BALTICOM regional internet provider
    30860 [BLOCK] UA Virtual Systems LLC high-privacy offshore VPS
    42159 [BLOCK] UA Zemlyaniy Dmitro Leonidovich private operator
    61424 [BLOCK] SK ESERVER-SK-AS - eServer s.r.o. professional host
    204957 [BLOCK] UA GREEN FLOID LLC corporate cloud cluster
    211736 [BLOCK] UA FOP Dmytro Nedilskyi commercial network

    ---------------------------------------------------------------------------
    6. MIDDLE EAST & LEVANT
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    8697 [BLOCK] JO Jordan Telecommunications PSC routing core
    9038 [BLOCK] JO/BH BATELCO / Al Bahrainia al Urdunia multi-transit
    202670 [BLOCK] UAE CLOUDZME FZE free-zone hosting arrays
    206446 [BLOCK] IL CLOUD LEASE Ltd specialized provisioning
    211273 [BLOCK] UAE csoft - Cloud Software FZCO (US footprint)

    ---------------------------------------------------------------------------
    7. TURKEY (REGIONAL BACKBONES & DATACENTERS)
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    9121 [BLOCK] TR TTNet - Turk Telekomunikasyon Anonim Sirketi
    12735 [BLOCK] TR TurkNet major independent high-speed ISP
    205733 [BLOCK] TR HOSTIFOX Bilisim Hizmetleri game server VPS
    208913 [BLOCK] TR Kitsune Bilisim Sistemleri platform space
    211557 [BLOCK] TR TAYNET TEKNOLOJI TICARET LTD server housing
    212193 [BLOCK] TR VIVA INTERNET LIMITED SIRKETI (Active attack)
    213407 [BLOCK] TR Uzmansoft Bilisim Web Yazilim Hizmetleri
    213488 [BLOCK] TR Inoxweb Datacenter ve Hosting colocation center
    214000 [BLOCK] TR Voxnet Bilisim Teknolojileri delivery platform

    ---------------------------------------------------------------------------
    8. CLOUD / HYPERSCALER INFRASTRUCTURE (B2B Integrations Impact Risk)
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    2639 [BLOCK] Global Zoho Corporation business CRM/mail endpoints
    8075 [REVIEW] Global Added to AZURE-RATELIMIT rule List
    14618 [REVIEW] US Added to CLOUD-RATELIMIT rule List
    16509 [REVIEW] Global Added to CLOUD-RATELIMIT rule List
    31898 [REVIEW] Global Added to CLOUD-RATELIMIT rule List
    63949 [REVIEW] US Added to CLOUD-RATELIMIT rule List
    208172 [BLOCK] CH Proton AG privacy email/VPN endpoint
    395747 [REVIEW] US Added to CLOUD-RATELIMIT rule List
    396982 [REVIEW] Global Added to CLOUD-RATELIMIT rule List

    **Note:** Main Google Search crawler (AS15169) is fully whitelisted.

    ---------------------------------------------------------------------------
    9. SOCIAL MEDIA PLATFORMS CRAWLER INGRESS
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    32934 [BLOCK] US Facebook Inc. (Meta) crawler asset block 1
    54115 [BLOCK] US Facebook Inc. (Meta) crawler asset block 2
    63293 [BLOCK] US Facebook Inc. (Meta) crawler asset block 3

    ---------------------------------------------------------------------------
    10. EUROPEAN HOSTING & VPS PROVIDERS
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    1101 [BLOCK] NL IP-EEND BV commercial cloud block
    3920 [BLOCK] EE PUSHPKT OU (Note: Mislabeled as RIPE NCC)
    6724 [BLOCK] DE Strato GmbH consumer web host & storage
    8560 [BLOCK] DE IONOS SE / 1&1 European business host cloud
    8896 [BLOCK] NO GlobalConnect AS strategic transport core
    9009 [BLOCK] UK/EU M247 Europe low-cost multi-region nodes
    12488 [BLOCK] UK Krystal Hosting Ltd green cloud shared app
    12552 [BLOCK] SE GlobalConnect AB high capacity transit
    12574 [BLOCK] DE Hosting.de GmbH regional cloud infrastructure
    12816 [BLOCK] DE Leibniz-Rechenzentrum university research node
    12876 [BLOCK] FR Scaleway SAS cloud developer instances
    13213 [BLOCK] UK UK-2 Limited / Iomart corporate web clusters
    14576 [BLOCK] EU Hosting Solution Ltd. general multi-tenant host
    14670 [BLOCK] UK WHG Hosting Services Ltd engine (4 of 4)
    15967 [BLOCK] PL Nazwa.pl Sp.z.o.o. domestic enterprise cloud
    16276 [BLOCK] FR OVHcloud largest European host (high bot density)
    20738 [BLOCK] UK Heart Internet Ltd legacy reseller platform
    20857 [BLOCK] NL TransIP BV / Signet B.V. cloud cluster (2 of 2)
    20860 [BLOCK] UK IOMART Cloud Services Limited business servers
    21499 [BLOCK] DE Host Europe GmbH managed web node matrix
    24768 [BLOCK] PT ALMOUROLTEC Servicos informatics management node
    24940 [BLOCK] DE Hetzner Online GmbH core machine node (1 of 3)
    24961 [BLOCK] DE/CH WIIT AG premium enterprise cloud engine
    26141 [BLOCK] EU CubePath unmapped cloud network pathways
    28753 [BLOCK] DE Leaseweb Deutschland GmbH throughput host
    29066 [BLOCK] DE/FR velia.net Internetdienste GmbH unmanaged iron
    29222 [BLOCK] CH Infomaniak Network SA eco-friendly cloud core
    29522 [BLOCK] PL Cyber_Folks S.A. hosting group array (CF-KRK)
    29550 [BLOCK] UK SIMPLYTRANSIT Team Blue Carrier transit
    30781 [BLOCK] FR Free Pro SAS corporate broadband hosting
    30823 [BLOCK] DE aurologic GmbH specialized colocation housing
    30893 [BLOCK] SE No ACK Group Holding AB dense dev clusters
    31034 [BLOCK] IT Aruba S.p.A. dominant consumer & enterprise host
    31229 [BLOCK] PL Beyond.pl sp. z o.o. Tier III datacenter
    34081 [BLOCK] DE/IT INCUBATEC GmbH - Srl corporate app host
    34360 [BLOCK] PL Cyber_Folks S.A. hosting group array (OGICOM)
    34549 [BLOCK] DE meerfarbig GmbH & Co. KG agile testing staging
    35470 [BLOCK] NL Signet B.V. Dutch cloud cluster (1 of 2)
    35779 [BLOCK] RS mCloud doo dynamic SSD virtual systems
    39122 [BLOCK] IE Blacknight Internet Solutions registrar host
    39351 [BLOCK] SE 31173 Services AB commercial VPN exit routes
    39392 [BLOCK] CZ SH.cz s.r.o. / SuperNetwork aggregation node
    39572 [BLOCK] NL DataWeb Global Group B.V. SLA enterprise fiber
    39704 [BLOCK] NL CJ2 Hosting B.V. regional multi-server housing
    41564 [BLOCK] UK Orion Network Limited computing node (1 of 2)
    41608 [BLOCK] ES NextGenWebs S.L. consumer web host server
    42525 [BLOCK] DE GlobalConnect A/S northern European fiber
    42708 [BLOCK] SE Portlane AB unmanaged raw data transport
    42831 [BLOCK] UK UK Dedicated Servers Limited bare-metal systems
    43037 [BLOCK] CZ Seznam.cz a.s. domestic search engine crawler
    43289 [BLOCK] MD Trabia SRL offshore datacenter proxy target
    43350 [BLOCK] NL NForce Entertainment BV high-bandwidth stream
    43357 [BLOCK] UK Owl Limited corporate platform route block
    43578 [BLOCK] ES bitNAP carrier neutral colocation facility
    43641 [BLOCK] PL Sollutium EU Sp. z o.o. custom network assets
    44477 [BLOCK] MD PQ Hosting Plus S.R.L. Stark Industries affiliate
    44803 [BLOCK] DK Webdock.io ApS lightweight developer VPS frame
    46805 [BLOCK] UK Angelnet Limited cloud infrastructure (4 of 4)
    47544 [BLOCK] PL IQ PL Sp. z o.o. transaction performance host
    47583 [BLOCK] LT Hostinger International global shared host matrix
    48024 [BLOCK] EU NEROCLOUD LTD privacy-centric hosting arrays
    48047 [BLOCK] PL Krakowskie Centrum Przetwarzania regional node
    48057 [BLOCK] MK ITV DOOEL Skopje multi-tenant infrastructure
    48090 [BLOCK] EU TECHOFF SRV LIMITED offshore cloud compute
    48137 [BLOCK] NL PI-GROUP BV network infrastructure system
    48505 [BLOCK] PL Kylos sp. z o.o. localized development spaces
    48854 [BLOCK] DK team.blue Denmark A/S application cloud space
    49453 [BLOCK] NL Global Layer BV mass raw bandwidth platform
    49592 [BLOCK] UK Pipe Networks LTD datacenter transport links
    49635 [BLOCK] ES Cloudi Nextgen SL automated virtualization
    49683 [BLOCK] UK MASSIVEGRID LTD high availability platform
    49981 [BLOCK] NL WorldStream B.V. low-cost commodity iron housing
    50300 [BLOCK] UK CustodianDC Limited eco-efficient server space
    50304 [BLOCK] NO Blix Solutions AS customized server housing
    50599 [BLOCK] PL DATASPACE P.S.A. scalable compute clusters
    50926 [BLOCK] ES AXARNET Comunicaciones S.L. managed systems
    51167 [BLOCK] DE Contabo GmbH high density developer VMs provider
    51396 [BLOCK] DE Pfcloud UG boutique private cloud frames
    51430 [BLOCK] NL AltusHost B.V. managed business host arrays
    51852 [BLOCK] CH Private Layer INC offshore bulletproof net
    51859 [BLOCK] RS Mainstream doo Beograd corporate hosting grid
    56322 [BLOCK] HU ServerAstra Kft. privacy cloud servers ecosystem
    57043 [BLOCK] NL HOSTKEY B.V. scraping automation compute block
    57858 [BLOCK] UK Angelnet Limited cloud infrastructure (3 of 4)
    58065 [BLOCK] UK Orion Network Limited computing node (2 of 2)
    59651 [BLOCK] Global AS QualityNetwork global transport pathways
    59943 [BLOCK] BE Level 27 BVBA managed app staging clouds
    60068 [BLOCK] Global CDN77 / Datacamp Limited massive distribution CDN
    60223 [BLOCK] UK Netiface international deployment grid (2 of 3)
    60404 [BLOCK] NL Liteserver NVMe high performance virtual environments
    60781 [BLOCK] NL LeaseWeb Netherlands BV data distribution core
    60798 [BLOCK] IT Servereasy Srl agile Linux hosting frames
    62240 [BLOCK] UK Clouvider Ltd colocation host space (2 of 2)
    63119 [BLOCK] UK Angelnet Limited cloud infrastructure (2 of 4)
    133944 [BLOCK] LT trafficforce UAB high-volume traffic node (2 of 2)
    141995 [BLOCK] APAC Contabo Asia Private Limited developer clouds
    197540 [BLOCK] DE netcup GmbH consumer cloud systems platform
    198139 [BLOCK] DE Lucas Vossberg private independent routing
    199524 [BLOCK] LU G-Core Labs S.A. global edge CDN infrastructure
    199404 [BLOCK] UK WHG Hosting Services Ltd engine (2 of 4)
    200019 [BLOCK] MD ALEXHOST SRL anonymous bulletproof web host
    201341 [BLOCK] LT trafficforce UAB high-volume traffic node (1 of 2)
    201579 [BLOCK] UK HostGnome Ltd budget Windows/Linux NVMe VPS
    201814 [BLOCK] PL MEVSPACE sp. z o.o. efficient bare metal iron
    203446 [BLOCK] UK Smartnet Limited business production host
    203476 [BLOCK] FR GANDI SAS web registrar and cluster workspace
    203516 [BLOCK] UK/DE AltunHOST LTD distributed game server system
    204240 [BLOCK] EU REXE localized system virtualization endpoint
    204646 [BLOCK] DE web2objects GmbH e-commerce dev sandboxes
    204770 [BLOCK] LT UAB Cherry Servers cloud developer host (1 of 2)
    204800 [BLOCK] UK WHG Hosting Services Ltd engine (3 of 4)
    205948 [BLOCK] DE creoline GmbH premium SSD cluster arrays
    206092 [BLOCK] UK F.N.S. Holdings Limited infrastructure assets
    206238 [BLOCK] EU Unknown European Provider - Direct audit recommended
    206264 [BLOCK] EU Amarutu Technology Ltd offshore routing profile
    206305 [BLOCK] RO SC ITNS.NET SRL regional datacenter pathways
    206892 [BLOCK] HU Rendszerinformatika Zrt. corporate applications
    206996 [BLOCK] DE ZAP-Hosting GmbH automated rental game cloud
    207179 [BLOCK] NL WilroffReitsma B.V. managed IT workspace cloud
    207567 [BLOCK] EU Intezio Worldwide Limited proxy provisioning
    207569 [BLOCK] UK I-SERVERS LTD direct-access environment hosting
    207957 [BLOCK] UK Serv.Host Group Ltd wholesale virtual machines
    208046 [BLOCK] FR KOGLER Gabin private boutique developer lab
    208137 [BLOCK] RO Feo Prest SRL localized routing nodes network
    209242 [BLOCK] UK Clouvider Ltd colocation host space (1 of 2)
    209373 [BLOCK] CH/Global SWISSNET LLC secure corporate cloud network
    209605 [BLOCK] LT UAB Host Baltic regional server configurations
    209709 [BLOCK] LT UAB code200 dynamic testbeds framework (1 of 2)
    209847 [BLOCK] NL WorkTitans B.V. SaaS developer sandbox iron
    210403 [BLOCK] FR Groupe LWS SARL consumer web & shared compute
    210457 [BLOCK] EU Kyonix Networks Limited server array optimizations
    210558 [BLOCK] DE 1337 Services GmbH privacy anonymous proxy node
    210743 [BLOCK] FR BABBAR-AS - Babbar SAS framework systems
    210785 [BLOCK] DE KAPELAN Medien GmbH digital media crawlers
    210906 [BLOCK] LT UAB Bite Lietuva domestic broadband carrier
    211298 [BLOCK] UK Driftnet Ltd active security honey-scanner
    211381 [BLOCK] LV/NL Podaon SIA cross-border virtual computing
    211590 [BLOCK] FR Bucklog SARL micro-node VPS structures
    212220 [BLOCK] SE Kepler Technologies AB automated virtual arrays
    212238 [BLOCK] Global Datacamp Limited multi-region CDN delivery
    212286 [BLOCK] UK LonConnect Ltd metropolitan interconnection
    212317 [BLOCK] DE Hetzner Online GmbH performance engine (3 of 3)
    213230 [BLOCK] DE Hetzner Online GmbH performance engine (2 of 3)
    213535 [BLOCK] EU YottaSrc dynamic on-demand system hosting
    213702 [BLOCK] UK QWINS LTD web automation staging nodes
    213755 [BLOCK] EU LUNORY CLOUD SOLUTIONS LTD flexible structures
    213790 [BLOCK] EU Limited Network LTD virtual testing ranges
    213887 [BLOCK] UK WAIcore Ltd AI-oriented acceleration clusters
    213896 [BLOCK] LT UAB Cherry Servers cloud developer host (2 of 2)
    214238 [BLOCK] UK HOST TELECOM LTD enterprise cloud engine
    214503 [BLOCK] SE QuxLabs AB advanced networking lab systems
    214716 [BLOCK] UK WEYRO LTD corporate computing platforms
    214902 [BLOCK] DK Philip Fjaera PFWeb Solutions micro hosting
    215125 [BLOCK] NL Church of Cyberology high privacy proxy nodes
    215439 [BLOCK] EU PLAY2GO INTERNATIONAL LTD app environments
    215540 [BLOCK] UK Global Connectivity Solutions multi-transit
    215730 [BLOCK] EU H2NEXUS LTD technical system virtualization
    215747 [BLOCK] NL NubaCloud B.V. emerging platform architecture
    202412 [BLOCK] EU Omegatech LTD high density framework grids

    ---------------------------------------------------------------------------
    11. LEASEWEB GROUP CONSOLIDATED INFRASTRUCTURE
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    7203 [BLOCK] US Leaseweb USA Inc. enterprise compute (4 of 7)
    19148 [BLOCK] US Leaseweb USA Inc. enterprise compute (5 of 7)
    27411 [BLOCK] US Leaseweb USA Inc. enterprise compute (6 of 7)
    30633 [BLOCK] US Leaseweb USA enterprise compute (1 of 7)
    32613 [BLOCK] CA Leaseweb Canada Inc. regional distribution hub
    393886 [BLOCK] US Leaseweb USA Inc. enterprise compute (7 of 7)
    394380 [BLOCK] US Leaseweb USA Inc. enterprise compute (3 of 7)
    395954 [BLOCK] US Leaseweb USA enterprise compute (2 of 7)
    396190 [BLOCK] US Leaseweb USA Inc. enterprise compute (8 of 7)
    396362 [BLOCK] US Leaseweb USA enterprise compute (3 of 3)

    ---------------------------------------------------------------------------
    12. GMO INTERNET GROUP / SAKURA (JAPAN)
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    7506 [BLOCK] JP INTERQ - GMO Internet Group Inc. flagship hub
    7684 [BLOCK] JP SAKURA Internet Inc. cloud clusters (2 of 2)
    9370 [BLOCK] JP SAKURA Internet Inc. cloud clusters (1 of 2)
    58791 [BLOCK] JP GMO Internet Group Inc. regional infrastructure
    131921 [BLOCK] JP GMO GlobalSign Holdings K.K. identity routing
    131965 [BLOCK] JP Xserver Inc. high density shared web hosting

    ---------------------------------------------------------------------------
    13. US & NORTH AMERICAN HOSTING / VPS PROVIDERS
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    7393 [BLOCK] US CYBERCON INC. industrial colocation server yard
    7489 [BLOCK] US HostUS virtual machine provisioning clusters
    9115 [BLOCK] CA Internet Names for Business Inc. (1 of 2)
    10439 [BLOCK] US CariNet Inc. unmanaged bare-metal iron tracks
    10557 [BLOCK] US Connect Northwest Internet Services LLC
    11320 [BLOCK] US LightEdge Solutions compliant continuity center
    11706 [BLOCK] US Telefônica Brasil S.A (US asset structures)
    11878 [BLOCK] US tzulo inc. high bandwidth dedicated server fields
    13332 [BLOCK] US Hype Enterprises software hosting frameworks
    13768 [BLOCK] CA Aptum Technologies hybrid cloud systems
    14061 [BLOCK] US DigitalOcean LLC developer cloud droplets
    14131 [BLOCK] US DataYard managed enterprise network hosting
    14555 [BLOCK] US LiquidNet US LLC reseller app hosting frames
    14956 [BLOCK] US RouterHosting LLC custom VPS provisioning
    15003 [BLOCK] US Nobis Technology Group high performance nodes
    16628 [BLOCK] US DedFiberCo point-to-point data links
    18450 [BLOCK] US WebNX Inc. extreme performance high cooling host
    18501 [BLOCK] US CyberCloud Professionals LLC corporate staging
    18779 [BLOCK] US EGIHosting wholesale unmanaged server arrays
    19084 [BLOCK] US ColoUp regional colocation & rack operations
    19318 [BLOCK] US Interserver Inc. standard low-cost shared cloud
    20278 [BLOCK] US Nexeon Technologies Inc. internet transit node
    20473 [BLOCK] US Vultr / AS-CHOOPA on-demand global hardware
    21769 [BLOCK] US Colocation America Corporation secure data rooms
    21859 [BLOCK] US Zenlayer Inc. boundary acceleration cloud (1 of 2)
    22295 [BLOCK] US Advin Services LLC lightweight virtual arrays
    22611 [BLOCK] US InMotion Hosting Inc. web optimized core (1 of 2)
    22612 [BLOCK] US Namecheap Inc. shared hosting & infrastructure
    23033 [BLOCK] US Wowrack.com global managed cloud systems
    23470 [BLOCK] US ReliableSite.Net LLC dedicated DDoS limited iron
    25820 [BLOCK] CA IT7 Networks Inc. systems automation endpoints
    26347 [BLOCK] US DreamHost mainstream web properties space
    26464 [BLOCK] US Joyent Inc. container-native computing environments
    26496 [BLOCK] US GoDaddy.com LLC retail consumer web hosts core
    26548 [BLOCK] US PureVoltage Hosting Inc. customized server racks
    27257 [BLOCK] US Webair Internet Development medical cloud grids
    27589 [BLOCK] US MOJOHOST high throughput media streaming engine
    29802 [BLOCK] US HIVELOCITY Inc. bare metal compute spaces (1 of 2)
    29873 [BLOCK] US Newfold Digital Inc. parent host brand pool
    30058 [BLOCK] US FDCservers.net cheap unmetered bandwidth lines
    30447 [BLOCK] CA Internet Names For Business Inc. (2 of 2)
    32244 [BLOCK] US Liquid Web LLC managed premium corporate host
    32489 [BLOCK] CA Amanah Tech Inc. secure offshore Canadian vault
    33182 [BLOCK] US HostDime.com Inc. global edge execution clusters
    35916 [BLOCK] US Multacom Corporation advanced engineering hosts
    36007 [BLOCK] US Kamatera Inc. modular hourly billed global cloud
    36352 [BLOCK] US ColoCrossing high density unmanaged budget cells
    36680 [BLOCK] US Netiface LLC international deployment grid (1 of 3)
    40021 [BLOCK] US Contabo Inc. North American arm of Contabo cloud
    40065 [BLOCK] US CNSERVERS LLC intelligent data delivery tracks
    40300 [BLOCK] US DR Fortress LLC mid-Pacific Hawaiian transit hub
    40676 [BLOCK] US Psychz Networks active line filtering nodes
    46261 [BLOCK] US QuickPacket LLC budget hardware deployment arrays
    46475 [BLOCK] US Limestone Networks Inc. solid-state cloud iron
    46562 [BLOCK] US Performive LLC mid-market operational environments
    46606 [BLOCK] US UNITAS Global software defined access routes
    46844 [BLOCK] US Sharktech original heavy scrubbing DDoS limits
    46918 [BLOCK] US GlobalHostingSolutions Inc. safe compute environments
    46995 [BLOCK] US Jump Wireless LLC wireless data edge cells
    50219 [BLOCK] US Valence Technology Co. software testbeds
    53667 [BLOCK] US FranTech Solutions / BuyVM budget storage slabs
    53755 [BLOCK] US Input Output Flood LLC raw compute engine iron
    54600 [BLOCK] US PEG TECH INC broad distribution network spaces
    54641 [BLOCK] US InMotion Hosting Inc. web optimized core (2 of 2)
    55286 [BLOCK] US B2 Net Solutions / ServerCheap budget VMs set
    51317 [BLOCK] US Hivelocity LLC bare metal compute spaces (2 of 2)
    62468 [BLOCK] US VpsQuan L.L.C. offshore-facing virtualization
    62610 [BLOCK] US Zenlayer Inc. boundary acceleration cloud (2 of 2)
    62874 [BLOCK] US Web2Objects LLC corporate app deployment fields
    62904 [BLOCK] US Eonix Corporation efficient distributed system pods
    63023 [BLOCK] US GTHost instant bare metal hardware nodes
    63150 [BLOCK] US BAGE CLOUD LLC developer micro testing nodes
    63410 [BLOCK] US PrivateSystems Networks isolation security grids
    64200 [BLOCK] US VIVID-HOSTING LLC performance customized grids
    64249 [BLOCK] US Charles River Operation private computing segments
    64267 [BLOCK] US Sprious LLC automated scraping residential proxy
    64286 [BLOCK] US LogicWeb Inc. integrated security host platform
    149042 [BLOCK] US Silicon Cloud Global trans-Pacific business paths
    150303 [BLOCK] US SoloRDP Indian firm - US registered desktop host
    202425 [BLOCK] US IP Volume Inc. bulk asset allocation blocks
    209372 [BLOCK] US WS Telecom Inc enterprise carrier alternative
    214036 [BLOCK] US Ultahost Inc. fast virtual machine chains
    399275 [BLOCK] US Solid Systems LLC industrial infrastructure maps
    394474 [BLOCK] US WhiteLabelColo unbranded data room leasing blocks
    396073 [BLOCK] US Majestic Hosting Solutions LLC cloud instances
    396356 [BLOCK] US Latitude.sh API-driven metal automation provider
    396998 [BLOCK] US Path Network Inc. Anycast DDoS scrubbing line
    397423 [BLOCK] US Tier.Net Technologies LLC storage room arrays
    398019 [BLOCK] US Dynu Systems Incorporated dynamic infrastructure
    398781 [BLOCK] US Oculus Networks Inc. VR heavy compute sandboxes
    399073 [BLOCK] US BUNNY TECHNOLOGY LLC fast static asset CDN
    399629 [BLOCK] US BL Networks fast transaction environments
    399804 [BLOCK] US Hostodo low-end storage proxy nodes
    400587 [BLOCK] US Ryamer LLC script execution automation cells
    400940 [BLOCK] US Railway container-native cloud PaaS structures
    401152 [BLOCK] US Ace Data Centers II LLC high density yards
    401626 [BLOCK] US Netiface America Inc. deployment grid (3 of 3)
    401696 [BLOCK] US cognetcloud INC enterprise application space

    ---------------------------------------------------------------------------
    14. LATIN AMERICAN CARRIERS & HOSTING INFRASTRUCTURE
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    1916 [BLOCK] BR Rede Nacional de Ensino e Pesquisa academic net
    17222 [BLOCK] BR Mundivox do Brasil Ltda corporate fiber fields
    26599 [BLOCK] BR Telefônica Brasil S.A. national broadband lines
    28573 [BLOCK] BR Claro NXT Telecomunicacoes Ltda mobile data switching
    53107 [BLOCK] BR EVEO S.A. premium domestic bare metal cloud
    53158 [BLOCK] BR Net Turbo Telecom regional consumer broadband
    8151 [BLOCK] MX UNINET S.A. de C.V. Telmex core routing layer
    17072 [BLOCK] MX Total Play Telecomunicaciones FTTH fiber paths
    18809 [BLOCK] PA Cable Onda principal Panamanian consumer grid
    23520 [BLOCK] Caribbean Columbus Networks USA Inc. automated scan risk
    27947 [BLOCK] EC Telconet S.A. major corporate industrial fiber
    30689 [BLOCK] JM FLOW domestic consumer broadband routing
    48721 [BLOCK] PA Flyservers S.A. Panama corp; hosted inside EU
    52485 [BLOCK] HN networksdelmanana.com enterprise communications
    141039 [BLOCK] PA PacketHub S.A. global deployment (2 of 2 / APAC)
    206971 [BLOCK] BR BedHosting BR data center server fields
    207137 [BLOCK] PA PacketHub S.A. global deployment (1 of 2)
    209854 [BLOCK] PA Cyberzone S.A. protected offshore arrays
    262688 [BLOCK] BR MHNET Telecom rural internet transport grids
    263792 [BLOCK] EC IN.PLANET S.A. Andean carrier data lines
    264750 [BLOCK] DO TELEOPERADORA DEL NORDESTE S.R.L. regional block
    264850 [BLOCK] HN TODAS LAS REDES SA Central American transit
    266572 [BLOCK] BR WORLDNET Telecomunicações regional routing links
    266827 [BLOCK] HN/Global BOHO BEACH CLUB S.A. distributed leisure network
    268136 [BLOCK] BR P J A Telecomunicacoes Ltda private business net
    268372 [BLOCK] BR WISESITE Comunicacao e Tecnologia application arrays
    270716 [BLOCK] BR GOVISTA Telecomunicao Importacao transport logistics
    271935 [BLOCK] DO AIRTIME TECHNOLOGY SRL West Indies localized systems
    3132 [BLOCK] PE Red Cientifica Peruana academic/research core
    21826 [BLOCK] VE Corporación Telemic C.A. commercial broadband
    44382 [BLOCK] LACNIC Fiba Cloud Operation Company virtual host clusters
    52393 [BLOCK] PA Corporacion Dana S.A. business app staging
    263735 [BLOCK] LACNIC SOCIEDAD BUENA HOSTING, S.A. shared frameworks
    263740 [BLOCK] LACNIC Corporacion Laceibanetsociety operations facility
    263821 [BLOCK] LACNIC Soluciones Favorables system provisioning targets

    ---------------------------------------------------------------------------
    15. AFRICAN TELECOMMUNICATIONS & HOSTING
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    37153 [BLOCK] ZA xneelo (Pty) Ltd major domestic web host core
    37611 [BLOCK] ZA Afrihost SP (Pty) Ltd consumer broadband systems
    43444 [BLOCK] ZA/Global Fast Servers (Pty) Ltd agile deployment clouds
    204300 [BLOCK] ZA D2CLOUD NETWORK SERVICES automated framework
    329184 [BLOCK] ZA Host Africa (Pty) Ltd data center group track

    ---------------------------------------------------------------------------
    16. ASIA-PACIFIC HOSTING & TELECOM
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    3462 [BLOCK] TW HiNet / Data Communication core national transit
    5065 [BLOCK] KR Bunny Communications app development clusters
    9329 [BLOCK] LK Sri Lanka Telecom Internet national state backbone
    9465 [BLOCK] SG AGOTOZ PTE. LTD. Southeast Asian hosting cells
    17451 [BLOCK] ID Biznet Networks premium corporate broadband cloud
    38136 [BLOCK] HK Akari Networks resilient developer servers
    38623 [BLOCK] KH Viettel Cambodia Metfone national carrier line
    45187 [BLOCK] AU/APAC Rackspace IT Hosting managed enterprise computing
    45237 [BLOCK] MN Magicnet LLC domestic commercial host provider
    45370 [BLOCK] KR BROADBANDIDC Seoul metropolitan data infrastructure
    45753 [BLOCK] HK Netsec Limited proxy network edge paths
    45899 [BLOCK] VN VNPT Corp national post & telecommunications core
    47810 [BLOCK] GE Proservice LLC strategic institutional data center
    56030 [BLOCK] NZ Voyager Internet Ltd. Kiwi business virtualization
    56038 [BLOCK] AU/Global RackCorp hardened high-resilience cloud arrays
    132056 [BLOCK] HK SCICUBE regional small business web host tiers
    133159 [BLOCK] AU Mammoth Media Pty Ltd cloud systems engineering
    133380 [BLOCK] HK Layerstack Limited high speed developer arrays
    133499 [BLOCK] IN HostRoyale Technologies Pvt Ltd node array (1 of 5)
    134240 [BLOCK] TH Super Broadband Network Company AIS delivery grid
    134450 [BLOCK] IN HostRoyale Technologies Pvt Ltd node array (2 of 2)
    135357 [BLOCK] HK Hong Kong Kowloon Telecom metropolitan fiber ring
    137409 [BLOCK] AU/Global GSL Networks Pty LTD content scaling pipelines
    149440 [BLOCK] MY Evoxt Sdn. Bhd. low cost global VM deployment sets
    152194 [BLOCK] HK CTG Server Limited cross boundary data nodes
    153656 [BLOCK] HK OWGELS INTERNATIONAL CO. wholesale global routing
    153671 [BLOCK] HK Liasail Global Hongkong Limited automated virtual
    203020 [BLOCK] IN HostRoyale Technologies Pvt Ltd node array (3 of 5)
    203999 [BLOCK] IN/US Geekyworks IT Solutions Pvt Ltd application sandboxes
    204287 [BLOCK] IN HostRoyale Technologies Pvt Ltd node array (4 of 5)
    207990 [BLOCK] IN HostRoyale Technologies Pvt Ltd node array (5 of 5)
    212512 [BLOCK] HK Detai Prosperous Technologies server housing
    213438 [BLOCK] SC ColocaTel Inc. offshore privacy server spaces
    215929 [BLOCK] HK Data Campus Limited virtualization testbeds
    135377 [BLOCK] HK UCLOUD INFORMATION TECHNOLOGY review recommended
    150436 [BLOCK] SG Byteplus Pte. Ltd. Bytedance corporate enterprise arm

    ---------------------------------------------------------------------------
    17. SECURITY SCANNERS, RESEARCH NETWORKS & PRIVACY INFRASTRUCTURE
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    16417 [BLOCK] US Cisco Systems IronPort Division email scanner
    42969 [BLOCK] DE Alpha Strike Labs GmbH active vulnerability probing
    57860 [BLOCK] DK Zencurity ApS academic threat mapping research
    60729 [BLOCK] Global TORSERVERS-NET Tor anonymity network exit nodes
    200107 [BLOCK] CH Kaspersky Lab Switzerland GmbH malware analyzer
    209366 [BLOCK] CY SEMrush CY Ltd commercial SEO search crawler
    211680 [BLOCK] PT NSEC Sistemas Informaticos BitSight risk tracker
    213412 [BLOCK] FR ONYPHE SAS active reconnaissance defense engine
    396319 [BLOCK] LT Oxylabs global automated scraping proxy pool
    398722 [REVIEW] US Censys Inc. continuous internet infrastructure scans

    ---------------------------------------------------------------------------
    18. CRITICAL FLAG: HIGH RISK POTENTIAL COLLATERAL DAMAGE TARGETS
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    15699 [BLOCK] ES Adam EcoTech S.A. traditional technology firm
    15830 [BLOCK] NL Equinix (EMEA) / Telecity infrastructure manager
    28682 [BLOCK] SI Posta Slovenije d.o.o. national postal services
    47101 [REVIEW] US City of Yakima municipal local government link
    47661 [REVIEW] DE Deloitte GmbH financial consulting corporate core
    47861 [REVIEW] BE Peter E. J. Durieux independent routing entry
    48037 [REVIEW] NL SSC-ICT Haaglanden core Dutch government IT hub
    48059 [REVIEW] BA Konzum d.o.o. Sarajevo regional retail logistics
    48075 [REVIEW] BE S.W.I.F.T. SC global secure interbank banking wire
    48135 [BLOCK] IT Leonardo S.p.A. major national aerospace supplier
    48447 [REVIEW] UK Sectigo Limited critical global SSL auth vendor
    48451 [REVIEW] CZ Prazska energetika, a.s. metropolitan power grid
    48452 [REVIEW] BG Telco power Ltd regional electricity utility link
    48455 [BLOCK] UK Man Investments Limited corporate asset manager
    48468 [REVIEW] CH Triumph Intertrade AG commercial trade systems
    48469 [REVIEW] NO mnemonic AS strategic enterprise cybersecurity
    48512 [REVIEW] DE/FR EPEX SPOT S.E. wholesale power energy exchange
    48514 [REVIEW] SE Stiftelsen Chalmers Studenthem university housing
    48517 [BLOCK] BE Destiny N.V. domestic business broadband ISP
    48518 [BLOCK] FR ADD-ON MULTIMEDIA SAS commercial media publisher
    45562 [REVIEW] HK Hutchison International Ltd trade core arrays
    46602 [REVIEW] US PLAIN DEALER PUBLISHING CO. traditional newsprint
    395064 [REVIEW] CA Douglas College public higher education campus

    ---------------------------------------------------------------------------
    19. FRAMEWORK EXTENSIONS & UNCLASSIFIED NETWORKS
    ---------------------------------------------------------------------------
    ASN STATUS GEOGRAPHY PROVIDER / CONTEXT
    402226 [BLOCK] US OnlyScans LLC automated asset spider indexing
    64160 [BLOCK] Belize NimblyNet Limited global virtualized footprint
    202053 [BLOCK] FI UPCLOUD UpCloud Ltd enterprise cloud cluster
    402253 [BLOCK] KN SKN Subnet & Telecom Ltd Caribbean deployment
    216071 [BLOCK] UAE/NL VDSINA - SERVERS TECH FZCO hosted in Netherlands
    215607 [BLOCK] DE DF-Transit - dataforest GmbH network backbone
    206216 [BLOCK] US ADVIN-AS - Advin Services LLC virtualization
    52449 [BLOCK] Belize My Tech BZ localized commercial system blocks
    9597 [BLOCK] JP Unknown - KDDI Web Communications host layer
    400529 [BLOCK] US Infraly, LLC automated infrastructure engine
    399244 [BLOCK] US AME Hosting LLC isolated server setups
    401322 [BLOCK] US NetO Corp enterprise communication platform
    400810 [BLOCK] US BreezeHost custom virtualization architectures
    394814 [BLOCK] US ISP4Life INC high volume unmanaged transit
    263744 [BLOCK] HN Udasha S.A. infrastructure platform node
    42366 [BLOCK] DE TERRATRANSIT-AS - TerraTransit AG backbone
    132817 [BLOCK] BD DZCRD-AS-AP - DZCRD Networks Ltd
    150493 [BLOCK] ID Indonesia Network Info PT Gunung Sedayu Sentosa
    24560 [BLOCK] IN Bharti Airtel Ltd. Telemedia Services core
    56511 [BLOCK] PL GAMP-AS - GAMP Sp. z o.o. platform space
    42220 [BLOCK] ES SIAPI-AS - TREVENQUE SISTEMAS DE INFORMACION
    30900 [BLOCK] IE WEBWORLD-AS - Sternforth Ltd WebWorld
    4811 [BLOCK] CN CHINANET-SHANGHAI-MAN - China Telecom
    135951 [BLOCK] VN WEBICO-AS-VN - Webico Company Limited
    51247 [BLOCK] LT/NL serveriotechnologijos-AS Serverio MB
    203098 [BLOCK] LT tech-internet-broadband trafficforce UAB
    61098 [BLOCK] CH exoscale - Akenes SA high performance framework
    21013 [BLOCK] AT ITANDTEL-AS - eww ag infrastructure service
    263753 [BLOCK] CL SERVICIOS DE DATACENTER DATANETWORKS LIMITADA
    141968 [BLOCK] ID Indonesia Network Info PT Industri Kreatif
    22363 [BLOCK] US Powerhouse Management Inc. global footprint
    203003 [BLOCK] FI magna-capax - Magna Capax Finland Oy

    ===========================================================================
    END OF DATA PROFILE
    ===========================================================================
  • Peak Bots: Is your site ready?

    No, this isn’t just clickbait. In my work with very large retailers, I have seen how the threat/annoyance of bots has become an everyday topic.

    [DISCLOSURE: I work at Akamai, primarily analyzing data from mPulse RUM Service.]

    I started investigating the effects of bots on Web Performance data last year and how I can help customers eliminate the noise of this traffic from the RUM data that they rely on so that they can then get a true sense of their actual performance.

    A lot of this work also occurred in parallel with the same organizations working with security products and services to try to eliminate and respond to ever-changing bot traffic.

    When I began my analysis of the effects of bot traffic on RUM data in early 2025, the logical starting point was the data that was easiest to remove: ASNs that are known Hosting & Cloud Providers with services that allow for running of scripted Real Browser Bots for purposes that were banal (synthetic web performance measurement and other testing), annoying (price scrapers and other site information collection services), and malicious (fraud, DDoS, etc.).

    [NOTE: The data I work with excludes stupid bots, which are bots that do not run a headless browser but are completely code-based, usually running with the HTTP Library of whatever language they were developed with. Simple rule: No JS execution, no data for me to work with.]

    In general, a lot of the major retailers I work with saw that 15-20% of their daily traffic originated from Real Browser Bots. At times within a day, this could spike to over 50%.

    Once I removed those from the data, I then went back and added another set of bot signals — old browser versions. Often the Cloud & Hosting Providers overlapped with old browser versions, but there were always a few cases where I would see massive bursts of traffic from retail ISPs that should not be sending this level of traffic from a truly ancient version of Chrome.

    When I factored in the Real Browser Bots running from retail ISPs identifying as old browser versions, another 3-7% of daily traffic could be flagged as being from non-human sources.

    But then, I got to the hardest to detect and mitigate population of bots: Shadow Bots. These are the bots running modern browser versions from retail ISPs in volumes and with performance that make their visits stand out against traffic from the rest of the ISP.

    An example of this would be a segment of modern Chrome users on Comcast showing performance data that is completely out of line with other Comcast users, either in general or for their region.

    Shadow Bots are very difficult to control or filter within RUM data, and the detection and mitigation effort falls to specialty security services that can fingerprint and identify specific cohorts of traffic that are not real users. I am still experimenting with ways to flag this data, but they haven’t been completely successful (yet).

    By this point, you are thinking that RUM should be changed to BUM (you’re smart; you can figure it out).

    Now, there are the AI/Agentic Bots, and these will be much harder to deal with. Some of this traffic will be valid and will be necessary to let through (real visitors initiating real transactions through their new Agents); however, a significant percentage of AI-driven agent traffic will likely come from malicious actors performing tasks that they previously did through browsers.

    A number of reports on the effect of Agentic Bot traffic are out, and I suggest you review them:

    • Akamai: Publishing Industry Under Attack: Global AI Bot Activity Surges by 300%, Akamai Report Finds
    • Imperva: Bad Bot Report 2026: The Internet Is No Longer Human and It’s Changing How Business Works
    • Human Security: The 2026 State of AI Traffic & Cyberthreat Benchmark Report

    The future of Bot Management will be complex. What to allow and what to deny will become even harder than it is today. In fact, I foresee a future in which the very concept of the Web, as we know it today, will fade away, replaced with personalized agents performing scheduled and ad-hoc tasks by interacting with other agents, APIs, and bots.

    At that point, how do you measure performance?

    And who is the Real User in RUM?

  • On 22 years of posts

    I am always amazed that there are 22 years of history on this blog.

    I know that these days I go years between posting bursts, but in the early days, I was putting up new posts 1-2 times a day. Ah, the early days of blogging — the B.T. (Before Twitter) era.

    A lot of those early posts are personal musings on topics of the day, goings on in my family, discussion on GrabPERF, my experiment in developing a distributed web performance measurement system while I worked at a company that did that for real, and Web Performance.

    Now it’s primarily Web Performance, Climate Change, and how to protect a system that runs on coal and steam from the idiocy of the modern internet.

    Still, 22 years is a long time. Especially now when the news cycle is compressed into minutes, the availability of information is staggering, and the ability to take a breath and think about what is happening is non-existent.

    Welcome to the next decade of history this week.

  • Enterprise Shield: The flow and general process

    So, for those who are interested, here is the current processing flow and update cycles for my Enterprise Shield and Bot Filtering setup.

    Currently this setup comfortably supports blocking 425,000 CIDR Blocks and 10K AbuseIPDB IPs, with additional processing for cloud providers that depends on the rate they send traffic through.

    Attackers, do what you will.

    Enterprise Shield — Request Processing Flow

    A three-layer flowchart showing how incoming requests are processed through the kernel SHIELD-LOGIC chain, Apache mod_rewrite UA filter, and WordPress/Wordfence application layer.

    Inbound request

    Kernel — SHIELD-LOGIC chain
    • Trusted source? (Loopback · ESTAB/RELATED · LAN · CDN IPs) → Accept
    • AbuseIPDB penalty box? (SHIELD_PENALTY ipset — updated 5 times daily, AbuseIPDB Free API) → Silent drop (AbuseIPDB match)
    • Blocked ASN or country? (blocked_asns ipset — rebuilt nightly at 02:00 UTC) → Silent drop (ASN / country match)
    • Known AI crawler UA? (GPTBot · ClaudeBot · Google-Extended · others) → rDNS verify, then accept or drop

    Apache — mod_rewrite UA filter
    • UA block rules? (Bot strings · outdated browsers · attack patterns) → 403 GO AWAY!

    Application — WordPress / Wordfence / PHP
    • Legitimate request served (Wordfence WAF evaluates · WordPress delivers content)

    Enterprise Shield — Component Update Cycles

    Scheduled refresh intervals and out-of-band injection methods for each protection layer.

    🕐 All scheduled times are UTC
    blocked_asns ipset (Kernel)
    What it controls: IP ranges for all ASNs in blocklist_asns.txt, resolved via RADB WHOIS using 8 parallel threads
    Update cycle (UTC): Nightly — 02:00
    Out-of-band injection:
    • Penalty box (temporary): sudo block_asn.sh AS9009 (Live inject. Cleared at next 02:00 UTC run.)
    • Permanent block: sudo block_asn.sh --permanent AS9009 (Writes to blocklist and injects live. Persists forever.)

    Country IP blocks (Kernel)
    What it controls: IPv4 CIDRs for blocked countries from the ipverse GitHub feed, merged into the same blocked_asns ipset
    Update cycle (UTC): Nightly — 02:00
    Out-of-band injection:
    • CIDR penalty box: sudo block_asn.sh --cidr 1.2.3.0/24 (Live inject only. Cleared at next 02:00 UTC run.)
    • Add country permanently: Edit BLOCK_COUNTRIES in enterprise_shield.sh and re-run. Takes effect immediately; persists.

    SHIELD_PENALTY ipset (Kernel)
    What it controls: Top abusive IPs from AbuseIPDB API (≥ 90% confidence). Evaluated before the ASN chain in iptables INPUT
    Update cycle (UTC): 5x Daily — :00
    Out-of-band injection:
    • No manual add. The set is atomically replaced each run. To block an IP immediately, use block_asn.sh --cidr <IP>/32 against the main ipset instead.
    • Force early refresh: sudo /usr/local/bin/abuseipdb_penaltybox.sh

    AI bot verifier (Kernel)
    What it controls: Python daemon on NFQUEUE 10. Intercepts known AI crawler UAs (GPTBot, ClaudeBot, Google-Extended) and verifies via rDNS before allowing or dropping
    Update cycle (UTC): On service restart
    Out-of-band injection:
    • Add a new AI bot UA: Edit the NFQUEUE rules in enterprise_shield.sh, then: sudo systemctl restart shield-ai-bot.service
    • Rebuild the full chain: sudo /usr/local/bin/enterprise_shield.sh

    mod_rewrite UA rules (Apache)
    What it controls: Apache-level .htaccess and VirtualHost rewrite rules blocking by UA string, version ranges, empty UAs, and attack patterns. Returns 403 GO AWAY! inline — no PHP, no WordPress bootstrap
    Update cycle (UTC): Manual
    Out-of-band injection:
    • Add bot string: Append a RewriteCond to .htaccess, then: sudo apachectl graceful (Takes effect immediately with no dropped connections.)
    • Update browser version range: Edit the version regex, then run apachectl graceful. Must cover the ESR floor and current version ceiling.
    • IP block at Apache layer: Add Require not ip <addr> to the VirtualHost config.

    Wordfence WAF (WordPress)
    What it controls: PHP-layer WAF bootstrapped before WordPress via waf/bootstrap.php. Independently evaluates every request surviving Apache, checks Wordfence’s threat database, and serves its own 403 pages from wp-content/wflogs/
    Update cycle (UTC): Automatic. Free: 30-day rule delay. Premium: real-time feed.
    Out-of-band injection:
    • Block an IP immediately: WP-Admin → Wordfence → Blocking → Create a Block → Block by IP (No server restart required.)
    • Add a custom firewall rule: WP-Admin → Wordfence → Firewall → Custom Patterns (Can match on IP, UA, referrer, URL, or request parameter.)
    • Force rule sync: WP-Admin → Wordfence → Firewall → Sync Firewall Rules

    Boot persistence: shield-ipset-restore → ufw.service → shield-iptables-restore → shield-ai-bot.service. All ipsets and chains restored on reboot. All times UTC.
  • Tuning Traffic: Aggressive Rewrite Rules

    The great thing about running your own hardware is that you can do anything you want with it. I don’t support any customers beyond people who may want to read my blog (I count those in the tens per month) and Bots/Crawlers/Attackers.

    As the server is mine and I get to dictate the people who get to visit it, I set some simple ground rules:

    • Use a modern browser
    • Don’t launch probing attacks or attempt traversal attacks
    • Don’t be a dick.

    Based on that, I set up the following User-Agent Rewrite rules to filter out old browsers, known scanners, and other bringers of mayhem.

    # UA blocks
    RewriteCond %{HTTP_USER_AGENT} Bytespider [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Gort [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} zgrab [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} okhttp [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} python-requests [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^-?$ [OR]
    RewriteCond %{HTTP_USER_AGENT} ".*MSIE.*" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} libredtail-http [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} GPTBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} OAI-SearchBot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ChatGPT-User [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} CMS-Checker [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} UCBrowser [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} "Opera/" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ".*Edge/.*" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ".*Edg/(14[0-5]|1[0-3][0-9]|[1-9][0-9]|[1-9])\..*" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ".*Chrome/(14[0-5]|14[5-6]|1[0-3][0-9]|[1-9][0-9]|[1-9])\..*" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ".*Firefox/(14[1-6]|1[0-3][0-9]|[1-9][0-9]|[1-9])\..*" [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ".*Version/(2[0-5]|1[0-7]|19|[0-9])\..*Safari/.*" [NC]
    RewriteRule .* - [F,L]

    The items highlighted above may cause you pause, but see rule number 3 above.

    You will also notice some carve-outs for odd browser versions. There are LTS versions of most browsers, and I wanted to ensure that they can get through the rewrites unscathed.
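To check what the rule block above actually rejects, including the LTS carve-outs, the patterns can be replayed offline. This is an added example, not part of the original post: the function names are assumptions, `grep -E -i` stands in for mod_rewrite's regex matching, and every sample User-Agent except the iPod string (taken from the access-log excerpt elsewhere on this page) is constructed.

```bash
#!/usr/bin/env bash
# Added example: replays the RewriteCond patterns from the rule block above
# against User-Agent strings, to see what the final [F] rule would reject.

# One pattern per line, in rule order. mod_rewrite matches each pattern
# anywhere in the header; every pattern except "^-?$" carries [NC] on the
# page, and matching that one case-insensitively changes nothing.
ua_patterns() {
    cat <<'EOF'
Bytespider
Gort
zgrab
okhttp
python-requests
^-?$
.*MSIE.*
libredtail-http
GPTBot
OAI-SearchBot
ChatGPT-User
CMS-Checker
UCBrowser
Opera/
.*Edge/.*
.*Edg/(14[0-5]|1[0-3][0-9]|[1-9][0-9]|[1-9])\..*
.*Chrome/(14[0-5]|14[5-6]|1[0-3][0-9]|[1-9][0-9]|[1-9])\..*
.*Firefox/(14[1-6]|1[0-3][0-9]|[1-9][0-9]|[1-9])\..*
.*Version/(2[0-5]|1[0-7]|19|[0-9])\..*Safari/.*
EOF
}

# Prints the first pattern that matches the User-Agent, or PASS when the
# request would get past this rule block.
ua_verdict() {
    local ua="$1" pat hit=""
    while IFS= read -r pat; do
        if printf '%s\n' "$ua" | grep -Eiq -e "$pat"; then
            hit="$pat"
            break
        fi
    done <<EOF
$(ua_patterns)
EOF
    printf '%s\n' "${hit:-PASS}"
}

# Sample set as label|User-Agent. All constructed for this example except
# the iPod string, which appears in the page's access-log excerpt.
ua_samples() {
    cat <<'EOF'
chrome-147|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
chrome-120|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
edge-146|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0
firefox-140-esr|Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
firefox-141|Mozilla/5.0 (X11; Linux x86_64; rv:141.0) Gecko/20100101 Firefox/141.0
safari-18|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15
safari-17|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15
ipod-safari-3|Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1 like Mac OS X) AppleWebKit/534.39.5 (KHTML, like Gecko) Version/3.0.5 Mobile/8B116 Safari/6534.39.5
python-requests|python-requests/2.32.3
empty-ua|
EOF
}

# One line per sample: label, then the matching pattern or PASS.
ua_report() {
    local label ua
    ua_samples | while IFS='|' read -r label ua; do
        printf '%-16s %s\n' "$label" "$(ua_verdict "$ua")"
    done
}

ua_report
```

The Edge 146 sample passes the `Edg/` rule but is still rejected, because Edge also sends a `Chrome/146` token and the Chrome rule matches it.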

    All of these rules produce HTTP/403 responses, which I am very happy with. Even with a 403 response code, so many of these keep coming back for more.

    I am also amazed at how lazy some teams are with spoofing browser versions. If you are going to take the time to create a browser that is going to trawl the web for riches and data, at least take the time to try and be the most recent versions of the browser you can be, or else people like me will just shut you down.

  • Slowing The Flood: Firewall Tuning – Month 1

    On Apr 01 2026, I reset my Apache server collection tracking so that the noisiest data prior to the implementation of my new firewall configuration would be eliminated. Since then, the firewall has seen some tuning and iteration.

    • Apr 01-03 2026: Initial tuning phase of the firewall and addition of largest blocks of known Hosting Providers and other malicious actors
    • Apr 04-28 2026: Steady-state of firewall with occasional additions of new ASNs to the blocklist. During this period, all the major cloud providers (AWS, GCP, & Azure) were in a complete block state.
    • Apr 29 2026 – May 07 2026: Impose rate limiting on Amazon/AWS and Google/GCP ASNs and much stricter rate-limiting on the Microsoft/Azure ASN. As well, integrated a process to add the AbuseIPDB Top 10K IPs dynamically on a schedule.

    This process has had some noticeable effects on the volume of traffic captured in my logs. Although I pruned the data prior to Apr 01 2026, I will just say that the volume was much higher than you see at the start of the chart below.

    [Chart: Visitor Traffic – Apr 01 – May 07 2026]

    I can say that the new tuned firewall deployment is working extremely well on my ancient hardware and that working alongside my friend Claude has got this system to a state where it will likely continue to support a great deal of traffic for hopefully years to come.

  • Apache and 403 Responses — HTTP/2.0 v. HTTP/1.1

    I’ve spent a good part of the last two days trying to track down an issue that was bothering me. My server is tuned to send a lot of annoying bots to the scrap heap with Rewrite rules that return a 403 response. I also just converted the server to HTTP/2.0 (yeah, I know; quiet in the back).

    However, many of the bots use HTTP/1.1. What was weird is that when you look at the logs in Apache, you get the following items.

    172.232.187.115 - - [06/May/2026:18:51:26 +0000] "GET / HTTP/1.1" 403 2877 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1 like Mac OS X) AppleWebKit/534.39.5 (KHTML, like Gecko) Version/3.0.5 Mobile/8B116 Safari/6534.39.5"
    
    172.232.187.115 - - [06/May/2026:18:51:42 +0000] "GET / HTTP/2.0" 403 90 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1 like Mac OS X) AppleWebKit/534.39.5 (KHTML, like Gecko) Version/3.0.5 Mobile/8B116 Safari/6534.39.5"

    Can anyone spot the issue? Well, if you look closely, you’ll see that the HTTP/1.1 response is recorded as being much larger than the HTTP/2.0 response for the same 403 response.

    Guess what? This is an artifact of the way that Apache processes these requests! My friend Claude described it this way:

    For HTTP/1.1, when [F] fires, Apache generates the full default error page first (2911 bytes), logs that size via %b, then ErrorDocument substitutes it with the 44-byte response before sending. The log records the pre-substitution size.

    For HTTP/2.0, mod_http2 logs the post-substitution size (plus HTTP/2 frame overhead accounting for the extra 82 bytes above 44).

    It’s always fun to go off on a Snipe Hunt and learn a lot about the internals of software you use every day.

  • Attack Vector: Turkish ASNs

    Over the last 3 weeks my new firewall deployment has seen a number of sustained HTTP attack attempts from AS212269, AS203771, AS212193, and a few others. All of these originate from Turkiye.

    My local firewall is very aggressive — it’s my server and I can do what I want! — and I block large sections of the internet in an attempt to limit traffic to real humans as much as possible. So it was only through monitoring my live firewall stats that I was able to see these attack attempts.

    These scanners aren’t particularly graceful. After encountering a DROP rule, they just…keep….going…and…going. They run for 2-4 hours (sometimes longer) without checking to see if they get a response. So why Turkiye and why now?

    Turkiye has recently started appearing in the top attacking countries list for a number of security providers. This appears to be a result of a large number of compromised IoT devices that have been integrated into “DDoS-as-a-Service” (DDoSaaS) organizations to make it very easy for organizations to use this as a starter kit for whatever purposes they are trying to achieve.

    This is further amplified by the current geopolitical situation in the Persian Gulf (Iran/US conflict, closing of the Strait of Hormuz, etc.). One customer of these DDoSaaS is likely groups within Iran that are looking for a way to attack or annoy western organizations.

    I will continue to monitor this, but it is always interesting to see how some experimentation with local firewall setups can lead to interesting cyber findings.

  • Enterprise Shield on Dinosaur Hardware

    There’s a certain kind of satisfaction that comes from taking something old and making it do something remarkable. This is the story of how a 2008 MacBook 13” aluminum — a machine that predates the iPhone App Store — ended up running a multi-threaded, self-healing, boot-persistent IP threat blocking system protecting a production web server on Ubuntu 24.04. It took a full day of iterative development, a fair amount of debugging, and one very honest conversation about an 18-year-old piece of hardware.


    The Starting Point

    The project began with a script called Enterprise Shield v11.4. On paper it did what it promised: it blocked traffic from hostile Autonomous System Numbers (ASNs) and geographic regions by maintaining a massive ipset of known-bad IP ranges, then dropping packets matching that set at the firewall level. In practice, it was held together with duct tape.

    The first code review found problems at every layer. There was a truncated grep statement in the country block loop — a literal syntax error that prevented the script from ever completing. The leading-zero stripping logic for CIDR normalisation ran in the wrong order, cleaning data after the validation regex had already rejected it. The script injected custom iptables rules directly while also running ufw --force reset, meaning UFW silently wiped those rules on every reload. And perhaps most practically damaging: it fetched IP data for every ASN serially, sleeping two seconds between each query, making a large blocklist a multi-hour operation.

    The objective was clear: fix everything, make it fast, make it resilient, and make it understand its own hardware.


    Understanding the Hardware

    Before optimising anything, we needed to understand what we were working with. The machine is a 2008 MacBook with a Core 2 Duo processor — a 64-bit dual-core chip from the era when 4GB of RAM was considered ambitious. This one has been upgraded to 8GB, which turned out to matter significantly for one specific decision later.

    The Core 2 Duo changes the calculus on parallelism. Modern CPUs handle process spawning cheaply. On a processor from 2008, every subprocess fork is measurably expensive, and context switching between background jobs has real overhead. This shaped nearly every optimisation decision that followed: eliminate unnecessary subprocess forks, use bash builtins instead of external binaries wherever possible, and be conservative with thread counts.

    It also runs Ubuntu Server 24.04, which introduced a subtle wrinkle: the system ships with iptables-nft, a compatibility shim that translates iptables commands into nftables rules. Early in the project we suspected this would break the ipset integration — specifically the --match-set rule that does the actual packet dropping. A quick check of the live chain output confirmed it was working:

    93  5448 DROP  ...  match-set blocked_asns src

    Those 93 drops told us the integration was solid. We moved on.


    Phase 1: Making It Correct

    The first rewrite — v11.5 — focused entirely on correctness before touching performance.

    The truncated grep was fixed. The UFW/iptables conflict was documented and mitigated by injecting the ipset DROP rule into /etc/ufw/before.rules, making it survive UFW reloads. The leading-zero stripping was reordered so it ran before validation, not after. The ipset restore file was given a flush directive so stale entries from previous partial runs couldn’t accumulate. The country feed fetches were given --fail flags so 404 error pages didn’t silently pass through as IP data.

    Most importantly: the script was given a proper trap ... EXIT so temp files were always cleaned up, the root check was moved to the absolute first line, and every (( counter++ )) was replaced with counter=$(( counter + 1 )) — because in bash, arithmetic that evaluates to zero returns exit code 1, which set -e interprets as a fatal error.


    Phase 2: Making It Fast

    With a correct foundation, the next challenge was the whois lookup bottleneck. The serial version queried RADB one ASN at a time with a two-second sleep between each. With 152 ASNs in the blocklist, that’s over five minutes of wall clock time before any actual data processing begins.

    The first parallel version — v11.6 — used export -f to pass a bash worker function into xargs -P subshells. It looked right. It wasn’t. On many systems, xargs subshells don’t reliably inherit exported bash functions. Workers spawned successfully, registered their completion files, and wrote nothing. The blocklist came back at roughly one-third of its expected size. The failure was completely silent.

    The fix was architectural. Instead of relying on function inheritance, the worker logic was written to a self-contained bash script at runtime — /tmp/shield_whois_worker.sh — and each background job executed that file directly. No inheritance, no environment dependencies, no silent failures.

    The second parallel problem was subtler: all threads were hitting RADB simultaneously, triggering connection throttling that caused empty responses with no error code. RADB doesn’t say “rate limited.” It just stops returning data. The solution was per-worker random jitter (0–2.5 seconds) combined with inter-batch pausing — every 20 dispatches, all active workers drain and a 3-second pause lets RADB’s connection count settle before the next batch opens.

    The final thread count settled at 4. Eight threads was causing the silent data loss. Four threads with batching gives full coverage with no throttling, and on a Core 2 Duo the overhead of managing 4 concurrent background jobs is well within budget.


    Phase 3: Making It Resilient

    A firewall system that runs once nightly creates a specific failure mode: if something goes wrong with a data source — RADB is slow, a country feed returns an error, the network hiccups — the next scheduled run could silently shrink the blocklist without anyone noticing.

    The delta check was the answer. After every run, the entry count is written to /var/lib/shield/last_entry_count. The following night, before committing the new ruleset, the script compares. If the new count is more than 10% below the previous run, the atomic swap is aborted entirely — the existing live ipset is preserved untouched — and an alert is written to a separate log file.

    “Atomic swap” is the key phrase here. The shield script never modifies the live ipset directly. It builds a complete replacement set in /tmp, populates it, then executes ipset swap blocked_asns-temp blocked_asns — a single kernel operation that is instantaneous and never leaves the firewall in a partially-updated state. The machine is always either running the old ruleset or the new one. There is no window where it’s running neither.
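The delta check and atomic swap described above, sketched as an added example (not the author's enterprise_shield.sh). The set names, the 10% threshold and the role of the state file come from the post; the function names, the set options and the `IPSET_CMD` override are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: refuse a shrunken blocklist,
# otherwise load it into a temp set and swap it in atomically.

LIVE_SET="blocked_asns"
TEMP_SET="blocked_asns-temp"
SET_OPTS="hash:net family inet maxelem 1000000"   # assumption: sized above the list
IPSET_CMD="${IPSET_CMD:-ipset}"                   # assumption: override hook for dry runs

# Succeeds when NEW may replace PREV. A drop of more than MAX_DROP_PCT
# percent is refused; PREV of 0 means first run, nothing to compare with.
delta_ok() {
    local new="$1" prev="$2" max_drop_pct="${3:-10}"
    [ "$prev" -gt 0 ] || return 0
    [ $(( new * 100 )) -ge $(( prev * (100 - max_drop_pct) )) ]
}

# Writes an `ipset restore` payload: make sure both sets exist, empty the
# temp set (stale entries from a partial run must not survive), fill it.
build_restore_file() {
    local cidr_file="$1" out="$2"
    {
        printf 'create %s %s\n' "$LIVE_SET" "$SET_OPTS"
        printf 'create %s %s\n' "$TEMP_SET" "$SET_OPTS"
        printf 'flush %s\n' "$TEMP_SET"
        sed -e '/^[[:space:]]*$/d' -e "s|^|add $TEMP_SET |" "$cidr_file"
    } > "$out"
}

# commit_ruleset CIDR_FILE STATE_FILE ALERT_LOG
# CIDR_FILE holds one already-validated CIDR per line. Returns 0 only when
# the new ruleset is live and its entry count has been recorded.
commit_ruleset() {
    local cidr_file="$1" state_file="$2" alert_log="$3"
    local new prev=0 payload
    new=$(grep -c '[^[:space:]]' "$cidr_file" || true)
    if [ -r "$state_file" ]; then prev=$(cat "$state_file"); fi
    case "$prev" in ''|*[!0-9]*) prev=0 ;; esac

    if ! delta_ok "$new" "$prev"; then
        printf '%s ABORT: %s entries, last run had %s; live set left untouched\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$new" "$prev" >> "$alert_log"
        return 1
    fi

    payload=$(mktemp) || return 1
    build_restore_file "$cidr_file" "$payload"
    # The live set is only touched by the swap, after the temp set is complete.
    if "$IPSET_CMD" restore -exist < "$payload" &&
       "$IPSET_CMD" swap "$TEMP_SET" "$LIVE_SET"; then
        "$IPSET_CMD" destroy "$TEMP_SET"      # now holds the previous ruleset
        printf '%s\n' "$new" > "$state_file"
        rm -f "$payload"
        return 0
    fi
    rm -f "$payload"
    return 1
}
```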


    Phase 4: Surviving Reboots

    This is where the project surfaced its most interesting architectural gap.

    The ipset kernel module stores its data entirely in memory. Every reboot wipes it. The script saves a snapshot to /etc/ipset.conf after each run, but nothing was loading that snapshot back on boot. The result: after every reboot, the machine came up with an empty blocked_asns set. UFW loaded its rules, including the DROP rule that referenced blocked_asns — but the set it referenced didn’t exist. Traffic flowed freely until 2AM when the cron job fired.

    The fix required two systemd services with precise ordering:

    shield-ipset-restore.service   (Before ufw.service)
        └── ufw.service
              └── shield-iptables-restore.service  (After ufw.service)

    The ipset service runs before UFW and loads the saved set. The iptables service runs after UFW and rebuilds the custom SHIELD-LOGIC iptables chain using iptables-restore --noflush, which merges the saved rules into UFW’s ruleset without disturbing UFW’s own chains.

    Both services include first-boot guards: if their respective state files don’t exist yet (fresh install before the first cron run), they exit cleanly rather than failing and potentially delaying UFW startup.

    After the first reboot with both services running, verification was clean:

    Active: active (exited)   ← correct for a oneshot service
    status=0/SUCCESS
    shield-ipset-restore: blocklist restored from /etc/ipset.conf

    Phase 5: The Operational Tooling

    A blocking system is only as useful as its ability to respond to threats that aren’t in the scheduled blocklist. The companion tool — block_asn.sh — evolved through five versions across the session.

    The original script had several problems: it saved to the wrong path (meaning penalty box entries vanished on reboot), it validated IP addresses with a pattern that accepted octets above 255, and it made one kernel call per route which was painfully slow for large ASNs.

    The rewrite introduced two distinct modes:

    Penalty box — adds ASN routes directly to the live ipset. No file writes. Effective immediately. Cleared automatically on the next 2AM cron run when the ipset is rebuilt from scratch.

    Permanent — does everything the penalty box does, plus appends the ASN to /etc/blocklist_asns.txt with a timestamp and an operator-supplied reason note. Persists forever.

    Later, a third mode was added: --cidr accepts a single IP range for penalty box injection. CIDRs are never written to the permanent blocklist by design — they’re too specific and ephemeral for a long-term list.

    The most important optimisation was replacing the per-route injection loop with a single ipset restore call. For a 500-route ASN, the old approach was 500 process forks and 500 kernel netlink calls. The new approach is one of each. The practical difference is roughly 5 seconds versus 50 milliseconds.

    A before/after entry count snapshot provides transparent reporting on every injection — you know exactly how many routes were genuinely new versus already present.
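
    A sketch of the two fixes described in this phase, strict CIDR validation and a single batched restore call, as an added example rather than the author's block_asn.sh. The function names are assumptions, as are the choices to reject leading-zero octets and to count entries with ipset save.

```shell
#!/bin/sh
# Added example, not the author's block_asn.sh. Function names are hypothetical;
# blocked_asns is the set name from the post. Test input is constructed.

SET_NAME=blocked_asns

# valid_cidr A.B.C.D/P: true only for four octets 0-255 and a prefix 0-32.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1##*/}
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac  # leading zero or too long
        [ "$octet" -le 255 ] || return 1            # range check a digits-only pattern cannot do
    done
    return 0
}

# build_restore: CIDRs on stdin -> one "add" line each on stdout, ready for a
# single ipset restore call. Invalid input is reported on stderr and skipped.
build_restore() {
    while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        if valid_cidr "$cidr"; then
            printf 'add %s %s\n' "$SET_NAME" "$cidr"
        else
            printf 'skipped invalid CIDR: %s\n' "$cidr" >&2
        fi
    done
}

# entry_count: number of members currently in the live set (needs root).
entry_count() { ipset save "$SET_NAME" | awk '/^add /{n++} END{print n+0}'; }

# inject: penalty-box injection of routes on stdin, with before/after report.
inject() {
    before=$(entry_count)
    build_restore | ipset restore -exist || return 1   # one fork, one batch
    after=$(entry_count)
    echo "genuinely new routes: $((after - before))"
}
```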


    The Bug That Was Hiding Everywhere

    Late in the project, a test with CIDR 186.179.0.0/18 failed validation with “Invalid CIDR.” Tracing through the normalisation pipeline revealed a bug that had been quietly corrupting data all along.

    The perl zero-stripping substitution s/(^|\.)0+\./$1./g was intended to fix malformed octets like 023.23. from RADB output. Instead, it matched any zero octet followed by a dot — including valid ones. 103.0.0.0/24 became 103..0.0/24. 5.0.0.0/8 became 5..0.0/8. Both silently failed validation and were dropped.

    Every network with a zero in a non-terminal octet position — and there are many — had been invisible to the blocklist since the normalisation code was written.

    The fix changes 0+ to 0+([0-9]), requiring the match to include at least one additional digit after the leading zeros. Lone zeros are left alone. The fix was applied to both enterprise_shield.sh and block_asn.sh.

    # Before (broken)
    perl -pe 's/(^|\.)0+\./$1./g'
    
    # After (correct)
    perl -pe 's/(^|\.)0+([0-9])\./$1$2./g'
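
    Running the two substitutions over constructed sample CIDRs (plus the 186.179.0.0/18 case from the post) shows what each one rewrites. This is an added example, not the author's code: it uses sed -E with the same patterns instead of perl, and strip_hardened is a hypothetical stricter variant that goes beyond the post's fix by also covering multi-digit octets such as 023, adjacent octets, and the final octet.

```shell
#!/bin/sh
# Added example, not the author's script. The first two patterns are the ones
# quoted in the post, run through sed -E instead of perl; strip_hardened is a
# hypothetical stricter variant. Sample CIDRs are constructed.

strip_before() { printf '%s\n' "$1" | sed -E 's/(^|\.)0+\./\1./g'; }
strip_after()  { printf '%s\n' "$1" | sed -E 's/(^|\.)0+([0-9])\./\1\2./g'; }

# Hardened: drop leading zeros only when another digit follows, and do not
# consume the trailing dot, so adjacent octets and the last octet are covered.
strip_hardened() { printf '%s\n' "$1" | sed -E 's/(^|\.)0+([0-9])/\1\2/g'; }

# compare: print one row per sample showing the output of all three patterns.
compare() {
    printf '%-16s %-16s %-16s %s\n' input before after hardened
    for cidr in 186.179.0.0/18 103.0.0.0/24 5.0.0.0/8 10.02.0.0/16 \
                023.23.0.0/16 1.02.03.0/24 1.2.3.04/32; do
        printf '%-16s %-16s %-16s %s\n' "$cidr" "$(strip_before "$cidr")" \
            "$(strip_after "$cidr")" "$(strip_hardened "$cidr")"
    done
}

compare
```

    The second pattern stops the corruption of zero octets but leaves 023.23.0.0/16 and the 03 in 1.02.03.0/24 untouched, so input of that shape still depends on the validator to reject it.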

    Results

    At the end of the session, the system was running with:

    • 343,966 blocked IP ranges loaded in the live ipset, consuming approximately 9.8MB of kernel memory
    • Boot-persistent protection — full blocklist restored within 3 seconds of kernel start, before UFW processes its first rule
    • Nightly automated updates at 2AM with delta checking, atomic swaps, and structured logging
    • On-demand injection for immediate response via block_asn.sh
    • Full documentation covering installation, operation, monitoring, and uninstall

    The final cron run after all fixes produced:

    [INFO ] --- Run complete: status=SUCCESS entries=343966 elapsed=76s ---

    76 seconds. On an 18-year-old machine. For a complete rebuild of a 344,000-entry firewall blocklist from live external data sources.


    What Made It Work

    Looking back across the session, a few principles drove the outcomes:

    Fix correctness before optimising. The original script had bugs that would have made any performance work meaningless. Getting it right first meant the parallel version had a solid foundation to build on.

    Understand the failure modes of your tools. export -f failing silently. RADB returning empty responses instead of errors when rate-limited. ipset restore erroring on an existing set without -exist. None of these produced clear error messages. Each required understanding what the tool was supposed to do versus what it actually did under pressure.

    Instrument everything. The structured logging, delta checks, and before/after entry counts weren’t cosmetic additions. They were what allowed us to diagnose the shrinking entry count issue (thread pressure), the double-logging issue (cron redirect + direct file append), and the missing public IP (lookup happening during UFW teardown).

    Respect the hardware. Reducing threads from 8 to 4, using bash builtins instead of forking date on every log line, sorting in RAM with a 1GB buffer — these decisions were driven by understanding that a Core 2 Duo is not a cloud VM. It has constraints. Working within them produced a faster, more stable result than ignoring them.


    The Machine

    The 2008 MacBook 13” aluminum is not a recommended platform for production server workloads. It draws more power than a modern ARM server, runs warmer, and has a shorter remaining hardware lifespan than purpose-built server equipment.

    It’s also, as of this writing, blocking nearly 344,000 hostile IP ranges, rebuilding its blocklist every night, surviving reboots gracefully, and responding to threats on demand in under a second.

    Sometimes the best server is the one you already have.

  • The overuse of no-store in Cache-Control Headers

    Many of the sites that I work with have this habit of using a browser Cache-Control header without fully understanding what it means:

    cache-control: max-age=0, no-cache, no-store, private

    Everything in that header is moot once no-store is added, as Cache-Control rules always default to the most restrictive directive in the list. So the effective set of caching rules defined by that group of directives equals:

    cache-control: no-store

    Now, the issue comes when the visitor refreshes the page. They do not get the opportunity to REVALIDATE the content, as the browser has been told to completely block the content from being stored anywhere.

    If the goal is to actually force a visitor to REVALIDATE the content on every page view, then use this instead:

    cache-control: max-age=0, no-cache, private

    While this set of directives would seemingly prevent any caching, its actual objective is to force the browser to treat the content as stale and send a conditional If-Modified-Since request (including any relevant ETag information) to the server to confirm whether the copy it has stored in a transitory state is still valid.

    Performing a REVALIDATE rather than a full load reduces the amount of data transferred between client and server, which can improve performance and reduce CDN costs, especially at scale.