Blocking ASNs with Nginx for Site Traffic Control
Founder 'lim' detailed a technical playbook for blocking unwanted traffic by Autonomous System Number. This method uses Nginx, shell scripts, and public data sources to manage site access and mitigate abuse.
Unwanted bot traffic and abuse attempts consume server resources and distort analytics. Founder 'lim', operating as Dracos, published a detailed technical playbook for blocking entire Autonomous System Numbers (ASNs) from accessing web properties. This approach leverages Nginx's geo module and a series of shell scripts to dynamically manage IP blacklists.
The system, outlined on dracos.co.uk, provides a granular method for site owners to control inbound connections, moving beyond individual IP blocks to broader network ranges. It offers a repeatable process for identifying problematic ASNs and integrating their associated IP ranges directly into web server configurations.
Identifying Unwanted Traffic
The initial step is identifying the source of undesirable traffic. 'lim' describes using standard server logs to pinpoint suspicious IP addresses. Once an IP is flagged, tools like whois (or dig against a DNS-based IP-to-ASN lookup service) are used to determine which autonomous system announces it; a whois lookup on an address returns its originating ASN, presented as AS followed by the number. One check is worth making at this step: a plain RIR whois record describes the allocation holder, which for leased or delegated space may not be the network that actually announces the prefix, so a lookup that reports the origin ASN from routing data is the more reliable pointer to the actor's network. The founder states that this manual identification is crucial for targeting specific bad actors rather than broad geographic blocks.
Automated IP Range Retrieval
After identifying a target ASN, the next phase programmatically fetches all IP ranges (CIDR blocks) associated with it. 'lim' provides a get_asn_ips.sh shell script for this purpose. The script queries the RADB Internet Routing Registry (whois.radb.net) for the route and route6 objects whose origin is the specified ASN, which yields its registered IPv4 and IPv6 prefixes as a list of CIDR blocks formatted for direct use in Nginx configuration files. Re-running the script picks up changes to the ASN's registered ranges, with one caveat a practitioner should keep in mind: IRR objects are registered by network operators themselves, so the list reflects what is on record at query time, which can include prefixes that are no longer announced and can miss prefixes registered only in another registry.
Nginx Geo-Blocking Implementation
The retrieved IP ranges are then integrated into Nginx through the geo module. The get_asn_ips.sh script generates an Nginx configuration snippet that defines a geo block, placed at the http level, which maps the connecting client address to a variable, for example $is_blocked. If the client's IP falls within one of the blocked CIDR ranges, $is_blocked is set to 1; otherwise it takes the default of 0. A server or location block then tests the variable and denies matching requests, typically with a 403 Forbidden status. Two details matter in practice: the mapping is made on the TCP peer address, so when Nginx sits behind a load balancer or CDN the geo block needs the proxy directive (listing the trusted proxy addresses) for the real client address to be evaluated; and the generated file should pass nginx -t before a reload, since Nginx refuses a reload (or fails to start) on a malformed entry, and a failed whois query can easily produce one. The founder reports that this method allows for efficient, server-level blocking without relying on application-layer logic.
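The three steps above, as an added worked example that is not lim's get_asn_ips.sh or any code from dracos.co.uk: a small POSIX shell script with one function per step. The ASN (AS64496) and the prefixes are taken from the IETF documentation ranges, and the whois and RADB outputs are constructed samples embedded in the script so that it runs offline. The Team Cymru IP-to-ASN whois service (whois.cymru.com) and the RADB `-i origin` inverse query are the real interfaces a live run would use; rebuild_blocklist_live shows that pipeline but is not exercised here.

```sh
#!/bin/sh
# Added example (not lim's get_asn_ips.sh): the playbook's steps as shell functions.
# Sample data is constructed from documentation ranges (AS64496, 192.0.2.0/24,
# 198.51.100.0/24, 2001:db8::/32) so the script runs offline; the live pipeline is at the end.
LC_ALL=C
export LC_ALL

# Constructed stand-in for `whois -h whois.cymru.com " -v 192.0.2.1"` (Team Cymru IP-to-ASN lookup).
SAMPLE_CYMRU_OUTPUT='AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.1        | 192.0.2.0/24        | XX | example  | 2001-01-01 | EXAMPLE-AS, XX
'

# Constructed stand-in for `whois -h whois.radb.net -- "-i origin AS64496"`: route/route6 objects.
# The repeated 198.51.100.0/24 object mimics a prefix registered in more than one IRR that RADB mirrors.
SAMPLE_RADB_OUTPUT='route:          192.0.2.0/24
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
origin:         AS64496
source:         RIPE

route6:         2001:db8::/32
origin:         AS64496
source:         RADB
'

# Step 1: origin ASN of an IP, from the verbose Cymru table on stdin (first data row).
asn_from_cymru() {
  awk -F'|' 'NR > 1 { gsub(/[ \t]/, "", $1); if ($1 ~ /^[0-9]+$/) { print "AS" $1; exit } }'
}

# Only let well-formed IPv4/IPv6 CIDRs into the generated config: a whois error message or a
# malformed object must never end up as an Nginx directive.
is_cidr() {
  printf '%s\n' "$1" | grep -Eq \
    '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$|^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# Step 2: every route:/route6: prefix in the IRR objects on stdin, validated, deduplicated, sorted.
radb_prefixes() {
  awk '$1 == "route:" || $1 == "route6:" { print $2 }' \
    | while IFS= read -r p; do
        if is_cidr "$p"; then printf '%s\n' "$p"; else printf 'skipping non-CIDR value: %s\n' "$p" >&2; fi
      done \
    | sort -u
}

# Step 3: render prefixes (stdin) as an Nginx geo map; $1 is the variable name, default $is_blocked.
prefixes_to_geo() {
  var="${1:-is_blocked}"
  printf 'geo $%s {\n    default 0;\n' "$var"
  # Behind a reverse proxy or CDN every connection arrives from the proxy's address, so the map
  # would never match the real client. Declare the trusted proxies so geo evaluates X-Forwarded-For:
  #   printf '    proxy 203.0.113.0/24;\n    proxy_recursive;\n'
  while IFS= read -r prefix; do
    if [ -n "$prefix" ]; then printf '    %s 1;\n' "$prefix"; fi
  done
  printf '}\n'
}

# Step 4: the enforcement snippet for the protected server{} or location{} block.
geo_enforce_snippet() {
  printf 'if ($%s) {\n    return 403;\n}\n' "${1:-is_blocked}"
}

# Live regeneration (needs network, Nginx and root; not exercised here): write the map, test the
# whole config, and only reload if it passes, restoring the previous map otherwise.
rebuild_blocklist_live() {
  asn="$1"; out="${2:-/etc/nginx/conf.d/asn_blocklist.conf}"
  [ -f "$out" ] && cp "$out" "$out.bak"
  whois -h whois.radb.net -- "-i origin $asn" | radb_prefixes | prefixes_to_geo > "$out"
  if nginx -t; then
    nginx -s reload
  else
    [ -f "$out.bak" ] && mv "$out.bak" "$out"
    echo "nginx rejected the new map; previous blocklist restored" >&2
    return 1
  fi
}

# Offline demonstration on the constructed samples.
demo() {
  asn="$(printf '%s' "$SAMPLE_CYMRU_OUTPUT" | asn_from_cymru)"
  echo "# prefixes for $asn"
  printf '%s' "$SAMPLE_RADB_OUTPUT" | radb_prefixes | prefixes_to_geo
  geo_enforce_snippet
}
demo
```

Running the script prints a geo block with three entries (the duplicated 198.51.100.0/24 object collapses to one line) followed by the 403 snippet. The design choices worth copying into a real get_asn_ips.sh are the CIDR validation before anything is written, the sort -u across objects from mirrored registries, the commented proxy directive for deployments behind a CDN, and the nginx -t gate with rollback in rebuild_blocklist_live.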
What We'd Change
While 'lim's playbook offers a functional, direct approach to ASN blocking, its manual and script-heavy nature introduces several considerations for modern deployments. The reliance on whois queries and shell scripts for IP range retrieval can become a maintenance burden as the number of blocked ASNs grows or as IP allocations change frequently. This system requires consistent monitoring and manual intervention to ensure the blacklists remain accurate and current.
Blocking entire ASNs carries a risk of false positives, potentially denying access to legitimate users who share an ASN with malicious actors. This is particularly relevant for large internet service providers or cloud hosting ASNs. A more sophisticated system would incorporate real-time threat intelligence feeds or behavioral analysis, or fall back to rate limiting or a challenge rather than a flat 403 for ASNs shared by many legitimate users, to minimize collateral damage. For many founders, the operational overhead of managing these scripts and monitoring for false positives may outweigh the benefits compared to commercial Web Application Firewalls (WAFs) or CDN-level security services that offer managed threat intelligence and more nuanced blocking rules.
Landing
This playbook offers a direct, server-level approach to traffic management for founders with specific abuse vectors. While effective for targeted issues, its manual overhead and potential for collateral blocking necessitate careful implementation and ongoing monitoring. For those prioritizing direct control over third-party services, this method provides a robust foundation for custom traffic filtering.
The investor read
The detailed technical solution for ASN blocking highlights a common pattern among bootstrapped founders: building bespoke infrastructure to manage costs and maintain granular control over their stack. While commercial Web Application Firewalls (WAFs) and CDN-level security services (e.g., Cloudflare, AWS WAF) offer managed solutions, this approach demonstrates a preference for direct server-side control and cost avoidance. For investors, this signals a market segment where founders are willing to invest engineering time in self-hosting security rather than paying for SaaS, indicating either high price sensitivity or specific, unaddressed needs within existing offerings.