forked from brianhama/bad-asn-list
Showing 1 changed file with 24 additions and 0 deletions.
@@ -1,2 +1,26 @@ | ||
# bad-asn-list | ||
An open source list of ASNs known to belong to cloud, managed hosting, and colo facilities. | ||
|
||
## The Problem | ||
|
||
This list came after spending far too long searching for a good way to keep automated bots, spammers, and scammers off the social network I created, Nearby. I found that after we hit a certain size (around 500K monthly active users), the flood of these bad actors became entirely unmanagable. I tried countless detection methods, but most of them resulted in too many missed and/or false positives. | ||
|
||
I tried offloading the account creation process to depend on the user having a Facebook profile, thinking that would solve the problem. It didn't help at all. Next I tried Google sign-in, but it also was entirely ineffective. I eventually tried to outsource the problem to a company called MaxMind. Their API actually worked very well, but it was prohibitively expensive for our purposes. | ||
|
||
## The Solution | ||
|
||
I continued to deepen my understanding of the bad traffic and I eventually realized that almost all the bad traffic was coming from hosting/colo facilities and cloud service providers. Even traffic coming from VPNs was originating from a hosting facility where the VPN provider was located. I built a list of ASNs which belong to known hosting/colo/cloud providers. Whenever a new account was being created, I looked-up the ASN that owns the IP address. I then checked if that ASN was included in the list I had created and if so, prevented the account from being created. | ||
|
||
You might think that this would block a lot of good traffic, but from all of my tests, that doesn't appear to be the case at all. Furthermore, the problem was about 90% solved. Almost all the bad traffic vanished. | ||
|
||
I've been testing out this solution for a few months now and it's been going amazingly well. I know that I am not the only person who has faced this problem, so I decided to open-source my list. Feel free to submit pull requests if you have any updates to the list you'd like to share. | ||
|
||
## Implementation | ||
|
||
1. Load this list into a database or in-memory. | ||
2. When a request comes in, determine the ASN for the request's ip address. There are a number of ways to do this. For example, MaxMind offers a free database that maps IP address to ASN: http://dev.maxmind.com/geoip/geoip2/geolite2/ | ||
3. Check if the IP address' ASN is included in the list from step 1. If so, block the request, increase fraud score, etc. | ||
|
||
Hopefully this will help save someone from wasting as many hours I have trying to solve this problem! | ||
|
||
Brian Hamachek ([email protected]) |
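Review bot: the Implementation section (steps 1 to 3) never states what file holds the list or how it is formatted, so step 1, "Load this list into a database or in-memory", cannot be followed from this README alone; add a line naming the list file and its format (for example, one ASN per line, and whether entries carry an "AS" prefix) so the lookup in step 3 can be implemented without guessing. Two smaller points in the same hunk: "unmanagable" in the Problem section should be "unmanageable", and the MaxMind link should use https rather than http.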