Hi,

On Fri, Aug 02, 2024 at 01:24:39PM +0200, Daniel Suchy via db-wg wrote:
> On 5/15/24 1:28 PM, Edward Shryane via db-wg wrote:
> > But of course you could also switch IP address and continue to query, it's difficult to prevent this if the queries are anonymous. We account by /32 prefix for an IPv4 address and by /64 prefix for an IPv6 address.
>
> I think this is a bad approach. Why on IPv4 do you block only a single host, but on IPv6 a whole subnet?
> The argument that the source address can be changed is equally valid for IPv4 and IPv6.

Not really. Do the math. In v4, even if you change your IP, the amount of addresses a single bad actor has available is always small - while in v6, inside a single /64 subnet, the number of addresses is obviously vastly beyond what you can store in a blocklist.

OTOH it would make sense to follow a staged approach here - for the first hit, block the /128, and if there are more than <threshold> hits in a /64, block the whole /64. This would cover "single host errors" while at the same time protecting the RIPE DB from intentional abuse.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG
Vorstand: Sebastian v. Bomhard, Ingo Lalla, Karin Schuler, Sebastian Cler
Aufsichtsratsvors.: A. Grundner-Culemann
Joseph-Dollinger-Bogen 14, D-80807 Muenchen
HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444
USt-IdNr.: DE813185279
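
The staged approach proposed in the message above, as an added sketch that is not part of the original e-mail and is not RIPE NCC's implementation. The class name, method names and the reading of a "hit" as one distinct offending /128 are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


class StagedBlocklist:
    """Hypothetical staged blocker: /32 for IPv4, /128 first and then /64 for IPv6."""

    def __init__(self, threshold):
        self.threshold = threshold        # the <threshold> from the message
        self.hosts = set()                # individually blocked addresses
        self.nets64 = set()               # /64 prefixes blocked as a whole
        self.by_net = defaultdict(set)    # /64 -> blocked /128s inside it

    @staticmethod
    def _net64(addr):
        # strict=False masks the host bits, giving the enclosing /64.
        return ipaddress.IPv6Network((addr, 64), strict=False)

    def report(self, text):
        """Record one offending source address; return the prefix now blocked."""
        addr = ipaddress.ip_address(text)
        if addr.version == 4:
            self.hosts.add(addr)
            return f"{addr}/32"
        net = self._net64(addr)
        if net in self.nets64:
            return str(net)
        self.hosts.add(addr)
        self.by_net[net].add(addr)
        if len(self.by_net[net]) > self.threshold:
            # More than <threshold> hits in this /64: replace the per-host
            # entries with one prefix entry, which keeps the list bounded.
            self.hosts -= self.by_net.pop(net)
            self.nets64.add(net)
            return str(net)
        return f"{addr}/128"

    def is_blocked(self, text):
        addr = ipaddress.ip_address(text)
        if addr in self.hosts:
            return True
        return addr.version == 6 and self._net64(addr) in self.nets64
```

With this structure a /64 never holds more than threshold + 1 host entries before it collapses into a single prefix entry, so the blocklist size does not grow with the number of addresses available inside the subnet.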