hi,

On Fri, Aug 02, 2024 at 01:24:39PM +0200, Daniel Suchy via db-wg wrote:
> On 5/15/24 1:28 PM, Edward Shryane via db-wg wrote:
> > But of course you could also switch IP address and continue to query,
> > it's difficult to prevent this if the queries are anonymous. We account
> > by /32 prefix for an IPv4 address and by /64 prefix for an IPv6 address.
>
> I think this is bad approach. Why on IPv4 you block only single host, but on
> IPv6 whole subnet?
>
> The argument that the source address can be changed is equally valid for
> IPv4 and IPv6.

Not really. Do the math. In v4, even if you change your IP, the amount
of addresses a single bad actor has available is always small - while
in v6, inside a single /64 subnet, the number of addresses is obviously
vastly beyond what you can store in a blocklist.

OTOH it would make sense to follow a staged approach here - for the first
hit, block the /128, and if there are more than <threshold> hits in a
/64, block the whole /64.

This would cover "single host errors" while at the same time protecting
the RIPE DB from intentional abuse.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla,
Karin Schuler, Sebastian Cler
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
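The staged approach proposed in the message above, sketched as an added example (not part of the original mail and not the RIPE Database's own code). The class and method names and the threshold of 3 are assumptions, and a "hit" is taken to mean a distinct offending address inside the /64.

```python
import ipaddress
from collections import defaultdict


class StagedBlocklist:
    """Block single addresses first; escalate IPv6 to the covering /64."""

    def __init__(self, threshold=3):      # 3 is an assumed <threshold>
        self.threshold = threshold
        self.hosts = set()                # blocked /32 and /128 entries
        self.nets = set()                 # blocked IPv6 /64 networks
        self.per_net = defaultdict(set)   # /64 -> offending hosts seen in it

    @staticmethod
    def _net64(addr):
        return ipaddress.IPv6Network((addr, 64), strict=False)

    def record_violation(self, text):
        """Register a limit violation; return the prefix now blocked."""
        addr = ipaddress.ip_address(text)
        if addr.version == 4:
            self.hosts.add(addr)
            return ipaddress.ip_network(addr)
        net = self._net64(addr)
        if net in self.nets:
            return net
        self.hosts.add(addr)
        self.per_net[net].add(addr)
        if len(self.per_net[net]) > self.threshold:
            # Collapse the per-host entries into a single /64 entry so the
            # list cannot grow with every new address inside that subnet.
            self.hosts -= self.per_net.pop(net)
            self.nets.add(net)
            return net
        return ipaddress.ip_network(addr)

    def is_blocked(self, text):
        addr = ipaddress.ip_address(text)
        if addr in self.hosts:
            return True
        return addr.version == 6 and self._net64(addr) in self.nets

    def entries(self):
        return len(self.hosts) + len(self.nets)
```

With these assumptions the blocklist holds at most `threshold` host entries per /64 before they are replaced by one network entry, while a lone misbehaving host never takes its neighbours down with it.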
