More people have been working on blocking whole ranges of IP numbers, since that catches hosting providers that give bots access to the whole range they control. The bots switch IP numbers all the time, so a filter based on individual IP numbers won't catch them. But if we can determine their autonomous system number (ASN), for example, we can block all the IP number ranges they control.
Now, since these hosting providers also host nice things like other fediverse instances, I don't want to block them forever. I want to block them for 10 minutes, and if they continue after a few of these shorter blocks, I want to block them for a week. Hopefully, their clients have ended their Internet slurping and things are back to normal. This is how fail2ban works, but only for individual IP numbers.
I want code that bridges this gap.
This script here tries to guess (!) IP ranges and bans those using fail2ban. I need to investigate more.
https://github.com/WKnak/fail2ban-block-ip-range
I'm still fascinated by asncounter. It might even work without logfiles, using tcpdump!
https://anarc.at/blog/2025-05-30-asncounter/
There's also the problem of how deep to go into the rabbit hole. Here's somebody who calls whois to determine the networks:
https://unix.stackexchange.com/questions/181114/how-can-i-teach-fail2ban-to-detect-and-block-attacks-from-a-whole-network-block
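To make the idea above concrete, here is an added sketch (not code from this post or from any of the linked projects) of escalating bans keyed on the ASN instead of the individual IP number: 10 minutes at first, a week after a few short bans. The ASN-to-prefix table, the thresholds marked "assumed" and the names `AsnBanner` and `replay` are all made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed ASN -> prefix table (private-use ASNs, documentation ranges).
# A real deployment would fill this from routing or whois data.
ASN_PREFIXES = {64500: ["192.0.2.0/24", "198.51.100.0/24"], 64501: ["203.0.113.0/24"]}

SHORT_BAN = 10 * 60        # 10 minutes, as in the post
LONG_BAN = 7 * 24 * 3600   # one week, as in the post
MAX_HITS = 3               # assumed: hits per ASN within WINDOW that trigger a ban
WINDOW = 60                # assumed: seconds
SHORT_BANS_ALLOWED = 3     # assumed value for "a few" short bans

class AsnBanner:
    def __init__(self, asn_prefixes):
        self.nets = [(ipaddress.ip_network(p), asn)
                     for asn, prefixes in asn_prefixes.items() for p in prefixes]
        self.hits = defaultdict(list)        # asn -> recent hit timestamps
        self.short_bans = defaultdict(int)   # asn -> short bans issued so far
        self.banned_until = {}               # asn -> ban expiry time

    def asn_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((asn for net, asn in self.nets if addr in net), None)

    def observe(self, ip, now):
        """Record one offending request; return new ban length in seconds, or 0."""
        asn = self.asn_of(ip)
        if asn is None or self.banned_until.get(asn, 0) > now:
            return 0
        # Hits are counted per ASN, so rotating IP numbers does not reset the count.
        self.hits[asn] = [t for t in self.hits[asn] if now - t < WINDOW] + [now]
        if len(self.hits[asn]) < MAX_HITS:
            return 0
        self.hits[asn] = []
        if self.short_bans[asn] >= SHORT_BANS_ALLOWED:
            duration, self.short_bans[asn] = LONG_BAN, 0
        else:
            duration = SHORT_BAN
            self.short_bans[asn] += 1
        self.banned_until[asn] = now + duration
        return duration

    def banned_ranges(self, now):
        """All prefixes of currently banned ASNs, ready to hand to a firewall."""
        return sorted(str(n) for n, asn in self.nets if self.banned_until.get(asn, 0) > now)

def replay(events):
    """events: iterable of (timestamp, ip); returns (banner, [(timestamp, ban_seconds), ...])."""
    banner = AsnBanner(ASN_PREFIXES)
    return banner, [(t, d) for t, ip in events if (d := banner.observe(ip, t))]
```

Feeding it three hits from three different IP numbers in the same ASN triggers a ban even though no single IP number repeats, which is exactly the case a per-IP filter misses.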