Ask HN: Do You Block DigitalOcean?

There is a lot of blocking of AWS. Blocking inbound traffic to AWS would "break the internet" but outbound traffic is mostly automated systems which people don't like today -- despite the occasional desktop virtualization users.

The Internet is always gonna have undesirable traffic if you're facing it. The trick is to minimize your surfaces as much as possible:

- Only keep open ports/forward ports for applications you use, drop/block everything else.

- Use strict host-header checking for web services on port 80/443, drop anything to 403/404 that doesn't have a valid host-header for the website(s) you're hosting.

- Move SSH and other remote admin servers to use a non-standard port. (legit, find a random port number between 9000-65535)

- If it doesn't need to be public, allow-list it with iptables.

Unfortunately DO and other providers will never have 100% legit traffic, it's just the nature of the Internet's noise floor.

Hope this helps you or someone else!

IP blocking is a losing battle. Malicious actors can easily hop onto residential proxies.

Why do you care about that traffic? What exploits are you worried about? The answers will help you figure out what protection you'll need to set up.

Depending on your app, yes, you can block DO. You can probably block all of AWS and GCP as well. You can take it further and block all non-residential ASNs.

You'll block some legit traffic, but the majority of normal users will not be affected.

What is the persona of your average user? Average people shopping online? None of them are connecting through weird ASNs.

Someone complaining about a VPN being blocked? It's cost-benefit, tell them tough shit.

We block all cloud CIDRs at a financial services firm for public customer facing infra.

I've self hosted my email on DO for over 10 years on the same IP address. I am registered with Gmail so they don't block. I sometimes get blocked by major sites from whom I receive spam. I am not a fan of group punishment which is what you advocate.