Why don't ISPs block IP addresses that are known bots?

Within hours of setting up my website, I started getting requests from bots trying to find WordPress vulnerabilities. And they continue to this day.

It seems pretty obvious that these are malicious actors and not just search engine crawlers.

Because most of the bots out there come from compromised personal devices like smart thermostats and random hacked servers.

They don’t typically come from a known, well-defined IP space, that’d ruin their usefulness.

@Zion
And to double down, IPs can be shared.

IPv4 has run out and some ISPs (especially in some countries) need to give the same IP to multiple users.

For servers, you can share a server with multiple users.

So at that point, just block the internet, it will be faster! /S

@Ash
That’s like when Austria tried to block 14 pirate websites, but accidentally blocked a quarter of the web because they targeted Cloudflare’s IP addresses.
The unintended consequences of blocking IP addresses

@Ash
You can share a server with multiple users but I don’t know of any reputable host that will give two users the same IP address. That would make hosting something like a website impossible.

Vitt said:
@Ash
You can share a server with multiple users but I don’t know of any reputable host that will give two users the same IP address. That would make hosting something like a website impossible.

That’s what shared hosting is—multiple (small) websites from different companies on the same IP address is common enough. Typically the HTTP requests use SNI to specify what host they want to talk to.
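Added illustration of the SNI mechanism mentioned in the reply above (this is example code written for this page, not something posted in the thread). A front end on a shared IP reads the `server_name` extension from the TLS ClientHello and only then knows which tenant's site the connection is for, which is exactly why a single IP tells you nothing about which site, or which customer, you are looking at. The ClientHello builder, the tenant table (`shop.example`, `blog.example`) and the routing strings are all constructed for the example; the byte layout follows the TLS 1.2 ClientHello and the `server_name` extension format.

```python
import struct

# Constructed tenant table: which customer's site each hostname belongs to.
SITES = {"shop.example": "tenant-A", "blog.example": "tenant-B"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Constructed test input for the parser below; it is not a complete handshake.
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # An unrelated, empty extension placed first so the parser has to walk the list.
    other_ext = struct.pack("!HH", 0x0017, 0)                    # extended_master_secret
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x00" * 32                                # random (constructed zeros)
        + b"\x00"                                     # session_id length: 0
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Every length field is bounds-checked so a truncated or garbage record yields None
    instead of an exception.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type == 0x0000 and len(data) >= 5:
            # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name) entries
            lp = 2
            while lp + 3 <= len(data):
                ntype = data[lp]
                nlen = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                lp += 3
                if ntype == 0:
                    try:
                        return data[lp:lp + nlen].decode("ascii")
                    except UnicodeDecodeError:
                        return None
                lp += nlen
    return None


def route(record: bytes) -> str:
    """Decide which tenant a connection on the shared IP belongs to, by SNI alone."""
    name = extract_sni(record)
    if name is None:
        return "reject: no SNI"
    return SITES.get(name.lower(), "reject: unknown host")


if __name__ == "__main__":
    for host in ("shop.example", "blog.example", "nobody.example"):
        print(host, "->", route(build_client_hello(host)))
```

The point for the thread: the IP is identical for every line of that output; only the name inside the handshake separates tenants, so an IP-level block takes all of them down together.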

Vitt said:
@Ash
You can share a server with multiple users but I don’t know of any reputable host that will give two users the same IP address. That would make hosting something like a website impossible.

Wait until you learn about CGNAT.

Vitt said:
@Ash
You can share a server with multiple users but I don’t know of any reputable host that will give two users the same IP address. That would make hosting something like a website impossible.

They mean most hosts ‘recycle’ IP numbers from one user to another.

Example: you buy a VPS with its IP and you host some websites for a year. Then one day you don’t pay anymore, the VPS shuts down and its associated IP is now ‘free’ to be used by another client.

This is why sometimes you buy a fresh VPS with its own IP and you notice it’s already blacklisted, despite being brand new.

Vitt said:
@Ash
You can share a server with multiple users but I don’t know of any reputable host that will give two users the same IP address. That would make hosting something like a website impossible.

There’s a reason why most websites don’t use IP addresses for moderation. You can’t confirm that it’s a specific individual or device. You can just tell that a device or a person has used that IP address at some point.

That could be a compromised device, or a bad actor, or a VPN or any number of sources. There just is no good way to confirm a specific device with the way the internet was created. That has its benefits but also its downsides.

Vitt said:
@Ash
You can share a server with multiple users but I don’t know of any reputable host that will give two users the same IP address. That would make hosting something like a website impossible.

Cloudflare, Netlify, Vercel, Squarespace, Shopify…

@Harley
I didn’t know that using web hosting platforms is considered the same as renting a VPS. Clearly my message didn’t have enough context attached to it.

Vitt said:
@Harley
I didn’t know that using web hosting platforms is considered the same as renting a VPS. Clearly my message didn’t have enough context attached to it.

Plenty don’t offer a unique IPv4 without extra charge.

@Zion
If you use a free VPN you’re letting someone sell your device as a proxy.

@Zion
That’s actually not true.

Most (about 75%) of the hacking attacks I see on my bank of servers come from well-known VPS hosting companies like Hetzner and OVS. The rest are from other, lesser-known hosting companies, and then maybe 1-5% are from local/mobile ISPs.

@Ainsley
There are both white-hat and black-hat residential IP botnets you can rent by the hour. The product sites at my work get slammed all the time by them - far more than any other source.

@Ainsley
Those will be the ‘random hacked servers’ I mentioned.

Zion said:
@Ainsley
Those will be the ‘random hacked servers’ I mentioned.

They’re not necessarily ‘random hacked servers’, though. There’s no way to make that distinction.

And they certainly don’t mostly come from ‘compromised personal devices.’ You put that one first, for some reason, which just makes it seem more important for people casually reading through. But, it’s incorrect.

You also said ‘They don’t typically come from a known, well-defined IP space’ but, in fact, most of them DO come from a known, well-defined IP space.

@Ainsley
By the way, if you’re curious about how UfoNet utilises the sites, it finds websites using dorks & looks for known vulnerable parameters & bruteforces them to find websites to temporarily add into a ‘botnet’, this botnet is just temporary. And then it sends the same command through the link to each site at once, similar to how LFI works, but instead it does a [cmd] ping of sorts, which is essentially to flood the IP address. All in conjunction with each other.

@Ainsley
Whilst correct that most do come from a known, well-defined IP space, he is also correct in proposing that a whole lot of them are from compromised devices and randomly hacked servers. Look at UfoNet for instance… Very old ‘botnet’ tool which scrapes the web for hosted sites vulnerable to attack, accumulates them & allows you to hit an IP or server with them. Now, not saying I’ve personally done this, but think about 0days. Depending on the threat actor, most 0days can go undiscovered for a long time. In this time, they typically automate it against a large amount of servers. Or even backdooring people in some way, right. A lot of these infected machines get used to scrape the web looking for servers vulnerable to the 0day in question, oftentimes not even a 0day since a lot of sites out there aren’t updated correctly and there are a bunch of CVEs to choose from, and this operates almost like a worm, to find & infect more servers, thusly accumulating a larger ‘botnet’. This applies of course for WordPress RCEs too, SQLI, HTMLI; there are hundreds upon thousands of different applications to why exactly a threat actor would do this, what exactly they are trying to achieve.

@Ainsley

They’re not necessarily ‘random hacked servers’, though. There’s no way to make that distinction.

Either hacked servers or people running servers on stolen credit cards. No one is legitimately buying servers from AWS to run malware.

And they certainly don’t mostly come from ‘compromised personal devices.’

Bullshit. https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/

You also said ‘They don’t typically come from a known, well-defined IP space’

Meaning there’s no ‘this is bot-world’ IP space. ISPs can’t go ‘lots of hacked EC2 servers, block the IP range’ or half the internet goes down.
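Added example, not from any poster in the thread, of what the last two points look like in practice on the defending side: a small triage script over web-server access logs that counts WordPress-style probe requests per source IP, but refuses to put an IP straight on a block list when it falls in a range known to be shared (the CGNAT shared address space 100.64.0.0/10 from RFC 6598, plus a placeholder range standing in for a CDN or shared-hosting edge). Shared sources get rate limiting instead, which is the usual compromise when one address may be many users. The log lines, the threshold, the probe-path list and the placeholder CDN range (203.0.113.0/24, a documentation network) are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Ranges where one IP is known to stand for many users or many sites.
# 100.64.0.0/10 is the RFC 6598 shared address space used for CGNAT;
# 203.0.113.0/24 is a documentation range used here as a placeholder CDN/shared-host edge.
SHARED_RANGES = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "203.0.113.0/24")]

# Paths that are almost always scanner noise on a site that doesn't serve them.
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/", "/.env")

# Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample log (documentation/test IP ranges only).
SAMPLE_LOG = """
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin/install.php HTTP/1.1" 404 153
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 404 153
100.70.1.9 - - [10/Oct/2023:14:01:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
100.70.1.9 - - [10/Oct/2023:14:01:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
100.70.1.9 - - [10/Oct/2023:14:01:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.50 - - [10/Oct/2023:14:10:00 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.50 - - [10/Oct/2023:14:10:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.50 - - [10/Oct/2023:14:10:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153
192.0.2.4 - - [10/Oct/2023:14:12:00 +0000] "GET / HTTP/1.1" 200 5120
this line is not a log entry at all
""".strip().splitlines()


def parse_line(line: str):
    """Return (ip, path, status) for a Common Log Format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m.groups()
    return ip, path, int(status)


def is_shared(ip: str) -> bool:
    """True if the address lies in a range known to be shared by many users/sites."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SHARED_RANGES)


def triage(lines, threshold: int = 3) -> dict:
    """Count probe requests per IP and split offenders into 'block' and 'rate_limit'.

    An IP at or above the threshold is a block candidate unless it is in a shared
    range, in which case blocking would hit bystanders and rate limiting is preferred.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than crash
        ip, path, _status = parsed
        if any(path.startswith(p) for p in PROBE_PATHS):
            counts[ip] += 1
    block, rate_limit = [], []
    for ip, n in counts.items():
        if n < threshold:
            continue
        (rate_limit if is_shared(ip) else block).append(ip)
    return {"block": sorted(block), "rate_limit": sorted(rate_limit), "counts": dict(counts)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("block:", result["block"])
    print("rate_limit:", result["rate_limit"])
    print("probe counts:", result["counts"])
```

Two of the three noisy sources here never reach the block list: 100.70.1.9 sits in CGNAT space, so the same address may be hundreds of subscribers, and 203.0.113.50 stands in for an edge that fronts many unrelated sites. A real deployment would feed the shared-range list from the CDN and cloud providers' published prefix lists rather than a hard-coded pair.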