Blocking tens of thousands of IP's

lists at lists at
Tue Nov 1 22:26:40 UTC 2016

  Original Message  
From: Cox, Eric S
Sent: Tuesday, November 1, 2016 8:16 AM
To: nginx at
Reply To: nginx at
Subject: Blocking tens of thousands of IP's

Is anyone aware of a difference performance-wise between using
return 403;
and
deny all;
when mapping against a list of tens of thousands of IPs?


I started a thread on blocking via nginx a while ago. I will most assuredly get the terminology wrong here, but what I noticed is that nginx reads the data from the IP and then blocks the actual processing.
The fact that you see the IP in your nginx access log indicates nginx spent some time on that request.

It is more efficient to block the IP space at the firewall.  For one thing, it keeps the access.log cleaner since the requests never show up.

I still maintain a file compatible with nginx, but have a script to convert the file to an IPFW table. 

I receive nothing but grief when I mention in forums that I block the IP space of what I consider not to be eyeballs. I just see no reason to serve AWS, OVH, etc. OVH has been documented in nation-state hacking as command and control.

I block one or two commercial sites every time I process the log. (Obviously these are sites I haven't seen before, since they are not in the ipfw table.) I flag the obvious hacking and have scripts to display all the entries or just the IPs.
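The conversion the reply describes, an nginx-compatible deny file turned into an IPFW table, as an added example. This is not the poster's script: it assumes FreeBSD 11 or later (named `ipfw` tables of type `addr`, which hold both IPv4 and IPv6 prefixes), and the table name `blocklist` and rule number `100` are placeholders. The sample deny file is constructed for the example and uses documentation address ranges only.

```python
#!/usr/bin/env python3
"""Convert an nginx-style deny list into ipfw(8) table commands.

Usage (hypothetical file name):  python3 nginx2ipfw.py deny.conf | sh
With no argument the constructed sample below is converted instead.
"""
import ipaddress
import re
import sys

# Constructed sample of the "file compatible with nginx" the post mentions:
# one "deny <ip or cidr>;" per line, so it can also be `include`d by nginx.
SAMPLE_DENY_FILE = """\
# blocklist: included from an nginx http/server block, mirrored into ipfw
deny 192.0.2.10;
deny 198.51.100.0/24;
deny 2001:db8::/32;
deny 203.0.113.7;      # trailing comment is fine
allow 127.0.0.1;       # not a deny line: ignored
deny 192.0.2.10;       # duplicate: emitted once
"""

DENY_RE = re.compile(r"^\s*deny\s+(\S+?)\s*;")


def parse_deny_file(text):
    """Return the deduplicated ip_network objects named by 'deny' lines.

    Blank lines, comments and other directives (allow, include, ...) are
    skipped. A malformed address raises ValueError so a typo in the list
    cannot silently disappear from the firewall table.
    """
    nets, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0]          # drop trailing comments
        m = DENY_RE.match(stripped)
        if not m:
            continue
        target = m.group(1)
        if target == "all":                       # catch-all, not a table entry
            continue
        try:
            # strict=False lets a bare host address become a /32 (or /128)
            net = ipaddress.ip_network(target, strict=False)
        except ValueError as e:
            raise ValueError(f"line {lineno}: bad address {target!r}: {e}") from e
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets


def to_ipfw_table_commands(nets, table="blocklist"):
    """Commands that (re)load the table; safe to run on every log pass.

    Note the flush leaves a short window with an empty table; if that matters,
    load into a second table and use `ipfw table <a> swap <b>` instead.
    """
    cmds = [
        f"ipfw table {table} create type addr 2>/dev/null || true",
        f"ipfw table {table} flush",
    ]
    cmds += [f"ipfw table {table} add {net.with_prefixlen}" for net in nets]
    return cmds


def ipfw_deny_rule(table="blocklist", rule=100):
    """The one-time rule that drops traffic from anything in the table.

    Install this once (e.g. from the firewall rc script), not on every reload,
    or `ipfw add` will keep appending duplicate rules.
    """
    return f"ipfw -q add {rule} deny ip from 'table({table})' to any"


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as f:
            text = f.read()
    else:
        text = SAMPLE_DENY_FILE
    nets = parse_deny_file(text)
    print("\n".join(to_ipfw_table_commands(nets)))
    print("# install once: " + ipfw_deny_rule())
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the table is keyed by prefix, the same file that nginx `include`s stays the single source of truth; a request from a listed address is dropped by ipfw before nginx ever accepts the connection, which is why it no longer appears in access.log.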
