I am considering creating a restriction preventing free credits from being doled out on my SaaS to users originating from a cloud-based IP address (AWS, Google, Azure, etc.).

Curious what the pitfalls of this approach might be?

And any suggestions as to how to go about it?

Simply adding all cloud-based company IPs to a blacklist would be a good start. Do any half-decent ones already exist before I create my own?
I don't have a complete answer for you and I can't really comment on whether this is good or bad, but you can get some netblocks from the cloud providers themselves. I am missing the IPv6 method. This only covers IPv4. Here are some bash snippets.

Google:

    # Expand the SPF-style include: records, then pull the ip4: entries out of each one.
    for line in $(dig +short txt _cloud-netblocks.googleusercontent.com | tr " " "\n" | grep include | cut -f 2 -d :)
    do
        dig +short txt "${line}"
    done | tr " " "\n" | grep ip4 | cut -f 2 -d : | sort -n | uniq | xz -9ecv > ./_GOOGLE.netset.xz

Amazon:

    # Fetch the published JSON and extract every ip_prefix value (IPv4 only).
    curl --url "https://ip-ranges.amazonaws.com/ip-ranges.json" -o ./aws.json
    grep ip_prefix ./aws.json | awk -F "\"" '{print $4}' | sort -n | uniq | xz -9ecv > ./_AWS.netset.xz

I don't have one for Azure handy at this time. Skip the xz compression step if you just want plain text. If some day they remove these services, you can also look up all the CIDR blocks using sites like this [1]. Put in a name or IP to start with, then click on the AS number link, then click on prefixes v4 and prefixes v6.

[1] - https://bgp.he.net/
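An added example (not from this thread) of how the downloaded ranges could be consumed by the application: it parses a constructed sample in the shape of the AWS ip-ranges.json file, including the ipv6_prefixes list that the snippet above skips, collapses overlapping prefixes, and checks a client address against the set. The sample prefixes are hypothetical and the function names are my own.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (hypothetical prefixes; the real file has thousands of entries).
SAMPLE_AWS_JSON = """{
  "syncToken": "0", "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
    {"ip_prefix": "3.5.140.0/24", "region": "ap-northeast-2", "service": "EC2"},
    {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "S3"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON"}
  ]
}"""


def load_cloud_networks(raw_json):
    """Parse an AWS-style ip-ranges document into a deduplicated network list."""
    doc = json.loads(raw_json)
    v4 = [ipaddress.IPv4Network(p["ip_prefix"]) for p in doc.get("prefixes", [])]
    v6 = [ipaddress.IPv6Network(p["ipv6_prefix"]) for p in doc.get("ipv6_prefixes", [])]
    # collapse_addresses merges overlaps and drops duplicates; it needs one family at a time.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def matching_network(client_ip, networks):
    """Return the cloud network that contains client_ip, or None.

    A malformed address raises ValueError so the caller can reject the request
    instead of silently treating it as a residential user.
    """
    addr = ipaddress.ip_address(client_ip)
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them first.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def is_cloud_ip(client_ip, networks):
    return matching_network(client_ip, networks) is not None


if __name__ == "__main__":
    nets = load_cloud_networks(SAMPLE_AWS_JSON)
    for ip in ("52.95.110.7", "::ffff:3.5.141.9", "2600:1f14::1", "8.8.8.8"):
        print(ip, "->", matching_network(ip, nets))
```

In production the networks list would be rebuilt from a freshly downloaded file on a schedule rather than from the embedded sample, since the published ranges change.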
You can look up the AS of an IP and blacklist the cloud providers you care about by AS number.

MaxMind has a free database as part of GeoLite2 [1], but you can also put together a database from IP assignments or BGP data or ?

Most larger clouds publish their IPs as well.

Pitfalls are that you do need to update your database frequently, and it is difficult to validate changes. You're likely to get some real people who are using a VPN or something in cloud ranges, and some abuse/automation that is using residential ISPs, so it's not perfect, but it may help somewhat.

[1] https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
Depending on how motivated your users are, this could be a difficult battle for you. Even if you use a paid service like MaxMind to identify residential IP addresses, your users can tunnel their traffic through residential proxies to skirt detection.

I'd recommend tackling the issue from another angle if possible.