Here's my current state of the EC2. I last updated it in early Feb 2012. These things are subject to periodic change.

[Amazon EC2 - US East - Northern Virginia]
23.20.0.0/14 (23.20.0.0 – 23.23.255.255)
50.16.0.0/15 (50.16.0.0 - 50.17.255.255)
50.19.0.0/16 (50.19.0.0 - 50.19.255.255)
67.202.0.0/18 (67.202.0.0 - 67.202.63.255)
72.44.32.0/19 (72.44.32.0 - 72.44.63.255)
75.101.128.0/17 (75.101.128.0 - 75.101.255.255)
107.20.0.0/15 (107.20.0.0 - 107.21.255.255)
107.22.0.0/16 (107.22.0.0 - 107.22.255.255)
174.129.0.0/16 (174.129.0.0 - 174.129.255.255)
184.72.64.0/18 (184.72.64.0 - 184.72.127.255)
184.72.128.0/17 (184.72.128.0 - 184.72.255.255)
184.73.0.0/16 (184.73.0.0 – 184.73.255.255)
204.236.192.0/18 (204.236.192.0 - 204.236.255.255)
216.182.224.0/20 (216.182.224.0 - 216.182.239.255)

[Amazon EC2 - US West - Northern California]
50.18.0.0/16 (50.18.0.0 - 50.18.255.255) NEW
184.72.0.0/18 (184.72.0.0 – 184.72.63.255)
184.169.128.0/17 (184.160.128.0 - 184.169.255.255) NEW
204.236.128.0/18 (216.236.128.0 - 216.236.191.255)

[Amazon EC2 - US West - Oregon]
50.112.0.0/16 (50.112.0.0 - 50.112.255.255)

[Amazon EC2 - EU - Ireland]
46.51.128.0/18 (46.51.128.0 - 46.51.191.255)
46.51.192.0/20 (46.51.192.0 - 46.51.207.255)
46.137.0.0/17 (46.137.0.0 - 46.137.127.255)
46.137.128.0/18 (46.137.128.0 - 46.137.191.255) NEW
79.125.0.0/17 (79.125.0.0 - 79.125.127.255)
176.34.64.0/18 (176.34.64.0 – 176.34.127.255) NEW
176.34.128.0/17 (176.34.128.0 - 176.34.255.255)

[Amazon EC2 - Asia Pacific - Singapore]
46.51.216.0/21 (46.51.216.0 - 46.51.223.255)
46.137.224.0/19 (46.137.224.0 - 46.137.255.255) NEW
122.248.192.0/18 (122.248.192.0 - 122.248.255.255)
175.41.128.0/18 (175.41.128.0 - 175.41.191.255)

[Amazon EC2 - Asia Pacific - Tokyo]
46.51.224.0/19 (46.51.224.0 - 46.51.255.255)
46.137.192.0/18 (46.137.192.0 - 46.137.255.255)
103.4.8.0/21 (103.4.8.0 - 103.4.15.255)
175.41.192.0/18 (175.41.192.0 - 175.41.255.255)
176.32.64.0/19 (176.32.64.0 - 176.32.95.255)
176.34.0.0/18 (176.34.0.0 - 176.34.63.255) NEW

[Amazon EC2 - South America - Sao Paulo]
177.71.128.0/17 (177.71.128.0 - 177.71.255.255) NEW

I guess annie's been twiddling her thumbs for everyone's benefit [webmasterworld.com]

Of course all these will start to change in a few weeks when IP6 gets fully implemented across the networks, so get ready to redo your entire defense strategy.

keyplr,
There's an old thread either here or in the Apache Forum, where somebody explained the simplicity of converting IPV4 to IPVG ranges.

Wish I'd saved the info and URL ;)

AFAIK there's no way to "convert" IP4 to IP6 on the receiving end - it doesn't make sense.

You won't even see IP6 until your server changes to support them. Then, there will be no relation to the old IP4, they will be all new. The good news is, IP6 is backward supportive, meaning when your server does switch, you will still see the old IP4 from those servers that haven't switched yet, so we can still block those IP4 addresses, but we'll need to again trace the IP6 addresses.

FWIW - I already have most of mine ready, just waiting for the witching hour.

bakedjake - you can begin by blocking our lists of IPs given in pfui's latest amazon thread at [webmasterworld.com...] - I think that covers all known ranges up to a month or so ago. If anyone can add to those lists I'd be interested.

iamzippy - some of your ranges are incorrectly assigned. 46.most things are Europe not Asia and 46.51.224.0/19, for example, is registered to the Dublin, Ireland branch of amazon; as is 46.137.224.0/19 although actually registered in france, according to my registry checks. In reality, though, I don't suppose location really matters: it's the existence that's important.

dstiles - thanks for that, point taken. I never got round to doing the necessary per-RIR, all I know is they work ;)

I'll get on to it.

FYI,

Current catch list. Extracted from my database, and all networks looked up manually again this morning for validation of ranges and location.

Some of @iamzippy's ranges were smaller subnets. They are embedded in the below registrations.
They (likely) have more than these, but I have not seen and added them yet.

The European ones are (formally) spread across NL, FR, an IE. Although only Amazon's internal routing can tell where individual pieces are actually being used.


'Amazon_EC2_Asia', '103.4.12.0/22'
'Amazon_EC2_Asia', '103.4.8.0/22'
'Amazon_EC2_N_America', '107.20.0.0/14'
'Amazon_EC2_N_America', '107.22.0.0/16'
'Amazon_EC2_S_America', '122.248.192.0/19'
'Amazon_EC2_N_America', '174.129.0.0/16'
'Amazon_EC2_S_America', '175.41.128.0/19'
'Amazon_EC2_S_America', '175.41.192.0/19'
'Amazon_EC2_Asia', '175.41.224.0/19'
'Amazon_EC2_Europe', '176.32.64.0/21'
'Amazon_EC2_Europe', '176.34.0.0/21'
'Amazon_EC2_S_America', '177.71.128/17'
'Amazon_EC2_N_America', '184.169.128.0/17'
'Amazon_EC2_N_America', '184.72.0.0/15'
'Amazon_EC2_N_America', '204.236.128.0/17'
'Amazon_EC2_N_America', '216.182.224.0/20'
'Amazon_EC2_N_America', '23.20.0.0/14'
'Amazon_EC2_Europe', '46.137.0.0/17'
'Amazon_EC2_Europe', '46.137.128.0/18'
'Amazon_EC2_Europe', '46.137.192.0/21'
'Amazon_EC2_Europe', '46.137.224.0/21'
'Amazon_EC2_Europe', '46.51.192.0/20'
'Amazon_EC2_Europe', '46.51.216.0/21'
'Amazon_EC2_Europe', '46.51.224.0/21'
'Amazon_EC2_N_America', '50.112.0.0/16'
'Amazon_EC2_N_America', '50.16.0.0/14'
'Amazon_EC2_N_America', '67.202.0.0/18'
'Amazon_EC2_N_America', '72.44.32.0/19'
'Amazon_EC2_N_America', '75.101.128.0/17'
'Amazon_EC2_Europe', '79.125.0.0/18'

BTW.. The attached page shows a dynamic Map of the offender IPs across the US.

The blob on top of Seattle, WA should make it clear why we block EC2. :-)

[riskyinternet.com...]

DeeCee - The lines you give are not compacted enough for me. :)

My database lists the following, without countries included:

8.18.144.0 - 8.18.145.255
23.20.0.0 - 23.23.255.255
46.51.128.0 - 46.51.255.255
46.137.0.0 - 46.137.255.255
50.16.0.0 - 50.19.255.255
50.112.0.0 - 50.112.255.255
67.202.0.0 - 67.202.63.255
72.21.192.0 - 72.21.223.255
72.44.32.0 - 72.44.63.255
75.101.128.0 - 75.101.255.255
79.125.0.0 - 79.125.127.255
87.238.80.0 - 87.238.87.255
103.4.8.0 - 103.4.15.255
107.20.0.0 - 107.23.255.255
122.248.192.0 - 122.248.255.255
174.129.0.0 - 174.129.255.255
175.41.128.0 - 175.41.255.255
176.32.64.0 - 176.32.127.255
176.34.0.0 - 176.34.255.255 (latest entry dated Feb 23)
184.72.0.0 - 184.73.255.255
199.255.192.0 - 199.255.195.255
204.236.128.0 - 204.236.255.255
207.171.160.0 - 207.171.191.255
216.182.224.0 - 216.182.239.255

:)

Thanks!

You had some tagged on ranges inside yours that I did not have.. Added... Thanks..

A few makes me a little apprehensive. But I added a the couple I did not have, except for your first one.

8.18.144.0 - 8.18.145.255 is

Amazon Inc. LVLT-AMAZON-5-8-18-144 (NET-8-18-144-0-1) 8.18.144.0 - 8.18.144.255
Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1) 8.0.0.0 - 8.255.255.255

I have not seen bots from that net, and the slight issue I have is that I don't really want to block "Amazon" the company (all its networks), but rather just the Amazon EC2 cloud.

So, for example office type IPs there is really no reason to block. Don't want to kick out their people, only the cloud.

Have you seen attacks from all the nets?

DeeCee, I block that entire range and all other Level 3 ranges; have for years. I used to be an Amazon affiliate (until they dumped California accounts and reneged on payments owed) and never had an issue with the block.

@keyplyr,

Cool. Appreciate the info.

DeeCee - I did forget to mention that one or two might not be cloud. Sorry. I block amazon completelty. If any of the ranges I block are office-broadband then tough.

Wish there was a better way to block them without having to keep up with all the blasted IP addresses.

# Amazon AWS/Elastic Cloud
deny from 8.18.144.0/23
deny from 23.20.0.0/14
deny from 46.51.215.0/25
deny from 46.51.215.128/26
deny from 46.51.215.192/27
deny from 46.51.215.224/28
deny from 46.51.215.240/29
deny from 46.51.215.248/30
deny from 46.51.215.252/31
deny from 46.51.215.254/32
deny from 46.51.128.0/18
deny from 46.51.192.0/20
deny from 46.51.208.0/22
deny from 46.51.212.0/23
deny from 46.51.214.0/24
deny from 46.51.216.0/21
deny from 46.51.224.0/20
deny from 46.137.0.0/16
deny from 50.16.0.0/14
deny from 50.112.0.0/16
deny from 54.224.0.0/11
deny from 63.92.12.0/22
deny from 63.238.12.0/22
deny from 63.238.16.0/23
deny from 64.15.138.160/27
deny from 64.15.156.64/27
deny from 66.7.64.0/19
deny from 67.202.0.0/18
deny from 67.205.69.32/27
deny from 70.38.0.0/17
deny from 72.21.192.0/19
deny from 72.29.185.0/24
deny from 72.44.32.0/19
deny from 72.55.128.0/18
deny from 75.101.128.0/17
deny from 79.125.0.0/16
deny from 87.231.235.2/32
deny from 107.20.0.0/14
deny from 174.129.0.0/16
deny from 184.72.0.0/15
deny from 204.74.108.0/24
deny from 204.236.128.0/17
deny from 204.246.160.0/22
deny from 204.246.167.0/24
deny from 204.246.168.0/23
deny from 204.246.176.0/21
deny from 204.246.184.0/22
deny from 207.171.160.0/19
deny from 208.47.248.0/23
deny from 209.201.96.0/22
deny from 216.137.32.0/20
deny from 216.137.48.0/21
deny from 216.182.224.0/20