Everyone has their own logic. I keep it simple. YMMV

Melbourne Dedicated Hosting (melbourne.co.uk)
92.63.128.0/20
92.63.128.0 - 92.63.143.255

Scrapers from these guys started showing up again...

Turnkey Internet Servers:

67.231.240.0/20
67.231.240.0 - 67.231.255.255

173.198.192.0/18
173.198.192.0 - 173.198.255.255

208.85.0.0/21
208.85.0.0 - 208.85.7.255

Turnkey has some type of affiliation with Bright House, with the later growing into a fairly large and legitimate network.

This used to be Aussie/Zealand directly. They may be expanding index to WWW.

103.14.41.23 - - [28/Feb/2015:06:25:30 -0800] "GET /robots.txt HTTP/1.0" 200 1472 "-" "KiwiStatus/0.3 (NZS.com New Zealand Search; [nzs.com...]

Well behaved, however they are crawling from a notorious server farm chain:

DigiWeb New Zealand (digiweb.co.nz)
103.14.40.0/22
103.14.40.0 - 103.14.43.255

Other DigiWeb ranges:

78.137.163.128/25
78.137.163.128 - 78.137.163.255

80.93.16.0/20
80.93.16.0 - 80.93.31.255

I think I have a couple more on my other machine (currently in need of a power source.)

78.137.163.128/25

That may be the Kiwi part, but it's an improbably small range. Some random spot-checking suggests that the whole 78.137.128.0/18 is DigiWeb Ireland. (But what, exactly, DigiWeb is or does remains a bit of a mystery. One IP that I made up at random came up as concurrently Broadband and "Suspended Customers VPN Range" making it sound like an Internet holding cell.)

Elsewhere...
64.71.192.0/20
Solution Pro. Is it just coincidence, or are there a lot of robots operating out of Idaho lately?

If the above IP looks familiar, you may be thinking of
64.71.128.0/18 (Hurricane Electric)
and/or
64.71.224.0/20 (Webhosting.net)
The bad news is that I've already got 64.71.240.0/20 identified as Rogers Cable, meaning humans, so there's no fast-forwarding to 64.71.128.0/17 this time :(

I have a new discovery route. Some robot, somewhere, learned the name of my host's default 403 page, and now they all-- i.e. assorted unwanted badbots, and notably also all three Baidu IPs-- ask for it by name. Doesn't work on my "real" sites, where all the custom pages live in a /boilerplate/ directory, but sooner or later it crops up on any new site. Obviously I can't block them, as it would lead to an infinite loop, so when they ask for the page by name they get a 410.

That may be the Kiwi part, but it's an improbably small range. Some random spot-checking suggests that the whole 78.137.128.0/18 is DigiWeb Ireland. (But what, exactly, DigiWeb is or does remains a bit of a mystery...)

Thanks Lucy. My notes say much the same. The (small) range I posted is confirmed as servers.

WebAir

74.206.224.0/19
74.206.224.0 - 74.206.255.255

209.200.0.0/18
209.200.0.0 - 209.200.63.255

216.130.160.0/19
216.130.160.0 - 216.130.191.255

********

T-N-Media

91.234.22.0/24
91.234.22.0 - 91.234.22.255

@keyplyr

I don't. I use php all over my sites, love it

Bummer keyplyr, it is so much easier if you don't except requests to .php extension as a part of a blocking rules. I am pretty sure You are aware that it does not have to be .php. I personally don't use PHP.

JAVA, ColdFusion and .NET, but learned a while back to rewrite all extensions to / or .html and possibly no query strings where allowed.

In my book any request that comes with extensions is a hack attempt, SQL Injection via query string or probe.

On the side of hacking: 6 Tor nodes are attacking a site right now, massive, and for the past 3 days are being blocked.

104.232.3.33 - tor-exit.mensrea.org
128.52.128.105 - tor-exit.csail.mit.edu
128.6.224.107 - tor-node.rutgers.edu
129.123.7.6 - tor-exit-node.cs.usu.edu
64.113.32.29 - tor.t-3.net
64.113.44.206 - tor2.t-3.net

Over 1400 requests so far.

it is so much easier if you don't except requests

I'm trying to figure out if, when your fingers typed "except", your brain actually meant "accept". Slight difference!

I don't personally "do" extensionless. But I think rewriting to/from html is even better because then the rewrite isn't obvious. Especially on a site where at least 95% of pages really are hand-rolled html. Another possible THE_REQUEST lockout is /includes/, because the directory exists but nobody should ever be asking for its files by name.

Bummer keyplyr, it is so much easier if you don't except requests to .php extension as a part of a blocking rules. I am pretty sure You are aware that it does not have to be .php. I personally don't use PHP.

Bummer Blend27:)

There's absolutely no issue using a .php extension. It's fast and effective. OTOH parsing every single page for PHP just so you can use the .html extension is unnecessary management of server resources IMO. This approach arose partly from newbie use of vulnerable cookie-cutter PHP Bulletin forums/blogs years ago to hide from hackers, however I don't use out-of-the-box code.

I also avoid unnecessary rewrites, redirects, renames, etc. Google has several articles advising web masters against all this. My approach has always been to keep file paths direct and simple. Just because one can does not mean one should :)

parsing every single page for PHP just so you can use the .html extension

Who said anything about parsing for php?

RewriteRule ^(specific-page-names)\.html /$1.php [L]

It's none of the user's business which pages are "really" html and which are actually php.

And, ahem, Google, nobody's forcing you to make all those with-and-without-slash or "index.html" requests.

Who said anything about parsing for php?

I did, you just quoted me. Eat more fish :)

Eat more fish :)

Fish is on Fridays from what I remember ;)

212.143.156.0 - 212.143.156.255

it's a part of a larger range.

UA: www.socialayer.com Agent 0.1

@Lucy

I meant "accept", EN is not my first lang(sometimes), sorry.

I did

The question was why you said it, since nobody ever suggested parsing html (actual files, not the URL) for php.

root SA (root.lu) servers in Luxembourg

94.242.192.0/18
94.242.192.0 - 94.242.255.255

195.26.4.0/23
195.26.4.0 - 195.26.5.255

212.117.160.0/19
212.117.160.0 - 212.117.191.255

root SA (server.lu formerly webzilla.com) in Singapore

188.42.252.0/22
188.42.252.0 - 188.42.255.255

Note:188.42/16 is root.lu network but not all servers.

cccomm.com
64.113.160.0/20
64.113.160.0 - 64.113.175.255

Sinobot on Astutehosting in BC
162.245.144.195 ASTUTEHOSTING3 162.245.144.0 - 162.245.147.255 162.245.144.0/22 ber...locked

And Astute Hosting hosts at:

Peer1
69.172.192.0/18
69.172.192.0 - 69.172.255.255

More Peer1:

64.34.0.0/16
64.34.0.0 - 64.34.255.255

64.45.0.0/18
64.45.0.0-64.45.63.255

64.65.0.0/18
64.65.0.0 - 64.65.63.255

64.69.64.0/19
64.69.64.0 - 64.69.95.255

64.224.0.0/14
64.224.0.0 - 64.227.255.255

65.39.128.0/17
65.39.128.0 - 65.39.255.255

66.33.0.0/17
66.33.0.0 - 66.33.127.255

66.40.0.0/16
66.40.0.0 - 66.40.255.255

66.111.64.0/19
66.111.64.0 - 66.111.95.255

66.132.128.0/17
66.132.128.0 - 66.132.255.255

66.155.0.0/17
66.155.0.0 - 66.155.127.255

66.199.128.0/18
66.199.128.0 - 66.199.191.255

66.234.0.0/20
66.234.0.0 - 66.234.15.255

67.211.192.0/20
67.211.192.0 - 67.211.207.255

69.0.128.0/17
69.0.128.0 - 69.0.255.255

69.28.192.0/18
69.28.192.0 - 69.28.255.255

69.90.0.0/16
69.90.0.0 - 69.90.255.255

69.172.192.0/18
69.172.192.0 - 69.172.255.255

70.33.192.0/18
70.33.192.0 - 70.33.255.255

72.51.0.0/18
72.51.0.0 - 72.51.63.255

76.74.128.0/17
76.74.128.0 - 76.74.255.255

83.222.224.0/19
83.222.224.0 - 83.222.255.255

107.6.0.0/18
107.6.0.0 - 107.6.63.255

176.74.160.0/19
176.74.160.0 - 176.74.191.255

198.244.48.0/20
198.244.48.0 - 198.244.63.255

206.223.127.0/24
206.223.127.0 - 206.223.127.255

209.15.0.0/16
209.15.0.0 - 209.15.255.255

209.25.128.0/17
209.25.128.0 - 209.25.255.255

209.203.224.0/19
209.203.224.0 - 209.203.255.255

209.213.96.0/19
209.213.96.0 - 209.213.127.255

216.25.0.0/17
216.25.0.0 - 216.25.127.255

216.65.0.0/17
216.65.0.0 - 216.65.127.255

216.122.0.0/16
216.122.0.0 - 216.122.255.255

216.150.0.0/19
216.150.0.0 - 216.150.31.255

216.152.128.0/20
216.152.128.0 - 216.152.143.255

216.157.0.0/18
216.157.0.0 - 216.157.111.255

216.157.64.0/19
216.157.0.0 - 216.157.111.255

216.157.96.0/20
216.157.0.0 - 216.157.111.255

216.187.64.0/18
216.187.64.0 - 216.187.127.255

216.195.32.0/19
216.195.32.0 - 216.195.63.255

I may have left out one :)

[edited by: keyplyr at 1:37 pm (utc) on Mar 6, 2015]

Roya Hosting LLC 104.143.16.0 - 104.143.31.255 104.143.16.0/20 ber...locked!

You can combine Versaweb, Klayer & Roya:

104.143.0.0 - 104.143.47.255
104.143.0.0/19
104.143.32.0/20

Ta! :)

The Globaltap Corporation
GLOBALTAP-ASHBURN-GLOBALTAP-BALTIMORE 173.45.128.0 - 173.45.159.255 173.45.128.0/19
GLOBALTAP-ASHBURN 204.9.136.0 - 204.9.143.255 204.9.136.0/21
GLOBALTAP 208.93.16.0 - 208.93.23.255 208.93.16.0/21
GT-67-209-176-0-183-255 67.209.176.0 - 67.209.183.255 67.209.176.0/21
GLOBALTAP-ASHBURN-GLOBALTAP-BALTIMORE 67.22.32.0 - 67.22.63.255 67.22.32.0/19
GLOBALTAP-IPV6 2607:3A00:: - 2607:3A00:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

surftown.com
212.97.128.0/19
212.97.128.0 - 212.97.159.255

tektonic.net
108.161.128.0 - 108.161.143.255 NETWORLD 108.161.128.0/20

That is what they(scrapers) get later on for hiding behind human UA: [i.imgur.com...] :)

I have a proposition to make. Lets post the ranges from now on in a same format

something like that:

ipstart ipend cidr [net name]

I have a proposition to make. Lets post the ranges from now on in a same format

You're funny :)

I prefer having the CIDR on a line by itself. Or, at least, a line with nothing but numbers. Makes it easier to edit it down to the part I use. (The format keyplyr uses tends to work for me.)

I tend to post in the same format as I keep record (notes.)

I just thought it funny that blend27 would suggest people on the internet agree on anything :)

I know wilderness tends to cut'n paste the info found at WhoIs and that's fine with me.

The only thing I think is handy is the CIDR *and* the range be posted as that saves me a bit of time figuring it out, but I always verify the information anyway so it's not a big deal either way.

Frankly, I appreciate any/all posts about possible threats, then I make my own adjustments.

scorpiondata.com
82.118.24.0/21
82.118.24.0 - 82.118.31.255

tektonic.net
108.161.128.0 - 108.161.143.255 NETWORLD 108.161.128.0/20

TekTonic has more ranges, however they are sub-leased from Colo4.