Server Farms - February 2015

Tracking and Reporting Data Center IP Ranges

incrediBILL

5:51 am on Feb 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

keyplyr

9:37 pm on May 15, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A 100kb htaccess is serious obesity possibly compulsive?

That's a typical statement from someone who does not understand what they are talking about; judging by a number instead of knowing what the number represents.

trintragula

10:08 pm on May 15, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



I've seen lots of discussion about the pros and cons of htaccess files, but very little in the way of actual numbers.
I have a web server on my laptop at the moment, so I created a 9MB htaccess file with a lot of repeats of 'deny from 8.8.8.8' in it. It takes between 4 and 5 seconds to load a webpage from the server when that htaccess is in place, and is pretty well instantaneous without it.
That's about 2MB per second on my newish but not very high-end machine.
So keyplyr's 100kb htaccess (if it were largely simple 'deny from' lines) would load on my laptop web server in about 50ms.
That seems plenty fast enough.

EDIT: @keyplyr: you posted while I was replying...

keyplyr

11:31 pm on May 15, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Know that there are htaccess files and there are htaccess files. 99% of my htaccess file is IP ranges blocked by a mod_setenvif directive, then less than a dozen simple rewrites. That's it. Very fast.

keyplyr

1:30 am on May 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Some of these simple rewrite rules can instead be accomplished using any number of asynchronous scripting languages, run concurrently with server response (htconfig on dedi or VPS.)

lucy24

1:58 am on May 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It doesn't matter how big your htaccess file is. What matters is that it exists at all. The moment you have an AllowOverride directive in the config file, every single request has to be preceded by every single Apache mod, in sequence, running all the way up to the requested file and all the way back again just to check for htaccess in every directory along the way.

A handful of processes are really more labor-intensive in htaccess than in config-- notably anything involving Regular Expressions, which have to be re-compiled each time rather than stored in memory. But in general, size of htaccess is a red herring. After all, you'd have to block unwanted visitors somewhere.

As long as you don't do something foolish like
Deny from 5.0.0.0
Deny from 5.0.0.1
Deny from 5.0.0.2
Deny from 5.0.0.3
et cetera, et cetera, it probably isn't worth thinking about.

keyplyr

2:25 am on May 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It doesn't matter how big your htaccess file is

That's very nice of you to say.

keyplyr

9:13 am on May 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month





reg.ru
31.31.192.0/20
31.31.192.0 - 31.31.207.255
37.140.192.0/21
37.140.192.0 - 37.140.199.255

trintragula

9:25 am on May 16, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



It will matter how big it is eventually.
I have about 55000 IP ranges in my identification database, covering about 2 billion addresses. If I put these in my htaccess file then it would be about a megabyte, and every request would be lagging by about 500ms. If I protected all the supporting files the same way (e.g. the window dressing, images, CSS, JS, etc) that would add up to a serious slowdown.
As it is my htaccess file is empty, and my IP range database is not actually consulted by my robot blocker. I only use it for offline analysis - to figure out who's getting blocked.
My unwanted visitors are blocked solely by their behaviour and appearance. The blocking software doesn't know where they are from.
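
An added example, not part of any post in this thread: one way to use an IP range database purely for offline analysis, as described above, by binary-searching sorted ranges to attribute each blocked log entry to an owner. The function names and the log lines are constructed for illustration; the ranges and owner labels are ones posted in this thread, and the index assumes non-overlapping IPv4 ranges.

```python
import bisect
import ipaddress

# Ranges and owner labels as posted in this thread.
RANGES = [
    ("31.31.192.0/20", "reg.ru"),
    ("37.140.192.0/21", "reg.ru"),
    ("45.41.0.0/18", "Virtuzo"),
    ("104.222.128.0/19", "Virtuzo"),
    ("104.254.212.0/22", "PowerUpHosting"),
    ("46.38.224.0/20", "netcup GmbH"),
]

# Constructed access-log lines (client IP is the first field).
SAMPLE_LOG = [
    '31.31.200.14 - - [16/May/2015:09:13:02 +0000] "GET / HTTP/1.1" 403 199',
    '104.222.130.7 - - [16/May/2015:12:30:41 +0000] "POST /contact HTTP/1.1" 403 199',
    '46.38.239.255 - - [16/May/2015:17:50:10 +0000] "GET /page HTTP/1.1" 403 199',
    '203.0.113.9 - - [16/May/2015:18:01:55 +0000] "GET /page HTTP/1.1" 403 199',
]

def build_index(ranges):
    """Sort ranges by first address so lookups can binary-search.
    Assumes IPv4 ranges that do not overlap (no parent/child pairs)."""
    rows = []
    for cidr, owner in ranges:
        net = ipaddress.ip_network(cidr)
        rows.append((int(net.network_address), int(net.broadcast_address), owner, cidr))
    rows.sort()
    return [r[0] for r in rows], rows

def lookup(index, ip):
    """Return (cidr, owner) for the range containing ip, or None."""
    starts, rows = index
    n = int(ipaddress.ip_address(ip))
    i = bisect.bisect_right(starts, n) - 1  # last range starting at or before ip
    if i >= 0 and n <= rows[i][1]:
        return rows[i][3], rows[i][2]
    return None

def tally_blocked(index, log_lines):
    """Count log entries per range owner; unknown sources go under 'unlisted'."""
    counts = {}
    for line in log_lines:
        hit = lookup(index, line.split(" ", 1)[0])
        owner = hit[1] if hit else "unlisted"
        counts[owner] = counts.get(owner, 0) + 1
    return counts

INDEX = build_index(RANGES)
```

Each lookup costs a logarithmic number of comparisons in the size of the range list, so the analysis scales to tens of thousands of ranges without touching the request path.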

keyplyr

10:53 am on May 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If I protected all the supporting files the same way (e.g. the window dressing, images, CSS, JS, etc) that would add up to a serious slowdown.

Well, if you block the IP, you block the IP.

-----

Probably my fault, but let's get back to the topic of identifying server farm ranges :)

trintragula

12:30 pm on May 16, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



By way of apology:

more Virtuzo:
104.222.128.0/19 Virtuzo
Trying to spam me.

In fact looking them up on ipinfo.io I find:
104.128.128.0/20 Virtuzo
104.156.192.0/19 Virtuzo
104.222.128.0/19 Virtuzo
104.247.96.0/19 Virtuzo
167.88.96.0/20 Virtuzo
45.41.0.0/18 Virtuzo

the last one being the one Lucy spotted in her survey of 45./8
@Lucy24
Five, and it's a movement.
It is when it's Thanksgiving... :)

trintragula

1:29 pm on May 16, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



More PowerUpHosting
104.254.212.0/22

mrtonyg

1:40 pm on May 16, 2015 (gmt 0)

10+ Year Member



Aggregated IPv4 range for ColoCrossing (well known spammer network):


lucy24

4:52 pm on May 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



That's very nice of you to say.

I'm not being nice. I looked it up once after a series of people in assorted subforums asked similar questions. As I remember, one of them involved an htaccess file in the multi-megabyte range, which everyone agreed was too big, no matter where those megabytes are located. Hence the point about "Deny from 5.0.0.1" etc.

if you block the IP, you block the IP

Possibly he's got the whole thing inside a FilesMatch envelope?

Edit:
Things like this
192.210.128.0/18
192.210.192.0/20
192.210.208.0/23
192.210.212.0/23
192.210.216.0/21
192.210.224.0/19
and this
205.234.152.0/23
205.234.159.0/24
205.234.203.0/24
should lead to immediate suspicion. Quick look at my own notes turns up
192.210.128.0/17
and
:: detour to free lookup because I didn't have anything in 205.234 marked ::
205.234.128.0/17
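
An added example, not part of the post above: a way to automate the check it describes, taking a fragmented list of ranges, finding the smallest single block that spans them, and reporting how much of that block is listed and which sub-blocks are missing and worth a WHOIS lookup. The function names are hypothetical; the two input lists are the ones quoted in the post.

```python
import ipaddress

def covering_supernet(nets):
    """Smallest single CIDR block containing every network in nets."""
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    cover = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in cover:
        cover = cover.supernet()  # widen by one bit until the top address fits
    return cover

def unlisted_gaps(cover, nets):
    """Sub-blocks of cover that no listed network accounts for."""
    pieces = [cover]
    for n in nets:
        remaining = []
        for p in pieces:
            if n.subnet_of(p):
                remaining.extend(p.address_exclude(n))  # empty when n == p
            else:
                remaining.append(p)
        pieces = remaining
    return list(ipaddress.collapse_addresses(pieces))

def fragmentation_report(cidrs):
    """Summarise how completely a list of CIDRs fills its covering block."""
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))
    cover = covering_supernet(nets)
    listed = sum(n.num_addresses for n in nets)
    return {
        "cover": str(cover),
        "coverage": listed / cover.num_addresses,
        "gaps": [str(g) for g in unlisted_gaps(cover, nets)],
    }

# The two fragmented groups quoted in the post.
GROUP_192_210 = ["192.210.128.0/18", "192.210.192.0/20", "192.210.208.0/23",
                 "192.210.212.0/23", "192.210.216.0/21", "192.210.224.0/19"]
GROUP_205_234 = ["205.234.152.0/23", "205.234.159.0/24", "205.234.203.0/24"]
```

A coverage close to 1 with a few small gaps suggests the list is a chopped-up copy of one allocation; a low coverage only says the fragments share a possible parent, which still has to be confirmed by looking the covering block up.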

trintragula

5:50 pm on May 16, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



I had someone from poneytelecom proxying in from:

netcup:
46.38.224.0/20
in Germany

Netcup have:
185.16.60.0/22 netcup GmbH
188.68.32.0/19 netcup GmbH
37.120.160.0/19 netcup GmbH
37.221.192.0/21 netcup GmbH
46.38.224.0/20 netcup GmbH
46.38.240.0/21 netcup GmbH
46.38.248.0/22 netcup GmbH
5.45.96.0/20 netcup GmbH

I see no mention of proxying on netcup's (German) website, so I'm assuming this is a client of theirs.

trintragula

6:52 pm on May 16, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



@lucy24
Possibly he's got the whole thing inside a FilesMatch envelope?

Not clear who you're referring to here...

lucy24

9:45 pm on May 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Not clear who you're referring to

The side discussion about blocking IPs vs blocking access to supporting files.

keyplyr

8:28 am on May 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




fastwebserver.de
83.136.86.0/24
83.136.86.0 - 83.136.86.255

Parent:
fibre1.net
83.136.80.0/21
83.136.80.0 - 83.136.87.255

keyplyr

10:00 am on May 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



TulsaConnect
208.135.238.0/23
208.135.238.0 - 208.135.239.255
208.136.160.0/20
208.136.160.0 - 208.136.175.255
208.137.184.0/22
208.137.184.0 - 208.137.187.255
208.152.96.0/21
208.152.96.0 - 208.152.103.255
208.165.96.0/20
208.165.96.0 - 208.165.111.255

MultaCom
208.162.36.0/22
208.162.36.0 - 208.162.39.255

Disclaimer: The ranges I list anywhere in these forums are for information only. I am not suggesting these ranges should or should not be blocked, or any other action taken. If you do choose to block any of these ranges, you do so at your own risk.

trintragula

12:55 pm on May 17, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



It does occur to me that if you're just looking for lists of IP addresses that come from server farms and are not interested in their behaviour, you could do worse than look here: [ipinfo.io...] and scan down the lists for keywords like "hosting" or "colo". Probably a lot of them are already listed here, but you may find some new ones.

mrtonyg

5:41 pm on May 17, 2015 (gmt 0)

10+ Year Member



@trintragula good info on that website.

I typically go to Hurricane Electric's bgp.he.net but it's always good to have more options.

What I have been trying to find are unix shell commands to get the ASN CIDR ranges straight from ARIN, RIPE etc.

keyplyr

10:39 pm on May 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



scan down the lists for keywords like "hosting" or "colo".

The problem with that is "colo" does not tell you just "what" is being collocated. ISPs are often collocated across networks. Another buzz word that had former negative connotation is "cloud." These are just the means in which data is transmitted.

mrtonyg

1:22 am on May 18, 2015 (gmt 0)

10+ Year Member



@keyplyr Yes of course, in the context of ISPs, the word colo could be collocating TV sets or even collocating glass slippers or even the state "Colorado".

keyplyr

2:30 am on May 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@mrtonyg - I was directing my comment to trintragula's statement, the one I quoted. That has nothing to do with TV sets or glass slippers, nor does this thread.

mrtonyg

2:59 am on May 18, 2015 (gmt 0)

10+ Year Member



@keyplyr I know full well the comment was to trintragula's statement, hence my response.

trintragula

7:19 am on May 18, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Sure enough, colo is not very specific, but it's a good lead. If you're hunting for server farms a little research from the company name in the list will often come up with the goods. And yes, filtering out anything matching Colorado will save a lot of false leads.
The fifth or sixth match for 'colo' down the list is coloblox, which I've never heard of, and can find no trace of here... And they're ordered by size...

keyplyr

7:33 am on May 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I used to use free look-ups, but for the last couple years have been using the pro version of Domain Dossier which gives access to the Whois API. Makes it nice to get info using mobile when not at my desk. Also includes email validation, server ping, traceroute & graphical traceroute via HexIcmp & HexLookup, Finger and Echo queries, and other tools.

keyplyr

8:19 am on May 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



hostex.lt
92.61.32.0/20
92.61.32.0 - 92.61.47.255

networkredux.com
209.191.184.0/21
209.191.184.0 - 209.191.191.255

webhotelli.fi
217.149.62.0/25
217.149.62.0 - 217.149.62.127
Parent: nebula.fi
217.149.48.0/20
217.149.48.0 - 217.149.55.255

trintragula

10:18 am on May 18, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Thanks for the info on Domain Dossier - will look into that.

I'm still unclear about what it's worth posting on this thread. Seems like it really ought to be a shared database.

keyplyr

10:34 am on May 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm still unclear about what it's worth posting on this thread. Seems like it really ought to be a shared database.

What should be a shared database? There are lots of those online. This is a discussion about what you find on those databases (IP range look-ups) after you discover a hit from a server farm and look it up.

Granted this thread is not of HUGE importance, but I have actually got lots of info from this thread that's helped block many threats. Just a couple days ago a threat was posted here, I installed the block, and a few hours later it stopped a malicious vulnerability attempt.

Quite often I learn of new server farm ranges I didn't know about. I haven't been scraped in quite a long time partially due to the info I get from this and other threads at WW.

keyplyr

10:50 am on May 18, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Oh, and BTW - I only have this one range for coloblox.com:

209.195.0.0/18
209.195.0.0 - 209.195.63.255

You have others trintragula?

- - -

WebWeb.com
14.1.20.0/22
14.1.20.0 - 14.1.23.255
205.144.171.0/24
205.144.171.0 - 205.144.171.255