Server Farms - November 2015

Tracking and Reporting Data Center IP Ranges

         

Ocean10000

7:05 pm on Nov 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

dstiles

8:11 pm on Nov 15, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks, had a quick look, but I run IIS not apache and I need something I can access easily and automatically within an ASP-coded script.

keyplyr

8:51 pm on Nov 15, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



But wasn't the point to include the CIDR in WW posts?
If only kind Mr. Stiles had included the cidrs too. - Angonasec

Whether you do or not is of course your choice for whatever reason. I was just responding to that with a convenient tool to get the CIDR easily & fast.

blend27

3:05 pm on Nov 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Nexeon Technologies, Inc.

2602:ffc8::/32

96.9.192.0/18
216.107.144.0/24
172.93.128.0/17
104.237.192.0/19
104.200.48.0/20
and
167.88.0.0/20

within the last one:

Salim El-Kilani (NET-167-88-7-128-1) 167.88.7.128 - 167.88.7.255
Duplex 1678812024 (NET-167-88-12-0-1) 167.88.12.0 - 167.88.12.255

Both ranges are currently active, scanned several of my sites, blocked. Incoming requests sending FAKE HOST header.

blend27

5:40 pm on Nov 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



adding Host Next 16788106426 (NET-167-88-10-64-1) 167.88.10.64 - 167.88.10.127 to a pool of scanners.

seems like a consistent FAKE Host header is dns.aegins.com

dstiles

9:43 pm on Nov 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



keyplyr - I automatically display the ip ranges by clicking a control panel button. I then copy/paste from the display into WW. The script producing that display would need to have ASP in-script access to the converter.

keyplyr

10:01 pm on Nov 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've already said you can pin it anywhere you like. I access it when I have editors open. It pops-up as a little child window.

keyplyr

11:53 pm on Nov 16, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@blend27 - thanks for the Nexeon ranges.

I have...
216.107.144.0/24
216.107.144.0 - 216.107.144.255
inside of: Continuum (continuumdatacenters.com)
216.107.144.0 - 216.107.159.255
216.107.144.0/20

keyplyr

12:13 pm on Nov 25, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



conoha.jp
133.130.48.0 - 133.130.49.255
133.130.48.0/23

not2easy

2:15 am on Nov 29, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Biting on scraper bait: 2 hits on two sites in 24 hrs.
INTERGENIA - PlusServer AG
Sub-Allocation to Mass Hosting DE
85.93.88.0/22
85.93.80.0 - 85.93.95.255

keyplyr

2:39 am on Nov 29, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@not2easy

That PlusServer range is actually:
85.93.64.0 - 85.93.95.255
85.93.64.0/19

keyplyr

11:54 am on Dec 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



depo40.ru
146.185.203.0/24
146.185.203.0 - 146.185.203.255

dstiles

10:05 pm on Dec 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've seen a LOT of activity from depo40 recently, as well as a fair bit in the past.

lucy24

10:07 pm on Dec 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



depo40.ru
146.185.203.0/24

:: detour to notes ::
I've got 146.185.192.0/18 marked as Samusev (Russia), 146.185.232 ProHoster (Ukraine, blocked) and 146.185.239 as CubeHost (Luxembourg, blocked). Is it possible "Samusev" is Russian for "server sublets"?

keyplyr

10:12 pm on Dec 1, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is it possible "Samusev" is Russian for "server sublets"?
If I drink enough Vodka, that's what it ends up sounding like.

I've got 146.185.192.0/18 marked as Samusev
My look-up source says they're all subnets of Elvis Tel (thank you very much ala Presley impersonation) but admin is pinspb.ru... so I am assuming that the servers are run by pinspb.ru with a lot of the ranges for ISP and some for business (like most net blocks.)

I have Ukraine Servers
146.185.232.0 - 146.185.239.255
146.185.232.0/21
(which includes ProHoster, CubeHost and several other hosting companies)

keyplyr

11:47 am on Dec 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



packetflip.com anonymous proxies
74.91.32.0 - 74.91.47.255
74.91.32.0/20

wilderness

9:27 pm on Dec 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



FWIW, Packet Flip via ARIN WHOIS offers three other ranges that are subnets of Simplelink.
Simplelink is a bulletproof hosting service, which may offer another term and/or ballgame.

keyplyr

1:31 am on Dec 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yup, they even sell/lease routers with anon IPs already loaded. Then the customer can DL more as they become identified. Where there's a dollar to be made, a product is born.

Angonasec

5:47 am on Dec 5, 2015 (gmt 0)



NOC4Hosts Inc.
162.254.144.0 - 162.254.151.255
162.254.144.0/21

Another cloud/server farm new to me, and now blocked

keyplyr

6:42 am on Dec 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RE: noc4hosts.com
I let the iPhone, Android, etc through. Most cloud services host mobile ranges & apps.

keyplyr

9:15 am on Dec 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This is what I have for Simplelink (I know there are more). Trouble is, like most large hosting companies nowadays, there are sub-ranges leased for mobile & residential. That last range below has several*

45.41.128.0/18
45.41.128.0 - 45.41.191.255

45.56.128.0/18
45.56.128.0 - 45.56.191.255

104.37.24.0/21
104.37.24.0 - 104.37.31.255

104.143.80.0/20
104.143.80.0 - 104.143.95.255

104.194.192.0/19
104.194.192.0 - 104.194.223.255

*104.238.32.0/19
104.238.32.0 - 104.238.63.255

They register as a German company but their TLD is: simplelink.us.

blend27

11:14 pm on Dec 6, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Fairly fresh MSFT range for me:

NetRange: 40.126.128.0 - 40.127.255.255
CIDR: 40.127.0.0/16, 40.126.128.0/17
NetName: MSFT
RegDate: 2015-02-23
Updated: 2015-05-27
40.127.102.226 got caught using - Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28

lucy24

12:17 am on Dec 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Fairly fresh MSFT range

I thought they had all of
40.64.0.0/10

keyplyr

2:27 am on Dec 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I thought they had all of
40.64.0.0/10
Agree - I allow 40.64.0.0/10 (which includes the range blend27 posted.)

In that /10 are several M$ sanctioned agents which may or may not be beneficial to your particular site schema. I then filter by UA what they are allowed to do.

blend27

12:43 pm on Dec 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



After a closer look at the headers:

-----------------------------
ip: 40.127.102.226
RDNS: 40.127.102.226
RDNS Lookup Time(-4)
method: HEAD
protocol: HTTP/1.1

Referer: http:// www.mydomain.com
X-Original-URL: /
Host: www.mydomain.com
Keep-Alive: 300
Content-Length: 0
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28

It seems that there were 16 HEAD requests (now allowed). There is no RDNS (known MSFT range) and the time to look up RDNS took longer than 3 seconds. Referer DOMAIN field value is just a domain (and without / at the end = fake). All hits are to DOMAIN root and have a Referer as a domain root, in which case it is an automatic BAN; there are no links on a homepage pointing back to homepage on ANY of the sites I build... and of course the version of Firefox 3.6.28.

All requests got 400, starting from the first one, but kept going.
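The header checks described in the post above, written out as an added example that is not part of the original thread or any poster's code. The signal names, the `SERVED_HOSTS` set, the weak/strong split (which follows the caution voiced in the thread about Firefox 3.6) and the sample requests are assumptions constructed here; the first sample mirrors the posted header dump.

```python
from urllib.parse import urlsplit

SERVED_HOSTS = {"www.mydomain.com"}   # assumption: hostnames this server serves
WEAK = {"no-rdns", "old-firefox-ua"}  # assumption: never enough to block alone

def signals(req, served=SERVED_HOSTS):
    """Return the names of the checks a request trips, in a fixed order."""
    h = {k.lower(): v.strip() for k, v in req["headers"].items()}
    found = []
    if h.get("host", "").lower() not in served:
        found.append("foreign-host-header")
    if req.get("rdns") in (None, "", req["ip"]):    # PTR missing or just the IP
        found.append("no-rdns")
    ref = urlsplit(h.get("referer", ""))
    if ref.hostname in served:
        if ref.path == "":                           # bare domain, no trailing "/"
            found.append("referer-bare-domain")
        if ref.path in ("", "/") and req["path"] == "/":
            found.append("homepage-self-referer")    # homepage never links to itself
    if "firefox/3.6" in h.get("user-agent", "").lower():
        found.append("old-firefox-ua")
    return found

def verdict(req):
    """'block' on any strong signal, 'log' on weak ones only, else 'allow'."""
    found = signals(req)
    if any(s not in WEAK for s in found):
        return "block"
    return "log" if found else "allow"

OLD_FF = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) "
          "Gecko/20120306 Firefox/3.6.28")
# Constructed samples: the first follows the header dump in the post.
SCANNER = {"ip": "40.127.102.226", "rdns": "40.127.102.226", "path": "/",
           "headers": {"Host": "www.mydomain.com", "User-Agent": OLD_FF,
                       "Referer": "http://www.mydomain.com"}}
FAKE_HOST = {"ip": "192.0.2.10", "rdns": None, "path": "/",
             "headers": {"Host": "dns.aegins.com", "User-Agent": "ExampleBot/1.0"}}
OLD_BROWSER = {"ip": "198.51.100.7", "rdns": "host7.example.net",
               "path": "/page.html",
               "headers": {"Host": "www.mydomain.com", "User-Agent": OLD_FF,
                           "Referer": "http://www.mydomain.com/"}}

if __name__ == "__main__":
    for name, req in [("scanner", SCANNER), ("fake-host", FAKE_HOST),
                      ("old-browser", OLD_BROWSER)]:
        print(name, verdict(req), signals(req))
```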

keyplyr

12:58 pm on Dec 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



and of course the version of Firefox 3.6.28.
Not to argue with your decision to block, but just an FYI that yes, Firefox/3.* is from 2012 but still very much in use, especially when installed on servers as their web browser set to not get auto-updates.

lucy24

9:12 pm on Dec 7, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For some reason you'll still meet humans using FF 3.6, while several higher numbers are wholly given over to robots. If I remember rightly, FF 3\.[7-9] doesn't exist at all. (I checked once, but it's been a while.)

Camino's default UA string says "like Firefox 3.6" but I've changed it to bypass irritating servers that think they know it all. (What a browser really can't do, and what a site thinks it can't do, are not always the same thing.)

keyplyr

8:42 am on Dec 11, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



bahnhof.net
94.254.64.0 - 94.254.64.255
94.254.64.0/18

dstiles

9:54 pm on Dec 11, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



New Hetzner range - South Africa.

129.232.128.0 - 129.232.255.255
netname: HETZNER-20150216
descr: HETZNER (Pty) Ltd
country: ZA

keyplyr

10:23 pm on Dec 11, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Typo correction to bahnhof.net:
94.254.64.0 - 94.254.127.255
94.254.64.0/18
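Several posts in this thread pair a start-end range with a CIDR, and some pairs disagree. The following is an added example, not part of the original thread or any poster's tool, that converts a range to its exact CIDR blocks with Python's `ipaddress` module and flags pairs where the posted CIDR covers less or more than the posted range. The function names and status labels are assumptions made here; the entries are pairs as posted above.

```python
import ipaddress

def range_to_cidrs(start, end):
    """Return the minimal list of networks covering start..end exactly."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return list(ipaddress.summarize_address_range(first, last))

def check_entry(range_text, cidr_text):
    """Compare a 'start - end' range with the CIDR(s) posted beside it.

    Returns (status, exact_cidrs). status is 'match', 'cidr-narrower'
    (the CIDR blocks less than the range), 'cidr-wider' (it blocks more)
    or 'mismatch'.
    """
    start, end = (part.strip() for part in range_text.split("-"))
    exact = range_to_cidrs(start, end)
    posted = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c.strip()) for c in cidr_text.split(",")))
    lo, hi = exact[0].network_address, exact[-1].broadcast_address
    if posted == exact:
        status = "match"
    elif all(lo <= n.network_address and n.broadcast_address <= hi for n in posted):
        status = "cidr-narrower"
    elif any(n.network_address <= lo and hi <= n.broadcast_address for n in posted):
        status = "cidr-wider"
    else:
        status = "mismatch"
    return status, [str(n) for n in exact]

# Range/CIDR pairs as posted in this thread.
ENTRIES = [
    ("216.107.144.0 - 216.107.144.255", "216.107.144.0/24"),
    ("85.93.80.0 - 85.93.95.255", "85.93.88.0/22"),
    ("40.126.128.0 - 40.127.255.255", "40.127.0.0/16, 40.126.128.0/17"),
    ("94.254.64.0 - 94.254.64.255", "94.254.64.0/18"),
    ("94.254.64.0 - 94.254.127.255", "94.254.64.0/18"),
]

if __name__ == "__main__":
    for rng, cidr in ENTRIES:
        status, exact = check_entry(rng, cidr)
        print(f"{rng:34} {cidr:32} {status:14} exact: {', '.join(exact)}")
```

Running the check before a range goes into a deny list catches both failure modes: a CIDR that is too narrow leaves part of the range unblocked, and one that is too wide blocks addresses outside it.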

Angonasec

3:14 am on Dec 12, 2015 (gmt 0)



Ta! :)

129.232.128.0/17 Ber...locked!