
Complete mess all over 43.0.0.0/8

Considering nuking the whole /8 for US/Canada sites


blend27

4:13 pm on Dec 3, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So 43.0.0.0/8.

I've been looking at many websites logs in the past couple of weeks and all I see is basically scrape attempts.

Tencent / ACEVILLE for the most part... + Some Amazon Ranges....

All the sites in question are US/Canada small LOCAL businesses that tend/doing business within 10-15 ZIP/Province codes.

Would it be safe to NUKE it?

I am going to sneak one in here for Context from bgp.he.net: [bgp.he.net...]

Your 2 cents are greatly appreciated.

not2easy

4:30 pm on Dec 3, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month




Would it be safe to NUKE it?
I do, and don't miss them either.

lucy24

6:07 pm on Dec 3, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



:: business with raw logs, followed by consultation of whois as I haven't updated these files in yoincks ::

43.0.0.0/9 is Alibaba.
43.128.0.0/10 is Tencent.
some parts of 43.192.0.0/11 are Amazon.

BUT the remaining /11 (43.224 on up) is distributed all over Asia. Or rather, all over APNIC; there might be some slivers of legit Australian ISPs in there.

:: quick run to logs ::

Yup. In that final /11 I find a handful of apparently human requests, from--as I anticipated--Australia and the like.

So, counting on fingers, 3/4 of 43 is definitely nukable, probably another 1/8

blend27

9:16 pm on Dec 3, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



-- apparently human requests --


I see "Human Almost" requests from several ranges there,

A.K.A in Headers:

"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36",

but then:

"sec-ch-ua-platform": "\"Linux\"",


Added:
What I mean is Same UA pulls
"sec-fetch-dest": "document"
&
"sec-fetch-dest": "image"


Claims to be Win10 on Chrome but sends a "sec-ch-ua-platform": "\"Linux\"" header.

Deff not Kosher...

lucy24

10:51 pm on Dec 3, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Heh. I didn't check headers. Did these humanoids request all supporting files, including favicon, or just pages?

Did you mean \"Linux\" like that, with escaped quotes, or is that just an artifact of your logging function? If the former, that sounds like grounds for blocking in its own right.

:: back to logged headers ::

I find a smattering of
Sec-Ch-Ua-Platform: ^^Windows^^\"\"
Sec-Ch-Ua-Platform: "\"Windows\""
and, yup, one or two
Sec-Ch-Ua-Platform: "\"Linux\"" (from 3.abc, netting them a bad_range* lockout in any case)

all of which sound like the amateur botrunner's equivalent of "I comma your name comma" and so on.

* bad_range rather than Require ip so I can poke a hole for Amazonbot, currently authorized.

blend27

11:21 pm on Dec 3, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



-- Heh. I didn't check headers. Did these humanoids request all supporting files, including favicon, or just pages? --

Yes, they do, and they execute JS that has document.write('<img = src="/img.jpg>");, then request /img.jpg itself with JS params added as QueryString params to specify screen size.

function lightOneUp(q,p) {
var mW = 0, mH = 0;
var r = Math.floor(Math.random() * p); // unused in this snippet
var d = document.documentElement; // declared with var so d and b do not leak as globals
var b = document.body;
if( typeof( window.innerWidth ) == 'number' ) {//Non-IE
mW = window.innerWidth;
mH = window.innerHeight;
} else if( d && ( d.clientWidth || d.clientHeight ) ) {//IE 6+ in 'standards compliant mode'
mW = d.clientWidth;
mH = d.clientHeight;
} else if( b && ( b.clientWidth || b.clientHeight ) ) {//IE 4 compatible
mW = b.clientWidth;
mH = b.clientHeight;
}
// viewport size plus the two server-supplied session params ride along in the query string
document.write('<img border="0" height="2" alt="" src="/img.jpg?u=' +mW+ '.' +mH+ '.' +q+ '.' +p+'">');
}


<script>
lightOneUp(x,y);
</script>

x and y are passed as extra params to track the session's first and subsequent requests via an Application Session that is tracked by server code.

Looks like a full fledged Human except Sec-Ch-Ua-Platform: "\"Linux\"" on Win10 Platform.

SumGuy

12:02 am on Dec 4, 2025 (gmt 0)

5+ Year Member Top Contributors Of The Month



I'm not blocking all of 43/8, but I am blocking practically all of 43.0 to 43.167 and then 34% of everything higher than that.

I got what looks like legit hits this year from 43.174.120.162 and 43.174.29.101 (zenlayer and our friend Aceville) but those have since been added to my block list (for one reason or another). I'm curious what the gang here knows about hits from zenlayer.

Just quickly grabbing what /8 + /9 + /10 I am blocking and putting that together in a list, gives this:

13.128.0.0/9
34.192.0.0/10
36.128.0.0/10
38.0.0.0/8
39.128.0.0/9
41.0.0.0/8
43.0.0.0/9
44.192.0.0/10
54.0.0.0/9
60.64.0.0/10
60.128.0.0/10
78.192.0.0/10
102.0.0.0/8
105.0.0.0/8
111.0.0.0/10
112.0.0.0/10
113.64.0.0/10
117.128.0.0/9
120.192.0.0/10
126.64.0.0/10
156.192.0.0/10
177.0.0.0/9
179.128.0.0/9
183.0.0.0/10
183.192.0.0/10
187.0.0.0/9
189.0.0.0/9
196.64.0.0/10
197.0.0.0/8
219.0.0.0/10
220.0.0.0/10

Anything there I probably shouldn't be blocking?

lucy24

12:07 am on Dec 4, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Overlapping--this is in response to blend27

Option B, considering the geographic region (we are still in 43, aren’t we?) is that it’s a human in a low-budget country using a pirated or knockoff OS whose glitches include sending an incorrect header.

In any case, all those Sec-blahblah headers get on my nerves. What are they supposed to be for, anyway? (developer dot mozilla dot org says of Sec-CH-UA-Platform* “Experimental” and “Check the Browser compatibility table carefully before using this in production” ... which gets us no further.)

* Their casing, though logged headers never show anything but Sec-Ch-Ua-etcetera.

blend27

12:31 am on Dec 4, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@ Lucy24
-- considering the geographic region?--

US/Canada is a target from all in, that is my point on 43/8. Pirated OS glitches do not service their VWs or buy Turquoise jewelry or have their Poodles Paws shaved(Yack) at the next corner to the pond where John could fish while Wendy Insta the shiat out of the event......

@SumGuy

--and our friend Aceville --

Not, Nut, Nara...

Just 43/8 at this point to keep it looped in, but I see where u going with this...

blend27

12:43 am on Dec 4, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@Lucy24

Look at FireFox, Chrome, Edge. <== Request Headers

On Linux^, Windows^ & IOS(Phone and Pad = ^)


Win10 & Linux: >> These are Fake headers set up by a script kiddie....

"headers": {
"sec-ch-ua-mobile": "?0",
"Accept-Language": "en-US,en;q=0.9",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36",
"sec-fetch-mode": "navigate",
"sec-fetch-site": "none",
"sec-ch-ua": "\"Not;A=Brand\";v=\"99\", \"Chromium\", \"Google Chrome\"",
"host": "www.example.com",
"priority": "u=0, i",
"sec-fetch-user": "?1",
"connection": "close",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Accept-Encoding": "gzip, deflate, br, zstd",
"X-ORIGINAL-URL": "/",
"upgrade-insecure-requests": "1",
"sec-ch-ua-platform": "\"Linux\"",
"X-REQUEST-URI-STAB": "/",
"content-length": "0",
"sec-fetch-dest": "document"
}
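The platform mismatch blend27 describes (a Windows NT user-agent paired with a Sec-CH-UA-Platform of Linux) and the stray `\"` and `^` values lucy24 found in her logs can both be checked mechanically. The following is an added Python example, not code from any poster or from any project. It parses the header as the RFC 8941 sf-string that Chromium actually sends, rejects syntactically broken values and unknown platform tokens, and compares a well-formed value against the OS the user-agent claims. The sample header sets are constructed from the values quoted in this thread, not captured traffic, and `check_client_hints` is an assumed function name. One caveat worth keeping in mind: a logger that JSON-encodes values shows a legitimate `"Linux"` as `\"Linux\"`, so the check should run on the decoded header value, as this example does.

```python
# Added example: consistency checks on Chromium client-hint headers.
# Platform tokens Chromium sends in Sec-CH-UA-Platform (an sf-string per RFC 8941).
KNOWN_PLATFORMS = {"Android", "Chrome OS", "Chromium OS", "iOS",
                   "Linux", "macOS", "Windows", "Unknown"}


def parse_sf_string(value):
    """Parse an RFC 8941 sf-string: "..." with only \\" and \\\\ as escapes.
    Returns the unescaped content, or None if the value is not well-formed."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return None
    body, out, i = value[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            if i + 1 >= len(body) or body[i + 1] not in '"\\':
                return None            # backslash may only escape " or \
            out.append(body[i + 1])
            i += 2
            continue
        if c == '"' or not (0x20 <= ord(c) <= 0x7E):
            return None                # bare quote or non-printable inside the string
        out.append(c)
        i += 1
    return "".join(out)


def os_from_user_agent(ua):
    """Coarse OS family claimed by a browser user-agent string (order matters:
    Android UAs also contain 'Linux')."""
    if "Android" in ua:
        return "Android"
    if "CrOS" in ua:
        return "Chrome OS"
    if "iPhone" in ua or "iPad" in ua:
        return "iOS"
    if "Windows NT" in ua:
        return "Windows"
    if "Macintosh" in ua:
        return "macOS"
    if "Linux" in ua:
        return "Linux"
    return None


def check_client_hints(headers):
    """Return a list of inconsistencies between User-Agent and Sec-CH-UA-Platform
    (empty list means nothing suspicious). Header names are matched case-insensitively
    and values are expected already decoded (no JSON escaping)."""
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get("sec-ch-ua-platform")
    if raw is None:
        return []                      # non-Chromium clients do not send the hint
    reasons = []
    platform = parse_sf_string(raw)
    ua_os = os_from_user_agent(h.get("user-agent", ""))
    if platform is None:
        reasons.append(f"malformed Sec-CH-UA-Platform: {raw!r}")
    elif platform not in KNOWN_PLATFORMS:
        reasons.append(f"unknown platform token: {platform!r}")
    elif ua_os and platform != ua_os:
        reasons.append(f"UA claims {ua_os} but Sec-CH-UA-Platform says {platform}")
    return reasons


# Constructed samples modelled on the values quoted in this thread (not live captures).
WIN_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36")
SAMPLES = {
    "genuine_windows":       {"User-Agent": WIN_CHROME_UA, "Sec-CH-UA-Platform": '"Windows"'},
    "linux_hint_windows_ua": {"User-Agent": WIN_CHROME_UA, "Sec-CH-UA-Platform": '"Linux"'},
    # raw header value literally "\"Windows\"" (doubled quoting seen in lucy24's logs)
    "doubled_quotes":        {"User-Agent": WIN_CHROME_UA, "Sec-CH-UA-Platform": '"\\"Windows\\""'},
    # raw header value ^^Windows^^\"\" (caret variant from the same logs)
    "carets":                {"User-Agent": WIN_CHROME_UA, "Sec-CH-UA-Platform": '^^Windows^^\\"\\"'},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:24s} -> {check_client_hints(hdrs) or 'consistent'}")
```

Only the first sample comes back clean; the other three are flagged for different reasons, which is the useful part: a platform mismatch is a different signal from a value that no browser could have produced, and a log entry can tell you which one you are looking at.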

tangor

4:15 pm on Dec 4, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



How many actual "human" ips exist in this range? What would the collateral damage be to just nix the whole range?

lucy24

5:24 pm on Dec 4, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



How many actual "human" ips
Buried somewhere upthread is the detail that the final /11 within 43/8, i.e. 43.224-255, may include human ISPs. And even if your target audience is not likely to include {Asian country of your choice}, you probably don't want to exclude Australia and New Zealand. Heck, they might be buying something from a US-based business to ship to their relatives in the US.

Look at FireFox, Chrome, Edge. <== Request Headers
Out of millions of Sec-blahblah headers, I found only a hundred or so containing \" (that is, escaped quotation mark in addition to the usual quotation used in this header) or ^, so I'm confident calling them bogus. But on the other hand they are so rare, it's not currently worth blocking on those grounds alone.

blend27

3:46 am on Dec 5, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



-- Out of millions --

Sí, humano. Sí.

-- How many actual "human" ips exist in this range? --

Pulling THE PLUG on IIS level:

<system.webServer>
<security>
<ipSecurity allowUnlisted="true" denyAction="AbortRequest">
<!-- NoMo 43.0.0.0/8-->
<add ipAddress="43.0.0.0" subnetMask="255.0.0.0"/> <!-- 43.0.0.0/8 43.0.0.0 - 43.255.255.255 - as Margaret LeAnn Rimes Cibrian mentioned on Wiki: You Light Up My Life, Sittin on Top of the World.. -->
</ipSecurity>
</security>
</system.webServer>

blend27

4:07 am on Dec 5, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@Lucy24-
-don't want to exclude Australia and New Zealand-

Tariffs, They- aint buying ***t.

Ankles Up!

SumGuy

5:34 am on Dec 5, 2025 (gmt 0)

5+ Year Member Top Contributors Of The Month



Amazon is using about 15% of 43.0.0.0/8. Right here:

43.0.0.0/13
43.192.0.0/12
43.208.0.0/13
43.216.0.0/14
43.220.0.0/15

Then some very small pieces above 43.220. Besides that, at 43.168 and above I count 30 /16's that are not allocated to any AS but appear to be assigned to China.
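To see how the pieces of 43/8 discussed in this thread add up (lucy24's "3/4 definitely nukable, probably another 1/8" and SumGuy's "about 15%" for Amazon), here is an added Python example using only the standard library's ipaddress module; it is not code from any poster. The allocation table is lucy24's sketch and the Amazon list is SumGuy's, both copied as given (the two posts attribute 43.0.0.0/13 differently, and the example does not try to resolve that); `fraction_of` and `owner_of` are assumed helper names. The same `fraction_of` works for any parent block and any list of prefixes, so it can also be pointed at a larger block list to see how much of a /8 it actually removes.

```python
# Added example: exact coverage arithmetic for CIDR lists, plus a lookup of which
# allocation an address falls in. Standard library only.
import ipaddress
from fractions import Fraction

PARENT = ipaddress.ip_network("43.0.0.0/8")

# Coarse allocation sketch as lucy24 gave it upthread (whois from memory, not authoritative).
ALLOCATIONS = {
    "43.0.0.0/9":    "Alibaba",
    "43.128.0.0/10": "Tencent",
    "43.192.0.0/11": "partly Amazon",
    "43.224.0.0/11": "APNIC mixed (may include AU/NZ ISPs)",
}

# Amazon sub-blocks exactly as SumGuy listed them.
AMAZON_BLOCKS = ["43.0.0.0/13", "43.192.0.0/12", "43.208.0.0/13",
                 "43.216.0.0/14", "43.220.0.0/15"]


def fraction_of(parent, cidrs):
    """Exact share of `parent`'s address space covered by `cidrs`.
    Overlapping or adjacent prefixes are collapsed first so nothing is counted
    twice; prefixes outside `parent` are ignored."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    covered = sum(n.num_addresses for n in nets if n.subnet_of(parent))
    return Fraction(covered, parent.num_addresses)


def percent(frac):
    """Fraction -> percentage rounded to one decimal, for printing."""
    return round(float(frac) * 100, 1)


def owner_of(ip, table=ALLOCATIONS):
    """Label of the first table entry whose block contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in table.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return None


if __name__ == "__main__":
    definite = ["43.0.0.0/9", "43.128.0.0/10"]          # Alibaba + Tencent
    probable = definite + ["43.192.0.0/11"]              # ... plus the partly-Amazon /11
    print("definitely nukable :", fraction_of(PARENT, definite), percent(fraction_of(PARENT, definite)), "%")
    print("probably nukable   :", fraction_of(PARENT, probable), percent(fraction_of(PARENT, probable)), "%")
    print("Amazon (SumGuy)    :", fraction_of(PARENT, AMAZON_BLOCKS), percent(fraction_of(PARENT, AMAZON_BLOCKS)), "%")
    for ip in ("43.130.1.1", "43.174.120.162", "43.250.0.1"):
        print(f"{ip:16s} -> {owner_of(ip)}")
```

Run as a script it reports 3/4, 7/8 and 19/128 (about 14.8%) respectively, which matches the figures both posters arrived at by hand; the last address lands in the /11 lucy24 flagged as the one most likely to hold real ISP customers.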