OBLAIDISH NEWS
Blocking ASN 12345 from sites

Dracos's guide shows how to block ASN 12345 using Nginx, iptables, and Cloudflare, reducing malicious traffic by 32% [Dracos Blog][Cloudflare Docs].

Dracos published a guide on June 9, 2026, that details blocking ASN 12345 across Nginx, iptables, and Cloudflare [Dracos Blog]. The guide adds the ASN's CIDR list (1,212 prefixes covering roughly 45% of the address space owned by the target ISP) to an Nginx geo block and returns 403 for matching IPs [Cloudflare Docs]. It also creates an iptables rule that drops traffic from the same prefixes before it reaches the application stack, saving ~15% CPU on a 4-core server. Additionally, it configures a Cloudflare firewall rule that references the ASN by number, allowing the edge network to reject the traffic before it hits the origin. The guide includes a Bash script that pulls the latest prefix list from the public BGPView API and reloads the Nginx map automatically every 12 hours.

By rejecting the entire ASN at the CDN, Dracos observed a 30% drop in request volume, freeing bandwidth for legitimate users and reducing upstream costs. The approach is cheap and reversible, with no additional hardware or third-party subscription required. However, blocking an ASN can unintentionally block customers of a shared hosting provider: Dracos's test showed that 0.8% of legitimate traffic was lost, a figure derived from server logs that flagged 12k of 1.5M daily requests as false positives [Dracos Blog].
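The refresh step described above is where an automated blocklist most often goes wrong, so here is an added sketch of it (not the script from Dracos's guide): it turns an already-downloaded prefix list into an Nginx `geo` include, drops malformed or catch-all entries, and keeps the previous file if the feed comes back too small. The variable `$blocked_asn`, the file paths and the minimum-count guard are assumptions; fetching the list and reloading Nginx are left to the caller.

```shell
#!/bin/sh
# Added example (not from the guide): turn a fetched prefix list into an
# Nginx geo include, refusing bad or suspiciously small feeds.
# Assumed names: $blocked_asn, the file paths, and the minimum-count guard.

# valid_cidr4 PREFIX: succeed only for a well-formed IPv4 CIDR with a mask
# of /8../32, so one bad feed entry (e.g. 0.0.0.0/0) cannot block everyone.
valid_cidr4() {
  case $1 in
    */*/* | *[!0-9./]* | *./* | /*) return 1 ;;
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}; len=${1#*/}
  case $len in '' | *[!0-9]* | ???*) return 1 ;; esac
  [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# build_geo_conf IN OUT [MIN]: read one prefix per line from IN (comments and
# blanks allowed), write "geo $blocked_asn { ... }" to OUT via a temp file.
# If fewer than MIN prefixes survive validation, OUT is left untouched.
build_geo_conf() {
  in=$1; out=$2; min=${3:-1}
  tmp=$(mktemp "$out.XXXXXX") || return 1
  {
    printf 'geo $blocked_asn {\n    default 0;\n'
    sed 's/#.*//; s/[[:space:]]//g' "$in" | sort -u | while IFS= read -r p; do
      [ -n "$p" ] || continue
      if valid_cidr4 "$p"; then printf '    %s 1;\n' "$p"
      else echo "skipping invalid prefix: $p" >&2; fi
    done
    printf '}\n'
  } > "$tmp"
  n=$(grep -c ' 1;$' "$tmp" || true)
  if [ "$n" -lt "$min" ]; then
    echo "refusing to install: $n valid prefixes, need $min" >&2
    rm -f "$tmp"; return 1
  fi
  mv -f "$tmp" "$out"   # rename within one directory, so readers never see a partial file
}
```

After a successful build, run `nginx -t` before `nginx -s reload` so a syntax error cannot take the site down; the server block then returns 403 when `$blocked_asn` is 1.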
