I'm facing repeated intrusion attempts from a specific IPv6 address range that seems to target certain devices on my network. The attacks come from the address range 2600:1900:4020:49c:0:xxx, occurring every 15 minutes during certain times of the day. The last digits (xxx) include numbers like 51b::, 4fe::, 3f::, and others within that range. I want to block this IPv6 range at my firewall to ensure it stops the intrusion attempts, but I'm unsure about how to properly specify the blocking range. Should I use 2600:1900:4020:49c:0::/32, or is it better to try something like /48, /64, or /128? Just to clarify, I'm using Spectrum and my address starts with 2603, so these intrusions are definitely from outside my network.
1 Answer
To block a larger portion of the problematic IPs, you could go for something like 2600:1900::/31. If you want to be more specific, blocking 2600:1900:4020::/44 would limit it to a smaller subset. Just remember that a wide block can also affect legitimate Google services, since this IP range is tied to Google Cloud.

I found out this IP range is linked to Google Cloud, which has a history of being used for scanning. My attacks happen overnight, and while I've not been breached, I'm trying to avoid a blanket ban on Google Cloud's IPs. Is it viable to narrow it down to the :49c: segment? And what's the rationale behind using /31 versus /44?
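The prefix arithmetic discussed in this thread, as an added example that is not part of the original posts: it uses Python's standard `ipaddress` module to find the narrowest prefix covering the observed sources and to compare the candidate prefixes by how many /64 subnets each would block. The sample addresses are constructed from the suffixes quoted in the question, and the helper names are hypothetical.

```python
import ipaddress

# Constructed sample: the question's prefix plus the suffixes it quotes.
OBSERVED = [
    "2600:1900:4020:49c:0:51b::",
    "2600:1900:4020:49c:0:4fe::",
    "2600:1900:4020:49c:0:3f::",
]
# Prefixes mentioned in the thread, plus the /64 for the :49c: segment.
CANDIDATES = [
    "2600:1900::/31",
    "2600:1900:4020:49c:0::/32",  # as written in the question
    "2600:1900:4020::/44",
    "2600:1900:4020:49c::/64",
]

def covering_prefix(addresses, max_len=64):
    """Smallest network containing every address, capped at /max_len."""
    ints = [int(ipaddress.IPv6Address(a)) for a in addresses]
    diff = 0
    for value in ints[1:]:
        diff |= ints[0] ^ value          # bits where any address differs
    plen = min(128 - diff.bit_length(), max_len)
    return ipaddress.IPv6Network((ints[0], plen), strict=False)

def normalize(prefix):
    """Return (network, misaligned); misaligned means bits were set past the prefix length."""
    try:
        return ipaddress.IPv6Network(prefix, strict=True), False
    except ValueError:
        return ipaddress.IPv6Network(prefix, strict=False), True

def evaluate(prefix, addresses):
    net, misaligned = normalize(prefix)
    hits = sum(ipaddress.IPv6Address(a) in net for a in addresses)
    return {
        "network": str(net),
        "misaligned": misaligned,
        "covers_all": hits == len(addresses),
        # Number of /64 subnets the rule drops: the collateral scope of the block.
        "subnets_64": 2 ** max(64 - net.prefixlen, 0),
    }

if __name__ == "__main__":
    print("narrowest cover:", covering_prefix(OBSERVED, max_len=128))
    print("rounded to /64: ", covering_prefix(OBSERVED))
    for candidate in CANDIDATES:
        print(candidate, evaluate(candidate, OBSERVED))
```

All four candidates cover the observed sources; they differ only in how much other address space the rule also drops.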