I've been experiencing frequent intrusion attempts from a specific IPv6 address range that targets certain devices on my network. These attempts seem to originate from the range 2600:1900:4020:49c:0:xxx, where 'xxx' varies among values like 51b::, 4fe::, and 3f::. The attacks occur about every 15 minutes during specific times of the day and then stop for a few days before resuming. I want to block all connections from this range at my firewall to be safer in case my router can't manage it. However, I'm not sure how to properly specify the block range. Should I use something like 2600:1900:4020:49c:0::/32, or would it be better as /48, /64, or /128? For context, I'm using Spectrum and my address range starts with 2603, so these attacks are definitely coming from outside my network.
1 Answer
To effectively block a portion of Google's range without affecting too much, you could use 2600:1900::/31. However, for a more targeted approach, 2600:1900:4020::/44 could also be a good option, which would limit access to a smaller section of that range.

I noticed that this IP is related to Google Cloud, which has been involved in scanning attacks before. Is there a more precise blocking method to specifically target the consistent :49c: portion of this address? It mainly attacks overnight and I've yet to see any success on their end, but I can't prove it.
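
For the follow-up about matching only the constant :49c: part, here is an added example (not part of the original posts) that uses Python's standard `ipaddress` module to check which of the prefixes discussed above contain the three reported sources, and how many /64 subnets each rule would block. The full source addresses are assembled from the question's description, and the function names are illustrative.

```python
import ipaddress

# Sources as described in the question: fixed 2600:1900:4020:49c:0: plus the varying part.
OBSERVED = [
    "2600:1900:4020:49c:0:51b::",
    "2600:1900:4020:49c:0:4fe::",
    "2600:1900:4020:49c:0:3f::",
]

# Prefixes raised in the question and the answer, plus the /64 that pins :49c:.
CANDIDATES = [
    "2600:1900::/31",
    "2600:1900::/32",
    "2600:1900:4020::/44",
    "2600:1900:4020::/48",
    "2600:1900:4020:49c::/64",
]

def common_prefix(addrs):
    """Longest single prefix that contains every address in addrs."""
    ints = [int(ipaddress.IPv6Address(a)) for a in addrs]
    diff = 0
    for value in ints:
        diff |= ints[0] ^ value          # collect every bit position that differs
    plen = 128 - diff.bit_length()       # bits above the highest differing bit are shared
    return ipaddress.IPv6Network((ints[0], plen), strict=False)

def covers_all(prefix, addrs):
    """True if a block rule for prefix would match every address in addrs."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return all(ipaddress.IPv6Address(a) in net for a in addrs)

def slash64_count(prefix):
    """How many /64 subnets (the standard IPv6 subnet size) the prefix sweeps up."""
    plen = ipaddress.IPv6Network(prefix, strict=False).prefixlen
    return 2 ** max(0, 64 - plen)

def report():
    """One row per candidate: (prefix, matches all observed sources, /64s blocked)."""
    return [(p, covers_all(p, OBSERVED), slash64_count(p)) for p in CANDIDATES]

if __name__ == "__main__":
    for prefix, hit, width in report():
        print(f"{prefix:26} covers_all={hit!s:5} /64s_blocked={width}")
    print("tightest single prefix:", common_prefix(OBSERVED))
```

Every candidate matches the three sources; they differ only in how much unrelated address space is blocked along with them. `2600:1900:4020:49c::/64` is the prefix that fixes the `:49c:` group.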