Yes but how’s that going to help when the IPs you’re banning are mobile IP addresses? Bright Data claims to have over 7 million of them in their network. They aren’t in contiguous ASNs because they’re sourced from regular human users unknowingly running proxy endpoints on their mobile devices.

(I agree, eBPF is very cool. Once you dive into the Linux network internals you discover a bunch of shortcuts you can take to execute code on packets before they ever leave kernel space.)

Well you have to have metrics and behavioral analysis anyways because of TOR and other proxies, right? For those kind of residential IPs, you will just treat them as /32 prefixes (well if they use IPv4).

There's nothing set in stone, as you have to ensure that 24hrs later they get a chance again, so bans will be temporary first and will be permanent only for repeating offenders.