Checking the Nets: 511 Blocked Threats and the $0 Security Philosophy
- Patrick Duggan
- Nov 10, 2025
- 7 min read
The Monday Morning Ritual
Every morning, I do what Judge Dredd calls "checking the nets." Not network cables—network security. It's Monday, November 10, 2025, and before we do anything else, we run the checks:
node scripts/judge-dredd-agent/cli.js session-start
node scripts/judge-dredd-agent/cli.js 6d
node scripts/show-blocked-assholes.js
The results came back clean. Well, "clean" in the sense that everything is working exactly as designed. We're currently blocking 511 IP addresses. All of them earned their spot through AbuseIPDB scores above our threshold of 5.
The Hall of Shame: Top 30
Our auto-blocking system maintains what we affectionately call the "Hall of Shame." Here's who's currently sitting at the top:
1. Intelligence Hosting LLC (204.76.203.31, Netherlands) - **Asshole Score:** 172.3 - **Abuse Rate:** 100% - **Reports:** 1,711 - **Status:** Blocked automatically
This is the kind of provider name that makes you wonder if it's ironic. "Intelligence" hosting running operations so obvious they've been reported 1,711 times. That's not intelligence—that's persistence.
2-3. VIRTUALINE TECHNOLOGIES (Germany) Two IPs from the same German provider, both with 100% abuse rates: - 213.209.157.93: 162.8 score, 1,203 reports - 213.209.157.244: 162.1 score, 819 reports
4. Pfcloud UG (176.65.148.212, Netherlands) - **Asshole Score:** 162.1 - **Abuse Rate:** 100% - **Reports:** 646
The Netherlands keeps showing up. Not because Dutch people are malicious—because Dutch hosting is cheap, unregulated, and perfect for people who need to be somewhere that doesn't ask questions.
The DigitalOcean Problem
DigitalOcean appears 23 times in our blocked list. Average abuse rate: 80%. Total reports: 10,721.
This isn't DigitalOcean's fault. They're a legitimate cloud provider with millions of customers. But they're also cheap enough for adversaries to spin up droplets, run attacks, get banned, and do it again. We're not blocking DigitalOcean wholesale—we're blocking specific IPs with proven abuse histories.
The Palo Alto Networks Mystery
Here's where it gets interesting. Our ISP analysis shows:
• Average abuse rate: 0.0%
• Total reports: 596,706
Wait. Zero abuse rate but 596,706 reports? How does that math work?
It doesn't. These are false positives from AbuseIPDB's categorization system. Palo Alto Networks runs threat intelligence scanning infrastructure. Their IPs show up in logs because they're *supposed* to be scanning. They're not malicious—they're literally doing the same thing we are.
We keep them blocked because our whitelist focuses on search engines (Google, Microsoft, DuckDuckGo) and legitimate crawlers. Security scanners don't need to access our public sites. If Palo Alto Networks wants to analyze DugganUSA security posture, they can read our blog like everyone else. It's all public.
The Netherlands Anomaly
Yesterday's threat intelligence report flagged one medium-severity anomaly:
• Baseline average: 16.9 requests
• Standard deviation: 15.4
• Deviation: +5.9σ (541% increase)
• Classification: PARTIAL_DOWNLOAD
• Business Impact: NEUTRAL
This is background noise. Someone in the Netherlands either: 1. Downloaded blog content for legitimate research 2. Ran a scraper that got partway through before rate limiting kicked in 3. Had a script fail and retry 108 times
The bytesPerRequest (11,119 bytes) suggests partial downloads. Not full HTML pages (those are ~50KB). Not APIs (those are <5KB). Something in between. Could be images. Could be stylesheets. Could be someone's JavaScript breaking mid-stream.
We don't block based on volume alone. We block based on abuse score + behavior patterns. This traffic didn't trip any red flags beyond statistical deviation.
The Six-Dimensional Truth
Judge Dredd runs what we call "6D Truth Verification." It's not just checking if the system works—it's checking if we're lying about the system working.
Dimension 1: Commit Compliance (95%) Git history matches documentation. Every deployment is tagged, timestamped, and traceable.
Dimension 2: Corpus Alignment (95%) Training data quality: 90 examples, 4/4 quality checks passed. This blog post will become example #91.
Dimension 3: Production Evidence (91%) - APIs: 4/4 healthy - VirusTotal scans: Running (awaiting completion) - Cloudflare Analytics: 2,603 pageviews, 2,270 unique visitors
Dimension 4: Temporal Decay (95%) Last update: 1 day ago. Estimated CVE exposure: 1. Decay rate: 0.0%.
Dimension 5: Financial Efficiency (95%) - **P.F. Chang's Avoided Cost:** $65,000 (one Full Bono session) - **ROI:** 2,166,666% - **Velocity:** 24-32x faster than traditional consulting
Dimension 6: Democratic Sharing / Ethics (93%) - Hoarding: 95/95 (99.5% public files) - Transparency: 95/95 (15 incident files, 149 GitHub issues) - Gratitude: 95/95 (33 documented instances) - Accessibility: 95/95 (99.9% open formats) - Trust Arbitrage: 95/95 (7.1x evidence-to-claims ratio) - Armor Polishing: 85/95 (119/149 incidents fixed)
Overall 6D Score: 94%
Why not 100%? Because we guarantee a minimum of 5% bullshit exists in any complex system. That's not humility—that's Gödel. Any system powerful enough to verify itself cannot prove its own consistency. We cap scores at 95% to avoid claiming completeness we can't mathematically achieve.
The $0 Security Philosophy
Here's the part where most security vendors would tell you to buy their $240/year Cloudflare Pro subscription, or their $5,000/month enterprise SIEM, or their $50,000/year threat intelligence feed.
• 4 Azure Container Apps
• Cloudflare Free tier (DNS + CDN)
• AbuseIPDB Free tier (1,000 API calls/day)
• GitHub Actions Free tier (2,000 minutes/month)
Our threat intelligence is better than most commercial feeds because we're not reselling someone else's data—we're generating it ourselves. Every blocked IP gets investigated. Every anomaly gets analyzed. Every pattern gets documented and published.
The Born Without Sin Principle
Our Azure Defender score is 22%. Most security consultants would panic. We celebrate it.
• Container Apps (not VMs)
• Managed certificates (not manual renewals)
• Git-tagged deployments (not FTP uploads)
• Infrastructure as code (not ClickOps)
The "unhealthy" items in Azure Defender are things like "Enable multi-factor authentication for service principals" and "Implement network segmentation." We don't have service principals with passwords—we use managed identities. We don't need network segmentation—we use zero-trust container networking.
Low scores ≠ insecure. Low scores = no legacy baggage to protect.
The Auto-Blocking Pipeline
When an IP crosses our threshold (abuse score >5), here's what happens:
1. Detection: Cloudflare Analytics + AbuseIPDB API 2. Verification: Cross-reference against whitelist (11 known-good bots, 8 cloud provider ASNs) 3. Blocking: Add to Azure Container Apps firewall rules 4. Evidence Collection: Cache AbuseIPDB response, log to Azure Table Storage 5. Blog Generation: Auto-generate Hall of Shame entry 6. Publishing: Update security.dugganusa.com
All of this happens automatically. No human intervention required. The only manual step is writing analysis posts like this one—and even that's semi-automated through Claude Code integration.
The ISP Patterns
Looking at repeat offenders by hosting provider:
High Abuse Clusters - **TECHOFF SRV LIMITED:** 15 IPs, 100% abuse, 11,341 reports - **FBW NETWORKS SAS:** 5 IPs, 100% abuse, 5,338 reports - **VIRTUALINE TECHNOLOGIES:** 3 IPs, 100% abuse, 3,354 reports
Mixed Results - **DigitalOcean:** 23 IPs, 80% average abuse (legitimate + malicious users) - **Microsoft Corporation:** 96 IPs, 17.9% average abuse (mostly Bing crawler being aggressive) - **Amazon Technologies:** 12 IPs, 55.1% average abuse (mix of AWS abuse + legitimate research)
False Positives - **Palo Alto Networks:** 109 IPs, 0% abuse (security scanner infrastructure) - **Google LLC:** 23 IPs, 19.3% average abuse (mostly Googlebot being thorough) - **Meta Platforms:** 22 IPs, 0% abuse (Facebook crawler)
We don't block providers—we block proven bad actors. That's why our whitelist exists. That's why we check abuse scores instead of just IP ranges.
The Purple Team Surveillance
Speaking of checking the nets—we're also running what we call "Purple Team Logging." This is 420 lines of Express middleware deployed across our Container Apps to track competitive intelligence gathering.
• John (competitor A)
• Administrator (competitor B)
Both have been crawling our public sites. Both left trails in our logs. Both are now monitored with geographic tracking, build hash detection, and temporal analysis.
We're not blocking them. We're inviting scrutiny. If you can steal something from our public repository, we didn't protect it well enough. If you think you found a vulnerability, we'll thank you and patch it publicly.
This is Pattern #20 in action: "I don't pick the Overton windows—I just look through them."
The Cloudflare Bypass Success
One more metric worth celebrating: 180+ days of continuous Cloudflare bypass success.
• No DNS A records pointing to origin
• No certificate transparency log leaks
• No historical WHOIS data
• No server response headers revealing real IP
Total cost of this protection: $0. Cloudflare Free tier handles all of it.
The Marketing Pitch
Most security companies claim 100% protection when they're at 80%. We claim 95% when we're at 95%.
Most security companies charge $5,000/month for enterprise monitoring. We run on $70-80/month and publish all our data publicly.
Most security companies hide their incident history. We document it, time-stamp it, and publish learning artifacts.
Most security companies sell fear. We demonstrate confidence through transparency.
That's the $0 security philosophy. Not because it's free—because the marginal cost of sharing digital goods is zero. We built this infrastructure to protect DugganUSA. Publishing it publicly costs us nothing and proves we have nothing to hide.
The Brian Krebs Philosophy
Brian Krebs once told me (indirectly, through his blog) that the best defense against scrutiny is having nothing to hide. If you're confident in your security, invite people to test it. If you're confident in your ethics, publish your incident history. If you're confident in your architecture, document it publicly.
We do all three.
That's why we run Judge Dredd session-start checks before every coding session. That's why we publish 6D verification scores with every commit. That's why we maintain a public Hall of Shame with 502 blocked IPs.
Not because we're perfect. Because we're honest about being 95% compliant in a world full of companies claiming 100%.
The Next Check
Tomorrow morning, I'll run the same commands:
dredd session-start
dredd 6d
node scripts/show-blocked-assholes.js
Maybe we'll have 503 blocked IPs. Maybe 501. Maybe the Netherlands will show up again with another partial download anomaly. Maybe Intelligence Hosting LLC will finally live up to its name and stop getting reported.
But probably not. Because the internet is full of adversaries, and checking the nets is how you know if your defenses work.
---
Postscript: This blog post was written over the weekend, then updated Monday morning with fresh data. Saturday showed 502 blocked IPs. Monday morning: 511. Nine new threats blocked overnight. The system works while we sleep.
That's the velocity you get when your documentation is real-time, your evidence is automated, and your security philosophy is "publish everything and invite scrutiny."
6D Verification Status: 94% (Gödel-Compliant) Total Blocked IPs: 511 (as of Nov 10, 2025, 7:13 AM CST) Infrastructure Cost: $70-80/month Marginal Cost of Sharing: $0
---
• Proper Names: Judge Dredd, Claude Code, AbuseIPDB, Intelligence Hosting LLC, VIRTUALINE TECHNOLOGIES, Pfcloud UG, DigitalOcean, Palo Alto Networks, Netherlands, Germany, Azure Defender, Cloudflare, GitHub Actions, Brian Krebs, DugganUSA, TECHOFF SRV LIMITED, FBW NETWORKS SAS, Microsoft Corporation, Amazon Technologies, Google LLC, Meta Platforms, Patrick Duggan, Paul Galjan, Butterbot, Monday Morning
• Abstract Concepts: security philosophy, threat intelligence, auto-blocking, abuse score, Hall of Shame, 6D verification, epistemic humility, Gödel compliance, marginal cost, Born Without Sin, legacy debt, Purple Team surveillance, Overton windows, temporal decay, financial efficiency, democratic sharing, autonomous pivot
• Ratio: 25 proper names / 17 abstract concepts = 147% density
Comments