
Subnet Blocking

Subnet blocking is a platform fraud-prevention technique that invalidates all vote submissions from every IP address within a CIDR subnet range once suspicious activity is detected from any address in that block, effectively penalising an entire network segment for the behaviour of one or a few addresses.

What Is Subnet Blocking?

Subnet blocking is a fraud countermeasure in which a platform extends a blocking decision from a single offending IP address to every other address within the same CIDR network block. Rather than recording that 203.0.113.47 submitted fraudulent votes and blocking that one address, the system records the /24 block 203.0.113.0/24 as tainted and rejects all subsequent votes from any of the 256 addresses in that range — including 203.0.113.1 through 203.0.113.46 and 203.0.113.48 through 203.0.113.255.

The logic behind this approach is straightforward: IP addresses within a /24 subnet typically share the same last-mile infrastructure — the same DSLAM, the same cable node, or the same mobile tower cluster. An ISP assigns a /24 to a geographic cluster of subscribers, so if one address in the block is submitting votes at an automated rate, there is a reasonable statistical inference that other addresses in the same block are either sources of further automated submissions or share infrastructure that has been compromised. For contest platforms, the cost of a false positive (blocking a few legitimate voters from the same neighbourhood) is considered acceptable compared to the cost of allowing a coordinated automated campaign to continue.

RIPE NCC and ARIN allocate IP space in blocks as small as /24 and as large as /8, and IETF RFC 4632 formalised the CIDR notation that makes subnet-level operations a routine part of IP management. Cloudflare’s WAF documentation describes subnet-level rules as a standard tool in its managed ruleset, blocking ranges rather than individual IPs to reduce the overhead of maintaining millions of individual address-level rules.

Why It Matters in Vote Services

Subnet blocking creates a compounding threat for vote delivery operations that lack sufficient subnet diversity. The sequence of events typically unfolds as follows: a provider delivers the first 50 votes of a 1,000-vote order, all from addresses within a small number of /24 blocks. The contest platform’s rate limiting or anomaly detection layer triggers on the velocity pattern — multiple votes from the same subnet within minutes of each other. The platform then blocks the entire /24. The provider continues delivering from the same pool, placing more votes into the same or adjacent subnets. Each blocked subnet triggers wider blocks. By the end of the delivery, a large fraction of the addresses used are in blocked ranges, and the effective delivered count is a small fraction of what was paid for.

The collateral damage dimension is particularly important when carrier-grade NAT (CGNAT) is involved. Under CGNAT, a single public IP, and therefore the /24 subnet that contains it, may legitimately represent hundreds of real mobile subscribers in the same geographic cell. If one of those subscribers submits votes rapidly, the platform may block the entire /24, preventing hundreds of other legitimate voters from participating. This is a known tension in contest platform design: per-subnet blocking that is calibrated for small-block dedicated IP ranges produces excessive false positives in mobile CGNAT environments where address sharing is the norm.

How Detection Systems Use This Signal

Subnet-level blocking is typically implemented as a tiered escalation within a fraud detection pipeline:

  1. Per-IP threshold trigger — when a single IP address exceeds a defined vote rate (e.g., more than three votes within a 10-minute window), it is flagged. The system simultaneously checks whether other IPs in the same /24 have also been flagged recently.
  2. Subnet aggregation — if two or more distinct IPs within the same /24 have been independently flagged within a defined lookback window, the entire subnet is promoted to blocked status. The blocking decision is recorded in the platform’s fraud database and applied instantly to all subsequent requests from that subnet.
  3. Cascading block expansion — some platforms extend the block upward to larger prefixes: if multiple /24 blocks within the same /20 (4,096 addresses) are independently blocked, the entire /20 may be quarantined. This cascade can rapidly eliminate a large pool of addresses that were sourced from the same ISP allocation.
  4. Reputation inheritance — commercial threat intelligence feeds like Spamhaus and MaxMind track which subnets have been involved in fraud events across many platforms. A subnet blocked on one contest platform for automated voting carries that reputation into subsequent lookups on other platforms, even ones that have never received a vote from that subnet before.
  5. Temporal decay — most platforms implement a decay period during which a blocked subnet can return to clean status if no further fraud is detected. Decay windows typically range from 24 hours to 30 days, depending on the severity of the original fraud pattern.
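
The escalation tiers above, written from the platform's side as an added example (not code from this page or from any particular platform). The per-IP threshold and the "two or more flagged IPs" rule come from the list; the one-hour lookback, the two-blocked-/24s trigger for a /20 and the 24-hour decay are assumed values. It handles IPv4 only and leaves out reputation inheritance (tier 4).

```python
import ipaddress
from collections import defaultdict, deque

# "More than 3 votes in 10 min" and "two or more flagged IPs" come from the
# list above; the lookback, /20 trigger and decay values are assumptions.
IP_MAX_VOTES, IP_WINDOW = 3, 600
FLAGGED_IPS_PER_24, LOOKBACK = 2, 3600
BLOCKED_24S_PER_20, DECAY = 2, 24 * 3600

def prefix(ip, bits):
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

class SubnetEscalator:
    def __init__(self):
        self.votes = defaultdict(deque)    # ip -> recent vote timestamps
        self.flagged = defaultdict(dict)   # /24 -> {ip: time flagged}
        self.blocked = {}                  # /24 or /20 -> time blocked

    def _active(self, net, now):           # tier 5: blocks expire after DECAY
        t = self.blocked.get(net)
        return t is not None and now - t < DECAY

    def submit(self, ip, now):             # True = vote accepted
        n24, n20 = prefix(ip, 24), prefix(ip, 20)
        if self._active(n24, now) or self._active(n20, now):
            return False
        q = self.votes[ip]
        q.append(now)
        while q[0] <= now - IP_WINDOW:     # drop votes outside the window
            q.popleft()
        if len(q) <= IP_MAX_VOTES:
            return True
        self.flagged[n24][ip] = now        # tier 1: per-IP flag
        recent = [t for t in self.flagged[n24].values() if now - t < LOOKBACK]
        if len(recent) >= FLAGGED_IPS_PER_24:
            self.blocked[n24] = now        # tier 2: whole /24 blocked
            live = [n for n in self.blocked if n.prefixlen == 24
                    and n.subnet_of(n20) and self._active(n, now)]
            if len(live) >= BLOCKED_24S_PER_20:
                self.blocked[n20] = now    # tier 3: covering /20 quarantined
        return False

def replay(events):  # (ip, unix_seconds) pairs in time order -> accept/reject list
    engine = SubnetEscalator()
    return [engine.submit(ip, t) for ip, t in events]

# Constructed sample (private addresses): two noisy IPs in 10.0.1.0/24, then a third.
SAMPLE = ([("10.0.1.5", s) for s in range(4)] + [("10.0.1.9", 10 + s) for s in range(4)]
          + [("10.0.1.200", 20)])
```

`replay(SAMPLE)` rejects the fourth vote from each noisy address and then the only vote from 10.0.1.200, an address that never exceeded the threshold itself, which is the collateral effect described in the CGNAT paragraph.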

How to Verify Quality

Before committing to a vote service, probe their resilience to subnet blocking with targeted questions:

A provider with robust subnet diversity and real-time block detection will answer each of these questions with concrete operational detail.

How Our Service Uses This Technique

Our delivery engine treats subnet blocking as a real-time routing signal, not a post-mortem failure event. During campaign execution, our monitoring layer tracks response patterns from the destination platform for signals consistent with subnet-level rejection — sudden drops in acceptance rate, 429 responses clustered within a narrow address range, or anomalous silent-discard patterns. When a /24 block shows rejection signals, the engine immediately routes remaining deliveries through subnets from different ISP allocations, preserving campaign continuity without requiring any customer-side intervention. Our 6M+ residential IP pool spans thousands of distinct /24 subnets across 200+ countries, with hard caps preventing any single subnet from contributing more than a small fraction of any given campaign’s volume. Our CGNAT-aware delivery engine additionally distinguishes mobile carrier subnets — where address sharing is structurally expected — from fixed-line subnets, applying different per-subnet delivery pacing that matches the natural behaviour profile of each network type.


Summary. Subnet blocking extends a fraud penalty from a single IP address to every address within its CIDR network block, making subnet diversity as critical as IP uniqueness for sustained vote delivery. Detection systems escalate from per-IP flags to /24 blocks to larger prefix quarantines, with reputation inheritance spreading those blocks across platforms via shared threat intelligence feeds. Our delivery engine spans thousands of distinct subnets, enforces per-subnet volume caps, and responds to real-time blocking signals by rerouting to clean address ranges — maintaining campaign delivery integrity even as platform defences adapt.

