How to Block IP Ranges on Shopify (CIDR and Prefix Guide)

When fraudsters or scrapers rotate through IPs in the same network, blocking individual IPs is whack-a-mole. The right tool is range blocking — banning entire IP blocks, ISPs, or ASNs in one rule.

This guide explains the three approaches: CIDR notation, prefix matching, and ASN-level rules.

What is an IP range?

An IP range is a contiguous block of IP addresses that share a network prefix. The standard notation is CIDR:

/24 and /16 are the most useful for fraud blocking.

Method 1 — Block CIDR ranges on Shopify

1. Install Shieldy.
2. Open Block rules → New rule.
3. Rule type: Block.
4. Criteria: IP address → Equals.
5. Enter the CIDR: 192.0.2.0/24.
6. Save.

Shieldy parses CIDR and applies the rule to every IP in the range.

Method 2 — Block by IP prefix (no CIDR knowledge)

If CIDR is unfamiliar, use the Starts with operator:

• 192.0.2. blocks 192.0.2.0 to 192.0.2.255 (same as /24)
• 192.0. blocks 192.0.0.0 to 192.0.255.255 (same as /16)
• 2001:db8: blocks an IPv6 range

This is easier to maintain and produces the same effect for most cases.

Method 3 — Block by ISP

Sometimes a single ISP generates most of the bad traffic. Block by ISP name:

1. New rule → ISP → Equals.
2. Enter the ISP name (e.g. "Hetzner Online GmbH", "DigitalOcean LLC").
3. Save.

ISP blocking is in the Enterprise plan. It uses MaxMind's ISP database which is more reliable than parsing raw ASN data.

Method 4 — Block by ASN

Autonomous System Numbers identify network operators globally. Useful for blocking specific datacenter or proxy providers.

1. New rule → ASN → Equals.
2. Enter the ASN (e.g. AS16509 for AWS, AS14061 for Digital Ocean).
3. Save.

Common ranges to consider blocking

Major hosting providers (datacenter, not consumer):

Amazon Web Services - AS16509
Google Cloud - AS15169
Microsoft Azure - AS8075
DigitalOcean - AS14061
OVH - AS16276
Hetzner - AS24940
Linode - AS63949
Vultr - AS20473

Block these via Shieldy's Block datacenter IPs toggle (Bot Killer) — covers all at once.

Known proxy providers (residential proxy networks):

Luminati / Bright Data
Smartproxy
Oxylabs
Soax

Block via the Auto-block VPN/Proxy category.

Method 5 — Block country-level (largest range)

If a country accounts for 50 %+ of your fraud, block by country instead of IP:

1. New rule → Location → Country.
2. Pick the country.
3. Save.

One rule covers millions of IPs.

How to find the right range

Open Shieldy's Visitor Analytics:

1. Filter by Risk score > 0.5.
2. Sort by ISP column.
3. Group by ISP — top 5 are usually 80 % of bad traffic.
4. Look at IP patterns — if many bad IPs share the same /24, block the /24.

Example finding:

bad-isp-name      120 bad visits   range 198.51.100.0/24
hetzner           85 bad visits    AS24940 (block datacenter category)
nordvpn           70 bad visits    block VPN category

Three rules cover 275 of 300 bad visits.

Whitelist your team and B2B customers

Before applying broad blocks, whitelist:

1. Your office IP range
2. Your remote team's known IPs
3. B2B customers' corporate networks

Use Rule type: Whitelist with the same range syntax.

Range blocking and SEO

Major search engines have known IP ranges:

Googlebot - 66.249.64.0/19, 64.233.160.0/19
Bingbot - 40.77.167.0/24, 207.46.13.0/24
Applebot - 17.0.0.0/8 (whitelist specifically)

Never block these. Shieldy auto-whitelists verified search-engine ranges.

Performance impact

Range matching uses radix-tree lookup — under 1ms per request regardless of how many ranges you have configured. You can run hundreds of range rules without slowdown.

Real-world example

A merchant we work with was getting scraped heavily by a competitor in India. Visitor Analytics showed:

• 240 page views/day from 103.45.92.0/24
• Same IP block hitting multiple times per hour
• All requests had Mozilla/5.0 UA (spoofed bot)
• Total: ~2 GB bandwidth/day wasted on scraping

Adding one rule (block 103.45.92.) eliminated the scraping. No real customer impact.

Frequently asked questions

How big a range can I block?

Any size. Shieldy handles /8 through /32 efficiently. For very broad blocks (country-scale), use country rules instead.

Will it slow my store?

No. Range matching is O(1) lookup with the radix tree.

Can I block IPv6 ranges?

Yes. Use IPv6 CIDR notation (e.g. 2001:db8::/32).

What if I make a mistake and block legitimate users?

Toggle the rule off (not delete) and customers regain access immediately. Test changes during off-peak.

Does the free plan include CIDR blocking?

Yes — but only 4 rules total. The Premium plan at $4.99/mo lifts the cap to unlimited.

Wrapping up

Range blocking is the right tool when you see fraud or scraping coming from contiguous IP blocks. Combined with ISP and ASN rules, it catches network-level patterns that single-IP rules cannot. Worth learning CIDR notation for the long-term gain.

Install Shieldy free → · See pricing →