Add Facebook/Meta + TikTok/Bytedance IP ranges to bots list#3411

Merged: steven-tey merged 1 commit into main from ip-ranges on Feb 3, 2026

steven-tey (Collaborator) commented Feb 3, 2026

Summary by CodeRabbit

  • Improvements
    • Expanded bot detection to include many additional IP ranges for Meta (Facebook) and TikTok (Bytedance), improving recognition and management of automated traffic from these platforms and reducing false positives/negatives in traffic handling.

vercel bot (Contributor) commented Feb 3, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| dub | Ready | Preview | Feb 3, 2026 11:20pm |

coderabbitai bot (Contributor) commented Feb 3, 2026

📝 Walkthrough

The pull request expands the IP_RANGES_BOTS array in apps/web/lib/middleware/utils/bots-list.ts by adding numerous Facebook/Meta and TikTok/Bytedance IP range string literals; no logic, signatures, or control flow were changed.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Bot IP Range Expansion (`apps/web/lib/middleware/utils/bots-list.ts`) | Added ~429 string literals of IP ranges for Facebook/Meta and TikTok/Bytedance to the exported IP_RANGES_BOTS array; no functional or signature changes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through lists both vast and wide,

Meta and TikTok now sit side by side.
Ranges added, neat and bright,
Catching bots by day and night. ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding Facebook/Meta and TikTok/Bytedance IP ranges to the bots list, which directly matches the 429 lines of IP range additions to the IP_RANGES_BOTS export. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

steven-tey (Collaborator, Author) commented

@coderabbitai full review

coderabbitai bot (Contributor) commented Feb 3, 2026

✅ Actions performed

Full review triggered.

@steven-tey steven-tey merged commit fe39e7d into main Feb 3, 2026
10 of 12 checks passed
@steven-tey steven-tey deleted the ip-ranges branch February 3, 2026 23:41
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
apps/web/lib/middleware/utils/bots-list.ts (1)

177-399: Normalize overlapping Meta CIDR entries to reduce redundancy.

There are overlapping blocks (e.g., Line 185–191 includes 69.171.224.0/19 plus its /20 subranges; Line 271–279 includes 129.134.26.0/23 plus 129.134.26.0/24). Consider merging/deduping with a CIDR-merge pass so the list stays minimal and avoids redundant checks in IP matching.

Comment on lines +400 to +604
// TikTok / Bytedance IP ranges (see: https://ipinfo.io/AS138699#block-ranges)
"71.18.64.0/21",
"202.52.240.0/21",
"71.18.16.0/22",
"71.18.56.0/22",
"71.18.84.0/22",
"71.18.96.0/22",
"71.18.108.0/22",
"71.18.140.0/22",
"71.18.2.0/23",
"71.18.36.0/23",
"71.18.44.0/23",
"71.18.48.0/23",
"71.18.88.0/23",
"71.18.90.0/23",
"71.18.120.0/23",
"71.18.138.0/23",
"71.18.1.0/24",
"71.18.4.0/24",
"71.18.5.0/24",
"71.18.6.0/24",
"71.18.7.0/24",
"71.18.8.0/24",
"71.18.10.0/24",
"71.18.11.0/24",
"71.18.12.0/24",
"71.18.13.0/24",
"71.18.20.0/24",
"71.18.21.0/24",
"71.18.24.0/24",
"71.18.25.0/24",
"71.18.26.0/24",
"71.18.29.0/24",
"71.18.30.0/24",
"71.18.31.0/24",
"71.18.32.0/24",
"71.18.33.0/24",
"71.18.34.0/24",
"71.18.35.0/24",
"71.18.38.0/24",
"71.18.39.0/24",
"71.18.40.0/24",
"71.18.41.0/24",
"71.18.42.0/24",
"71.18.43.0/24",
"71.18.46.0/24",
"71.18.47.0/24",
"71.18.50.0/24",
"71.18.51.0/24",
"71.18.52.0/24",
"71.18.53.0/24",
"71.18.54.0/24",
"71.18.55.0/24",
"71.18.60.0/24",
"71.18.72.0/24",
"71.18.73.0/24",
"71.18.74.0/24",
"71.18.75.0/24",
"71.18.77.0/24",
"71.18.79.0/24",
"71.18.80.0/24",
"71.18.81.0/24",
"71.18.82.0/24",
"71.18.92.0/24",
"71.18.93.0/24",
"71.18.94.0/24",
"71.18.95.0/24",
"71.18.100.0/24",
"71.18.101.0/24",
"71.18.102.0/24",
"71.18.103.0/24",
"71.18.104.0/24",
"71.18.105.0/24",
"71.18.106.0/24",
"71.18.107.0/24",
"71.18.112.0/24",
"71.18.113.0/24",
"71.18.116.0/24",
"71.18.117.0/24",
"71.18.118.0/24",
"71.18.119.0/24",
"71.18.122.0/24",
"71.18.123.0/24",
"71.18.124.0/24",
"71.18.125.0/24",
"71.18.126.0/24",
"71.18.127.0/24",
"71.18.128.0/24",
"71.18.129.0/24",
"71.18.130.0/24",
"71.18.131.0/24",
"71.18.132.0/24",
"71.18.133.0/24",
"71.18.134.0/24",
"71.18.135.0/24",
"71.18.136.0/24",
"71.18.137.0/24",
"71.18.144.0/24",
"71.18.145.0/24",
"71.18.146.0/24",
"71.18.147.0/24",
"71.18.148.0/24",
"71.18.149.0/24",
"71.18.150.0/24",
"71.18.152.0/24",
"71.18.153.0/24",
"71.18.154.0/24",
"71.18.155.0/24",
"71.18.156.0/24",
"71.18.157.0/24",
"71.18.158.0/24",
"71.18.159.0/24",
"71.18.160.0/24",
"71.18.161.0/24",
"71.18.162.0/24",
"71.18.163.0/24",
"71.18.164.0/24",
"71.18.165.0/24",
"71.18.166.0/24",
"71.18.167.0/24",
"71.18.168.0/24",
"71.18.169.0/24",
"71.18.170.0/24",
"71.18.171.0/24",
"71.18.175.0/24",
"71.18.176.0/24",
"71.18.177.0/24",
"71.18.178.0/24",
"71.18.179.0/24",
"71.18.180.0/24",
"71.18.182.0/24",
"71.18.183.0/24",
"71.18.184.0/24",
"71.18.185.0/24",
"71.18.186.0/24",
"71.18.187.0/24",
"71.18.188.0/24",
"71.18.191.0/24",
"71.18.192.0/24",
"71.18.193.0/24",
"71.18.196.0/24",
"71.18.197.0/24",
"71.18.199.0/24",
"71.18.200.0/24",
"71.18.201.0/24",
"71.18.202.0/24",
"71.18.203.0/24",
"71.18.204.0/24",
"71.18.205.0/24",
"71.18.206.0/24",
"71.18.207.0/24",
"71.18.208.0/24",
"71.18.209.0/24",
"71.18.210.0/24",
"71.18.211.0/24",
"71.18.212.0/24",
"71.18.213.0/24",
"71.18.214.0/24",
"71.18.215.0/24",
"71.18.216.0/24",
"71.18.217.0/24",
"71.18.218.0/24",
"71.18.219.0/24",
"71.18.222.0/24",
"71.18.223.0/24",
"71.18.224.0/24",
"71.18.228.0/24",
"71.18.231.0/24",
"71.18.232.0/24",
"71.18.237.0/24",
"71.18.238.0/24",
"71.18.239.0/24",
"71.18.240.0/24",
"71.18.241.0/24",
"71.18.243.0/24",
"71.18.244.0/24",
"71.18.245.0/24",
"71.18.246.0/24",
"130.44.212.0/24",
"130.44.214.0/24",
"130.44.215.0/24",
"139.177.225.0/24",
"139.177.227.0/24",
"139.177.233.0/24",
"139.177.235.0/24",
"139.177.238.0/24",
"139.177.240.0/24",
"139.177.241.0/24",
"139.177.242.0/24",
"139.177.243.0/24",
"139.177.244.0/24",
"139.177.245.0/24",
"139.177.246.0/24",
"139.177.247.0/24",
"139.177.248.0/24",
"147.160.176.0/24",
"147.160.180.0/24",
"147.160.182.0/24",
"147.160.184.0/24",
"147.160.190.0/24",
"180.240.234.0/24",
"180.240.235.0/24",
"192.64.15.0/24",
"199.103.24.0/24",
"199.103.25.0/24",

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the full context of the bots-list.ts file
wc -l apps/web/lib/middleware/utils/bots-list.ts

Repository: dubinc/dub

Length of output: 100


🏁 Script executed:

# Look at the structure and see what's before line 400
head -405 apps/web/lib/middleware/utils/bots-list.ts | tail -10

Repository: dubinc/dub

Length of output: 295


🏁 Script executed:

# Check if IPv6 ranges exist anywhere in the file
grep -i "ipv6\|:" apps/web/lib/middleware/utils/bots-list.ts | head -20

Repository: dubinc/dub

Length of output: 500


🏁 Script executed:

# See the context around lines 400-604 and check for any IPv6
sed -n '395,610p' apps/web/lib/middleware/utils/bots-list.ts | head -30

Repository: dubinc/dub

Length of output: 674


🌐 Web query:

AS138699 ByteDance TikTok announced prefixes IPv4 IPv6 2026

💡 Result:

As of January 29, 2026, AS138699 (TIKTOK PTE. LTD. / ByteDance TikTok) is announcing the following prefixes:

IPv4 (19)

IPv6 (5)

  • 2404:9dc0:cd01::/48
  • 2404:9dc0:cd03::/48
  • 2404:9dc0:cd05::/48
  • 2404:9dc0:cd06::/48
  • 2404:9dc0:cd07::/48 [1]

Source: Hurricane Electric BGP Toolkit for AS138699. [1]

References
[1] Hurricane Electric BGP Toolkit — AS138699 (Prefixes Announced v4/v6) (bgp.he.net)

🌐 Web query:

AS138699 current CIDR blocks 2025 2026 BGP announcements

💡 Result:

AS138699 (TikTok Pte. Ltd. / ByteDance) — currently originated/announced CIDR blocks (observed Jan 29, 2026)

IPv4 (19)

IPv6 (5)

  • 2404:9dc0:cd01::/48
  • 2404:9dc0:cd03::/48
  • 2404:9dc0:cd05::/48
  • 2404:9dc0:cd06::/48
  • 2404:9dc0:cd07::/48  [1][2]

Sources: bgp.tools ASN page for AS138699 (prefix list) and Hurricane Electric BGP Toolkit AS138699 page (counts + last update timestamp). [1][2]


🌐 Web query:

ByteDance TikTok IPv6 address ranges ASN

💡 Result:

TikTok / ByteDance ASNs (with IPv6 BGP-announced prefixes)

AS138699 — TIKTOK PTE. LTD. (TIKTOK-AS-AP, bytedance.com) [1][2]
IPv6 prefixes (originated):

  • 2404:9dc0:cd01::/48
  • 2404:9dc0:cd03::/48
  • 2404:9dc0:cd05::/48
  • 2404:9dc0:cd06::/48
  • 2404:9dc0:cd07::/48  [1]

AS396986 — Bytedance Inc. (BYTEDANCE, bytedance.com) [3][4]
IPv6 prefixes (originated) include many /48s under 2605:340::/48 space, e.g.:

  • 2605:340::/48, 2605:340:1::/48
  • 2605:340:100::/48, 2605:340:200::/48, 2605:340:300::/48, 2605:340:301::/48
  • 2605:340:f00b::/48, 2605:340:f00e::/48, 2605:340:f011::/48, 2605:340:f013::/48, … (additional 2605:340:f0xx::/48 also listed) [4]

Sources: Hurricane Electric BGP Toolkit prefix listings + IPinfo ASN org mapping. [1][2][3][4]


Add IPv6 ranges and verify against current BGP announcements for AS138699.

As of January 29, 2026, ByteDance/TikTok (AS138699) is announcing 5 IPv6 prefixes that are not included in this list:

  • 2404:9dc0:cd01::/48
  • 2404:9dc0:cd03::/48
  • 2404:9dc0:cd05::/48
  • 2404:9dc0:cd06::/48
  • 2404:9dc0:cd07::/48

Additionally, the IPv4 ranges in this block appear to be sourced from a historical snapshot; current BGP announcements from AS138699 show only 19 active prefixes, not the 200+ listed here. Consider whether this list intentionally maintains broader coverage (possibly for incoming traffic or legacy infrastructure), or if it should be updated to current announced ranges. Document the source date and scope (IPv4-only vs. IPv6 inclusion) in a comment for future maintenance.

🤖 Prompt for AI Agents
In `@apps/web/lib/middleware/utils/bots-list.ts` around lines 400 - 604, The
TikTok / Bytedance IP ranges block currently includes only IPv4 and appears to
be a historical snapshot; update the TikTok / Bytedance IP ranges array in
apps/web/lib/middleware/utils/bots-list.ts by adding the five IPv6 prefixes
(2404:9dc0:cd01::/48, 2404:9dc0:cd03::/48, 2404:9dc0:cd05::/48,
2404:9dc0:cd06::/48, 2404:9dc0:cd07::/48) and add a clear comment above the
block (referencing AS138699) that documents the source, source date (e.g.,
2026-01-29), and whether the list is "historical/full" or "current BGP-announced
only"; if you choose to trim IPv4 to current announcements, replace the large
IPv4 list with the 19 active prefixes obtained from a BGP lookup of AS138699 and
note that choice in the comment.
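
The CIDR-merge pass suggested in the nitpick above, worked through for IPv4 entries in TypeScript. This is an added example, not code from the Dub repository or from CodeRabbit; `mergeCidrs`, `parseCidr` and `SAMPLE` are hypothetical names, and IPv6 prefixes such as the five listed in the review are rejected here because they would need a 128-bit variant.

```typescript
// Added example: minimal CIDR-merge pass for IPv4 entries (hypothetical helper names).
type Range = { base: number; len: number };
const size = (len: number): number => 2 ** (32 - len);

function parseCidr(cidr: string): Range {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`not an IPv4 CIDR: ${cidr}`);
  const [a, b, c, d, len] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255) || len > 32) throw new Error(`out of range: ${cidr}`);
  const ip = ((a * 256 + b) * 256 + c) * 256 + d;
  return { base: ip - (ip % size(len)), len }; // clear any host bits
}

const format = ({ base, len }: Range): string =>
  [24, 16, 8, 0].map((s) => Math.floor(base / 2 ** s) % 256).join(".") + `/${len}`;

function mergeCidrs(cidrs: string[]): string[] {
  // Sort by network address; on ties the wider (shorter-prefix) range comes first.
  const sorted = cidrs.map(parseCidr).sort((x, y) => x.base - y.base || x.len - y.len);
  const out: Range[] = [];
  for (const r of sorted) {
    const top = out[out.length - 1];
    // r starts at or after top, so it is redundant if it also ends inside top.
    if (top && r.base + size(r.len) <= top.base + size(top.len)) continue;
    out.push(r);
    // Fold two aligned sibling halves into their parent, repeating upward.
    while (out.length >= 2) {
      const a = out[out.length - 2];
      const b = out[out.length - 1];
      const siblings = a.len === b.len && a.len > 0 &&
        b.base === a.base + size(a.len) && a.base % size(a.len - 1) === 0;
      if (!siblings) break;
      out.splice(-2, 2, { base: a.base, len: a.len - 1 });
    }
  }
  return out.map(format);
}

// Constructed sample using ranges quoted on this page; the two /20 halves of
// 69.171.224.0/19 are spelled out from the review's description (assumption).
const SAMPLE: string[] = [
  "69.171.224.0/19", "69.171.224.0/20", "69.171.240.0/20",
  "129.134.26.0/23", "129.134.26.0/24",
  "71.18.1.0/24", "71.18.2.0/23",
  "71.18.4.0/24", "71.18.5.0/24", "71.18.6.0/24", "71.18.7.0/24",
  "71.18.88.0/23", "71.18.90.0/23",
];
console.log(mergeCidrs(SAMPLE));
```

On the sample, 13 entries reduce to 6. 71.18.2.0/23 and the merged 71.18.4.0/22 stay separate because they do not share an aligned parent block.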
