> If Cloudflare were to actually be willing to do something against being used by scammers, they'd put the ingress IPs for the C&C infrastructure on dedicated IP ranges and publish these in a machine-readable format so every reasonable person that does not use Cloudflare tunnels can ban them.
I don't like the idea of making it easier to block certain services, because it goes both ways: it'd also be easier for bad guys to block good guys from using said services.
I'm not seeing how the GP's idea could be used by bad guys to block access to services - it'd be something you could add to your firewall, if you don't use this service, to prevent it's use in gaining persistence.
If the bad guys can modify your firewall config, you already have a problem.
I don't like the idea of making it easier to block certain services, because it goes both ways: it'd also be easier for bad guys to block good guys from using said services.