diff --git a/pillar/cluster/atlas/services.sls b/pillar/cluster/atlas/services.sls
index 66688dc..b879af4 100644
--- a/pillar/cluster/atlas/services.sls
+++ b/pillar/cluster/atlas/services.sls
@@ -2,7 +2,7 @@ haproxy:
 frontends:
 http:
 acls:
- - annoying_clients src 47.128.0.0/14 # Amazon EC2
+ - annoying_clients src -f /etc/haproxy/blacklists/networks -n # salt/profile/proxy/files/etc/haproxy/blacklists/networks
 - internal_clients src 2a07:de40:b27e::/48 # PRG2
 - no_x-frame-option var(txn.host) -m str chat.opensuse.org
 - no_x-frame-option var(txn.host) -m str dimension.opensuse.org
diff --git a/salt/profile/proxy/files/etc/haproxy/blacklists/networks b/salt/profile/proxy/files/etc/haproxy/blacklists/networks
new file mode 100644
index 0000000..728746c
--- /dev/null
+++ b/salt/profile/proxy/files/etc/haproxy/blacklists/networks
@@ -0,0 +1,18 @@
+{{ pillar['managed_by_salt'] }}
+
+## Networks qualify to be listed here if they:
+## - generate absurd amounts of HTTP(S) connections
+## - cause high load on backends
+## - are unlikely to be used for human/legitimate purposes
+
+# Alibaba
+47.76.0.0/16
+59.82.78.0/24
+
+# Amazon
+3.224.0.0/12
+23.20.0.0/14
+47.128.0.0/14
+
+# DataForSEO
+136.243.220.208/29
diff --git a/salt/profile/proxy/haproxy.sls b/salt/profile/proxy/haproxy.sls
index d2b4fd9..3026504 100644
--- a/salt/profile/proxy/haproxy.sls
+++ b/salt/profile/proxy/haproxy.sls
@@ -14,10 +14,13 @@ haproxy_dhparam:
 - watch_in:
 - service: haproxy.service
 
-haproxy_errorfiles:
+haproxy_trees:
 file.recurse:
- - name: /etc/haproxy/errorfiles
- - source: salt://{{ slspath }}/files/etc/haproxy/errorfiles
+ - names:
+ - /etc/haproxy/blacklists:
+ - source: salt://{{ slspath }}/files/etc/haproxy/blacklists
+ - /etc/haproxy/errorfiles:
+ - source: salt://{{ slspath }}/files/etc/haproxy/errorfiles
 - clean: true
 - template: jinja
 - require:
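Review bot: The frontend configuration now hard-depends on `/etc/haproxy/blacklists/networks` being present when HAProxy parses its config (`haproxy -c` and every reload fail on a missing pattern file), and nothing in this change shows that the haproxy config/service states order themselves after the state that deploys that tree; if they do not, their `require` should list the blacklist path so a freshly provisioned proxy does not end up with a frontend that cannot start. HAProxy also reads a `-f` pattern file only at configuration parse time, so later edits to the list are inert until a reload. The trailing comment merely repeats the path; I would make it say how the file is consumed, e.g. `# pattern file deployed by salt/profile/proxy (haproxy_trees); -n = no DNS resolution; reread only on haproxy reload`.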
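Review bot: The first line expands `pillar['managed_by_salt']` into a file that HAProxy parses as a pattern list, where every non-empty line not starting with `#` is taken as an address entry; the hunk does not show what that pillar value renders to, so confirm it begins with `#` (or write the line as `# {{ pillar['managed_by_salt'] }}` if the value is plain text), otherwise HAProxy refuses to start. The entries carry no date, source or evidence: `3.224.0.0/12` alone covers roughly a million Amazon addresses, and without provenance nobody can tell later whether a block is still justified or is silently dropping legitimate clients (CI runners, monitoring) hosted in those clouds. I would add a fourth rule to the header, `## - every entry is preceded by a comment giving the date it was added and the log/ticket evidence, so it can be reviewed and removed`, and give each existing prefix such a line, e.g. `# added <date>: <ticket/log ref>, sustained scraping of <service>` above `47.128.0.0/14`.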
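Review bot: HAProxy loads the `-f` pattern file when it parses its configuration, so a change to the blacklist deployed by this state has no effect until the service reloads; the tail of the `haproxy_trees` state (where a `watch_in: - service: haproxy.service`, as `haproxy_dhparam` above has, would go) lies outside the hunk, so please confirm the merged state still carries it for both trees. Renaming the ID from `haproxy_errorfiles` to `haproxy_trees` breaks any requisite elsewhere that referenced it by ID (`- file: haproxy_errorfiles` would now fail with "requisite not found"); not visible here, but worth a grep. Note too that `clean: true` now covers `/etc/haproxy/blacklists`, so a list edited by hand on a proxy is removed on the next highstate; a comment above `- clean: true`, `# clean: anything under these trees that did not come from salt is deleted`, would spare someone that surprise. The state body continues past the end of the hunk.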