$ whois -h whois.radb.net '!AS8075'
$ pfctl -t drophosts -T add <results>
$ for range in <results> ; do sudo iptables -A INPUT -s "$range" -j DROP ; done
As in my nearby comment, I only allow network access on VMs that don't contain any sensitive data. Once I've fully updated, I create clones to actually work on, and disable the Internet uplink entirely. When it's time to update again, I start with a virgin clone, and then transfer data to it after disabling the Internet uplink.
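
An added example, not part of the original comment: one way to filter the whois response down to well-formed IPv4 CIDR prefixes before any of it reaches a root-level firewall command. The function names and the sample response are constructed for illustration, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Constructed sample standing in for the whois response (assumed shape):
# non-prefix status lines, a duplicate, and three tokens that must be rejected.
SAMPLE='A47
192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
192.0.2.0/24 999.1.1.1/24 10.0.0.0/40 1.2.3.4/24;reboot
C'

# extract_cidrs: read text on stdin, print unique valid IPv4 CIDRs, one per line.
# Anything that is not exactly a.b.c.d/len (octets <= 255, len <= 32) is dropped,
# so shell metacharacters in the response never reach the command line.
extract_cidrs() {
    tr -s ' \t' '\n' |
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            split($0, p, "/"); n = split(p[1], o, ".")
            ok = (n == 4 && p[2] + 0 <= 32)
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok && !seen[$0]++) print
        }'
}

# emit_rules: turn validated CIDRs on stdin into iptables commands.
# The commands are printed for review (dry run), not executed.
emit_rules() {
    while IFS= read -r range; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$range"
    done
}

printf '%s\n' "$SAMPLE" | extract_cidrs | emit_rules
```

Review the printed rules, then pipe them to `sudo sh` to apply them.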