I do have a bit of experience with managing WAFs for large online gaming providers and I can tell you it's not a solved problem. Netflix would also love to hear how I guess.
Even if you somehow manage to enumerate the Nordvpn IPs - a thing of which Nordvpn probably thought in their threat model - then you still have thousands of other providers.
Even if you somehow manage to enumerate the Nordvpn IPs - a thing of which Nordvpn probably thought in their threat model - then you still have thousands of other providers.