These are usually implemented as actual whitelists. Someone goes through each AS, and decides whether it should have unrestricted access or not. Verizon gets unlimited access, because it mostly provides service to end users. Hetzner doesn't, because it mostly has servers. There are companies that enumerate all networks and tell you if they are user-mostly or server-mostly networks, so you can block all but the user-mostly networks.