https://live.paloaltonetworks.com/t5/general-topics/block-cyberghost-ips/m-p/182401#M56181 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/39365">@Sjoerd</a>,</P><P>What you are asking for is essentially blocking access to every single VPN or Proxy provider, that's not a very viable solution. You might want to take a look at DoS profiles and Zone Protection limits and setup a DoS profile for the IP address that is getting hit. There really isn't a viable solution to blocking every single outside provider that someone could use to hide their IP, not to mention even if you identified the true source IP it wouldn't matter since your firewall sees the traffic coming from the listed source.&nbsp;</P><P>Most of these types of attacks are not truly targeted, and you just got caught up in someones scripted attack. Try blocking the IP your see the traffic coming from and see if the IP changes, generally it would not.&nbsp;</P> Tue, 17 Oct 2017 20:59:20 GMT BPry 2017-10-17T20:59:20Z https://live.paloaltonetworks.com/t5/general-topics/block-cyberghost-ips/m-p/182189#M56151 <P>I see a lot of threat (thousands in a few minutes) to one of my webservers from IP&nbsp;176.10.115.140.</P><P>This IP belongs to cyberghost, so probably someone used this to hide his own IP and attack our webserver.</P><P>Is there a way to block this traffic (before the threat prevention blocks it)?</P><P>&nbsp;</P><P>I know I can try to block this ip (or even the scope), but when someone on the outside tries to hide his IP address when reaching my server, his intensions are probably no good.&nbsp;I would like to block everyone “entering” my network who is trying to hide its IP. Is there some kind of “external dynamic list” which can help me accomplish this?</P> Tue, 17 Oct 2017 09:44:20 GMT https://live.paloaltonetworks.com/t5/general-topics/block-cyberghost-ips/m-p/182189#M56151 Sjoerd 2017-10-17T09:44:20Z https://live.paloaltonetworks.com/t5/general-topics/block-cyberghost-ips/m-p/182401#M56181 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/39365">@Sjoerd</a>,</P><P>What you are asking for is essentially blocking access to every single VPN or Proxy provider, that's not a very viable solution. You might want to take a look at DoS profiles and Zone Protection limits and setup a DoS profile for the IP address that is getting hit. There really isn't a viable solution to blocking every single outside provider that someone could use to hide their IP, not to mention even if you identified the true source IP it wouldn't matter since your firewall sees the traffic coming from the listed source.&nbsp;</P><P>Most of these types of attacks are not truly targeted, and you just got caught up in someones scripted attack. Try blocking the IP your see the traffic coming from and see if the IP changes, generally it would not.&nbsp;</P> Tue, 17 Oct 2017 20:59:20 GMT https://live.paloaltonetworks.com/t5/general-topics/block-cyberghost-ips/m-p/182401#M56181 BPry 2017-10-17T20:59:20Z https://live.paloaltonetworks.com/t5/general-topics/block-cyberghost-ips/m-p/182885#M56281 <P>Hello,</P><P>There are dynamic lists that are publically available. Here are a few links to help out. However I think ou are looking for something that&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;suggested and that is a dynamic block. We have ours set to 3600 (seconds) so at least the attacker is blocked for one hour at a time.</P><P>&nbsp;</P><P>&nbsp;</P><P>Source on PAN support:</P><P><A href="https://live.paloaltonetworks.com/message/54183#54183" target="_blank">https://live.paloaltonetworks.com/message/54183#54183</A></P><P>&nbsp;</P><P>Sans notes on this:</P><P><A href="https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/" target="_blank">https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/</A></P><P>&nbsp;</P><P>Others listed on this site:</P><P><A href="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" target="_blank">http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt</A></P><P><A href="http://malc0de.com/bl/IP_Blacklist.txt" target="_blank">http://malc0de.com/bl/IP_Blacklist.txt</A></P><P><A href="http://panwdbl.appspot.com/lists/openbl.txt" target="_blank">http://panwdbl.appspot.com/lists/openbl.txt</A></P><P><A href="http://panwdbl.appspot.com/" target="_blank">http://panwdbl.appspot.com/</A></P><P><A href="http://cinsscore.com/list/ci-badguys.txt" target="_blank">http://cinsscore.com/list/ci-badguys.txt</A></P><P>&nbsp;</P><P>Cheers!</P> Thu, 19 Oct 2017 22:01:03 GMT https://live.paloaltonetworks.com/t5/general-topics/block-cyberghost-ips/m-p/182885#M56281 OtakarKlier 2017-10-19T22:01:03Z