04-12-2013 01:05 PM
A discussion in a IRC-channel this evening was regarding the ongoing DDoS against wordpress installations all around the world and what to do in order to protect your webservers from the known bad ip addresses.
Using ACLs in for example a modern Cisco router seems to only be able to handle something like 1-10k ace's depending on masks being used etc.
Using iptables locally on the webservers seems to bail out after approx 30-40k lines with 10% cpu usage in kernel space for the linux kernel.
So what other countermeasures can be used?
A BGP based blackholing should be doable - however that only seems to block outgoing (returning) traffic from your network, it wont stop the incoming bad request (at least the syn will reach the server and then become hanging - while udp-traffic will be able to reach your server anyway). Unless im missing something here?
Another possible approach could be to enable HostnameLookups in your apache-server and use something like:
<Directory "/www/">
Options None
AllowOverride None
<Limit GET POST>
Order deny,allow
Deny blacklisted.example.com
</Limit>
<LimitExcept GET POST>
Order allow,deny
</LimitExcept>
</Directory>
and then in your DNS server make it authoritive for PTR records regarding the ip addresses you wish to block. When bad ip shows up your apache will ask the DNS for PTR-record of this host and if the answers from the DNS is "blacklisted.example.com" (or whatever you wish to call it) the apache will just drop the connection (perhaps with a http error 403 or such in return).
Which boils down to why I created this thread... what can be used if you have a PA device in place?
According to the datasheet the PA-5060 can use up to 40.000 security policies - but this is of course unique security policies.
A single security policy could perhaps be something like:
srczone: internet
dstzone: dmz
srcip: country(blacklist)
dstip: webserver
appid: any
service: any
action: deny
option: log on session end
or for that matter:
srczone: internet
dstzone: dmz
srcip: group(blacklist)
dstip: webserver
appid: any
service: any
action: deny
option: log on session end
So the question is really is it possible and in which way can one setup a custom country (or a custom address group) to hold 200k+ members (mostly /32 ip addresses)?
And as a sidenote - any efficient ways to keep this list easily up2date? There is for example methods to setup dynamic objects where the PA device will load a textfile from a webserver containing the ip addresses to act on as srcip (in this case) - or for that matter using the REST API to push (or withdraw) ip-addresses to blacklist. Will any of these methods work for a list that contains 200k+ ip addresses?
Or does any of you have other suggestions mainly from own experience? 🙂
07-22-2015 06:04 PM
From the time of last post (2013) BGP FlowSpec was more and more preferred for the granularity of blocking/rate limiting, but even vendors which implemented in routing platforms (JNPR) did not implemented (yet) in firewall platforms. Vendors with ADC & CGN background (ATEN) copes with dynamic block lists of 8 millions of /32.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
