How to efficiently block a large number of ip-addresses?



L6 Presenter

Sorry about that...

But in this context it doesn't seem to matter if you use a dynamic address object or a dynamic block list - the limit is still 25,000 IP addresses on a PA-5000 box, isn't it?

L6 Presenter

Yes in this particular case using some kind of IPS signature to trigger the DoS-protection is probably the way to go.

But then what?

How many ip addresses can the PA dynamically block by the DoS-protection feature?

Doesn't it too have the same limit of max 25,000 entries on a PA-5000 series box?

Which brings me back to the original question - ignore the WordPress thingy. The use-case is that you need to block 200,000 /32's - how the hell is one supposed to do that nowadays without a major performance drop (and that is without putting 8 x PA-5000 boxes in a line)?

L1 Bithead

What if you use BGP blackholing in addition to uRPF (IP spoof protection)?  I'm not sure if this is any more efficient than using an ACL on your router, but assuming your router has enough memory to hold all the /32 entries in its routing table, it may be worth a try.  Since the router's core function is routing packets, hopefully a route lookup for uRPF enforcement would be faster than an ACL check.  In theory, if your blackhole route doesn't point towards the internet, then the router should discard any packet from a blackholed IP when it arrives on your internet interface.


L4 Transporter

We are dealing with the WordPress issue by blocking access to the WordPress login page from the internet. This is done with a simple custom vulnerability signature with default action allow (for inside users) and an exception of block (for outside users). Content management must be done from the inside or, if needed from the outside, they need to use a VPN connection.

L6 Presenter

Hmm yeah, this seems to be the (currently) only proper and practically usable way to deal with a situation where one would need to block plenty of IP addresses.

It also has a name :-)

RTBH - Remotely Triggered Black Holes

You would most likely need to up the "maximum-prefix" in your BGP-settings like so (and use a device which can store and use +200.000 routes):

neighbor x.x.x.x maximum-prefix 250000

Which gives - how many routes (through BGP) can various PA-devices deal with?
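The two mechanisms discussed in this thread (Bithead's blackhole-plus-uRPF idea and the RTBH/maximum-prefix point above) can be modelled in a few lines so the behaviour is visible. The Python below is an added example, not code from the thread or from any Palo Alto or router vendor: it builds a tiny longest-prefix-match routing table, installs blackhole (Null0) routes for a constructed blocklist, runs a loose and strict uRPF check on packet source addresses, and compares the resulting prefix count against a maximum-prefix value. It goes one step beyond the thread by collapsing contiguous /32s into larger prefixes (each address stays covered, but the route count drops), which is one way to stay under a neighbor's prefix limit. All addresses, interface names and routes are constructed sample data.

```python
import ipaddress

# Constructed sample topology (not from the thread): an upstream internet link,
# an inside network, and a handful of blackholed source addresses.
UPSTREAM_IFACE = "internet"
INSIDE_IFACE = "inside"

BASE_ROUTES = [
    ("0.0.0.0/0", UPSTREAM_IFACE),   # default route towards the internet
    ("10.10.0.0/16", INSIDE_IFACE),  # our own address space
]

# Constructed blocklist of /32s; four of them are contiguous on purpose.
BLOCKLIST = [
    "203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.4",
    "198.51.100.77",
]


def blackhole_prefixes(blocklist):
    """Deduplicate the /32 list and collapse contiguous entries into the
    smallest equivalent set of prefixes (every address stays covered)."""
    nets = {ipaddress.ip_network(f"{addr}/32") for addr in blocklist}
    return sorted(ipaddress.collapse_addresses(nets))


def build_rib(base_routes, blackholes):
    """Routing table as (network, next_hop) pairs, ordered longest prefix
    first so a linear scan performs longest-prefix matching."""
    rib = [(ipaddress.ip_network(p), nh) for p, nh in base_routes]
    rib += [(net, "Null0") for net in blackholes]   # blackhole routes
    return sorted(rib, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(rib, addr):
    """Longest-prefix match; returns (network, next_hop) or (None, None)."""
    a = ipaddress.ip_address(addr)
    for net, nh in rib:
        if a in net:
            return net, nh
    return None, None


def urpf_verdict(rib, src, ingress_iface, mode="loose"):
    """Unicast RPF check on a packet's SOURCE address.
    loose : the source must have a route, and it must not be a blackhole
    strict: additionally, that route must point back out the ingress interface
    Returns (action, reason)."""
    net, nh = lookup(rib, src)
    if nh is None:
        return "drop", "no route to source"
    if nh == "Null0":
        return "drop", f"source covered by blackhole {net}"
    if mode == "strict" and nh != ingress_iface:
        return "drop", f"route for {src} points to {nh}, not {ingress_iface}"
    return "accept", f"source reachable via {nh}"


def exceeds_maximum_prefix(blackholes, maximum_prefix):
    """True when the blackhole feed alone would trip the BGP neighbor's
    configured maximum-prefix limit."""
    return len(blackholes) > maximum_prefix


if __name__ == "__main__":
    bh = blackhole_prefixes(BLOCKLIST)
    rib = build_rib(BASE_ROUTES, bh)
    print("blackhole prefixes:", [str(n) for n in bh])
    print("over maximum-prefix 250000?", exceeds_maximum_prefix(bh, 250000))
    for src in ("203.0.113.6", "198.51.100.77", "192.0.2.9", "10.10.3.3"):
        print(src, urpf_verdict(rib, src, UPSTREAM_IFACE, mode="strict"))
```

Run as-is it shows the four contiguous /32s collapsing to 203.0.113.4/30, blackholed sources being dropped in either uRPF mode, and a packet claiming an inside source on the internet interface being dropped only in strict mode. The same check in loose mode is what Bithead describes: as long as the blackhole route points at Null0 rather than the upstream, a route lookup on the source is enough to discard it.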

L2 Linker

Since the time of the last post (2013), BGP FlowSpec has been more and more preferred for the granularity of blocking/rate limiting, but even vendors which implemented it in routing platforms (JNPR) have not (yet) implemented it in firewall platforms. Vendors with an ADC & CGN background (ATEN) cope with dynamic block lists of 8 million /32s.
