How to efficiently block a large number of ip-addresses?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to efficiently block a large number of ip-addresses?

L6 Presenter

A discussion in a IRC-channel this evening was regarding the ongoing DDoS against wordpress installations all around the world and what to do in order to protect your webservers from the known bad ip addresses.

Using ACLs in for example a modern Cisco router seems to only be able to handle something like 1-10k ace's depending on masks being used etc.

Using iptables locally on the webservers seems to bail out after approx 30-40k lines with 10% cpu usage in kernel space for the linux kernel.

So what other countermeasures can be used?

A BGP based blackholing should be doable - however that only seems to block outgoing (returning) traffic from your network, it wont stop the incoming bad request (at least the syn will reach the server and then become hanging - while udp-traffic will be able to reach your server anyway). Unless im missing something here?

Another possible approach could be to enable HostnameLookups in your apache-server and use something like:

<Directory "/www/">

        Options                 None

        AllowOverride           None

<Limit GET POST>

        Order                   deny,allow

        Deny                    blacklisted.example.com

</Limit>

<LimitExcept GET POST>

        Order                   allow,deny

</LimitExcept>

</Directory>

and then in your DNS server make it authoritive for PTR records regarding the ip addresses you wish to block. When bad ip shows up your apache will ask the DNS for PTR-record of this host and if the answers from the DNS is "blacklisted.example.com" (or whatever you wish to call it) the apache will just drop the connection (perhaps with a http error 403 or such in return).

Which boils down to why I created this thread... what can be used if you have a PA device in place?

According to the datasheet the PA-5060 can use up to 40.000 security policies - but this is of course unique security policies.

A single security policy could perhaps be something like:

srczone: internet

dstzone: dmz

srcip: country(blacklist)

dstip: webserver

appid: any

service: any

action: deny

option: log on session end

or for that matter:

srczone: internet

dstzone: dmz

srcip: group(blacklist)

dstip: webserver

appid: any

service: any

action: deny

option: log on session end

So the question is really is it possible and in which way can one setup a custom country (or a custom address group) to hold 200k+ members (mostly /32 ip addresses)?

And as a sidenote - any efficient ways to keep this list easily up2date? There is for example methods to setup dynamic objects where the PA device will load a textfile from a webserver containing the ip addresses to act on as srcip (in this case) - or for that matter using the REST API to push (or withdraw) ip-addresses to blacklist. Will any of these methods work for a list that contains 200k+ ip addresses?

Or does any of you have other suggestions mainly from own experience? 🙂

15 REPLIES 15

From the time of last post (2013) BGP FlowSpec was more and more preferred for the granularity of blocking/rate limiting, but even vendors which implemented in routing platforms (JNPR) did not implemented (yet) in firewall platforms. Vendors with ADC & CGN background (ATEN) copes with dynamic block lists of 8 millions of /32.

  • 10907 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!