#1, 11-02-2009, 04:36 PM
Sash (Registered User; Join Date: Feb 2003; Posts: 241)
How To Block 10k IP Addresses

Does anyone know the best way to block 10k IP addresses?

We understand that iptables and hosts.deny will cause too many problems blocking 10k ip addresses.

Thanks,
Mike
#2, 11-02-2009, 05:29 PM
cPanelEricE (cPanel Staff (Administrator); Join Date: Nov 2007; Location: Texas; Posts: 202)
Howdy,

Can you add any of those up to subnet blocks? A /24 or /8 here and there would help cut down that list drastically. My own list is about 3.5k long and I load them all in a simple for loop like this:

for ip in `cat /root/black-list`; do iptables -I INPUT -s $ip -j DROP; done

It will take some time to run, but it works.

Thanks!
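As an added example (not from Eric's post or any cPanel tool), a small Python script that does the subnet aggregation he suggests before the iptables loop runs: it parses a one-entry-per-line block list, collapses adjacent and overlapping entries into the fewest CIDR blocks, and emits one DROP rule per block. The block list below is constructed from documentation ranges for illustration.

```python
import ipaddress

# Constructed sample block list; 198.51.100.0/24 and 203.0.113.0/24 are
# reserved documentation ranges, so nothing here refers to a real host.
SAMPLE_BLACKLIST = """\
198.51.100.0
198.51.100.1
198.51.100.2
198.51.100.3
203.0.113.7
203.0.113.8
# comment lines and blank lines are ignored

198.51.100.4
203.0.113.0/25
"""


def parse_blacklist(text):
    """Turn one IP or CIDR per line into network objects, skipping junk lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets "203.0.113.7/25" through by masking host bits
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip an unparsable entry instead of aborting the run
    return nets


def collapse(nets):
    """Merge adjacent/overlapping entries into the minimal set of CIDR blocks.

    collapse_addresses() refuses mixed address families, so v4 and v6 are
    summarised separately and concatenated.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def iptables_rules(nets, chain="INPUT"):
    """One DROP rule per block; -A keeps list order, unlike the -I in the loop above."""
    return [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in nets]


if __name__ == "__main__":
    blocks = collapse(parse_blacklist(SAMPLE_BLACKLIST))
    print("\n".join(iptables_rules(blocks)))
```

On the sample above, eight entries shrink to three rules; on a real list the saving depends on how clustered the addresses are.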
#3, 11-02-2009, 05:31 PM
cPanelDon (cPanel Staff (Administrator); Join Date: Nov 2008; Location: Houston, Texas, U.S.A.; Posts: 1,511)
If a software firewall (iptables) does not satisfy the performance requirements, you may want to consider a dedicated hardware firewall; I would check with your data center for available dedicated hardware firewall solutions.
#4, 11-02-2009, 05:45 PM
Sash (Registered User; Join Date: Feb 2003; Posts: 241)
Quote, originally posted by cPanelEricE:
Howdy,

Can you add any of those up to subnet blocks? A /24 or /8 here and there would help cut down that list drastically. My own list is about 3.5k long and I load them all in a simple for loop like this:

for ip in `cat /root/black-list`; do iptables -I INPUT -s $ip -j DROP; done

It will take some time to run, but it works.

Thanks!

I could try to trim the list into smaller subnets.

At 3.5k entries do you have any performance issues?

Thanks,
Mike

#5, 11-03-2009, 07:20 AM
cPanelEricE (cPanel Staff (Administrator); Join Date: Nov 2007; Location: Texas; Posts: 202)
Howdy,

This is on my little atom router box at home. I run even more on my little atom cPanel server. Never misses a beat. Just slow at boot time.
#6, 11-06-2009, 05:27 PM
sirdopes (Registered User; Join Date: Sep 2007; Posts: 30)
Route

Another option is to use route to reject ips.

route add 1.1.1.1 reject

This adds the ip to the routing table and blocks it. I have had 15K+ ips with no problem using this method.
#7, 11-20-2009, 12:47 PM
Spiral (Senior Member; Join Date: Jun 2005; Location: Area 51; Posts: 1,648)

Quote, originally posted by Sash:
Does anyone know the best way to block 10k IP addresses?

We understand that iptables and hosts.deny will cause too many problems blocking 10k ip addresses.

Thanks,
Mike

Why in the world would you want to block that many individual IPs?

You would have to be insane to do that for performance and memory consumption reasons among others!

As cPanelEricE pointed out, you can probably reduce the list greatly by using proper CIDR notation.

Also, if your intent is to block countries, there are much better and far simpler ways to deal with that than just blocking huge IP lists. One that comes to mind immediately is installing GEOIP from Maxmind; then you can simply block traffic to your site or server by a single country or continent code (for example CN for "China") instead of dealing with long (often outdated) IP range lists.

Another would be to set up a DNS-based RBL blacklist database and run IP checks against the RBL!

#8, 12-02-2009, 06:27 AM
stugster (Registered User; Join Date: Apr 2002; Location: Edinburgh, UK; Posts: 64)
Quote, originally posted by Spiral:
Why in the world would you want to block that many individual IPs?

Just thinking out loud here, but DDoS?
#9, 12-02-2009, 07:40 PM
Spiral (Senior Member; Join Date: Jun 2005; Location: Area 51; Posts: 1,648)

Quote, originally posted by stugster:
Just thinking out loud here, but DDoS?

Setting a firewall to try to block IPs from a dDOS attack is futile, and mostly pointless for the most part!

News Flash: 95% of all logged dDoS attack IP addresses are not actually real!

In fact, the vast majority of IPs that you would try to block aren't even actually being used to attack you whatsoever and are more often than not perfectly innocent 3rd parties who may even be the actual real target!

By masquerading IPs and a little creative packet header manipulation, a hacker could easily make you think that any server on the planet is attacking you, and your server will happily log the wrong IP! In fact, the real goal of the hacker might even be to trick you into placing a block or ban on someone else! Even more points scored if they can trick you into wrongfully reporting a bogus IP to the upstream as a hacking source! The same technique can be used to trick you into limiting access to your own server or internet networks! (extremely common these days)

There are much better and far more effective ways to handle dDoS attacks ---

As a rule, I never put any solid faith in the IPs that any regular logs show, and in fact that most often tells me exactly which IPs not to block!

The good news and the flip side of the coin is that it's actually fairly trivial to distinguish legitimate packets from altered packets so the vast majority of dDoS traffic can often be blocked by packet composition instead of by packet origin (which may not even be that reliable in the first place).

Unfortunately many "security administrators" out there remain, technically speaking, often far behind the skill levels or knowledge of the hackers out there, ignorant of knowledge that might be helpful in being more effective in fighting these situations! Each and every day, I see so many administrators take on activities such as racing to block IPs in a dDoS attack simply because they know no other way to handle the situation!

#10, 12-10-2009, 12:37 PM
BareckObama (Registered User; Join Date: Jun 2009; Location: In the heart of obama.; Posts: 28)

Would you mind sharing with us how you would filter the legitimate from the illegitimate traffic?

Quote, originally posted by Spiral:
The good news and the flip side of the coin is that it's actually fairly trivial to distinguish legitimate packets from altered packets so the vast majority of dDoS traffic can often be blocked by packet composition instead of by packet origin (which may not even be that reliable in the first place).

Unfortunately many "security administrators" out there remain, technically speaking, often far behind the skill levels or knowledge of the hackers out there, ignorant of knowledge that might be helpful in being more effective in fighting these situations! Each and every day, I see so many administrators take on activities such as racing to block IPs in a dDoS attack simply because they know no other way to handle the situation!