I could try to trim the list into smaller subnets.

Howdy,
Can you add any of those up to subnet blocks? A /24 or /8 here and there would help cut down that list drastically. My own list is about 3.5k long and I load them all in a simple for loop like this:
for ip in $(cat /root/black-list); do iptables -I INPUT -s "$ip" -j DROP; done   # one address per line; "$ip" is quoted so a stray entry cannot expand into extra arguments
it will take some time to run, but it works.
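As an added example, not code from anyone in this thread: the aggregation the reply above asks for, carried out with Python's standard ipaddress module. It assumes an IPv4-only list with one address or CIDR per line; the sample list and the function names are my own, and promote_dense_24s deliberately over-blocks, which the exact collapse never does.

```python
import ipaddress
from collections import Counter

# Constructed sample (not from the thread): one /24 listed host by host, the
# lower half of another /24, a few stragglers, plus a comment and a blank line.
SAMPLE_BLACKLIST = (
    ["# constructed sample blacklist", ""]
    + [f"192.0.2.{i}" for i in range(256)]
    + [f"198.51.100.{i}" for i in range(128)]
    + ["203.0.113.7", "203.0.113.8", "203.0.113.9", "203.0.113.10"]
)

def parse_blacklist(lines):
    """One IPv4 address or CIDR per line; '#' comments and blank lines ignored."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets

def collapse_exact(nets):
    """Fewest CIDR blocks covering exactly the listed addresses: no over-blocking."""
    return list(ipaddress.collapse_addresses(nets))

def promote_dense_24s(nets, min_hosts):
    """Where a /24 already has at least min_hosts listed addresses, block the
    whole /24. This over-blocks on purpose; min_hosts is the operator's tolerance."""
    per24 = Counter()
    for n in nets:
        if n.prefixlen >= 24:
            per24[n.supernet(new_prefix=24)] += n.num_addresses
    promoted = {net for net, count in per24.items() if count >= min_hosts}
    kept = [n for n in nets
            if n.prefixlen < 24 or n.supernet(new_prefix=24) not in promoted]
    return collapse_exact(kept + list(promoted))

def iptables_rules(nets, chain="INPUT"):
    """Emit one rule per block, in the same form the thread uses for single IPs."""
    return [f"iptables -I {chain} -s {n.with_prefixlen} -j DROP" for n in nets]

if __name__ == "__main__":
    parsed = parse_blacklist(SAMPLE_BLACKLIST)
    exact = collapse_exact(parsed)
    print(f"{len(parsed)} entries -> {len(exact)} exact blocks")
    for rule in iptables_rules(promote_dense_24s(parsed, min_hosts=100)):
        print(rule)
```

If the list stays large even after aggregation, loading the blocks into an ipset hash:net set and matching it from a single "-m set --match-set" rule keeps the INPUT chain short instead of one rule per block.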
Why in the world would you want to block that many individual IPs?

Does anyone know the best way to block 10k IP addresses?
We understand that iptables and hosts.deny will cause too many problems blocking 10k IP addresses.
Setting a firewall to try to block IPs from a DDoS attack is futile, and mostly pointless for the most part!

Just thinking out loud here, but DDoS?

The good news and the flip side of the coin is that it's actually fairly trivial to distinguish legitimate packets from altered packets, so the vast majority of DDoS traffic can often be blocked by packet composition instead of by packet origin (which may not even be that reliable in the first place).
Unfortunately many "security administrators" out there remain, technically speaking, often far behind the skill levels or knowledge of the hackers out there, ignorant of knowledge that might be helpful in being more effective in fighting these situations! Each and every day, I see so many administrators take on activities such as racing to block IPs in a DDoS attack simply because they just simply know no other way to handle the situation!