over a 1,000,000,000 individual ips to block

over a 1,000,000,000 individual ips to block

[Timothy Webster]

I have a need to block 1 -> 2 million ips. 
This edge firewall will be blocking dos attackers, spammers
from hitting our proxys, and mail/web servers.
I also need to be able to reload the 1 -> 2 million blocked 
ips from time to time as they change. 
But this list is not changing continuously.

Thoughts how to do this?
What would you recommend for a hardware?
The iptables set patch, what else?


I need to come of with a plan so I can begin testing for
deployment.

Thanks,

-Tim

Re: over a 1,000,000,000 individual ips to block

[Michael Gale]

Hello,

	Why don't you block networks ??

Firewall - SYN Cookie enabling ? 

Mail servers - use RBL list - this list will contain networks of IP's that
belong to home users. So they do not need to connect directly to your mail
server.

Web servers -- rate limiting ? block networks ? Better web server ?

If you blocked networks ? The estimated max number of rules a packet might have
to match would be 254 ... plus the rest of your filtering for ports and other
needs. This could slow down network access because of all the rules to check for
each packet.

If you are not using network addresses the list would become to long.

Michael.


On Thu, 24 Jun 2004 22:57:32 +0800
"Timothy Webster" <timothyw@outblaze.com> wrote:

> I have a need to block 1 -> 2 million ips. 
> This edge firewall will be blocking dos attackers, spammers
> from hitting our proxys, and mail/web servers.
> I also need to be able to reload the 1 -> 2 million blocked 
> ips from time to time as they change. 
> But this list is not changing continuously.
> 
> Thoughts how to do this?
> What would you recommend for a hardware?
> The iptables set patch, what else?
> 
> 
> I need to come of with a plan so I can begin testing for
> deployment.
> 
> Thanks,
> 
> -Tim
> 
> 
> 
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation

Re: over a 1,000,000,000 individual ips to block

[Alex Sirbu]

For blocking pourposes why don't you use blackholes ?
I have a webserver that is permanently under DoS attacks , so I use blackholes.

Routing table can have million of rules or static routes, so is not a problem .

Let's say you want to block ip 11.22.33.44 . just type :

#ip route add blackhole 11.22.33.44/32

and all packets to 11.22.33.44  will be discarded.

if you type than :
#ip ro | grep blackhole
you will see all blackholes defined by you

you can blackhole your incomming traffic, but be carefull what you are doing .


> Hello,
>
> 	Why don't you block networks ??
>
> Firewall - SYN Cookie enabling ?
>
> Mail servers - use RBL list - this list will contain networks of IP's that
> belong to home users. So they do not need to connect directly to your mail
> server.
>
> Web servers -- rate limiting ? block networks ? Better web server ?
>
> If you blocked networks ? The estimated max number of rules a packet might have
> to match would be 254 ... plus the rest of your filtering for ports and other
> needs. This could slow down network access because of all the rules to check for
> each packet.
>
> If you are not using network addresses the list would become to long.
>
> Michael.
>
>
> On Thu, 24 Jun 2004 22:57:32 +0800
> "Timothy Webster" <timothyw@outblaze.com> wrote:
>
>> I have a need to block 1 -> 2 million ips.
>> This edge firewall will be blocking dos attackers, spammers
>> from hitting our proxys, and mail/web servers.
>> I also need to be able to reload the 1 -> 2 million blocked
>> ips from time to time as they change.
>> But this list is not changing continuously.
>>
>> Thoughts how to do this?
>> What would you recommend for a hardware?
>> The iptables set patch, what else?
>>
>>
>> I need to come of with a plan so I can begin testing for
>> deployment.
>>
>> Thanks,
>>
>> -Tim
>>
>>
>>
>>
>>
>
>
> --
> Michael Gale
> Network Administrator
> Utilitran Corporation
>
>
>



-----------------------------------------------------------------------
As.Ro - Cont gratuit de Email si 50MB free webhosting. http://www.as.ro

Re: over a 1,000,000,000 individual ips to block

[Feizhou]

Alex Sirbu wrote:
> For blocking pourposes why don't you use blackholes ?
> I have a webserver that is permanently under DoS attacks , so I use blackholes.
> 
> Routing table can have million of rules or static routes, so is not a problem .
> 
> Let's say you want to block ip 11.22.33.44 . just type :
> 
> #ip route add blackhole 11.22.33.44/32
> 
> and all packets to 11.22.33.44  will be discarded.

All packets to 11.22.33.44 is discarded...but will 11.22.33.44 be able 
to generate a connection socket?
> 
> if you type than :
> #ip ro | grep blackhole
> you will see all blackholes defined by you

How maintainable is such a list compared to iptables which has 
iptables-save and iptables-restore?
> 
> you can blackhole your incomming traffic, but be carefull what you are doing .
> 

Is there something I am missing here?

Re: over a 1,000,000,000 individual ips to block

[Alex Sirbu]

> Alex Sirbu wrote:
>> For blocking pourposes why don't you use blackholes ?
>> I have a webserver that is permanently under DoS attacks , so I use blackholes.
>>
>> Routing table can have million of rules or static routes, so is not a problem .
>>
>> Let's say you want to block ip 11.22.33.44 . just type :
>>
>> #ip route add blackhole 11.22.33.44/32
>>
>> and all packets to 11.22.33.44  will be discarded.
>
> All packets to 11.22.33.44 is discarded...but will 11.22.33.44 be able
> to generate a connection socket?

if you put a blackhole to destination, all pakets to that ip addres will get "Network is
unrecheable" so a TCP connection will never be established.

>>
>> if you type than :
>> #ip ro | grep blackhole
>> you will see all blackholes defined by you
>
> How maintainable is such a list compared to iptables which has
> iptables-save and iptables-restore?

you can write your own script ( bash, perl , etc. ) that can manage the blackhole list and have it
running in start, stop, restart, dump, clear, panic , add or delete.
you can even keep all the information into a flatfile or database

I wrote my own script , and it's working very well. I can add or remove IPs to/from blackholes
list , I can remove all blackholes at once , I can make a bulk dump of running routing table
containing blackholes.

>>
>> you can blackhole your incomming traffic, but be carefull what you are doing .
>>
>
> Is there something I am missing here?

if , by mistake, you block your own IP net or even loopback address (127.0.0.1) you will get a lot
of trouble ( that can be fixed if you have direct access to that server - I mean keyboard or
serial terminal )
>
>
>



-----------------------------------------------------------------------
As.Ro - Cont gratuit de Email si 50MB free webhosting. http://www.as.ro

Re: over a 1,000,000,000 individual ips to block

[Feizhou]

Alex Sirbu wrote:
>>Alex Sirbu wrote:
>>
>>>For blocking pourposes why don't you use blackholes ?
>>>I have a webserver that is permanently under DoS attacks , so I use blackholes.
>>>
>>>Routing table can have million of rules or static routes, so is not a problem .
>>>
>>>Let's say you want to block ip 11.22.33.44 . just type :
>>>
>>>#ip route add blackhole 11.22.33.44/32
>>>
>>>and all packets to 11.22.33.44  will be discarded.
>>
>>All packets to 11.22.33.44 is discarded...but will 11.22.33.44 be able
>>to generate a connection socket?
> 
> 
> if you put a blackhole to destination, all pakets to that ip addres will get "Network is
> unrecheable" so a TCP connection will never be established.

So if my problem was that 11.22.33.44 was taking up all my SMTP 
connections, doing ip route add blackhole 11.22.33.44/32 means that all 
my ACK's get discarded silently and if the blackhole was done locally 
the processes just get a EINVAL error. So basically MY processes have to 
wait for a timeout. What I'd rather achieve is that the SYN from 
11.22.33.44 not even get through.

Looks like it's still something for iptables.

Re: over a 1,000,000,000 individual ips to block

[Feizhou]

Michael Gale wrote:
> Hello,
> 
> 	Why don't you block networks ??
> 
> Firewall - SYN Cookie enabling ? 

What good is syn cookies against traffic that conform to tcp rules but 
are just too abusive?
> 
> Mail servers - use RBL list - this list will contain networks of IP's that
> belong to home users. So they do not need to connect directly to your mail
> server.

RBL does nothing against spammers who open 100 connections to each of 
your MXs and who run malware that do not understand,respect smtp 5xx. 
Dropping the connection means they keep coming at you. For these, there 
is nothing but a firewall that will keep them off your MXs.
> 
> Web servers -- rate limiting ? block networks ? Better web server ?
> 
> If you blocked networks ? The estimated max number of rules a packet might have
> to match would be 254 ... plus the rest of your filtering for ports and other
> needs. This could slow down network access because of all the rules to check for
> each packet.
> 
> If you are not using network addresses the list would become to long.

I am sure CIDRs were part of the OP's mind since iptables takes both 
individial ips and CIDRs. He probably does have a mixture of over a 
million ips/cidrs he wants to block.

Re: over a 1,000,000,000 individual ips to block

[Michael Gale]

Hello,

	If you allow a simple IP to make a 100 smtp connections to your mail server
then you have other problems. Why you would allow any IP to make more then 10-15
connections is beyond me. Also .. if you set a error limit (example mine is 5)
when that limit is reached the smtp and tcp connection are dropped. 

There are also other SMTP server restrictions you can take place. How do you
think mail appliances that are designed to be placed on the outside of a network
to filter traffic between the outside world and exchange work ??? Do you think
they rely solely on some other firewall to handle DOS's ??? I can tell you that
they don't. 

I am not saying that you should not block abusive IP's or network's at the
firewall. But to rely only on the firewall to solve this problem. Plus using 1
million rules ... how long would your load time be ? What about changes and
administration ? 

Also what about ESTABLISHED connections ??? If you do not use a ESTABLISHED
state -j ACCEPT at the top ... then each IP would then in theory have to match 1
million rules every time it came in.

I am sure there is a better answer then to create 1 million iptable rules. 

Michael. 


On Mon, 28 Jun 2004 21:20:16 +0800
Feizhou <feizhou@linuxmail.org> wrote:

> Michael Gale wrote:
> > Hello,
> > 
> > 	Why don't you block networks ??
> > 
> > Firewall - SYN Cookie enabling ? 
> 
> What good is syn cookies against traffic that conform to tcp rules but 
> are just too abusive?
> > 
> > Mail servers - use RBL list - this list will contain networks of IP's that
> > belong to home users. So they do not need to connect directly to your mail
> > server.
> 
> RBL does nothing against spammers who open 100 connections to each of 
> your MXs and who run malware that do not understand,respect smtp 5xx. 
> Dropping the connection means they keep coming at you. For these, there 
> is nothing but a firewall that will keep them off your MXs.
> > 
> > Web servers -- rate limiting ? block networks ? Better web server ?
> > 
> > If you blocked networks ? The estimated max number of rules a packet might
> > have to match would be 254 ... plus the rest of your filtering for ports and
> > other needs. This could slow down network access because of all the rules to
> > check for each packet.
> > 
> > If you are not using network addresses the list would become to long.
> 
> I am sure CIDRs were part of the OP's mind since iptables takes both 
> individial ips and CIDRs. He probably does have a mixture of over a 
> million ips/cidrs he wants to block.
> 
> 
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation

Re: over a 1,000,000,000 individual ips to block

[Timothy Webster]

 
Hi, 
 
1 million (ips and subnets) we are looking is actually  
the top 1 million spammers and open relays used.  
This list is automatically generated and currently  
stored in cdb files.  
 
Limited maximum connections and a simple accept established 
help, but we need more. Currently looking into modify 
the set patch to handle this large number. 
If not iptables then openbsd pf. 
 
We do get up to 100 smtp connections from a simple ip during peak times. 
 
> 	If you allow a simple IP to make a 100 smtp connections to your 
mail server 
 
> then you have other problems. Why you would allow any IP to make more 
then 10-15 
> connections is beyond me. Also .. if you set a error limit (example 
mine is 5) 
> when that limit is reached the smtp and tcp connection are dropped.  
 
> I am not saying that you should not block abusive IP's or network's at 
the 
 
>  
> Also what about ESTABLISHED connections ??? If you do not use a 
ESTABLISHED 
> state -j ACCEPT at the top ... then each IP would then in theory have 
to match 1 
> million rules every time it came in. 
>  
> I am sure there is a better answer then to create 1 million iptable 
rules.  
>  
> Michael.  
>  
>  
> On Mon, 28 Jun 2004 21:20:16 +0800 
> Feizhou <feizhou@linuxmail.org> wrote: 
>  
> > Michael Gale wrote: 
> > > Hello, 
> > >  
> > > 	Why don't you block networks ?? 
> > >  
> > > Firewall - SYN Cookie enabling ?  
> >  
> > What good is syn cookies against traffic that conform to tcp rules 
but  
> > are just too abusive? 
> > >  
> > > Mail servers - use RBL list - this list will contain networks of 
IP's that 
> > > belong to home users. So they do not need to connect directly to 
your mail 
> > > server. 
> >  
> > RBL does nothing against spammers who open 100 connections to each of  
> > your MXs and who run malware that do not understand,respect smtp 5xx.  
> > Dropping the connection means they keep coming at you. For these, 
there  
> > is nothing but a firewall that will keep them off your MXs. 
> > >  
> > > Web servers -- rate limiting ? block networks ? Better web server ? 
> > >  
> > > If you blocked networks ? The estimated max number of rules a 
packet might 
> > > have to match would be 254 ... plus the rest of your filtering for 
ports and 
> > > other needs. This could slow down network access because of all the 
rules to 
> > > check for each packet. 
> > >  
> > > If you are not using network addresses the list would become to 
long. 
> >  
> > I am sure CIDRs were part of the OP's mind since iptables takes both  
> > individial ips and CIDRs. He probably does have a mixture of over a  
> > million ips/cidrs he wants to block. 
> >  
> >  
> >  
> >  
>  
>  
> --  
> Michael Gale 
> Network Administrator 
> Utilitran Corporation 
>  
 

Re: over a 1,000,000,000 individual ips to block

[Feizhou]

>  
> Limited maximum connections and a simple accept established 
> help, but we need more. Currently looking into modify 
> the set patch to handle this large number. 
> If not iptables then openbsd pf. 

that's why you are looking into ipset....i asked a similar question a 
while ago...need to check to see if there is a 2.6.x version out now.
>  
> We do get up to 100 smtp connections from a simple ip during peak times. 
>  
> 
>>	If you allow a simple IP to make a 100 smtp connections to your 
> 
> mail server 
>  
> 
>>then you have other problems. Why you would allow any IP to make more 
> 
> then 10-15 
> 
>>connections is beyond me. Also .. if you set a error limit (example 
> 
> mine is 5) 
> 
>>when that limit is reached the smtp and tcp connection are dropped.  

postfix does not have per ip connection limiting and this goes for 
sendmail (if you've got a ruleset for that please post) and for 
tcpserver (qmail-smtpd)
> 
>  
> 
>>I am not saying that you should not block abusive IP's or network's at 
> 
> the 
>  
> 
>> 
>>Also what about ESTABLISHED connections ??? If you do not use a 
> 
> ESTABLISHED 
> 
>>state -j ACCEPT at the top ... then each IP would then in theory have 
> 
> to match 1 
> 
>>million rules every time it came in. 
>> 
>>I am sure there is a better answer then to create 1 million iptable 
> 
> rules.  
> 

Which is why Timothy is asking about ipset/ippool functionality.