best approach for blocklist

Linux Netfilter discussions
 help / color / mirror / Atom feed

* best approach for blocklist
@ 2010-03-05 16:17 Dennis J.
  2010-03-05 17:11 ` Payam Chychi
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Dennis J. @ 2010-03-05 16:17 UTC (permalink / raw)
  To: netfilter

Hi,
I'm wondering what the most efficient way to implement a blocklist is. We 
are basically talking about blocking a few thousand IPs. Does iptables do 
some internal optimizations when blocking based on a source address or 
would it be better to, say, create a chain for each class A net (e.g. 
83.0.0.0/8) and then add the IPs in that range to that class to make the 
matching more efficient?

Regards,
   Dennis

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: best approach for blocklist
  2010-03-05 16:17 best approach for blocklist Dennis J.
@ 2010-03-05 17:11 ` Payam Chychi
  2010-03-05 17:43 ` Mike Wright
  2010-03-05 17:48 ` Mart Frauenlob
  2 siblings, 0 replies; 5+ messages in thread
From: Payam Chychi @ 2010-03-05 17:11 UTC (permalink / raw)
  To: Dennis J.; +Cc: netfilter

anytime where you can use chains to jump from and not have to go
through a massive list its a good thing... id take the later option


-- 
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer

On Fri, Mar 5, 2010 at 8:17 AM, Dennis J. <dennisml@conversis.de> wrote:
> Hi,
> I'm wondering what the most efficient way to implement a blocklist is. We
> are basically talking about blocking a few thousand IPs. Does iptables do
> some internal optimizations when blocking based on a source address or would
> it be better to, say, create a chain for each class A net (e.g. 83.0.0.0/8)
> and then add the IPs in that range to that class to make the matching more
> efficient?
>
> Regards,
>  Dennis
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: best approach for blocklist
  2010-03-05 16:17 best approach for blocklist Dennis J.
  2010-03-05 17:11 ` Payam Chychi
@ 2010-03-05 17:43 ` Mike Wright
  2010-03-05 17:48 ` Mart Frauenlob
  2 siblings, 0 replies; 5+ messages in thread
From: Mike Wright @ 2010-03-05 17:43 UTC (permalink / raw)
  To: Dennis J.; +Cc: netfilter

Dennis J. wrote:
> Hi,
> I'm wondering what the most efficient way to implement a blocklist is. 
> We are basically talking about blocking a few thousand IPs. Does 
> iptables do some internal optimizations when blocking based on a source 
> address or would it be better to, say, create a chain for each class A 
> net (e.g. 83.0.0.0/8) and then add the IPs in that range to that class 
> to make the matching more efficient?

Have you considered ipset?  I use it in various ways, sometimes to 
allow, sometimes to deny.  It supports IPs, NETs, ports, etc.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: best approach for blocklist
  2010-03-05 16:17 best approach for blocklist Dennis J.
  2010-03-05 17:11 ` Payam Chychi
  2010-03-05 17:43 ` Mike Wright
@ 2010-03-05 17:48 ` Mart Frauenlob
  2010-03-06  7:11   ` Weedy
  2 siblings, 1 reply; 5+ messages in thread
From: Mart Frauenlob @ 2010-03-05 17:48 UTC (permalink / raw)
  To: netfilter

On 05.03.2010 17:17, netfilter-owner@vger.kernel.org wrote:
> Hi,
> I'm wondering what the most efficient way to implement a blocklist is.
> We are basically talking about blocking a few thousand IPs. Does
> iptables do some internal optimizations when blocking based on a source
> address or would it be better to, say, create a chain for each class A
> net (e.g. 83.0.0.0/8) and then add the IPs in that range to that class
> to make the matching more efficient?
> 
> Regards,
>   Dennis

things i would take into consideration:

- drop in raw table (avoid conntrack)
- use user-defined chains
- use ipset to match many IPs

best regards

Mart

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: best approach for blocklist
  2010-03-05 17:48 ` Mart Frauenlob
@ 2010-03-06  7:11   ` Weedy
  0 siblings, 0 replies; 5+ messages in thread
From: Weedy @ 2010-03-06  7:11 UTC (permalink / raw)
  To: netfilter

Mart Frauenlob wrote:
> On 05.03.2010 17:17, netfilter-owner@vger.kernel.org wrote:
>> Hi,
>> I'm wondering what the most efficient way to implement a blocklist is.
>> We are basically talking about blocking a few thousand IPs. Does
>> iptables do some internal optimizations when blocking based on a source
>> address or would it be better to, say, create a chain for each class A
>> net (e.g. 83.0.0.0/8) and then add the IPs in that range to that class
>> to make the matching more efficient?

There is a PDF I'm too lazy to google for about how the university of 
florida mitigated a DDOS from a worm using TARPIT. Point being they had 
to TARPIT hundreds of thousands of IPs and had to deal with the 
performance issues behind that. It's a good read.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2010-03-06  7:11 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-03-05 16:17 best approach for blocklist Dennis J.
2010-03-05 17:11 ` Payam Chychi
2010-03-05 17:43 ` Mike Wright
2010-03-05 17:48 ` Mart Frauenlob
2010-03-06  7:11   ` Weedy

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox