
R80.20 - IP blacklist in SecureXL

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.

This can be very helpful, e.g. during DoS attacks, to block an IP at SecureXL level.

 

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

 

On the gateway, add IP 1.2.3.4 to the SecureXL blacklist:

# fwaccel dos blacklist -a 1.2.3.4

On the gateway, display all IPs on the SecureXL blacklist:

# fwaccel dos blacklist -s

On the gateway, delete IP 1.2.3.4 from the SecureXL blacklist:

# fwaccel dos blacklist -d 1.2.3.4

 

Very nice new function in R80.20!

 

 

Furthermore, there is also the Penalty Box whitelist in SecureXL.

 

The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that send packets which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address. The Penalty Box whitelist in SecureXL lets you configure the source IP addresses which the SecureXL Penalty Box never blocks.

 

More under this link:

Command Line Interface R80.20 Reference Guide

 

Regards,

Heiko
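The add/show/delete procedure above, wrapped into a small script, as an added example that is not part of the original post and not Check Point's own tooling. It validates each address before handing it to fwaccel, confirms with `-s` that the entry really landed, and records every blocked address in a file so the list can be re-applied after a reboot (the thread notes that entries live only in SecureXL memory). Assumptions not stated in the post: the `FWACCEL` and `STATE_FILE` variables and the file path are hypothetical and overridable from the environment, and `fwaccel dos blacklist -s` prints one address per line so that `grep -Fw` can confirm an exact entry.

```shell
# Added example, not from the original post or from Check Point: a wrapper
# around "fwaccel dos blacklist" so that every block is validated, verified
# and recorded.
# Assumptions (not stated in the thread): FWACCEL and STATE_FILE can be
# overridden from the environment, and "fwaccel dos blacklist -s" lists one
# address per line, so "grep -Fw" can confirm an exact entry.
FWACCEL="${FWACCEL:-fwaccel}"
STATE_FILE="${STATE_FILE:-/var/log/sxl_blacklist.list}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    ip="$1"
    # Reject anything but digits and dots, and leading/trailing/double dots.
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs="$IFS"
    IFS='.'
    for octet in $ip; do
        n=$((n + 1))
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then
            IFS="$old_ifs"
            return 1
        fi
    done
    IFS="$old_ifs"
    [ "$n" -eq 4 ]
}

# Add each address to the SecureXL blacklist, confirm it is listed by -s,
# and record it in STATE_FILE. Prints "OK|SKIP|FAIL <ip>" per address and
# returns 1 if any address was not blocked.
blacklist_add() {
    rc=0
    for ip in "$@"; do
        if ! is_ipv4 "$ip"; then
            echo "SKIP $ip (not an IPv4 address)"
            rc=1
            continue
        fi
        if ! "$FWACCEL" dos blacklist -a "$ip" >/dev/null 2>&1; then
            echo "FAIL $ip (fwaccel returned an error)"
            rc=1
            continue
        fi
        if "$FWACCEL" dos blacklist -s 2>/dev/null | grep -qFw -- "$ip"; then
            echo "$ip" >> "$STATE_FILE"
            echo "OK $ip"
        else
            echo "FAIL $ip (not listed after add)"
            rc=1
        fi
    done
    return "$rc"
}

# Remove each address from the blacklist and from STATE_FILE.
blacklist_del() {
    for ip in "$@"; do
        if "$FWACCEL" dos blacklist -d "$ip" >/dev/null 2>&1; then
            echo "REMOVED $ip"
        else
            echo "FAIL $ip (fwaccel returned an error)"
        fi
        if [ -f "$STATE_FILE" ]; then
            grep -vFx -- "$ip" "$STATE_FILE" > "$STATE_FILE.tmp" || true
            mv "$STATE_FILE.tmp" "$STATE_FILE"
        fi
    done
}

# Re-apply every recorded address (for example from a boot-time script):
# the thread notes that blacklist entries do not survive a reboot.
# Prints the number of addresses re-applied.
blacklist_restore() {
    n=0
    if [ -f "$STATE_FILE" ]; then
        for ip in $(sort -u "$STATE_FILE"); do
            if "$FWACCEL" dos blacklist -a "$ip" >/dev/null 2>&1; then
                n=$((n + 1))
            fi
        done
    fi
    echo "$n"
}

# Usage: sxl_blacklist.sh add 1.2.3.4 10.0.0.7 | del 1.2.3.4 | show | restore
case "${1:-}" in
    add)     shift; blacklist_add "$@" ;;
    del)     shift; blacklist_del "$@" ;;
    show)    "$FWACCEL" dos blacklist -s ;;
    restore) blacklist_restore ;;
esac
```

Since the drops happen below the policy and, as the replies point out, are not very visible, the record file and the post-add verification are the minimum an operator wants: they answer "what did we blacklist, and is it still in effect?" without relying on memory or on a console that may be lagging during the attack.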

13 Replies

Re: R80.20 - IP blacklist in SecureXL

You need to use this function with LOTS of care, as it is even less visible than SAM rules...

Re: R80.20 - IP blacklist in SecureXL

Bug or feature?

It is also possible to enter networks. Unfortunately, the handbook only mentions the IP address and not the network.

It is also suggested that the network be created, but unfortunately it is not displayed afterwards.

Regards,

Heiko


Re: R80.20 - IP blacklist in SecureXL

Kind regards,
Jozko Mrkvicka

Re: R80.20 - IP blacklist in SecureXL

How is this different to SAM?


Re: R80.20 - IP blacklist in SecureXL

The blacklist/whitelist is only IP level (either SecureXL drop this IP always or never subject this IP to the Penalty Box).

fw sam and fw samp allow configuring more granular rules.

Re: R80.20 - IP blacklist in SecureXL

I agree with Dameon here. Here is a link to sam penalty box sk that has been around for quite a while:

What is the SecureXL penalty box mechanism for offending IP addresses? 

I think the new command is very good for effectively blocking individual IP addresses, for example a DoS attack from a few IP addresses or similar cases.

And I also agree with Valeri, the function is to be used with care. Many users will not know it yet, and it is also not very visible.

Re: R80.20 - IP blacklist in SecureXL

I also find it interesting that it still works when I disable SecureXL in R80.20. I wouldn't have expected that at this point :)

Re: R80.20 - IP blacklist in SecureXL

In real life, if you are facing a DDoS attack (or broadcast storm), you are not able to log into the system anyway (lagging, freezing, not able to execute a single command). Happened to me 2 times. The only solution was to find the root cause and cut off that machine. So from a logical point of view, the better solution would be to move this feature into SmartConsole (some hidden place) and push the command via SIC with triple confirmation alerts.

Kind regards,
Jozko Mrkvicka

Re: R80.20 - IP blacklist in SecureXL

I think that's gonna be a fundamental discussion. From my point of view, DDoS attacks should be blocked at the provider. You can discuss it for a long time.

If I can't get login to the system during an attack, of course I can't do much.

Everything should be configured on the firewall first. Then I don't have the problems later. 

I like the option to block IP's on SecureXL level. It is simple and effective.

I think the following function "Accelerated SYN Defender" is the better choice for DoS attacks (SYN Flood attack) on Check Point gateways with enabled SecureXL.

A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections, which causes a denial of service condition. The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on the Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as a proxy for TCP connections and adjusts TCP [SEQ] and TCP [ACK] values in TCP packets.

You can find more in the manual under:

"fwaccel synatk"

Regards,

Heiko

Re: R80.20 - IP blacklist in SecureXL

HI Guys,

I always use the following commands to drop IPs, subnets, ports and a list of known IPs. See sk67861.

Command                               Description
sim dropcfg                           Configures drop parameters (run 'sim dropcfg')
sim dropcfg -h                        Prints the help message with available options for 'dropcfg' parameter
sim dropcfg -l                        Prints current drop configuration
sim dropcfg -f </path_to/file_name>   Sets drop configuration file
sim dropcfg -e                        Enforces drop configuration on the external interface only
sim dropcfg -y                        Avoids confirmation
sim dropcfg -r                        Resets drop rules

Re: R80.20 - IP blacklist in SecureXL

1) The sim dropcfg command is not available in R80.20

2) Refer to the R80.20 Performance Tuning Administration Guide to see all relevant commands.


Re: R80.20 - IP blacklist in SecureXL

Just wanted to note that IPs added to the blacklist with

fwaccel dos blacklist -a 1.2.3.4

do not survive a reboot.


Re: R80.20 - IP blacklist in SecureXL

This is fantastic feature and thanks for sharing.

BTW, is there any limitation on the number of IP addresses in the fwaccel dos blacklist chain?