This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2019-06-01 08:03 AM

What is the best way to block huge list of malicious IP addresses?

Hi Guys,

What is the best way to block around half a million malicious IP addresses as the external feeds that I am getting without impacting "much" performance of firewall module?

Is it by implementing 

  1. dynamic_objects
  2. fwaccel dos
  3. Some kind of scripting with dyamic updatable objects?
  4. Any other way?

 

TIA

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2019-06-01 09:54 PM

fwaccel dos or sim erdos might be the most efficient of the options, especially in pre-R80 cases.
Blason_R
Leader
Leader
‎2019-06-02 07:30 AM
In response to PhoneBoy

Well I tried blocking using dynamic_objects there are around 5,65,000 malicious IP addresses and CPU core 1 shoot up to 95% for almost 10mins and then firewall hung up.

Issue with fwaccel dos is; Tracker shows the traffic is accepted and those logs are forwarded to SIEM which then send the false alerts even though traffic is blocked.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-02 12:43 PM
In response to Blason_R

I believe the default is that drops from fwaccel dos should be logged.
You can see the setting with fwaccel dos config get.
If this isn't happening it might be worth a TAC case.
0 Kudos
Blason_R
Leader
Leader
‎2019-06-03 12:22 AM
In response to PhoneBoy

Here is the setting and I am talking about blocking IP addresses in fwaccel blacklist functionality. Once the IP address is blocked in blacklist functionality the tracker still shows as traffic is passed.

rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds

 

fwaccel dos blacklist -s
14.1xx.xx.xx

telnet 14.1xx.xx.xx 4545
Trying 14.1xx.xx.xx...
telnet: connect to address 14.1xx.xx.xx: Connection timed out

 

 

 

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-03 06:27 PM
In response to Blason_R

Like I said, you should open a TAC case.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events