Blason_R
Leader

What is the best way to block huge list of malicious IP addresses?

Hi Guys,

What is the best way to block around half a million malicious IP addresses from the external feeds that I am getting, without impacting the performance of the firewall module "much"?

Is it by implementing 

  1. dynamic_objects
  2. fwaccel dos
  3. Some kind of scripting with dynamic updatable objects?
  4. Any other way?
TIA

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
5 Replies
PhoneBoy
Admin

fwaccel dos or sim erdos might be the most efficient of the options, especially in pre-R80 cases.
Blason_R
Leader

Well, I tried blocking using dynamic_objects; there are around 5,65,000 malicious IP addresses, and CPU core 1 shot up to 95% for almost 10 mins and then the firewall hung up.

The issue with fwaccel dos is that Tracker shows the traffic as accepted, and those logs are forwarded to the SIEM, which then sends false alerts even though the traffic is blocked.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
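As an added example (not from this thread or from Check Point), here is a pre-processing step for the scripting route in option 3: collapsing a feed into the fewest CIDR prefixes and computing the add/remove delta between refreshes, so the full 565,000-entry list does not have to be pushed to the gateway every time. The feed contents are constructed, and how the resulting prefixes are loaded into the gateway is product-specific and left out.

```python
"""Pre-process a large IP threat feed before loading it into a gateway blacklist.
Collapsing raw IPs into the fewest CIDR prefixes cuts the number of entries to
load, and pushing only the delta against the previously loaded feed avoids
reloading every entry on each refresh. Pushing to the gateway is product-specific."""
import ipaddress

# Constructed sample feeds (documentation ranges), not real indicators.
PREVIOUS_FEED = "203.0.113.0\n203.0.113.1\n198.51.100.7\n192.0.2.9\n"
CURRENT_FEED = """# threat feed, refreshed hourly
203.0.113.0
203.0.113.1
203.0.113.2
203.0.113.3
198.51.100.7
198.51.100.7   # duplicates are common in merged feeds
not-an-ip      # junk line: must be skipped, not abort the load
"""

def parse_feed(text):
    """Return the set of networks in a feed, dropping comments, blanks and junk."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole refresh
    return nets

def collapse(nets):
    """Merge adjacent/overlapping networks into the fewest prefixes, per IP version."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out

def delta(previous, current):
    """Prefixes to add and to remove to move the loaded blacklist from previous to
    current. Apply adds before removes so a widened prefix never leaves a gap."""
    prev, cur = set(collapse(previous)), set(collapse(current))
    key = lambda n: (n.version, n)
    return sorted(cur - prev, key=key), sorted(prev - cur, key=key)

if __name__ == "__main__":
    cur = parse_feed(CURRENT_FEED)
    adds, removes = delta(parse_feed(PREVIOUS_FEED), cur)
    print(f"{len(cur)} entries -> {len(collapse(cur))} prefixes; add {[str(n) for n in adds]}, remove {[str(n) for n in removes]}")
```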
PhoneBoy
Admin

I believe the default is that drops from fwaccel dos should be logged.
You can see the setting with fwaccel dos config get.
If this isn't happening it might be worth a TAC case.
Blason_R
Leader

Here is the setting, and I am talking about blocking IP addresses via the fwaccel blacklist functionality. Once the IP address is blocked via the blacklist functionality, the tracker still shows the traffic as passed.

rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
fwaccel dos blacklist -s
14.1xx.xx.xx

telnet 14.1xx.xx.xx 4545
Trying 14.1xx.xx.xx...
telnet: connect to address 14.1xx.xx.xx: Connection timed out
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
PhoneBoy
Admin

Like I said, you should open a TAC case.