  1. #1 Registered User (Melbourne, joined Feb 2004, 404 posts)
    Any aussie DCs that use massive-scale reputation feed IP blocking?
    After almost 15 years in the business I am just about ready to pack it in as I'm sick and tired of dealing with the same BS day in day out ie. playing cat and mouse with spammers, hackers, botnets etc

    I recently came across a whitepaper by 'techguard' who sell one of these devices (that I long wondered if they existed) that can basically

    - block whole countries (I have no interest in this personally)
    - use commercial lists of 'bad ips' ie. botnets etc to block 10s of MILLIONS of IPs without any impact on the network latency

    ie. Block IP traffic using IP Blacklists - PoliWall

    While I'm sure there are other such appliances, does anyone know if any decent-sized aussie DCs use such appliances?

    I realize that to set up one of these in HA mode can cost something like $100k or more, so I don't expect small providers to be able to do it, but I AM surprised that some of the bigger players either don't have them or don't advertise them?

    What I want for my small number of servers is basically a DC that uses one of these at the network edge so that I don't have to daily monitor and adjust my security policies to deal with bs like ever-evolving wordpress/joomla/whatever brute force botnets, spammers, hackers etc

    Commercial lists that are constantly updated and contain millions of known 'bad ips' are available (I don't know their subscription costs though)

    And before someone says "but you still have to secure your servers": YES, that goes without saying. What I want however is protection from KNOWN botnets and hackers, spammers etc, and there are 10s of millions of those IPs, so it's impossible for me to deal with them at the server or firewall level other than by wasting countless resources and time day in day out ie. daily cat and mouse routine.

  2. #2
    Take a look at Black Lotus; most providers, including us, use them.
    DDoS protection for service providers and enterprises. We also sell access to the Edgecast ADN (Application Delivery Network), which can do some pretty awesome stuff.
    It also has DDoS protection available.
    CPK Web Services
    The one solution
    Get in touch www.cpkws.com.au/contact.php

  3. #3 Registered User (Melbourne, joined Feb 2004, 404 posts)
    I am not talking about DDoS protection, I thought I made that clear. I am talking about nuisance IPs, ie. the millions of well known and ever growing botnets used for anything from web site compromises to email harvesting etc. AFAIK BL is about network DDoS attacks ie. attacks designed to bring down sites with sheer bandwidth consumption.

    If you host any significant number of wordpress sites for example, you would have noticed thousands of different IPs everyday trying to brute force wordpress admin logins. There's little point in trying to block these at the server level as these bastards just send thousands more automatically once you start blocking.

    That's just one example. There are millions of known nuisance IPs like this kept up to date on commercial lists. Obviously this can't be blocked on server level or even firewall level, it needs to be done at the network provider/DC level before it even gets to any customer servers.

  4. #4 sisgroup, Chief Amazer @ Amaze (australia, joined May 2007, 58 posts)
    I thought about building a firewall or some scripts to provide an extra layer of protection from these exact problems.

    A way of qualifying 'bad' IP addresses would be to set up a darknet, whereby you use a /24 from the top of your aggregate prefix that has never been used before, feed it into a box that logs TCP SYNs and collects the IPs.

    Write some metrics around how many times you are willing to receive packets that you didn't ask for before you treat it as bad.

    You would need some sort of whitelist ability and ensure you are at least opening a connection; it's way too easy to spoof a SYN packet and do a reverse DoS on the equipment you are protecting.

    This list could then be fed into a hardware router running S/RTBH to provide in-hardware drops at your border(s).

    You could take it further and build it out to a number of trusted partner networks and share / collate the info and tune your policies. Such routes could be sent via eBGP multihop.

    Just an idea



    Quote Originally Posted by pixie View Post
    I am not talking about DDoS protection, I thought I made that clear. I am talking about nuisance IPs, ie. the millions of well known and ever growing botnets used for anything from web site compromises to email harvesting etc. AFAIK BL is about network DDoS attacks ie. attacks designed to bring down sites with sheer bandwidth consumption.

    If you host any significant number of wordpress sites for example, you would have noticed thousands of different IPs everyday trying to brute force wordpress admin logins. There's little point in trying to block these at the server level as these bastards just send thousands more automatically once you start blocking.

    That's just one example. There are millions of known nuisance IPs like this kept up to date on commercial lists. Obviously this can't be blocked on server level or even firewall level, it needs to be done at the network provider/DC level before it even gets to any customer servers.
    Luke Iggleden
    Dedicated Servers, VPS and Amazing Support!
    https://www.amaze.com.au

  5. #5 Registered User (Melbourne, joined Feb 2004, 404 posts)
    Problem with that approach that I see is simply that you'd be introducing potentially massive latency and enormous maintenance costs. That's why products like the one I mentioned in the opening post exist.

    I believe they quoted something ridiculous like 0.01ms latency added when blocking 10M IPs. Plus it's all automated: you subscribe to list providers and they give you lists of millions of IPs used by spammers, hackers and so on, and they're all automatically blocked before they even enter your customers' servers. I believe these lists are created with the use of thousands of honeypots all over the net to prevent false positives.

    I could give you a list of at least 100K nuisance IPs and I'm a smaller host. I have no way of blocking those 100K IPs without spending massive amounts of money upfront and on maintenance. And even if I did, that only solves 0.001% of the problem ie. there are 10s of MILLIONS of KNOWN nuisance IPs and growing.

    My guess is most DCs/providers who sell colo/bandwidth etc don't do this because quite frankly, they'd lose money on the traffic ie. all the nuisance traffic eats up bandwidth that customers, incl. web hosts, ultimately pay for.

    Quote Originally Posted by sisgroup View Post
    I thought about building a firewall or some scripts to provide an extra layer of protection from these exact problems.

    A way of qualifying 'bad' IP addresses would be to set up a darknet, whereby you use a /24 from the top of your aggregate prefix that has never been used before, feed it into a box that logs TCP SYNs and collects the IPs.

    Write some metrics around how many times you are willing to receive packets that you didn't ask for before you treat it as bad.

    You would need some sort of whitelist ability and ensure you are at least opening a connection; it's way too easy to spoof a SYN packet and do a reverse DoS on the equipment you are protecting.

    This list could then be fed into a hardware router running S/RTBH to provide in-hardware drops at your border(s).

    You could take it further and build it out to a number of trusted partner networks and share / collate the info and tune your policies. Such routes could be sent via eBGP multihop.

    Just an idea
    Last edited by pixie; 14-08-2014 at 10:58 AM.

  6. #6 sisgroup, Chief Amazer @ Amaze (australia, joined May 2007, 58 posts)
    Using S/RTBH to block large subnets does not increase latency at all; it's done in hardware. The only limiting factor is your router's routing table. Our Juniper MXs will hold millions of routes, so with aggregation it's very simple to achieve what you want.

    You said it yourself, you have a list of IPs that you want to block, presumably to save money by way of compute resource as well as human time. Since you have this list, why not fire a VPS up in front of your hardware and update this list yourself with a script? Once it's up and running, your maintenance would be looking after your false positives.

    The reason why we haven't implemented something like this is due to trust issues on the source of the lists. We simply can't roll out an ACL blocking millions of IPs to all users unless we see a direct impact on services - and the ACL then would be only pointed towards the users having issues.

    My suggested approach of an active honeypot/darknet does take into account new IPs and effect change immediately, btw. Perhaps a combination of subscribed list + live self-generated lists?


    Quote Originally Posted by pixie View Post
    Problem with that approach that I see is simply that you'd be introducing potentially massive latency and enormous maintenance costs. That's why products like the one I mentioned in the opening post exist.

    I believe they quoted something ridiculous like 0.01ms latency added when blocking 10M IPs. Plus it's all automated: you subscribe to list providers and they give you lists of millions of IPs used by spammers, hackers and so on, and they're all automatically blocked before they even enter your customers' servers. I believe these lists are created with the use of thousands of honeypots all over the net to prevent false positives.

    I could give you a list of at least 100K nuisance IPs and I'm a smaller host. I have no way of blocking those 100K IPs without spending massive amounts of money upfront and on maintenance. And even if I did, that only solves 0.001% of the problem ie. there are 10s of MILLIONS of KNOWN nuisance IPs and growing.

    My guess is most DCs/providers who sell colo/bandwidth etc don't do this because quite frankly, they'd lose money on the traffic ie. all the nuisance traffic eats up bandwidth that customers, incl. web hosts, ultimately pay for.
    Luke Iggleden
    Dedicated Servers, VPS and Amazing Support!
    https://www.amaze.com.au
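The darknet idea in post #4 and the "update the list yourself with a script, then aggregate" suggestion in post #6 fit together as one small pipeline. The block below is an added example, not code from anyone in this thread or from any vendor: it assumes a sensor on an unused /24 (203.0.113.0/24, a documentation range) that completes the TCP handshake and writes a constructed log line per attempt, counts only completed handshakes per source (bare SYNs are ignored because a spoofed SYN could otherwise get an innocent third party blackholed, the reverse-DoS risk post #4 raises), applies a whitelist and a hit threshold, and collapses /32s into a /24 once enough distinct hosts in it are bad. The output is a plain list of source prefixes; how those get announced to the RTBH trigger router (BGP community or static null route) is platform specific and left out. The log format, thresholds and addresses are all invented for the example.

```python
"""Darknet-fed source blocklist builder (added example, not the forum's code).

Assumed sensor log format, invented for this example, one line per attempt:
    <unix_time> <src_ip> <dst_ip>:<dst_port> <state>
where state is SYN (only a SYN was seen) or ESTABLISHED (three-way handshake
completed by the sensor).
"""
import ipaddress
from collections import Counter, defaultdict

DARKNET = ipaddress.ip_network("203.0.113.0/24")   # the unused /24 fed to the sensor

# Constructed sample log: three hosts in 192.0.2.0/24 sweep the darknet and
# complete handshakes; 198.51.100.7 only sends bare SYNs (possibly spoofed);
# 10.0.0.5 is our own monitoring host and is whitelisted; 198.51.100.200 touches
# the darknet once, below threshold.
SAMPLE_LOG = """\
1407984000 192.0.2.10 203.0.113.4:22 ESTABLISHED
1407984001 192.0.2.10 203.0.113.9:22 ESTABLISHED
1407984002 192.0.2.10 203.0.113.17:80 ESTABLISHED
1407984003 192.0.2.11 203.0.113.4:80 ESTABLISHED
1407984004 192.0.2.11 203.0.113.4:443 ESTABLISHED
1407984005 192.0.2.11 203.0.113.5:443 ESTABLISHED
1407984006 192.0.2.12 203.0.113.8:3389 ESTABLISHED
1407984007 192.0.2.12 203.0.113.9:3389 ESTABLISHED
1407984008 192.0.2.12 203.0.113.10:3389 ESTABLISHED
1407984009 198.51.100.7 203.0.113.1:80 SYN
1407984010 198.51.100.7 203.0.113.2:80 SYN
1407984011 198.51.100.7 203.0.113.3:80 SYN
1407984012 198.51.100.7 203.0.113.4:80 SYN
1407984013 10.0.0.5 203.0.113.1:22 ESTABLISHED
1407984014 10.0.0.5 203.0.113.2:22 ESTABLISHED
1407984015 10.0.0.5 203.0.113.3:22 ESTABLISHED
1407984016 198.51.100.200 203.0.113.40:25 ESTABLISHED
"""

WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]   # never blackhole these (assumed)
THRESHOLD = 3      # completed darknet connections before a source counts as bad
AGGREGATE_AT = 3   # distinct bad hosts in one /24 before the whole /24 is listed


def parse_log(text):
    """Yield (src, dst, state) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst_port, state = parts
        dst = dst_port.rsplit(":", 1)[0]
        try:
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), state
        except ValueError:
            continue


def is_whitelisted(addr):
    return any(addr in net for net in WHITELIST)


def bad_sources(text, threshold=THRESHOLD):
    """Sources that completed at least `threshold` handshakes to the darknet.
    Only ESTABLISHED lines count: a bare SYN is trivially spoofable, so counting
    it would let an attacker get an innocent address blackholed."""
    hits = Counter()
    for src, dst, state in parse_log(text):
        if dst not in DARKNET or state != "ESTABLISHED" or is_whitelisted(src):
            continue
        hits[src] += 1
    return {src for src, n in hits.items() if n >= threshold}


def aggregate(sources, aggregate_at=AGGREGATE_AT):
    """Collapse bad /32s into their /24 when enough distinct hosts in that /24 are
    bad (fewer routes in the router's table); otherwise keep the /32."""
    by_24 = defaultdict(set)
    for src in sources:
        by_24[ipaddress.ip_network(f"{src}/24", strict=False)].add(src)
    routes = []
    for net, hosts in by_24.items():
        if len(hosts) >= aggregate_at:
            routes.append(net)
        else:
            routes.extend(ipaddress.ip_network(f"{h}/32") for h in hosts)
    return sorted(routes)


def blackhole_routes(text):
    """One source prefix per entry, ready to hand to the RTBH trigger."""
    return [str(n) for n in aggregate(bad_sources(text))]


if __name__ == "__main__":
    for prefix in blackhole_routes(SAMPLE_LOG):
        print(prefix)
```

Run against the sample log this yields a single entry, 192.0.2.0/24, while the SYN-only source and the whitelisted host never appear; lowering THRESHOLD or raising AGGREGATE_AT shows the trade-off between false positives and routing-table size that post #6 alludes to.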

  7. #7
    Quote Originally Posted by sisgroup View Post
    Using S/RTBH to block large subnets does not increase latency at all; it's done in hardware. The only limiting factor is your router's routing table. Our Juniper MXs will hold millions of routes, so with aggregation it's very simple to achieve what you want.

    You said it yourself, you have a list of IPs that you want to block, presumably to save money by way of compute resource as well as human time. Since you have this list, why not fire a VPS up in front of your hardware and update this list yourself with a script? Once it's up and running, your maintenance would be looking after your false positives.

    The reason why we haven't implemented something like this is due to trust issues on the source of the lists. We simply can't roll out an ACL blocking millions of IPs to all users unless we see a direct impact on services - and the ACL then would be only pointed towards the users having issues.

    My suggested approach of an active honeypot/darknet does take into account new IPs and effect change immediately, btw. Perhaps a combination of subscribed list + live self-generated lists?
    A lot of the DDoS protection providers are already doing this type of thing, so no need to reinvent the wheel.
    Micron21 are doing this locally here in Australia. I personally don't have issues with hundreds of brute force attacks even on the WordPress sites that our clients host, as the networks we use have decent protection in place to prevent it. All this stuff needs to be prevented at the network level rather than trying to protect individual servers. That is not to say you shouldn't run firewalls and other protective systems on the servers themselves, as you should, but all these attacks need to be prevented at the network level.
    CPK Web Services
    The one solution
    Get in touch www.cpkws.com.au/contact.php

  8. #8 sisgroup, Chief Amazer @ Amaze (australia, joined May 2007, 58 posts)
    Quote Originally Posted by Chaddy View Post
    A lot of the DDoS protection providers are already doing this type of thing, so no need to reinvent the wheel.
    Micron21 are doing this locally here in Australia. I personally don't have issues with hundreds of brute force attacks even on the WordPress sites that our clients host, as the networks we use have decent protection in place to prevent it. All this stuff needs to be prevented at the network level rather than trying to protect individual servers. That is not to say you shouldn't run firewalls and other protective systems on the servers themselves, as you should, but all these attacks need to be prevented at the network level.
    I'm not certain that a NetFlow-based DDoS protection system will have the scope to look at a brute force attack at the application layer. NetFlow on high volume networks has to be sampled, e.g. 1 packet out of 100. It's not possible to form any valuable rule from something like this. You would have to have your traffic pushed via a device to sniff and apply dynamic filters (NSFOCUS, Arbor, Snort etc).

    It can't be done in-line at high speed (multi 10G) for all packets entering a border router.

    You can install application layer (IDS) firewalls as suggested to manage this, but they will suffer from state exhaustion under a volumetric attack; that is where DDoS protection comes in.
    Luke Iggleden
    Dedicated Servers, VPS and Amazing Support!
    https://www.amaze.com.au

  9. #9 Registered User (Canberra, joined Oct 2008, 72 posts)
    What the OP is asking for is certainly possible, but as noted by Luke there are a few things you need to be mindful of.

    DDoS providers can certainly block bad IPs, spammers, botnets, etc, but they gather their information from someone. While some of them can provide extremely fast DPI, generally speaking DDoS mitigation providers exist to block the volumetric stuff, like filling the pipes.

    To be completely honest, the issues you are facing should actually be looked at differently. Primarily because certain companies are market leaders in one area, but really lacking in others.

    Take spam, good old email. You will find most people agree Cisco's IronPorts are a serious market leader in this industry; they have been at it for a while and support some massive organisations around the world. IIRC, some 40% of the Fortune 500 use them. It is a logical choice to use their products to protect yourself against spam.

    However, I would not use their products to protect a website. For that, you want a product that has been providing a form of WAF for a long time. While I could rattle off some products (which we use), I would actually prefer to just point you towards CloudFlare.
    CloudFlare is an excellent product that is free (for most people) and allows you to protect your website while also speeding it up. Because they have a massive number of websites being routed through their WAF, when a new "hack" comes out they generally know about it quite quickly and are able to apply new filters to all their clients at a much faster speed than most other providers.
    On the more expensive end of the scale are providers like Akamai. Their "hide your DC" service, while expensive, is very powerful.
    However, I don't think that is what you are after.

    Rather than making up your mind with one product, ask the hosting providers what they can and cannot do. Full web/mail filtering with all the bells and whistles and endless customisations isn't something you will regularly see advertised but if you ask about it you should be able to find someone who can provide what you are after.

    Cheers,
    Seamus
    www.uber.com.au
    Seamus Ryan - Senior Leading Chief Parallels Orchestration Synergy Platform Operational Evangelist Specialist Developer Program Manager Engineer AKA The Internet Police

  10. #10 Registered Provider (joined Apr 2013, 66 posts)
    Quote Originally Posted by Chaddy View Post
    Micron21 are doing this locally here in Australia,
    [snip]
    All this stuff needs to be prevented at the network level rather than trying to protect individual servers,
    Any Sydney based datacenter (colocation provider) that would be doing the same thing?

    I would personally love to see a plugin (that works with, or alongside of, CSF) that works in such a way that any time a new IP is banned on multiple servers running the same plugin, it automatically adds that IP to the firewall blacklist on all servers worldwide using that plugin. That would provide much better protection rather than simply waiting for my turn to be attacked before it gets blocked.
    Today is international no sig day
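The shared-ban idea in post #10 (an address banned on several servers gets blocked everywhere) is essentially a quorum rule over ban events, and the part that keeps it from becoming a self-inflicted outage is the quorum, the time window and an expiry. The block below is an added example, not a CSF plugin or anyone's code from this thread: it assumes each server reports (unix time, server name, banned IP) to a collector, lists an address only when at least QUORUM distinct servers banned it within WINDOW seconds, drops it again TTL seconds after its last ban, and renders the result as one address per line, which is the plain-text shape a csf.blocklists URL entry fetches. Server names, addresses and thresholds are all constructed for the example.

```python
"""Quorum-based shared blocklist from per-server ban events (added example)."""
from collections import defaultdict

QUORUM = 3       # distinct servers that must independently ban an address
WINDOW = 3600    # seconds within which those bans must occur
TTL = 86400      # seconds an address stays listed after its most recent ban

# Constructed ban events: (unix_time, reporting_server, banned_ip)
SAMPLE_EVENTS = [
    (1407984000, "web01", "192.0.2.50"),
    (1407984100, "web02", "192.0.2.50"),
    (1407984200, "web03", "192.0.2.50"),    # third distinct server: quorum reached
    (1407984000, "web01", "198.51.100.9"),
    (1407984050, "web01", "198.51.100.9"),  # same server twice counts once
    (1407984060, "web02", "198.51.100.9"),  # only 2 distinct servers: not listed
    (1407900000, "web01", "203.0.113.77"),
    (1407900100, "web02", "203.0.113.77"),
    (1407984300, "web03", "203.0.113.77"),  # third ban is outside WINDOW of the first two
    (1407800000, "web01", "203.0.113.5"),
    (1407800010, "web02", "203.0.113.5"),
    (1407800020, "web03", "203.0.113.5"),   # quorum reached, but older than TTL: expired
]


def reached_quorum(bans, quorum, window):
    """True if some `window`-long span of the time-sorted bans holds >= quorum
    distinct servers (sliding window over (time, server) pairs)."""
    start = 0
    for end in range(len(bans)):
        while bans[end][0] - bans[start][0] > window:
            start += 1
        servers = {server for _ts, server in bans[start:end + 1]}
        if len(servers) >= quorum:
            return True
    return False


def shared_blocklist(events, now, quorum=QUORUM, window=WINDOW, ttl=TTL):
    """Sorted list of IPs that reached quorum inside the window and whose most
    recent ban is younger than ttl (so a cleaned-up host is not blocked forever)."""
    by_ip = defaultdict(list)
    for ts, server, ip in events:
        by_ip[ip].append((ts, server))
    listed = []
    for ip, bans in by_ip.items():
        bans.sort()
        if not reached_quorum(bans, quorum, window):
            continue
        last_ban = bans[-1][0]
        if now - last_ban > ttl:
            continue
        listed.append(ip)
    return sorted(listed)


def render(ips):
    """One address per line: the plain-text list a fetching firewall expects."""
    return "\n".join(ips) + ("\n" if ips else "")


if __name__ == "__main__":
    print(render(shared_blocklist(SAMPLE_EVENTS, now=1407985000)), end="")
```

With the sample events only 192.0.2.50 is listed: one server banning an address repeatedly does not make a quorum, three bans spread over a day do not either, and an address that reached quorum long ago has aged out. Dropping QUORUM to 2 shows how quickly the list grows, which is the false-positive cost post #6 warns about when an untrusted list is pushed to every server.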

  11. #11
    Quote Originally Posted by Matt. L. View Post
    Any Sydney based datacenter (colocation provider) that would be doing the same thing?

    I would personally love to see a plugin (that works with, or alongside of, CSF) that works in such a way that any time a new IP is banned on multiple servers running the same plugin, it automatically adds that IP to the firewall blacklist on all servers worldwide using that plugin. That would provide much better protection rather than simply waiting for my turn to be attacked before it gets blocked.
    Yeah, as I said, the Edgecast ADN (Application Delivery Network) can do it; drop me a line for pricing (CPK Web Services :: Contact us).
    CPK Web Services
    The one solution
    Get in touch www.cpkws.com.au/contact.php

  12. #12 Registered User (Southbank, joined Aug 2014, 4 posts)
    Very good post you made, buddy; it has helpful replies and suggestions that are useful to have.
