2

Are there any utilities out there that can assist in building an IP exclusion list?

Scenario: Recently suffered a brute force attack where 50000 failed login attempts came from a multitude of different IP addresses.

Question: Is there a utility out there that can take a list of IP addresses and help build an IP exclusion list? I.e., take commonalities from the IP list and build an IP range to block?

Disclaimer: Security is not my background. I come from a programming background, and have worked with computers for 20+ years, but never with a primary focus on security. So I apologize in advance if my question is not up to snuff with security professionals out there.

Jim P.
  • Are you looking for a network wide utility, or would a host based solution work? – amccormack May 29 '15 at 16:30
  • I am just looking for a utility where I can feed a list of IP addresses, and the utility tries to find commonality among the list of IPs in such a way that it can come up with a list of unique IP addresses, and more hopefully a list of IP ranges to block. 172.114.01.x - 172.113.02.x ... Like I said, definitely not a security professional, or even network admin, but programmatically it makes sense that you could have a list of IPs and create a common IP range to block??? Maybe I am way off base! – Jim P. May 29 '15 at 17:29
  • Yup, I understand that part, but are you trying to put this on one firewall, many firewalls, or just your webserver? I ask because there are programs that I know of that can address a host based, and there are definitely COTS solutions for enterprise wide. – amccormack May 29 '15 at 17:31
  • It would be applied to amazon security groups... So many servers, but also many different amazon accounts. So typical scenario, might be one customer with 3 servers, and one security group policy. – Jim P. May 29 '15 at 17:42
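The "find commonality and build a range" step the question asks about, as an added example (not from the original post, and not a recommendation to block the resulting ranges blindly): it uses only the Python standard library, collapses a constructed list of offending addresses into the exact CIDR blocks that cover them, and for coarser candidate blocks reports how many offenders each contains next to how many innocent addresses it would also cut off.

```python
import ipaddress
from collections import Counter

# Constructed sample of source addresses seen in failed logins (documentation
# ranges, not real attackers; not taken from the original post).
FAILED_LOGIN_SOURCES = [
    "203.0.113.5", "203.0.113.9", "203.0.113.77", "203.0.113.200",
    "198.51.100.14", "198.51.100.15", "198.51.100.16", "198.51.100.17",
    "192.0.2.1",
]


def exact_blocklist(ips):
    """Collapse individual addresses into the smallest set of CIDR blocks that
    covers exactly those addresses and nothing else (adjacent /32s merge)."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def prefix_candidates(ips, prefixlen=24, min_hits=3):
    """Group offenders by enclosing prefix and, for each candidate block with
    at least `min_hits` offenders, report the offender count alongside the
    number of other addresses the block would also deny (the collateral)."""
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips
    )
    candidates = []
    for net, hits in counts.most_common():  # ties keep first-seen order
        if hits >= min_hits:
            candidates.append({
                "block": str(net),
                "offenders": hits,
                "collateral": net.num_addresses - hits,
            })
    return candidates


if __name__ == "__main__":
    print("exact:", exact_blocklist(FAILED_LOGIN_SOURCES))
    for c in prefix_candidates(FAILED_LOGIN_SOURCES):
        print(c)
```

The collateral column is the number to look at before widening a block: a /24 with four offenders still denies 252 addresses that never touched the server.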

3 Answers

3

You have a unique requirement. But your basis may be off.

I'll use an incident I ran into this week as an example. I discovered an attack from 50 IP addresses from a block of IPs managed by a hosting company in Hong Kong. It would make sense, then, to block all IPs from this hosting company, at least temporarily. I believe this is similar to the scenario that you have in mind.

To accomplish this, you would have to run a whois on the IPs, link them to a common holder, and populate your list with the block of IPs. Programmatically, this is trivial if the use case is as I defined.

But what if the owner of the IP block is AWS? Do you block all of AWS? For some sites, this might be a valid thing to do. Then what if the attacker detects the block (it's a common feature in botnets) and they switch to another hosting site; do you add this new block to the list? Project this process into the future where now you are blocking all major hosting providers and even a few ISPs (if the botnets switched to personal computers and your script added Comcast IP blocks). You have now DoS'ed your own service.

The problem, then, is not the process of adding IP blocks, but the problem is not adding too much.

The typical way security pros address this problem is to block each IP individually. Fail2ban is a common utility to do this.

Or, if you know that certain countries are not normally using your service, then you can use geo-IP databases and only allow (or block) certain countries.

schroeder
  • Thank you for taking the time to respond! Are you familiar with Amazon security groups (I don't claim to be)? I only ask because I am wondering if your scenario would work in this instance. Let's take the scenario you gave and assume it was thousands of IPs instead of 50? I have no real world experience, so I am asking, how common would it be for a botnet to have 1000s of IP addresses at its disposal? Would Amazon's security groups allow me to block thousands of IPs? Would I skip using Amazon's security groups and fall back to Windows Firewall to manage thousands of unique IP exclusions? Thanks! – Jim P. May 29 '15 at 18:43
  • Botnets can have millions of IPs - botnets can also be Crime-as-a-Service where they share, spawn, shift and move their IPs as needed. I would not use a Windows Firewall to manage such a shifting landscape. I am also not sure that an AWS security group meets your needs in this way - you need to implement something (a firewall) in between the AWS layer and your application. – schroeder May 29 '15 at 18:55
  • That is what I thought in terms of botnets' access to an endless supply of IPs. I would think that enterprise level software has the ability to react. I.e., multiple failed attempts from this IP, temp block, move on... We are migrating to VPCs for all customers, which will help, and are looking into some better enterprise solutions. This is all being handled by corporate. I was just curious and wanted to learn a little bit, and be able to intelligently participate in discussions. Thanks for schooling me! :) – Jim P. May 29 '15 at 19:22
  • Fail2ban is the standard tool for blocking individual IPs temporarily. Many services use the same approach on a wider level. Banning IPs is a game of whack-a-mole, and fail2ban is the champ of that frustrating process. – schroeder May 29 '15 at 19:27
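The per-IP, temporary blocking that schroeder describes (fail2ban's maxretry/findtime/bantime idea), as an added example that is not fail2ban's own code and not part of the answer: it scans constructed sshd-style log lines, bans any source that reaches the retry threshold inside a sliding window, and lets the ban expire on its own so the list never grows without bound.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in sshd style (documentation addresses; not
# taken from the original post).
SAMPLE_LOG = """\
2015-05-29T16:30:01 sshd[911]: Failed password for root from 203.0.113.5 port 51022 ssh2
2015-05-29T16:30:02 sshd[911]: Failed password for root from 203.0.113.5 port 51023 ssh2
2015-05-29T16:30:04 sshd[912]: Failed password for admin from 203.0.113.5 port 51024 ssh2
2015-05-29T16:30:05 sshd[913]: Failed password for root from 198.51.100.14 port 40001 ssh2
2015-05-29T16:45:09 sshd[914]: Failed password for root from 198.51.100.14 port 40002 ssh2
2015-05-29T16:45:10 sshd[915]: Failed password for root from 198.51.100.14 port 40003 ssh2
2015-05-29T16:45:11 sshd[916]: Accepted publickey for deploy from 192.0.2.1 port 2222 ssh2
"""

FAILED_RE = re.compile(r"^(\S+) .*Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(hours=1)):
    """Sliding-window detector: an IP with `maxretry` failures inside `findtime`
    is banned until the failure time plus `bantime`. Returns {ip: expiry}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in bans and ts < bans[ip]:
            continue              # already banned; the firewall would drop this
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()           # forget failures older than the window
        if len(q) >= maxretry:
            bans[ip] = ts + bantime
            q.clear()
    return bans


def is_banned(bans, ip, now_iso):
    """True if `ip` has a ban that is still in force at the given ISO time."""
    return ip in bans and datetime.fromisoformat(now_iso) < bans[ip]
```

The second source in the sample makes three attempts but spread over 15 minutes, so it never trips the 10-minute window; that is the kind of slow, distributed pattern a threshold alone will miss.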
1

I think you need to approach this issue from a different direction. There are a number of problems with your proposed solution:

  • It is a maintenance nightmare.
  • It is a reactive rather than proactive solution. You will only add blocked IPs once the IPs have tried to break in. This could be too late.
  • It ignores the problem that many IPs are assigned dynamically. Just because you were attacked from a specific IP yesterday, it doesn't necessarily hold that the same individual is using that IP today.

Generally, the starting point with traditional firewalls is you begin by blocking everything and then start opening up only what is needed. When this begins to be a problem, it frequently identifies an underlying architecture weakness.

For example, if I have a server, I will start by blocking all incoming connections and then look at the services I'm running and assess where they need to be accessed from. If I am running a web server, does it need access from everywhere, or does it just need access from my company network or a subnet within that network?

If it needs access from everywhere, then I'll permit all IP addresses to access it. If it only needs to be accessed from my company network, I'll only allow access from that IP range.

Depending on the system architecture and application requirements, a basic firewall may not be sufficient. For example, you have a web application which in general needs to be open to the world, but there are URLs within the application used for administration which you want to lock down to just a small number of IP addresses. In this case, either the application will provide the level of access control you need, i.e. it serves up a forbidden page error for requests from any IP which isn't part of the admin list, or you have an application firewall which sits between your border firewall and your application.

Sometimes, the problem is that you need to provide admin access to a resource, but you don't know what IP address the user will be coming from. In these situations, you might have to insist that the admin person uses a company VPN, which will allow them to connect from anywhere, but will restrict their client address to a range within your VPN subnet. Alternatively, you may use some form of reverse proxy where the admin person needs to connect through an authenticated proxy and the IP address for the resource is restricted to the IP of the proxy. The problem with this solution is that you will possibly now see attacks against your proxy. However, this might be OK as you have added another layer of complexity which may provide sufficient protection - now attackers must first compromise your proxy and then compromise your admin service (assuming they use different passwords of course).

There are also firewalls which provide IDS+IPS facilities. The IDS looks for suspicious behaviour, such as large numbers of failed authentication requests to a service. When such an event is detected, it triggers the IPS to put a temporary block/drop on the source IP. Such systems can be very good, but they can be difficult to get configured correctly, often need a bit of maintenance and need to be monitored to detect issues with things like false positives which might result in legitimate traffic being blocked.

The other approach you can do is to rate limit the resource. Brute force attempts depend on being able to perform high numbers of attempts in a short period. If you rate limit the request, brute force attacks can become impractical because they take too long. A common example is to have a login page where a delay is used in responding to failed login attempts. As the number of login attempts increases, the delay increases.

Rather than blocking addresses, I would be looking for a solution which allows you to only permit specific addresses to the areas you are concerned about. If this is not possible because it is something like a general login page for your customers and you cannot know what IP addresses they are coming from, then I would be looking at what additional IDS/IPS you might be able to implement at either the application or application firewall level. If you have no other solution than to block IP addresses, I would be seeking a solution which allows temporary blocking and which will remove the blocks after an acceptable period. To be effective, the blocking must be an automated process - blocking IP addresses after an attempted brute force attack is usually shutting the gate after the horse has bolted.

Tim X
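The escalating-delay rate limit Tim X describes for a login page, as an added example (not code from the answer): each consecutive failure for a key doubles the wait before the next attempt is processed, a success or a quiet period resets it, and the clock is injectable so the behaviour can be checked without sleeping. What the key is (source IP, account name, or both) is the caller's choice; against the many-source attack in the question, keying on the account as well as the IP is what keeps the limit effective.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Escalating delay for failed logins: 0, base, 2*base, 4*base, ... seconds,
    capped at max_delay. Failures are forgiven after reset_after quiet seconds."""

    def __init__(self, base_delay=1.0, max_delay=300.0, reset_after=900.0,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self.clock = clock            # injectable for tests
        self.state = defaultdict(
            lambda: {"failures": 0, "next_allowed": 0.0, "last": 0.0})

    def delay_for(self, failures):
        """Wait imposed after the n-th consecutive failure."""
        if failures == 0:
            return 0.0
        return min(self.base_delay * (2 ** (failures - 1)), self.max_delay)

    def check(self, key):
        """Seconds the caller must still wait before processing an attempt
        for `key`; 0.0 means the attempt may be handled now."""
        s = self.state[key]
        now = self.clock()
        if s["last"] and now - s["last"] > self.reset_after:
            s.update(failures=0, next_allowed=0.0)   # quiet period: forgive
        return max(0.0, s["next_allowed"] - now)

    def record(self, key, success):
        """Record the outcome of an attempt; returns the delay now in force."""
        s = self.state[key]
        now = self.clock()
        s["last"] = now
        if success:
            s.update(failures=0, next_allowed=0.0)
            return 0.0
        s["failures"] += 1
        wait = self.delay_for(s["failures"])
        s["next_allowed"] = now + wait
        return wait
```

Apply the wait before the password check returns, not after, so a failed attempt costs the same whether the delay is enforced by sleeping or by rejecting early with a retry-after value.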
-1

If your web site is mainly accessed by the USA and you don't care about the rest of the world then it is very easy and effective to only allow IP blocks by country and deny the rest of the world.

It's what I do.

Kris