In its simplest form, the question is how to block external proxies because of an emergency situation, due to which management has forced the technical teams to find a solution to block all external proxies, or to share an external proxy list for blocking.

While I do understand that there are millions of caching proxies floating around the inter/intranet, which just isn't feasible to extract, what are some of the best countermeasures one could take to resolve this, in case events turn out as in the emergencies mentioned in the hyperlink above?

Judging from the attacker's perspective, this emergency might just be a DDoS attack via botnets or external proxies, and I have read that a caching proxy could serve the purpose, but I'm open to more than one solution for this one. Any insight on solutions could really help.

Shritam Bhowmick
  • How will blocking proxies help in defending against a DDOS launched from botnets? – Neil Smithline Dec 30 '15 at 21:16
  • Have you looked at 3rd-party DDOS protection? That seems the best solution and you just pay them for the service. No need to worry about it. – Neil Smithline Dec 30 '15 at 21:17
  • Cloudflare seems to be one of the most possible solutions, but because of the wide network installations it is also the furthest down the list of solutions to be availed of! – Shritam Bhowmick Dec 30 '15 at 21:20
  • Sorry, but I don't quite understand your previous comment. Can you rephrase it Shritam? – Neil Smithline Dec 30 '15 at 21:21
  • Shritam - that link is to a small article in English with the real information being from a non-English video. That makes it hard for us to understand. – Neil Smithline Dec 30 '15 at 21:28
  • Hi Neil, I do understand the lingual differences but that's the only reliable source of information from a news channel, and the management has already panicked twice a day due to the nature of the finance business the investors have put money into! To rephrase my previous indicators, I was indicating wide network installations which have too many servers to protect. Which is the reason why the OP talked about a simpler solution to block **almost all open proxy IPs** or at least the known bad ones!? – Shritam Bhowmick Dec 30 '15 at 21:49
  • You say "too many servers to protect". Do you mean that it would be too expensive and you are looking for a cheaper solution? I understand that they are expensive, but that is because doing the same thing yourself is difficult or impossible. EG: you probably can't have 10x or 100x the network hardware you need to run your service lying around, but, due to the economy of scale, 3rd-parties can. – Neil Smithline Dec 30 '15 at 21:57
  • Let's see if someone answers your question. – Neil Smithline Dec 30 '15 at 21:58
  • Tech is bound by company budget policies while looking down to expense coverage + management interest to security budget ratio. This is highly compatible in the U.S., but here in India the security budget ratio is comparatively mediocre or less. The servers are many and the management has like 4 days to decide on the expenditure etc., and the tech team has to deploy overall in a 20-day span of time. This is getting hectic as I do not have **all external proxy lists** and it's *next to impossible* to have the list all at once. It's limited and requires maybe more considerable options. – Shritam Bhowmick Dec 30 '15 at 22:14

1 Answer

A third-party DDOS protection service like cloudflare.com may be the best place to start for typical web traffic, but these won't protect you from everything. Nonetheless, you've raised an important question, and knowing how to protect your own servers by yourself is very important.

The following will give you instructions on how to block the proxy servers, but I will also point out that getting the initial list of IPs to block, or allow, can be a bit tricky.

Effectively you want to know how to implement blacklists so you can block all of the attacking IP addresses an organization may be concerned about or see during an attack (in your case the IP list of the proxy servers). That said, it's important to understand how blacklists really help you. Blacklists are a great way to slow down or temporarily block attackers and can work great when triggered appropriately. Even a 30-minute blacklisting of IPs sending malicious traffic can really have a huge impact against any type of automated attack. There are tools like fail2ban (link below) which can easily help you automate your blacklisting based on malicious behavior. Likewise there are tools like ipset (link below) which can be used with iptables to create extremely large black-lists or white-lists that can easily block or allow tens of thousands of IPs with almost no impact on performance, and block millions of IPs with only a slight performance impact.

Effectively deploying ipset and iptables combined with the list of proxies is all you need.

The following are some tips I recommend for configuring your blacklists for long-term use:

Basically because every organization has different needs and different requirements each deployment may be a little bit different but as a general rule of thumb I group who I blacklist into three categories.

1.) IPs that will never have a need to connect to these systems

2.) IPs that are doing really targeted harmful stuff to these systems

3.) IPs that are scanning or doing something less harmful but are still annoying, and may include a customer's infected system.

Based on these groups (yours may be different, especially given your immediate concern) I set a variety of different block times. In this example I use the following block times based on the groups above.

1.) Forever

2.) 24-168 hours

3.) 30-60 minutes with 30 minutes being the most common.

This said, I would also take into context what activity you are blacklisting. If an organization has a public website but I see attacks brute-forcing secure-shell or a VPN server (something that is NOT meant to be accessible to the general public) I don't mind blocking that type of activity for much longer on that port or protocol. Likewise, if I see an IP address really hammering a site with tens of thousands of attacks or repeated activities for days, that IP gets blocked for a longer time. From the article you linked to, you may want to block things for at least 48 hours to start with, and start creating your white-list of good IPs immediately.

There are always risks when blocking traffic for any period of time, but I've seen that it's becoming more common to see very large organizations blocking for at least 30 minutes to disrupt the automated attacks, and I highly recommend doing this anyway because it gets rid of a lot of the brute-force scanning that ultimately affects all sites.

Note: With the #2 group it is also wise to send an abuse e-mail to the bad actor's ISP, CC'ing the IP owner and/or domain owner. Frequently this helps resolve the problem after a few days, and if not you can always promote that IP to group #1 if you have to.

Finally, I would also recommend creating a white-list of your infrastructure and also of your key business partners or critical clients. Occasionally business partners do check the security of their supply chain, and you may not want to auto-block these organizations if they decide to take a closer look at what you are doing.

I think it is very wise to actively blacklist bad actors, especially since it's a very cost-effective defense, but I wouldn't limit your blocking to a single type & time-frame if you can avoid it. That said, if you do, 30 minutes seems to be the industry norm right now.

http://www.fail2ban.org/

http://ipset.netfilter.org/

http://ipverse.net/ipblocks/data/countries/

If nothing else this will allow you to get the "hooks" in place to block large numbers of IPs in the future, so I'd recommend this no matter how you handle your issue in the short term. Hope this helps.

Trey Blalock
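The ipset + iptables layout the answer describes (three blacklist groups with different block times, plus a whitelist that always wins), written out as an added example. This is not code from the answer or from the ipset/fail2ban projects; the set names, the timeout values chosen for each group, and the 192.0.2.x / 198.51.100.x / 203.0.113.x sample addresses are constructed for illustration. Unless you run it with APPLY=1 on a host that has ipset and iptables, it only prints the commands it would execute, so you can review the rule order before touching a production firewall.

```shell
#!/bin/sh
# Added example, not code from the answer: an ipset + iptables blacklist with
# the three block-time groups described above and a whitelist that wins over
# every blacklist. Set names, timeouts and sample addresses are constructed
# for illustration. Without APPLY=1 the script only prints the commands it
# would run, so it can be read and tested on a machine without ipset.

: "${APPLY:=0}"

# Whitelist of your own infrastructure / key partners (constructed sample
# addresses from the TEST-NET ranges). Checked before any blacklist add.
WHITELIST="192.0.2.10 192.0.2.11"

# Block time per group in seconds. ipset timeout 0 means "never expires".
# Group 1: never needed here; group 2: 24h (low end of the 24-168h range);
# group 3: 30 minutes, the most common value in the answer.
timeout_for_group() {
  case "$1" in
    1) echo 0 ;;
    2) echo 86400 ;;
    3) echo 1800 ;;
    *) echo "unknown group: $1" >&2; return 1 ;;
  esac
}

# ipset set name that holds a group.
set_for_group() {
  echo "blacklist_g$1"
}

# Execute a command, or print it when not applying.
run() {
  if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# Return 0 if the IP is on the whitelist.
is_whitelisted() {
  for w in $WHITELIST; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# Create the sets. The hash:ip blacklists get a default timeout so entries
# expire on their own; -exist makes the script safe to re-run.
create_sets() {
  run ipset create whitelist hash:net -exist
  for w in $WHITELIST; do
    run ipset add whitelist "$w" -exist
  done
  for g in 1 2 3; do
    run ipset create "$(set_for_group "$g")" hash:ip timeout "$(timeout_for_group "$g")" -exist
  done
}

# Insert the rules at the top of INPUT. The blacklist DROP rules go in first,
# then the whitelist ACCEPT is inserted above them, so a whitelisted source
# is always matched before any blacklist.
install_rules() {
  for g in 1 2 3; do
    run iptables -I INPUT 1 -m set --match-set "$(set_for_group "$g")" src -j DROP
  done
  run iptables -I INPUT 1 -m set --match-set whitelist src -j ACCEPT
}

# Add one IP to a group with that group's timeout. Whitelisted IPs are
# refused (return 1) so an automated trigger can never block a partner.
block_ip() {
  ip="$1"; group="$2"
  if is_whitelisted "$ip"; then
    echo "refusing to blacklist whitelisted $ip" >&2
    return 1
  fi
  t="$(timeout_for_group "$group")" || return 1
  run ipset add "$(set_for_group "$group")" "$ip" timeout "$t" -exist
}

# Promote an IP from a short-lived group to a longer one (e.g. group 3 -> 2
# after repeated activity, or 2 -> 1 when an abuse report goes unanswered).
promote_ip() {
  ip="$1"; from="$2"; to="$3"
  run ipset del "$(set_for_group "$from")" "$ip" -exist
  block_ip "$ip" "$to"
}

# Demo with constructed addresses; prints the commands unless APPLY=1.
create_sets
install_rules
block_ip 203.0.113.7 3          # scanner: 30 minutes
block_ip 198.51.100.22 2        # targeted attack: 24 hours
block_ip 192.0.2.10 3 || true   # whitelisted partner: refused
promote_ip 198.51.100.22 2 1    # abuse mail unanswered: block for good
```

Two design points worth keeping when you adapt this: the whitelist is checked in the script before an entry is added, and it also sits above the DROP rules in the kernel, so a partner's address stays reachable even if an automated trigger (fail2ban, a log parser) fires on it; and because the per-group timeout is set as the set's default, a fail2ban action or cron job only needs to run `ipset add` and the entry expires by itself, which keeps the sets small enough that millions of entries remain cheap to match.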