I'm running a small WordPress site with nginx + php5-fpm.

I have noticed that I get a lot of botnet attacks from IPs with hostnames like:

52-182.static.spheral.ru
208-135.static.spheral.ru
118-239.static.spheral.ru

The actual IPs associated with these machines are quite varied; there isn't really a discernible pattern:

195.62.52.182
195.88.208.135 
193.19.118.239

How do I just block requests from all machines with IPs matching the hostname pattern:

*.static.spheral.ru

I'd like to do this directly in nginx, to avoid the additional hop (and drain of machine resources) it would take to do this from the php process.

I believe that blocking by hostname would allow me to pre-emptively block future attacks from the same botnet but from IPs that have not yet been revealed to me.

(P.S. I'm happy to install an nginx plugin / additional software if need be.)

David Simic

1 Answer

First off, let me start with an important fact: Regex on reverse IP lookups is a bad idea for blocking incoming requests. Reverse DNS is an informational function. Unlike DNS, where it is critical for the domain to point to the correct IP address, there is little consequence for having the reverse lookup of an IP point to an arbitrary domain. Thus it would be trivial for an attacker to cycle through arbitrary domains in their reverse DNS records to constantly bypass the filter. Relying on reverse DNS for security functions can be classified as CWE-350 (https://cwe.mitre.org/data/definitions/350.html).

In this case the source of the problem seems to be a specific provider, so you could just block their entire IP range. Let's start by finding one of the IP addresses (I'm assuming the reverse IP->hostname entry is valid in this case):

~# nslookup 52-182.static.spheral.ru 
Server:     192.168.153.2
Address:    192.168.153.2#53

Non-authoritative answer:
Name:   52-182.static.spheral.ru
Address: 195.88.209.9

Now let's determine their IP range/provider:

root@bt:~# whois 195.88.209.9
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '195.88.208.0 - 195.88.209.255'

% Abuse contact for '195.88.208.0 - 195.88.209.255' is 'info@spheral.ru'

inetnum:        195.88.208.0 - 195.88.209.255
netname:        IPSERVER
descr:          Operated by IT Expert LLC
remarks:        Abuse mailbox: abuse@ipserver.su
country:        RU
org:            ORG-Al123-RIPE
admin-c:        SOV63-RIPE
tech-c:         SOV63-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         MNT-SPHERE
mnt-routes:     MNT-SPHERE
mnt-routes:     FIORD-MNT
mnt-domains:    MNT-SPHERE
created:        2009-04-15T12:34:23Z
last-modified:  2016-04-14T09:38:32Z
source:         RIPE
sponsoring-org: ORG-SL202-RIPE

organisation:   ORG-Al123-RIPE
org-name:       Antaro ltd.
abuse-mailbox:  abuse@spheral.ru
org-type:       other
address:        127473, Moscow, 2 Schemilovskiy per., d.5/4., str.1
abuse-c:        AC29892-RIPE
mnt-ref:        ANTARO-MNT
mnt-by:         ANTARO-MNT
created:        2009-04-14T08:02:50Z
last-modified:  2016-02-15T16:45:17Z
source:         RIPE # Filtered

person:         Strekozov Oleg Vladimirovich
address:        Russia, 107031, Moscow, proezd Dmitrosvkiy 8
phone:          +18552100465
nic-hdl:        SOV63-RIPE
mnt-by:         MNT-SPHERE
created:        2012-05-05T22:19:17Z
last-modified:  2014-09-15T13:18:40Z
source:         RIPE

% Information related to '195.88.208.0/23AS28917'

route:          195.88.208.0/23
descr:          IPSERVER
origin:         AS28917
mnt-by:         FIORD-MNT
mnt-routes:     FIORD-MNT
created:        2012-12-24T08:35:13Z
last-modified:  2015-03-10T14:32:44Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.87.3 (DB-2)

Based on this information you can make an official complaint about these attacks to info@spheral.ru and escalate to abuse@spheral.ru and abuse@ipserver.su if your abuse report isn't being addressed.

You can also block future attacks with the range 195.88.208.0 - 195.88.209.255 or 195.88.208.0/23 if you prefer CIDR notation.

I hope this helps.

wireghoul
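As an added example (not code from either post), the following Python turns the inetnum line from the whois output above into CIDR form, checks which of the source addresses listed in the question that range would actually cover, and renders the matching nginx access rules. The IPs and the inetnum string are copied from the thread; the function names are my own.

```python
import ipaddress

# Values taken from the thread: the three source IPs the question lists and
# the inetnum line the answer's whois lookup returned for one hostname.
OBSERVED_IPS = ["195.62.52.182", "195.88.208.135", "193.19.118.239"]
WHOIS_INETNUM = "195.88.208.0 - 195.88.209.255"


def inetnum_to_cidrs(inetnum):
    """Convert a RIPE-style 'first - last' inetnum range into CIDR blocks.

    A range that does not align to one prefix is split into the minimal
    list of prefixes that covers it exactly (no over- or under-blocking).
    """
    first, last = (ipaddress.ip_address(s.strip()) for s in inetnum.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def is_covered(ip, cidrs):
    """True if `ip` falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def coverage_report(ips, cidrs):
    """Map each observed IP to whether the block list would have stopped it.

    Worth running before deploying: a range taken from a single whois lookup
    need not cover every address that showed up in the access logs.
    """
    return {ip: is_covered(ip, cidrs) for ip in ips}


def nginx_deny_rules(cidrs):
    """Render ngx_http_access_module rules (valid in http, server or
    location context) that deny the prefixes and allow everything else."""
    rules = "\n".join(f"deny {c};" for c in cidrs)
    return f"{rules}\nallow all;"


if __name__ == "__main__":
    cidrs = inetnum_to_cidrs(WHOIS_INETNUM)
    print(cidrs)
    print(coverage_report(OBSERVED_IPS, cidrs))
    print(nginx_deny_rules(cidrs))
```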