Is there any firewall (preferably a free one :) ) that can block all communication from all IP addresses except some IPs coming from a particular location...

I basically want to block a DDoS attack on my servers; they are getting hit from some IPs outside my country.

EDIT: I am using 1 Windows machine and 1 Linux machine.

EDIT 2: I have heard of some organization in India that helps with doing this, so I think it is possible. They filter only the IPs coming from the India region and block the rest.

RichVel
Varun
  • Your question tells me you don't understand how a DDoS works. It's all about flooding the destination with traffic and it doesn't matter whether those packets are dropped, bounced or processed normally. The idea is that your system is so occupied dealing with that traffic, even if it is just to block it, that it cannot process "normal" traffic properly. – John Gardeniers Oct 10 '11 at 09:35

5 Answers

You did not mention your operating system. Linux has netfilter/iptables, Net/Open/FreeBSD has pf, Windows Server 2008 R2 has the Windows Firewall with Advanced Security, which would easily be able to filter traffic based on source IP addresses. There is nothing that will be able to (reliably) filter based on a geographical location, though.

But depending on the type of the DoS attack (you happen to omit any details here as well), blocking traffic at O/S network stack level will not help you. If the DoS saturates your bandwidth, you would need to talk to your upstream ISP and ask them for filtering.

the-wabbit
  • I know of at least one firewall system which has the option to blackhole whole countries or continents (Astaro). It's not 100% reliable, of course, but it's pretty accurate. – Stephane Oct 10 '11 at 09:31
  • Geo-IP databases are "accurate" to a certain degree as well, but all functionality of this kind is just an approximation. Of course, the internet infrastructure facilities - from regional internet NICs down to ISPs do address management, and since "address aggregation" is one of the key points and because data is still flying over physical cables and routers with physical locations, there are IP address blocks which tend to end up in geo-neighbourhood. But it should be noted that all they care about is LPM-based backbone routing - tunneling of any kind or MPLS will distort the picture. – the-wabbit Oct 10 '11 at 16:58
  • The level of accuracy is certainly not of 100% but, for the stated purpose, it's accurate enough. It's highly unlikely that a DDOS will be tunneled and MPLS will still not obfuscate the original IP address unless the server is practically plugged on the backbone itself. I still think GeoIP databases will perform the function requested by the OP – Stephane Oct 12 '11 at 13:47
  • I don't think so. He wants to have "everything but my customers' country" blocked. This is really really hard to do without having false positives. Actually, since the accuracy of the databases is a matter of statistics and probability, [the false negative rate is interconnected with the false positive rate](http://en.wikipedia.org/wiki/Type_I_and_type_II_errors) - you cannot optimize for both at the same time. From the practical point of view, it is **extremely** likely to have a DDoS attack tunneled or gateway-ed through unsuspected victim's PCs - this type of attack relies on botnets. – the-wabbit Oct 12 '11 at 14:12
  • Botnet nodes typically do not tunnel their attack to the endpoint, so blocking all netblocks except the ones that you are going to use is an effective way of reducing the scale of a DDoS attack. – Stephane Oct 14 '11 at 08:43
  • This is the whole point - he **does not know** which ones he is going to use, so he is trying to settle with a geographical approximation - which won't work well for the stated reasons. If he was to find out which netblocks are not used for sure, he simply could let the ISP block them and the problem of using Geo-IP would not even arise. – the-wabbit Oct 14 '11 at 09:03
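The source-address filtering this answer describes, written out for the Linux machine as an added example (not code from the answer or its author). It assumes you already know which netblocks are legitimate, as the comment thread above points out you must; the ranges used here are RFC 5737 documentation addresses standing in for real ones, and the management host that keeps SSH reachable is likewise a placeholder. The ruleset is generated as one text block so `iptables-restore` can load it atomically rather than rule by rule:

```shell
#!/bin/sh
# Added example, not from the original answer: generate an iptables ruleset
# that drops every inbound connection except those from explicitly listed
# source netblocks. All addresses below are constructed placeholders
# (RFC 5737 documentation ranges), not real customer or country allocations.
#
# Usage:  sh allowlist.sh            # print the ruleset (dry run)
#         sh allowlist.sh --apply    # load it atomically with iptables-restore

# Source ranges allowed to reach the public services (assumed; replace with yours).
ALLOWED_NETS="203.0.113.0/24 198.51.100.0/24"
# Management host that keeps SSH access even though it is outside ALLOWED_NETS.
MGMT_HOST="192.0.2.10/32"
# Public TCP ports exposed to the allowed ranges.
SERVICE_PORTS="80,443"

# Emit a complete filter table in iptables-restore format. Loading it in one
# go avoids a window in which only half the policy is in place.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-established flows are always fine.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Drop invalid packets early; they are cheap to match and common in floods.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Management access first, so a bad allowlist cannot lock the operator out.
    printf '%s\n' "-A INPUT -p tcp -s $MGMT_HOST --dport 22 -j ACCEPT"
    # One rule per allowed netblock for the public service ports.
    for net in $ALLOWED_NETS; do
        printf '%s\n' "-A INPUT -p tcp -s $net -m multiport --dports $SERVICE_PORTS -j ACCEPT"
    done
    # Everything else falls through to the INPUT DROP policy. DROP rather than
    # REJECT: sending a reply per dropped packet only adds to the load.
    printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules produced; a quick sanity check before applying.
count_accepts() {
    gen_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments first and read the output; only then use `--apply`. Note what this does and does not buy you, in line with the answer's second paragraph: packets from unlisted sources are discarded in the kernel before any service sees them, which is cheap, but they still arrive on the link, so once the attack fills your bandwidth the filtering has to move upstream to the ISP.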
There are geoip modules for both iptables and Apache, which will allow you to blacklist entire countries. The subnet mappings aren't 100% accurate, but they're "pretty good."

With that said, if you're actually getting DoS'd (as in your link's getting saturated), firewalling won't be enough; your servers are still going to have to chew on those packets to figure out if they should be blocked. You'll need to get your upstream to nullroute either your servers or the attackers -- and if it's highly distributed, well, it's really just a matter of how responsive and cooperative your provider is.

MrTuttle
This Serverfault question has some good general tips on DDoS mitigation - there are lots of things you can try but a significant DDoS requires help from your ISP, as mentioned.

It would help to know the web server you are using on Windows and Linux - presumably IIS and Apache.

A few options in decreasing order of usefulness:

  • Use Linux kernel firewall (iptables) to block - the xtables-addons approach is simple but ipset can handle larger numbers of IP address ranges. Similar setup on Windows. Using a separate physical firewall would be better, then it could front-end both Linux and Windows, reducing setup and offloading the servers.
  • Use mod_security on Apache - this could potentially work across Windows and Linux as long as you use Apache on both. Since using GeoIP involves quite a lot of setup to keep the GeoIP blocks up to date, this could reduce overall maintenance once configured.
  • Use DNS server to block on GeoIP - OK for a casual DoS that uses your domain name. However this is useless against anyone simply using your IP address to DoS you.

See this question on GeoIP blocking as well, and the relevant tags (also added to your question).

A DDoS mitigation service (aka "clean pipes" service) may be the best option for serious DDoS: they front-end your traffic and filter out the DDoS, leaving you only with valid site traffic, subject to how well they filter. They have huge pipes and are focused on this problem so will probably do a better job than an in-house solution, and a lot depends on having a big enough pipe to absorb a DDoS so their hardware/software can filter it. BlockDOS.net is a reasonably priced service, Prolexic and Verisign are more top-end and much more expensive.

If that's too expensive, it might help to re-host onto Amazon EC2, which can route all traffic via a specific EC2 instance (like a VPS) - there's a specific AMI (VPS image) that is intended to frontend your web servers, which would be on separate EC2 instances. Amazon EC2 also make it possible to spin-up new server instances to handle the increased load. You might still get charged for the DDoS traffic (possibly more than for a mitigation service), and would pay for the extra servers, so this needs some investigation. Other cloud VPS providers may have better DDOS policies or in-house DDoS mitigation services.

RichVel
  • The DNS server option is appealing, but it would be even better not to return a resolution failure but to have a reverse proxy to the original service which would be rate-limited. BTW: DDoS attackers are usually not dumb and would target the DNS domain name *as well* as the numeric IP address, thus limiting the usefulness of this approach. – the-wabbit Oct 12 '11 at 14:28
  • Agree on both points - I mentioned that attackers would target the IP address in my third bullet, making any DNS-based defence fairly useless. – RichVel Oct 16 '12 at 06:37
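The `ipset` route recommended in the first bullet above (and the geoip-for-iptables idea in MrTuttle's answer), as an added example that is not code from either answer. It assumes a country's netblocks arrive as a plain text file of one CIDR per line, the form a GeoIP export would take; the sample file written here uses documentation ranges and is constructed for the example. The point it adds to the answer's maintenance remark is that the list is refreshed by building a second set and swapping it in, so the firewall is never running with an empty or partially loaded list while the GeoIP data is updated:

```shell
#!/bin/sh
# Added example, not from the original answers: keep a large allowlist of
# source netblocks in an ipset and reference it from a single iptables rule.
# Refreshing the list builds a fresh set and swaps it in atomically. The
# sample CIDR file is constructed from documentation ranges; a real
# deployment would feed it from a GeoIP country export.
#
# Usage:  sh ipset-allow.sh nets.txt            # print restore script (dry run)
#         sh ipset-allow.sh nets.txt --apply    # load into the kernel

SET_NAME="allow_src"
SERVICE_PORTS="80,443"

# Write the constructed sample input in the shape a GeoIP exporter would
# produce: one CIDR per line, comments and blank lines allowed.
write_sample_nets() {
    cat > "$1" <<'EOF'
# constructed sample: documentation ranges standing in for a country's allocations
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25

192.0.2.0/24
EOF
}

# Emit an `ipset restore` script: build a temporary set, fill it, swap it with
# the live set and destroy the old one. A hash:net set matches an address
# against any netblock it contains, so tens of thousands of entries still
# cost one rule evaluation per packet.
gen_ipset_script() {
    nets_file="$1"
    tmp="${SET_NAME}_new"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$SET_NAME"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    # Drop comments and blank lines, keep only a.b.c.d/n tokens.
    grep -v '^[[:space:]]*#' "$nets_file" | grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' |
        while read -r cidr; do
            printf 'add %s %s\n' "$tmp" "$cidr"
        done
    printf 'swap %s %s\n' "$tmp" "$SET_NAME"
    printf 'destroy %s\n' "$tmp"
}

# The one iptables rule that refers to the set. It is inserted once (the -C
# check makes re-runs idempotent); later updates touch only the set. In a
# full ruleset it belongs after the ESTABLISHED,RELATED accept rule.
gen_iptables_rule() {
    rule="INPUT -p tcp -m multiport --dports $SERVICE_PORTS -m set ! --match-set $SET_NAME src -j DROP"
    printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$rule" "$rule"
}

# Number of netblocks that would be loaded. Zero means a broken export, and
# swapping in an empty allowlist would cut off every customer at once.
count_entries() {
    gen_ipset_script "$1" | grep -c '^add '
}

nets_file="${1:-${TMPDIR:-/tmp}/sample_nets.txt}"
[ -f "$nets_file" ] || write_sample_nets "$nets_file"

if [ "${2:-}" = "--apply" ]; then
    [ "$(count_entries "$nets_file")" -gt 0 ] || { echo "refusing to load an empty allowlist" >&2; exit 1; }
    # -exist lets the two create lines succeed when the sets already exist.
    gen_ipset_script "$nets_file" | ipset -exist restore
    gen_iptables_rule | sh
else
    gen_ipset_script "$nets_file"
    gen_iptables_rule
fi
```

If you would rather not manage the CIDR export yourself, the xtables-addons `geoip` match the answers mention expresses the same policy in one rule (`-m geoip ! --src-cc XX -j DROP`), with the database update handled by that package's own scripts; the accuracy caveats raised in the comments on the first answer apply equally to both approaches, since the data source is the same kind of GeoIP table.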
You might want to look into some DDoS scrubbing services. Basically, these services will take all the traffic you are getting, scrub out the "bad guys" and send you the clean data. Be warned, depending on the size of the attack, these can get quite expensive. A firewall on your server won't help much, because it's already gotten to you. You need to drop the traffic further away from you, and that can get complex.

Some vendors:

Aaron
  • just saw this after adding similar stuff in my answer. If you can afford it, this seems like one of the best solutions. – RichVel Oct 16 '11 at 08:11
A large scale sustained DDoS attack usually involves attacking your name servers, which prevents the general public from accessing your site via domain name. Since a DDoS attack can take down Yahoo for more than 24 hours, you are not going to be able to mitigate a DDoS attack simply by blocking a list of IPs in your software/hardware firewall.

Michael
  • Citation needed - there are some specific DDoS attacks on DNS servers, such as http://www.theinquirer.net/inquirer/news/1562212/name-servers-ddos-targets, but since DNS records are cached, this won't be as effective in taking down a site as a direct DDoS on the site. Unless of course the target is the owner of the domain server (web hosting company). An easy response to a DNS attack is to move your DNS to someone larger like Google DNS, which should be able to mitigate the attack much better. – RichVel Oct 16 '11 at 08:14