One of our services is an extranet for the exclusive use of our 200 employees across the UK. We're seeing a huge number of login attempts from China, Russia, Ukraine and Nigeria. I have large lists of IP ranges that I would like to block. There are thousands of entries.
(For the purpose of this discussion, I'm not interested in opening up a debate about the rights and wrongs of blocking whole countries. That's the requirement I have - and I need to fulfil it.)
I have written a PowerShell script which updates the list every 24 hours and will populate Windows Firewall with block rules. But, I'm nervous about activating it.
My question is, how efficient is Windows Firewall at handling thousands of block rules in this manner? For instance, if my script contained 10,000 block rules (or even 100,000), will it work effectively or grind to a halt?
Whilst I want to keep my web server as protected as possible, I need to make sure the web server is handling requests quickly.
UPDATE
I decided to take a chance and run the PowerShell script. I've gone for a slightly different technique. Instead of creating 6700 rules (covering millions of IPs), I created one rule and pushed all bad IP ranges into the mother of all Remote Addresses section.
Result: Works perfectly. Blocks most of China, Russia, Taiwan, Ukraine and Nigeria, which is where we are getting most of the inbound hacking attempts. And there is no noticeable difference in performance. We seem to be serving the same amount of requests without any change. One up for Windows Firewall. It does seem to be able to handle thousands of IP blocks very efficiently.
UPDATE 2 - FEEDBACK
The script has been in place for a couple of days now so I thought you'd appreciate some feedback on how it's going. I set the script up as a scheduled job to run daily, updating the firewall with new IP ranges, read in from a CSV file. This all works perfectly, the firewall functions very quickly. However there is a word of caution: The script itself takes approx. 4-5 minutes to run, during which time the CPU maxes out and web requests are extremely sluggish.
Therefore, I recommend running the script during the evening or during a maintenance window where you are not expecting heavy load.
The solution for me is to run the script at different times on each of my load balanced servers, so that there is no degradation in performance during the execution.
Here is the script:
$csv = Import-Csv -Path 'C:\Scripts\IP Block List.csv'   # CSV with columns From,To (see sample below)
$data = @()
$csv | ForEach-Object { $data += $_.From + "-" + $_.To }   # one "from-to" string per row
Set-NetFirewallRule -Name "BlockAllIPsInList" -RemoteAddress $data   # the rule must already exist; this replaces its whole remote-address list
And here is a sample CSV file:
From,To
1.2.3.4,1.2.3.255
So in this example, it would block everything from 1.2.3.4 - 1.2.3.255 inclusive
With a little bit of work, the script could be modified to work with CIDR formats too. Hope this helps.
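As an added example (not the original poster's script), here is the same "one rule, long RemoteAddress list" approach taken a step further: it accepts rows holding either a From/To pair or a CIDR, validates each entry before it goes anywhere near the firewall, refuses to run at all if the list would block one of your own ranges (a single typo in a list this size would otherwise lock you out), builds the list with a List[string] instead of `$data +=` (which copies the whole array on every add), and creates the rule if it does not exist yet. The CSV path, the rule name, the protected ranges and the optional CIDR column are assumptions for the example.

```powershell
# Added example, not the original poster's script. Reads a block list whose rows hold either
# a From/To pair or a CIDR, validates every entry, refuses to apply a list that overlaps one
# of our own ranges, and pushes the result into ONE inbound block rule (created if missing).
# The CSV path, the rule name and the protected ranges below are assumptions for this example.
param(
    [string]$CsvPath      = 'C:\Scripts\IP Block List.csv',      # assumed path
    [string]$RuleName     = 'BlockAllIPsInList',                  # assumed rule name
    [string[]]$NeverBlock = @('10.0.0.0/8', '192.168.0.0/16')     # constructed: office/VPN ranges
)

function Test-IPv4 {
    # True only for a dotted-quad IPv4 address; IPv6 and shorthand such as "1.2" are rejected.
    param([string]$Address)
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }  # TryParse alone accepts "1.2"
    $parsed = $null
    return ([System.Net.IPAddress]::TryParse($Address, [ref]$parsed) -and
            $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork)
}

function ConvertTo-IPv4Number {
    # Dotted quad -> 32-bit value held in an Int64 so that range arithmetic cannot overflow.
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Get-RangeBounds {
    # Returns @(first, last) for "a.b.c.d-e.f.g.h" or "a.b.c.d/nn"; throws on anything else.
    param([string]$Entry)
    if ($Entry -match '^(?<ip>[\d.]+)/(?<len>\d+)$') {
        $ip = $Matches.ip; $len = [int]$Matches.len
        if (-not (Test-IPv4 $ip) -or $len -gt 32) { throw "Invalid CIDR entry: $Entry" }
        $size  = [long][math]::Pow(2, 32 - $len)       # addresses in the block
        $base  = ConvertTo-IPv4Number $ip
        $first = $base - ($base % $size)               # clear any host bits the CSV left set
        return @($first, ($first + $size - 1))
    }
    if ($Entry -match '^(?<from>[\d.]+)-(?<to>[\d.]+)$') {
        $from = $Matches.from; $to = $Matches.to
        if (-not (Test-IPv4 $from) -or -not (Test-IPv4 $to)) { throw "Invalid From/To entry: $Entry" }
        $first = ConvertTo-IPv4Number $from
        $last  = ConvertTo-IPv4Number $to
        if ($first -gt $last) { throw "Reversed range (From > To): $Entry" }   # the firewall rejects these
        return @($first, $last)
    }
    throw "Unrecognised entry: $Entry"
}

# Bounds of the ranges we must never block, so a typo in the CSV cannot lock us out.
$protected = foreach ($r in $NeverBlock) {
    $b = Get-RangeBounds $r
    [pscustomobject]@{ Name = $r; First = $b[0]; Last = $b[1] }
}

# Use a List[string]: "$data += ..." copies the whole array on every add, which turns
# quadratic once the list has thousands of entries.
$entries = [System.Collections.Generic.List[string]]::new()
$skipped = 0
foreach ($row in Import-Csv -Path $CsvPath) {
    # A row may carry a CIDR column or a From/To pair; CIDR wins when both are filled in.
    $entry = if ($row.CIDR) { "$($row.CIDR)" } else { "$($row.From)-$($row.To)" }
    $entry = $entry -replace '\s', ''
    try   { $first, $last = Get-RangeBounds $entry }
    catch { $skipped++; Write-Warning $_.Exception.Message; continue }   # bad row: skip it
    foreach ($p in $protected) {
        if ($first -le $p.Last -and $p.First -le $last) {
            throw "'$entry' overlaps protected range '$($p.Name)'; aborting without touching the rule."
        }
    }
    $entries.Add($entry)
}
if ($entries.Count -eq 0) { throw "No valid entries in '$CsvPath'; existing rule left untouched." }

# One rule with a long RemoteAddress list, as in the original post. This call is the slow,
# CPU-heavy step the poster describes, so schedule it for a quiet period.
Write-Host "Applying $($entries.Count) ranges ($skipped rows skipped) to rule '$RuleName'..."
$sw = [System.Diagnostics.Stopwatch]::StartNew()
if (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -Name $RuleName -RemoteAddress $entries.ToArray()
} else {
    New-NetFirewallRule -Name $RuleName -DisplayName $RuleName -Direction Inbound `
        -Action Block -Profile Any -RemoteAddress $entries.ToArray() | Out-Null
}
Write-Host "Done in $([int]$sw.Elapsed.TotalSeconds) s."
```

Run it from an elevated PowerShell session (the NetSecurity cmdlets need it). A malformed row is skipped with a warning rather than aborting the nightly run, but an overlap with a protected range aborts before anything is written, because the only way to fix a self-lockout on a remote web server is a trip to the console. To confirm what actually landed in the rule afterwards, `Get-NetFirewallRule -Name BlockAllIPsInList | Get-NetFirewallAddressFilter` lists the applied remote addresses.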