How to ban a large number of malicious IPs?

Abstract: IP blocking can be divided into automatic blocking and manual blocking. This article mainly covers manual blocking. The keys to manual blocking are seamless collaboration, convenient operation, batch and one-click delivery, protection against mis-blocking, and high capacity.

IP blocking is the most direct and effective way to deal with network attacks.

In a network security defense system, some systems and devices can block automatically by means of TCP resets, returning HTTP errors, and so on, or can be linked to a firewall for automatic blocking, but this is not enough. In real defensive scenarios, manual blocking is essential.

Manual blocking mainly targets malicious IPs discovered through monitoring and threat intelligence. How to block them quickly on multiple firewalls (an enterprise may have multiple Internet egresses) within a short period of time is worth studying and optimizing.

This article summarizes some practical methods, for reference only.


1. Seamless collaboration

There should be a collaborative platform that provides at least online documents and instant messaging. Security monitoring personnel report attack behaviors and their source IPs promptly through online forms. Network blocking personnel check the form in real time, enter the IPs into the IP blocking system, and push them with one click to the firewalls at all of the enterprise's Internet egresses.

2. One-click delivery

Enterprises should build an IP blocking system. It can be built as a module of the operations automation system, or built separately.

The main idea is to automate login and operation through the firewall's API or over SSH.

It should be possible to preselect multiple firewalls.

The operator only needs to enter an IP, or import a batch of IPs; the system then generates the blocking commands that add the malicious IPs to the blacklist and sends them to the preselected firewalls.

If there is no page activity within a certain period of time, re-authentication should be forced.

Correspondingly, there should be a matching unblocking page.

3. Prioritize the blacklist

Mainstream firewalls provide two blocking methods: blacklist blocking and security policy blocking.

Blacklist blocking immediately interrupts the existing connections of the blocked IP and prohibits subsequent connections.

Once a security policy block is configured, subsequent connections from the corresponding IP are prohibited, but existing connections cannot be broken.

Therefore, attacking IPs discovered by monitoring should be blocked with the blacklist first.

For large numbers of intelligence IPs (thousands), security policies can be used to block them in batches.

4. Capacity management

The blacklist capacity of mainstream firewalls is usually between 20,000 and 100,000 IPs. When the number of blocked IPs in the blacklist reaches 50% of its capacity, consider migrating the blocked IPs from the blacklist to security policies in batches (their capacity is usually at the million level or unlimited), so that the blacklist keeps enough free capacity to handle a sudden large-scale attack.

Security policies are associated with IP address groups. On mainstream firewalls, each IP address group also has a capacity limit (usually between 1,000 and 3,000). When migrating blacklist IPs or importing intelligence in batches, manage the groups carefully: name the address groups with a date and a sequence number, such as Block20220810-01, Block20220810-02, and so on, to make querying and tracing blocked IPs easier.

5. Preventing mis-blocking

To prevent mis-blocking, the IP blocking system should implement a whitelist function, and the company's own public egress IPs, partner IPs, and so on should be added to the whitelist. When a block is executed, the system automatically checks the IPs to be blocked against the whitelist to prevent business outages caused by wrongly blocked IPs.

When adding an IP to the whitelist, the reason, the associated business, the requester, the operator, and the operation time should be recorded in detail to facilitate management and traceability.

In addition, a sanity check should be performed automatically, especially for IPs with a subnet mask, to prevent a large network segment from being blocked because of a mask error. Such high-risk operations should automatically be forced into an SMS approval process.

This is because I have seen someone who wanted to block 1.2.3.4/32 but, with a slip of the hand, blocked 1.2.3.4/3 instead.

Anyone who has studied networking knows what that means.
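The pre-delivery checks described in this section (whitelist check, mask sanity check with forced approval, and the dated address-group naming from section 4) can be implemented in a few lines. The following is an added example and not code from the original article; the whitelist entries, the /24 approval threshold and the group capacity of 1,000 are assumed placeholders.

```python
import ipaddress
from datetime import date

# Constructed whitelist (placeholders): the company's own egress IP and a partner range.
WHITELIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]
# Assumed threshold: anything shorter than a /24 is treated as high-risk and needs approval.
MIN_SAFE_PREFIX = 24
# Assumed per-group limit; the article says firewalls usually allow 1,000 to 3,000 per group.
GROUP_CAPACITY = 1000


def check_ban(entry):
    """Classify one IP or CIDR before it is sent to the firewalls.
    Returns (decision, reason); decision is "ban", "skip", "approve" or "reject"."""
    try:
        # strict=False accepts host bits, so "1.2.3.4/3" parses to 0.0.0.0/3 and can be caught.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return ("reject", f"{entry}: not a valid IP or CIDR")
    # Whitelist check: never block anything overlapping our own or a partner's addresses.
    for allowed in WHITELIST:
        if net.version == allowed.version and net.overlaps(allowed):
            return ("skip", f"{entry}: overlaps whitelist entry {allowed}")
    # Mask sanity check: a short prefix (e.g. /3 typed instead of /32) covers a huge range.
    if net.prefixlen < MIN_SAFE_PREFIX:
        return ("approve", f"{entry}: covers {net.num_addresses} addresses, needs SMS approval")
    return ("ban", f"{entry}: ok")


def build_groups(entries, day=None):
    """Split the entries that passed check_ban into address groups named
    BlockYYYYMMDD-NN (the naming rule from section 4), each within GROUP_CAPACITY."""
    day = day or date.today().strftime("%Y%m%d")
    accepted = [e for e in entries if check_ban(e)[0] == "ban"]
    groups = {}
    for i in range(0, len(accepted), GROUP_CAPACITY):
        name = f"Block{day}-{i // GROUP_CAPACITY + 1:02d}"
        groups[name] = accepted[i:i + GROUP_CAPACITY]
    return groups


if __name__ == "__main__":
    for e in ("1.2.3.4/32", "1.2.3.4/3", "203.0.113.10", "198.51.100.77", "bad-input"):
        print(check_ban(e))
```

Entries marked "approve" are held back from the batch until the approval step clears them, and "skip" entries are reported to the operator rather than silently dropped.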

6. Summary

Automate as much as possible and prevent mis-operation as much as possible; this will make your work easier.

Text|Wei sir


Origin blog.csdn.net/vigor2323/article/details/126277432