Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2451
Views
0
Helpful
6
Replies

Need to block (or route to null0) hundreds of thousands of subnets

scrye
Level 1
Level 1

‎10-11-2011 05:39 PM - edited ‎03-11-2019 02:36 PM

Hi;

We have struggled with this for months and no one seems to have a solution.

Our CTO has ordered us to block all IPV4 packets from many countries such as China, Iran, Russia, Nigeria, North Korea, etc. Please don't side-track the discussion with reasons why this might be bad, we have to make it happen.

I've considered two options, ASA rules in access-lists, or routes to null0. We have a 4948 at the edge that handles our BGP, but it has a hard limit of 32,000 routes. (BTW, we only accept summary routes from our two ISPs). We also have an unused ASA 5550. Our production firewall is an ASA-5585-X-SSP10.  Our internet traffic peaks at 700 Mbps inbound, about 60 Mbps outbound.

Looking at the IPV4 allocation from APNIC, yesterday there were over 3400 distinct subnets allocated to China; these are already as summarized as possible. That means 3400 lines in the config just to block China. When we consider all the other countries we have been directed to block, we are looking at well over 100,000 lines in the config.

Aside from the sheer size of the resulting config, I have no idea what the result would be in terms of performance. Obviously not good.

Of course, all of this ignores the IPV6 elephant in the room ... let's not go there for now.

So, what kind of hardware can handle this kind of task? I imagine there are ISP or carrier grade products that can, but I'm just a lil' ol' Enterprise engineer and this is out of my league.

Any suggestestions most welcome ...

Labels:
0 Helpful
6 Replies 6

andrew.prince
Level 10
Level 10

‎10-12-2011 08:06 AM

Have you considered to block everything and only allow the source IP's that you want to connect to your services?

At the end of the day you are blocking any traffic that has not been originated from you - so only allow what you want in?

0 Helpful

scrye
Level 1
Level 1
In response to andrew.prince

‎10-12-2011 11:13 AM

Hi Andrew, thanks for the reply.

I did toy with that idea. I thought about starting with allowing all the ARIN, RIPE, and LACNIC subnets and blocking everything else. Problem is, that list is even larger.

Blocking any traffic that is not a reply to traffic we originate will not work, because of things like incoming email, people surfing to our public websites, etc.

The CTO's goal is to block access from "bad" countries, known for attacks, and also from which there are no users that will ever need to contact our orgainization. For example, our logs show a constant barrage of attempted penetrations from China, Iran, etc. The ASA turns them back, but we want more than that - why even send that traffc to the ASA for it to deal with?

I have to be careful to not block countries such as India and Australia - Cisco has TAC centers there.

What I really need to understand is what kind of big iron is needed to handle hundreds of thousands of routes. Setting a static route to null0 for a subnet will process that "block" at nearly wirespeed - until the list grows huge.

Thanks again,

Steve

0 Helpful

efrazee
Level 1
Level 1
In response to scrye

‎12-04-2012 11:31 AM

Hi Steve,

I am facing a similar situation. Curious what you decided?

Thank you

0 Helpful

scrye
Level 1
Level 1
In response to efrazee

‎12-05-2012 08:53 AM

Hi;

Sorry, no solutions. No one at Cisco that I have talked to has been able to offer any help. TAC seems clueless about what we are trying to do.

Although we have pretty much given up on doing it with routes on our Cisco gear, we have been eying the Sonicwall appliance. It has a "block by country code" feature that is easy to configure via the GUI.

I wish Cisco would take our problems more seriously. More and more, the consistently bad support from TAC (usually off-shored) is making me reconsider Cisco. I used to be confident that when I recommended and purchased Cisco, I was getting the best. Not so sure about that any more ...

Steve

0 Helpful

jan.nielsen
Level 7
Level 7
In response to scrye

‎12-05-2012 03:31 PM

I realise this is probably not the answer you were looking for, but if you are actually serious about blocking ips known to attack and/or be part of known malware and part of botnets/DoS and so on, how about using the massive intelligence gathered by cisco, and used in the Botnet feature of your ASA ?

0 Helpful

scrye
Level 1
Level 1
In response to jan.nielsen

‎12-13-2012 03:48 PM

We pay for and use the BotNet filter. We are more worried about human attackers. We have no need for any connections from Iran, North Korea, etc. Also don't want to bog down our already sweating ASA 5585-X by forcing it to look at traffic we want to kill before it reaches the ASA.

I'm already using the APNIC and AfrniNIC lists from here, but there are more than just the /8's I need to block, and I am probably blocking some "friendly" countries by accident:

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

Steve

Message was edited by: Stephen Crye typo

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card