cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1965
Views
0
Helpful
6
Replies
Highlighted
Beginner

Need to block (or route to null0) hundreds of thousands of subnets

Hi;

We have struggled with this for months and no one seems to have a solution.

Our CTO has ordered us to block all IPV4 packets from many countries such as China, Iran, Russia, Nigeria, North Korea, etc. Please don't side-track the discussion with reasons why this might be bad, we have to make it happen.

I've considered two options, ASA rules in access-lists, or routes to null0. We have a 4948 at the edge that handles our BGP, but it has a hard limit of 32,000 routes. (BTW, we only accept summary routes from our two ISPs). We also have an unused ASA 5550. Our production firewall is an ASA-5585-X-SSP10.  Our internet traffic peaks at 700 Mbps inbound, about 60 Mbps outbound.

Looking at the IPV4 allocation from APNIC, yesterday there were over 3400 distinct subnets allocated to China; these are already as summarized as possible. That means 3400 lines in the config just to block China. When we consider all the other countries we have been directed to block, we are looking at well over 100,000 lines in the config.

Aside from the sheer size of the resulting config, I have no idea what the result would be in terms of performance. Obviously not good.

Of course, all of this ignores the IPV6 elephant in the room ... let's not go there for now.

So, what kind of hardware can handle this kind of task? I imagine there are ISP or carrier grade products that can, but I'm just a lil' ol' Enterprise engineer and this is out of my league.

Any suggestestions most welcome ...

6 REPLIES 6
Highlighted
Advocate

Have you considered to block everything and only allow the source IP's that you want to connect to your services?

At the end of the day you are blocking any traffic that has not been originated from you - so only allow what you want in?

Highlighted

Hi Andrew, thanks for the reply.

I did toy with that idea. I thought about starting with allowing all the ARIN, RIPE, and LACNIC subnets and blocking everything else. Problem is, that list is even larger.

Blocking any traffic that is not a reply to traffic we originate will not work, because of things like incoming email, people surfing to our public websites, etc.

The CTO's goal is to block access from "bad" countries, known for attacks, and also from which there are no users that will ever need to contact our orgainization. For example, our logs show a constant barrage of attempted penetrations from China, Iran, etc. The ASA turns them back, but we want more than that - why even send that traffc to the ASA for it to deal with?

I have to be careful to not block countries such as India and Australia - Cisco has TAC centers there.

What I really need to understand is what kind of big iron is needed to handle hundreds of thousands of routes. Setting a static route to null0 for a subnet will process that "block" at nearly wirespeed - until the list grows huge.

Thanks again,

Steve

Highlighted

Hi Steve,

I am facing a similar situation. Curious what you decided?

Thank you

Highlighted

Hi;

Sorry, no solutions. No one at Cisco that I have talked to has been able to offer any help. TAC seems clueless about what we are trying to do.

Although we have pretty much given up on doing it with routes on our Cisco gear, we have been eying the Sonicwall appliance. It has a "block by country code" feature that is easy to configure via the GUI.

I wish Cisco would take our problems more seriously. More and more, the consistently bad support from TAC (usually off-shored) is making me reconsider Cisco. I used to be confident that when I recommended and purchased Cisco, I was getting the best. Not so sure about that any more ...

Steve

Highlighted

I realise this is probably not the answer you were looking for, but if you are actually serious about blocking ips known to attack and/or be part of known malware and part of botnets/DoS and so on, how about using the massive intelligence gathered by cisco, and used in the Botnet feature of your ASA ?

Highlighted

We pay for and use the BotNet filter. We are more worried about human attackers. We have no need for any connections from Iran, North Korea, etc. Also don't want to bog down our already sweating ASA 5585-X by forcing it to look at traffic we want to kill before it reaches the ASA.

I'm already using the APNIC and AfrniNIC lists from here, but there are more than just the /8's I need to block, and I am probably blocking some "friendly" countries by accident:

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

Steve

Message was edited by: Stephen Crye typo

Content for Community-Ad