‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Wednesday, August 12, 2020 7:11 AM, Alan McKay <[email protected]> wrote:
> Hey folks,
>
> This is one that is difficult to test in a test environment.
>
> I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM.
>
> With some scripting I'm looking at feeding block IPs to the firewalls
> to block bad-guys in near real time, but in theory if we got attacked
> by a bot net or something like that, it could result in a few thousand
> IPs being blocked. Possibly even 10s of thousands.
>
> Are there any real-world data out there on how big of a block list we
> can handle without impacting performance?
>
> We're doing the standard /etc/blacklist to load a table and then have
> a block on the table right at the top of the ruleset.
>
> thanks,
> -Alan
>

On our network, we maintain a running block of scanners, but IP addresses are removed from the list after several hours of no scanning.

One thing that has been useful for us is to create three sets of IP addresses from our allocation of IP addresses. One set (currently with 9 IP addresses) allows incoming access from anywhere in the world. Another set (currently 18 IP addresses) allows incoming access from the US only. The third set (the remainder of our /24) allows no incoming access. Of course, each host may have its own rules to limit access to the services actually needed. Note that this applies to normal traffic. Regardless of where it originates, things like chargen are blocked for both incoming and outgoing traffic.

Every afternoon, we download the current IPv4 and IPv6 address blocks for the US from http://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone for IPv4 and http://www.ipdeny.com/ipv6/ipaddresses/blocks/us.zone for IPv6. Thus, we use these lists to permit access to our "US only" hosts.

The IP source of attempts to scan our IP addresses in the third set above is automatically added to the block of scanners to be blocked. These blocks are then applied to all incoming traffic.

Thus, if someone tries to scan IP addresses of hosts that provide no services on the Internet, they are also blocked from connecting to any of our hosts for several hours. So if 192.0.2.20, for example, is seen as trying to scan our network, they will be blocked from accessing any of our network for a little while. During that time, connections to a service at 192.0.2.20 from our network are still permitted since it isn't entirely impossible that the interpretation of it being a network scan is an error.

Walt
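The pf.conf sketch below is an added example, not a ruleset posted by Alan or Walt; it lays out Walt's three address sets, the daily US allow-list, the auto-populated scanner table and the "block inbound only" treatment of scanners in PF syntax. The interface name, the 198.51.100.0/24 site prefix, the host addresses, the file paths and the 4-hour expiry are all assumptions chosen for illustration (192.0.2.20 is the scanner address from Walt's message).

```pf
# Added example (not from the thread): a pf.conf layout for the scheme
# Walt describes.  Interface, prefixes, hosts and file paths are assumed.
ext_if = "em0"
site   = "198.51.100.0/24"        # assumed site allocation (documentation prefix)

# PF tables are radix-tree lookups, so per-packet cost barely changes with
# table size; the thing to watch is the entry limit.  Raise it if the
# scanner or country tables grow past the default.
set limit table-entries 400000

# Set 1: hosts reachable from anywhere.  Set 2: hosts reachable from the
# US only.  Set 3: the rest of $site, which accepts no inbound connections.
table <open_hosts> { 198.51.100.10, 198.51.100.11 }
table <us_hosts>   { 198.51.100.20, 198.51.100.21 }

# US address blocks, refreshed daily from the ipdeny.com files named in the
# thread (both files concatenated into one).  "persist" keeps the table
# even when a reload leaves it empty.
table <us> persist file "/etc/pf/us.zone"

# Scanner table: filled by the detection script, aged out by pfctl.
table <scanners> persist

# chargen is unwanted in either direction, wherever it originates.
block quick proto { tcp, udp } from any to any port chargen
block quick proto { tcp, udp } from any port chargen to any

# Scanners are blocked inbound only.  Connections *to* a scanner from inside
# still work because replies match the outbound state, not these rules.
block in quick on $ext_if from <scanners>

# Anything aimed at $site is dropped and logged unless a later pass rule
# matches (last match wins); pflog is what the scanner script watches.
block in log on $ext_if to $site
pass in on $ext_if to <open_hosts>
pass in on $ext_if from <us> to <us_hosts>
pass out on $ext_if
```

Operational side of this, as it maps onto the thread: the daily job writes the two ipdeny.com downloads into `/etc/pf/us.zone` and swaps the table atomically with `pfctl -t us -T replace -f /etc/pf/us.zone`; the scanner script adds a source with `pfctl -t scanners -T add 192.0.2.20`, and a cron entry runs `pfctl -t scanners -T expire 14400` to drop entries whose timer is older than four hours. The expire timer starts when an entry is added, so to implement "several hours of no scanning" (rather than "several hours since first seen") the script should also reset the clock for a repeat offender with `pfctl -t scanners -T zero 192.0.2.20`; check pfctl(8) on your release for the exact `zero`/`expire` semantics before relying on it. With the `block in quick ... from <scanners>` rule placed before everything else, a block table of tens of thousands of entries is evaluated once per new connection, which is the layout Alan's question describes.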

