Subnets and building filters

Greetings all.

My website is a US based subscription site which for years has been under siege by pirates, robbers and thieves. I am essentially blocking the whole world except US and Canada, as I can keep up with these.

As I’m getting down to the last of the off-continent IP pools, it brings a network question to mind. I.e., IP pool 10.10.0.0/16 may be divided into 50+ subnets scattered around, say, Europe. They may be /28s, /24s, /19s, etc. Can I use the /16 and lump them all into one network/filter? I ask because I have used this methodology, but once in a while I see traffic slip through that should have been stopped (I think) in the /16.

Thanks for any insight!

If you just want to block all requests not coming from the US or Canada, simply create a blocking firewall rule

(not ip.geoip.country in {"CA" "US"})

That would be too easy. :slight_smile: I do have 3 persons as subscribers that are off continent… 1 is South Africa, one in Spain and one in Germany. I have been careful to work around them in my building of filters. But back to the question, “They may be /28s, /24s, /19s etc… Can I use the /16 and lump them all into one network/filter?”

Yes, a /16 will include the other addresses too.

Having a login system is probably the better approach though.
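The containment question above can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Cloudflare: it uses Python's standard `ipaddress` module to test which of a list of smaller allocations actually fall inside a /16, and to compute the smallest prefix that would cover all of them. The network list is constructed for illustration; the two entries that escape the /16 show the usual reasons traffic "slips through" such a rule (a block in a neighbouring /16, and an IPv6 allocation that no IPv4 prefix can cover).

```python
import ipaddress

# Constructed sample data: the aggregate prefix the poster wants to filter on,
# and a set of smaller allocations believed to live inside it.
AGGREGATE = "10.10.0.0/16"
SUBNETS = [
    "10.10.0.0/28",
    "10.10.37.0/24",
    "10.10.64.0/19",
    "10.10.255.240/28",
    "10.11.8.0/24",      # sits in the neighbouring /16, so a /16 rule misses it
    "2001:db8:10::/48",  # IPv6, which an IPv4 /16 can never cover
]


def uncovered(aggregate, subnets):
    """Return the subnets that are NOT fully inside `aggregate`."""
    agg = ipaddress.ip_network(aggregate)
    missed = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version != agg.version or not net.subnet_of(agg):
            missed.append(str(net))
    return missed


def is_blocked(ip, aggregates):
    """True if a single client address falls inside any blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a) for a in aggregates
               if ipaddress.ip_network(a).version == addr.version)


def smallest_cover(subnets):
    """Smallest IPv4 prefix that contains every IPv4 subnet in the list."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    nets = [n for n in nets if n.version == 4]
    cover = nets[0]
    # Widen the prefix one bit at a time until every subnet fits inside it.
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return str(cover)


if __name__ == "__main__":
    print("not covered by", AGGREGATE, ":", uncovered(AGGREGATE, SUBNETS))
    print("smallest IPv4 cover:", smallest_cover(SUBNETS))
    print("10.10.200.5 blocked:", is_blocked("10.10.200.5", [AGGREGATE]))
```

Running `uncovered()` against a real allocation list is a quick way to audit an existing filter: anything it reports needs its own rule, and a non-empty IPv6 remainder means the site needs a parallel set of IPv6 prefixes rather than a wider IPv4 one.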

I do have a login system with 19-character passwords. But the traffic to this 20-year-old website was such that the host was starting to charge excess fees (yep, even on a “no cap on bandwidth” server), and exploit attempts were on a drastic rise, so I deemed it necessary to stop much of them before reaching the server at all.

Even if they couldn’t access the content in question?

Anyhow, a /16 will cover smaller blocks as well, if that was all you were after. I’d still look into other options though. A login system would prevent unauthorised access and the crawling attempts could be blocked with rate limiting, for example (but it is a paid feature). Though I am not sure why they’d access your site if they cannot access the content.

Because there are a BUNCH of terrorists that REALLY want the content on my site. Most of my subscribers are LEO depts across the country and some .gov depts. Besides IP blocking I also employ filters against things like WGET, all TOR networks, and more. This site (as mentioned) has been around for 20 years and so is well known globally. It’s just over 50GB and has ~20K pages. Another reason why I have employed heavy use of IP-based filters is that I have seen numerous “holes” in Geo IP lookups. Times when even CF’s geo system says “that’s a US IP” but comparison on multiple outside geo lookups says “no, that’s been assigned to Timbuktu” or the like.

Fair enough, if IP blocking works for you, it works for you.

Also check out the newly introduced IP lists, they might make it easier to manage lists of addresses.


Another example of here in the US… A Level3 IP has been hitting me every night for about a week, with 10K to 20 attempts to get at the .pdf stores. Some days I see IPs (30-100) all hit in a 5 to 10 minute time frame, all looking for the same 3 or 4 files. I get constant probes for various /wp directories, all looking for an exploitable hole. I must have every defense I can in place to keep the ne’er-do-wells out.

I’d still look into firewall rules and how they could help you to block such requests, in particular paths which might not even exist. Do you use WordPress in the first place?

Nope, absolutely no WP here… first thing I stripped out of the default dir setup on the current host (5 yrs).

In that case I’d recommend the following rule

Lovely at keeping such requests out. Unless, of course, you do have URLs with “/wp-” in it.
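To see how the pieces discussed in this thread fit together (a country allowlist, a handful of off-continent subscribers who must not be caught by it, explicit IP-range blocks that override a GeoIP answer, and a path rule for `/wp-` probes on a site that has no WordPress), here is an added example that is not code from the thread and not Cloudflare's rule engine. It is a local Python simulation of the same decision order, so the evaluation logic and its edge cases can be tested before committing to real rules. All request data, subscriber addresses and the `Request`, `decide` and `summarize` names are constructed for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Request:
    ip: str
    country: str   # two-letter code as a GeoIP lookup would report it
    path: str


ALLOWED_COUNTRIES = {"US", "CA"}
# Hypothetical exceptions for the three off-continent subscribers
# (documentation addresses, constructed for the example).
ALLOWLISTED_IPS = {"203.0.113.7", "198.51.100.21", "192.0.2.99"}
# Explicitly blocked ranges; these win even if GeoIP claims "US".
BLOCKED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]


def decide(req):
    """Return 'allow' or 'block:<reason>' for one request."""
    addr = ipaddress.ip_address(req.ip)
    # 1. Probe paths for software that is not installed are never legitimate,
    #    so this check comes before any allowlist.
    if "/wp-" in req.path.lower():
        return "block:wp-probe"
    # 2. Known subscribers bypass the geographic rule, but not rule 1 above.
    if req.ip in ALLOWLISTED_IPS:
        return "allow"
    # 3. Hand-curated range blocks override GeoIP, covering the "holes"
    #    where a lookup mislabels a foreign allocation as US.
    if any(addr.version == net.version and addr in net for net in BLOCKED_NETWORKS):
        return "block:network"
    # 4. Everything else is decided by country.
    if req.country not in ALLOWED_COUNTRIES:
        return "block:geo"
    return "allow"


def summarize(requests):
    """Count decisions over a batch of requests, e.g. a day's log sample."""
    return dict(Counter(decide(r) for r in requests))


# Constructed sample traffic covering each branch of decide().
SAMPLE = [
    Request("198.51.100.50", "US", "/pdf/report.pdf"),   # ordinary US visitor
    Request("198.51.100.50", "US", "/wp-login.php"),     # probe for absent WP
    Request("203.0.113.7", "ZA", "/pdf/report.pdf"),     # off-continent subscriber
    Request("203.0.113.7", "ZA", "/WP-admin/"),          # subscriber IP, still a probe
    Request("10.10.200.5", "US", "/index.html"),         # GeoIP says US, range says no
    Request("192.0.2.1", "DE", "/index.html"),           # neighbour of a subscriber
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.ip:15} {r.country} {r.path:20} -> {decide(r)}")
    print(summarize(SAMPLE))
```

The ordering is the part worth copying: the path check sits above the subscriber allowlist so an allowlisted address cannot be used to probe, and the explicit range block sits above the country check so a GeoIP mislabel cannot let a blocked range through. Reproducing the same precedence in the real firewall's rule order is what makes the two behave alike.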
