(ot) Blocking IPs
Messages in this thread:
John M Bliss 05/02/12 08:58 A: Sounds over-zealous. Before I even block a single IP, I'll query my DB to
Andrew Scott 05/02/12 08:58 A: The problem with IP blocking is that 99% of the time the IP is a fake IP,
Eric Bourland 05/02/12 09:34 A: I run a SmarterMail server, and have blocked a few IPs, very selectively,
Dave Watts 05/02/12 11:36 A: > The problem with IP blocking is that 99% of the time the IP is a fake IP,
Justin Scott 05/02/12 11:43 A: > The problem with IP blocking is that 99% of the time the IP
Claude_Schnéegans 05/02/12 09:30 A: >>The problem with IP blocking is that 99% of the time the IP is a fake IP,
John M Bliss 05/02/12 09:33 A: http://en.wikipedia.org/wiki/IP_address_spoofing
Dave Watts 05/02/12 11:43 A: > http://en.wikipedia.org/wiki/IP_address_spoofing
Dave Watts 05/02/12 12:23 P: > I'm having conversations with my ISP about removing the blocks now. He is resistant, but the consensus is against blanket IP blocking.
Claude_Schnéegans 05/02/12 10:33 A: >>http://en.wikipedia.org/wiki/IP_address_spoofing
Byron Mann 05/02/12 07:24 P: We've certainly never done this as a permanent solution. Blocking IPs or
Jenny Gavin-Wear 11/01/12 03:21 P: I have found it effective to block troublesome IPs for some length of time,
Matt Quackenbush 11/01/12 03:26 P: You do realize that the post you replied to is 6 months old, right?
Cameron Childress 11/01/12 03:30 P: I have found it effective to block troublesome emails for some length of
Matt Quackenbush 11/01/12 03:33 P: Heh. :-)
Dave Watts 11/01/12 04:06 P: > I have found it effective to block troublesome emails for some length of
Bobby 11/01/12 04:48 P: Ha! I was about to reply with the exact same link...
Gerald Guido 11/01/12 07:30 P: That sir, made my day. Classic.
Jenny Gavin-Wear 11/02/12 01:00 P: LMAO !
Jenny Gavin-Wear 11/02/12 12:59 P: LOL .. whoops .. didn't realise it was so long since I checked the list!

I have a host who, for the most part, I am satisfied with. However, he is in the habit of blocking IP ranges for various reasons...
DDOS attacks, repeated port scans, etc. I've had complaints from some of my clients who do international business that some people cannot access their sites from other parts of the world, like places in Asia, the Middle East, South and Central America, etc. I'm not surprised at the complaints.

Is this a normal practice, or is this host over-zealous?

Robert Harrison
Director of Interactive Services
Austin & Williams
Advertising I Branding I Digital I Direct
125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_

Sounds over-zealous. Before I even block a single IP, I'll query my DB to try to determine whether valid traffic *ever* came from that IP. And, in general, blocking IPs is a last resort. I've never blocked a range. There're better ways to prevent the stuff he's trying to prevent. He should have a firewall that's smart/configurable enough to detect and prevent that stuff at a granular level.

On Wed, May 2, 2012 at 7:51 AM, Robert Harrison <robert@austin-williams.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

The problem with IP blocking is that 99% of the time the IP is a fake IP, and that means that legitimate IPs are and do get blocked for no good reason.

Who is the Hosting Provider?

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/108193156965451149543

On Wed, May 2, 2012 at 10:51 PM, Robert Harrison <robert@austin-williams.com
----- Excess quoted text cut - see Original Post for more -----

I run a SmarterMail server, and have blocked a few IPs, very selectively, only after I notice that consistent spam comes from those IPs that Barracuda or the other RBLs do not catch. No complaints from clients so far. I don't block entire countries or regions, though I have heard of administrators who do so.
Some of my clients travel a lot, so I don't block countries. I send out friendly reminders to my clients to teach them how to recognize spam and use spam filters in MS Outlook. I hope at least a few people read them. =)

Perhaps you can have a conversation with your hosting provider about using RBLs and configuring a firewall to do the spam blocking that he needs.

Eric

The problem with IP blocking is that 99% of the time the IP is a fake IP, and that means that legitimate IPs are and do get blocked for no good reason.

Who is the Hosting Provider?

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/108193156965451149543

On Wed, May 2, 2012 at 10:51 PM, Robert Harrison <robert@austin-williams.com > wrote:
>
> I have a host who, for the most part, I am satisfied with. However, he is
> in the habit of blocking IP ranges for various reasons... DDOS attacks,
> repeated port scans, etc. I've had complaints from some of my clients who
> do international business that some people cannot access their sites from other
> parts of the world, like places in Asia, the Middle East, South and Central
----- Excess quoted text cut - see Original Post for more -----

> The problem with IP blocking is that 99% of the time the IP is a fake IP,

This is not true. If you receive a message from an IP address, and the attacker's action relies on a response to that IP address, it will not be a fake IP address. It may not be the original IP address of the attacker, but it is definitely the IP address of the host connecting to you.

> and that means that legitimate IPs are and do get blocked for no good
> reason.

This is true, in the sense that they may well be on the same range. But blocking individual addresses doesn't scale very well, to be honest.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

> The problem with IP blocking is that 99% of the time the IP
> is a fake IP, and that means that legitimate IPs are and do
> get blocked for no good reason.

It really depends on the type of attack. If they're just flooding as part of a DDOS attack then spoofing is viable, but for something like a SQL injection attack the IP can't be spoofed per se. In those cases the biggest problem, in my opinion, is that it is ridiculously easy to reroute (think TOR) and come from a different, unrelated IP in a matter of seconds.

-Justin

>>The problem with IP blocking is that 99% of the time the IP is a fake IP,

I'm not a protocol specialist, just curious, but how can an IP be forged?

http://en.wikipedia.org/wiki/IP_address_spoofing

On Wed, May 2, 2012 at 8:29 AM, <> wrote:
----- Excess quoted text cut - see Original Post for more -----

> http://en.wikipedia.org/wiki/IP_address_spoofing

That is only useful for very specific, limited sorts of things. You can't carry on a conversation with a remote server using a spoofed IP address, because the server would have no way to respond. If you're concerned about blocking spam email, for example, you don't have to worry about people sending email through a spoofed IP address, because SMTP is a TCP application, and TCP requires sequence numbers.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Well, I've checked with some contacts I have who are experts in security.
One of them works in internet security for the DOD in Arlington, VA, one is the Security Director at a Fortune 100 company, and one owns a large nationwide hosting company. All frowned on the practice of blocking port 80 by range of IP and said it's rare and extreme to totally block even a specific IP, but that it does happen. All thought that blocking mail traffic by IP was very normal.

I'm having conversations with my ISP about removing the blocks now. He is resistant, but the consensus is against blanket IP blocking.

Robert Harrison
Director of Interactive Services
Austin & Williams
Advertising I Branding I Digital I Direct
125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_

> I'm having conversations with my ISP about removing the blocks now. He is resistant, but the consensus is against blanket IP blocking.

Well, one thing to note here is that it's easier for big ISPs to not block IP blocks than small ones - big ISPs, by having more bandwidth, more hosts to respond, etc, may have higher tolerance for higher amounts of traffic (whether that traffic is legitimate or not).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

>>http://en.wikipedia.org/wiki/IP_address_spoofing

Thanks. I can't believe it is that simple. It would be so simple if the protocol was something like:
- sender: I have a message for you my IP is x.x.x.x
- receiver: Ok, here is the key: (UUID)
- sender: Ok, your key is (UUID), here is the message:...

We've certainly never done this as a permanent solution.
Blocking IPs or ranges at the firewall wouldn't do much under a heavy DDOS, by the time the traffic is there it's probably saturating other parts of the host's network. Better avenue would be to null route the destination IP on the edge routers and work with upstream providers to determine the source and have them block and/or shut down the source. Null routing mitigates most of the effect of the DDOS on the rest of your network. Either way blocking at the firewall or null routing destinations would be temporary until the upstream provider could deal with things.

I'd bet $1.50 that your host really doesn't understand mitigation or is hosting in another provider's data center and doesn't have access to the core network gear. Also sounds like maybe they've had other customers complain about spam from specific IPs and did this as a quick fix.

Byron Mann
Lead Engineer and Architect
HostMySite.com

On Wed, May 2, 2012 at 8:51 AM, Robert Harrison <robert@austin-williams.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

I have found it effective to block troublesome IPs for some length of time, usually an hour to a day does it. This was my security policy as an IT Manager and it is working fine on my dedicated server.

Hope this helps!

I have a host who, for the most part, I am satisfied with. However, he is in the habit of blocking IP ranges for various reasons... DDOS attacks, repeated port scans, etc. I've had complaints from some of my clients who do international business that some people cannot access their sites from other parts of the world, like places in Asia, the Middle East, South and Central America, etc. I'm not surprised at the complaints.

Is this a normal practice, or is this host over-zealous?

Robert Harrison
Director of Interactive Services
Austin & Williams
Advertising I Branding I Digital I Direct
125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_

You do realize that the post you replied to is 6 months old, right?

On Thu, Nov 1, 2012 at 2:21 PM, Jenny Gavin-Wear < jennygw@fasttrackonline.co.uk> wrote:
----- Excess quoted text cut - see Original Post for more -----

I have found it effective to block troublesome emails for some length of time, usually 6 months does it.

On Thu, Nov 1, 2012 at 3:25 PM, Matt Quackenbush <quackfuzed@gmail.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
...

Heh. :-)

On Thu, Nov 1, 2012 at 2:30 PM, Cameron Childress <cameronc@gmail.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

> I have found it effective to block troublesome emails for some length of
> time, usually 6 months does it.

http://instantrimshot.com/

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Ha! I was about to reply with the exact same link...

On 11/1/12 4:06 PM, "Dave Watts" <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

That sir, made my day. Classic.

G!

On Thu, Nov 1, 2012 at 4:06 PM, Dave Watts <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

LMAO ! :P It's cruel to mock the afflicted ;)

That sir, made my day. Classic.

G!

On Thu, Nov 1, 2012 at 4:06 PM, Dave Watts <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----

LOL .. whoops .. didn't realise it was so long since I checked the list!

You do realize that the post you replied to is 6 months old, right?

On Thu, Nov 1, 2012 at 2:21 PM, Jenny Gavin-Wear < jennygw@fasttrackonline.co.uk> wrote:
----- Excess quoted text cut - see Original Post for more -----
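
The blocking policy several posters describe in this thread (check whether valid traffic ever came from the address, block single addresses rather than ranges, let blocks expire after an hour to a day), sketched as an added Python example that is not from any poster. The class name, decision labels and addresses are constructed for illustration, and the `known_good` set stands in for the database lookup.

```python
import ipaddress
import time


class TemporaryBlocklist:
    """Single-address, time-limited blocks; ranges are refused."""

    def __init__(self, known_good, ttl_seconds=3600):
        # known_good: addresses that produced valid traffic in the past.
        # Assumption: a real deployment would query its own request logs.
        self.known_good = {ipaddress.ip_address(a) for a in known_good}
        self.ttl = ttl_seconds
        self.blocked = {}  # address -> expiry timestamp (seconds)

    def request_block(self, target, now=None):
        """Return (decision, reason) for a request to block `target`."""
        now = time.time() if now is None else now
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # CIDR ranges and malformed input are not single addresses.
            return ("refused", "not a single address")
        if addr in self.known_good:
            # Legitimate users have come from here: leave it to a human.
            return ("review", "valid traffic seen from this address")
        self.blocked[addr] = now + self.ttl
        return ("blocked", f"expires in {self.ttl}s")

    def is_blocked(self, target, now=None):
        """True while an unexpired block exists for `target`."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(target)
        expiry = self.blocked.get(addr)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[addr]  # block has aged out
            return False
        return True


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    bl = TemporaryBlocklist(["198.51.100.7"], ttl_seconds=3600)
    for target in ("203.0.113.0/24", "198.51.100.7", "203.0.113.9"):
        print(target, bl.request_block(target, now=0))
    print("still blocked after 30 min:", bl.is_blocked("203.0.113.9", now=1800))
    print("still blocked after 60 min:", bl.is_blocked("203.0.113.9", now=3600))
```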
May 21, 2013