Digital Demons, lets cast them out of our digital homes.

Back on March 19th of this year I posted, “Three weeks in two, bah who needs sleep.”, I must have lied because between those two weeks and the subsequent crazy weeks following I pretty much fell off the map. During the aforementioned two weeks though I visited Ottawa, Canada for Sales and Engineering training for CryptoCard. For me trips like this are exciting not for the trip but for the time I get to spend with other professionals learning, hanging out and passing on our tricks to each other. During a break on the training routine our instructor Patrick posed a question something to the affect of; if we don’t like spam and attacks and we know that 20 to 30% of all spam and attacks come from North Korea and China then why don’t we block them at the edge? A room full of accomplished network and security administrators and consultants responded….huh..why don’t we? This led to the conversation that has led me to casting out many of the worlds digital demons from a client site.

Late last week one of my clients started getting hit hard by some sort of PHP scanning and attack which was followed on Monday and Tuesday by massive SPAM flooding that not only jammed up their Barracuda Spam Firewall but also killed its ability to filter what was coming into it. So we started looking for answers other than simply allowing Barracuda to remote into its unit and play for 8 hours (Which ultimately fixed the problem but they neglected to inform us of the base problem.) This client had recently purchased a Cisco ASA-5540 with an AIP20 IPS inspection unit. Skipping the details we had never had the chance to deploy and or tune the AIP module. So knowing that we needed a quicker fix to our spam flood issue my mind returned to the question from that day in my training.

So with that I started searching Google for all sorts of key words that might give my pre-made silver bullet against the evil hoarde. After an hour or so I found what I was looking for at Okean. This site validates the conversation I had back in March at training that 20-30% of all SPAM originates in China and Korea according to Okean’s authors logs. What is offered at this site is an incredible set of text files that include ;

  • CN/KR DNS zone files
  • Cisco ACL (Combined both China and Korea)
  • Linux iptables (combined China and Korea)
  • IP Blocks contiguous
  • IP Blocks CIDR
  • IP Blocks dnsbl zone file

Depending on your application one of these files should fit the bill or provide you with a solid base for creating the type of filter that you need. In our case we were working with a Cisco ASA (PIX IOS 7.X) with an existing OUTSIDE_Access_IN ACL applied to OUTSIDE interface. The existing ACL’s make heavy use network_objects to define groups of similar networks and/or host that are then references in the ACL’s. The model allows administrators to quickly and easily add/remove/change ACL’s. So what I did was use the Cisco ACL provided at Okean then stripped out all the information with the exception of Ip Address and its Inverse Mask. With that information isolated I reversed the Mask’s and added network object tags. Here is the product of this little search and replace dance. I am publishing the Object_Group in its entirety but you should name the Group something that fits your format. To use this your should be familiar with both CLI configuration of PIX IOS 7.X as well as ASDM. If your not feel free to leave comments and we’ll see what we can do to help you out.

I try to keep my posts somewhat divorced from dates so they scale better over time but I wanted to let you know that I fully implemented this fix yesterday Tuesday May 8, 2007. You might ask what did I actually implement? For this particular client data published to the public is really only for local consumption (their local client base is HUGE!). So it was a simple decision to use a DENY IP (object group name) ANY. Yep thats right we killed any traffic originating from the Address Ranges period! And the results…thats kinda hard to tell. Here is a print of the current ACL hit counts. As for SPAM from what the Barracuda showed we cut the daily SPAM by more than half! Only time will tell if that holds. I plan on posting updates to this and plan on having numbers to show the benefits of this concept.

PLEASE comment on your experiences with large scale address filtering and your thoughts overall on this post. Thanks.

Powered by ScribeFire.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.