4

I'm using Amazon's ELB to load balance between servers,

When my site is under attack by bots, everything is exhausted, so here is the problem:

I can't block IP addresses with Amazon's security groups, because they don't explicitly allow "deny", so to deny one IP you have to allow every other IP address, which is tedious.

I can't use iptables to block IP addresses because ELB obfuscates the public IP addresses and replaces them with its own IP address.

The actual IP address of the visitors can only be seen in X-FORWARDED-IP

user893730

4 Answers

2

This just happened to me as well. I've been thinking about it, and while I haven't tried to implement it, I think for us the answer is to spin up an instance running a dedicated firewall in front of the app servers. That way the real ip addresses are visible to the firewall. I'll try to update this after I try to implement it with any issues I've come across.

Brandon
  • @mateuszzaqisza So that's basically what I ended up doing. I have a fw/lb consisting of iptables for security and nginx for ssl termination and load balancing. It's all configured with chef and knife_ec2. We don't use the ELBs at all anymore, which has a couple of side benefits like being able to use EIPs/A records on the fw/lb, instead of having to use CNAMEs. And the upstream nginx block gets auto-pop'd via chef search for all instances of the right type and env. So if I spin up a new instance that should be behind the lb, chef places the new instance in the upstream block. – Brandon Sep 19 '12 at 20:13
2

You're correct that you can't use security groups to block traffic.

If you're using a VPC, which you should be, then you can use Amazon's Network ACL as a firewall. They allow DENY rules, so you can block traffic on an IP or CIDR block.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html#VPC_Security_Comparison

sorohan
  • I'm going to vote this as the correct answer, but for others who found this thread you should consider this: https://aws.amazon.com/waf/ – zeros-and-ones Jan 19 '17 at 22:53
  • [The VPC quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) are very limited tho. – Kenny Evitt Nov 05 '20 at 19:08
0

Not a very good solution

You could block the IP address from accessing the EC2 instance using apache or iis. This obviously wouldn't be practical for hundreds of instances.

This question is also highly relevant: Blocking IP behind a load balancer

John Wheal
-1

I don't believe this is doable in any other way than the one you've described at the ELB level.

You could use a firewall on each instance (e.g. iptables) to block certain IP addresses, or even to set a limit of connections per minute/second per IP address.

This way you could block attackers automatically.

Also you could use tools like Chef/Puppet to propagate your firewall config to each instance.

  • But firewalls like iptables are also unable to see the real IP addresses of visitors; all they see is the ELB IP address, so it's not possible to block individual IPs – user893730 Jun 29 '12 at 18:43
  • Ah yeah. You're right. My bad. So I guess the only option would be Apache/Nginx on each instance filtering out hosts by X-Forwarded-For. I see a lot of people have the same problem, e.g. here: https://forums.aws.amazon.com/message.jspa?messageID=317385 – mateuszzawisza Jun 29 '12 at 23:17
  • I have used the X-Forwarded-For address within our Apache (and Nginx) configurations to block the traffic. It's a messy solution, but it works. I downvoted the accepted answer here because it is not correct. – Tom Harrison Jr Jun 14 '14 at 04:44
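The comments above settle on filtering by X-Forwarded-For on each instance. The one detail a practitioner needs to get right is which address in that header to trust: ELB appends the address it accepted the connection from to the right end of the header, so anything to the left of it was supplied by the client and can be set to whatever a bot likes. The following is an added example, not code from any of the posters: it extracts the client address by walking the header from the right and skipping hops that belong to trusted proxies, checks it against a static blocklist, and derives an automatic blocklist from a request-count threshold over a window of requests (the "limit of connections per minute" idea from the answer above). The trusted proxy range `10.0.0.0/8`, the blocklist entries and the sample header values are all constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed assumption: proxies whose addresses may appear in X-Forwarded-For
# and that we trust to have appended the hop to their right honestly (e.g. an
# internal proxy tier inside the VPC). Replace with your own front-end ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed static blocklist.
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]


def client_ip(xff, trusted=TRUSTED_PROXIES):
    """Return the client address carried in an X-Forwarded-For value, or None.

    ELB appends the connecting address as the right-most hop, so the right-most
    hop that does not belong to a trusted proxy is the client. Everything to its
    left was written by the client and is ignored, which is what prevents a bot
    from dodging a block by sending its own X-Forwarded-For header.
    """
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # unparsable hop: fail closed, don't fall through to the next one
        if not any(addr in net for net in trusted):
            return addr
    return None  # header contained only trusted proxies: no client address to act on


def is_blocked(addr, blocklist=BLOCKLIST):
    """True when the extracted client address falls inside a blocklisted network."""
    return addr is not None and any(addr in net for net in blocklist)


def noisy_clients(xff_values, threshold):
    """Return the client addresses seen more than `threshold` times.

    `xff_values` holds one X-Forwarded-For value per request in the window being
    examined (e.g. the last minute of the access log); the result is the set of
    addresses to feed into a deny rule.
    """
    counts = Counter()
    for xff in xff_values:
        addr = client_ip(xff)
        if addr is not None:
            counts[addr] += 1
    return {addr for addr, n in counts.items() if n > threshold}


# Constructed sample: header values as an app server behind ELB would see them
# for one short window of requests.
SAMPLE_XFF = (
    ["203.0.113.7"] * 6                  # one bot hammering the site
    + ["198.51.100.9, 203.0.113.7"] * 3  # same bot, prepending a decoy hop
    + ["192.0.2.10"] * 2                 # ordinary visitor
    + ["192.0.2.11, 10.0.5.20"]          # visitor reaching us via a trusted internal proxy
    + ["198.51.100.44"]                  # address inside the static blocklist
)

if __name__ == "__main__":
    for xff in ("203.0.113.7", "198.51.100.9, 203.0.113.7", "192.0.2.11, 10.0.5.20"):
        addr = client_ip(xff)
        print(f"{xff!r:35} -> client {addr}, blocked={is_blocked(addr)}")
    print("auto-block candidates:", sorted(map(str, noisy_clients(SAMPLE_XFF, 5))))
```

The decoy hop `198.51.100.9` sits inside the blocklisted network, but because it is to the left of the ELB-appended address it is never consulted, so neither the static check nor the counter can be steered by the client. The same right-to-left rule is what nginx's `real_ip_recursive` and Apache's `RemoteIPInternalProxy` implement when the header is handed to a web-server-level deny list instead of a script.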