
First, our server holds an application that only serves 4 countries. We have had repeated DDoS attacks from a botnet, so we would like to block all traffic except for the 4 countries that the application serves.

The idea is to block them at the VLAN level.

So will a Cisco ASA 5505, or even a 5520, hold up to that? Or will it slow things down/hang, etc.?

1 Answer

Chances are you won't be using a VLAN "virtual local area network" to do this. Keyword being local. What I believe you want is to limit by IP address ranges, assigned only to the countries that could use your resources legitimately.

There is not a perfect solution to your need. It would be awesome if you knew the IP address of every user, but chances are that you don't.

The challenges are that IP addresses are not as simple as phone numbers, where we can just block a country code. The addresses were allocated far more randomly, and the countries that use them can change over time. Another challenge is that your users or customers could travel and would like to reach your services from other countries that you block. People with malicious intent can come from within the countries you don't block, or could spoof their IP address using a proxy and appear to be from another country. I'm sure I could come up with more, but that is a good start.

All that being said, on to solutions: If I were looking for a quick and easy solution to block or only allow certain countries, I would talk to my ISP and see if they already have a quick, affordable solution.

You can use deny or allow rules based on the IP addresses found in lists. Here is an article that discusses this solution http://blogs.cisco.com/security/block-a-country-with-my-cisco-router-or-firewall/

Cisco has their own solution that they want to sell you, the traffic-anomaly-detector-xt-5600a, and they tell you in a whitepaper article why firewall equipment is not the best solution for DDoS.

You could create alarms around DDoS, then view the logs at that time and block the problems as they happen.

I don't know anything about the code you are using, but you could set some limit within the application; there are Apache and other solutions as well.

This is one of your better options for using an ASA to mitigate DDOS http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html

  • Thanks for your answer, Jason. At least blocking the unwanted traffic will lessen the impact of the DDoS attack. I was talking with my ISP about a solution, but they just refer to services like Cloudflare, etc. – user3376096 Mar 04 '14 at 07:52
  • The company that I work for does use another provider similar to Cloudflare to address DDoS. We currently use a bunch of Akamai services, and one of them protects us from DDoS. – Jason Landstrom Mar 04 '14 at 18:38
  • Check out this site: https://www.countryipblocks.net/country_selection.php It can generate the IP addresses for countries in different formats to put in your firewall. You can include allow or deny in a copy-and-paste format to add to your firewall. – Jason Landstrom Mar 04 '14 at 18:54
  • Will this cause any slowness in the firewall (ASA 5505)? And will this block the DDoS for good, or just hang when the DDoS tries to reach the network? – user3376096 Mar 10 '14 at 18:33
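As an added example (not from the question, the answer, or Cisco), here is a small Python script that turns a per-country CIDR list of the kind the comments describe into ASA `object-group` and `access-list` lines that permit only those ranges and deny everything else. The object-group and ACL names, the interface name and the sample ranges (RFC 5737 documentation prefixes) are constructed placeholders, not real country data.

```python
import ipaddress

# Constructed sample allow list: country code -> CIDR blocks, in the shape a
# country IP list export would give you. These are documentation prefixes.
ALLOWED_COUNTRIES = {
    "US": ["192.0.2.0/24", "198.51.100.0/25"],
    "DE": ["203.0.113.0/24"],
}


def asa_allow_list(country_blocks, group="ALLOWED_COUNTRIES",
                   acl="OUTSIDE_IN", interface="outside"):
    """Return ASA CLI lines that permit only the listed blocks, deny the rest.

    ASA 'network-object' lines take a dotted subnet mask rather than a prefix
    length, so each CIDR is parsed and rewritten as 'address mask'. Adjacent or
    overlapping blocks are collapsed first so the object-group stays short,
    which matters on a small box like a 5505.
    """
    # strict=True makes a malformed entry (host bits set) raise ValueError
    # instead of silently widening the permitted range.
    nets = [ipaddress.ip_network(cidr, strict=True)
            for blocks in country_blocks.values() for cidr in blocks]
    lines = [f"object-group network {group}"]
    for net in ipaddress.collapse_addresses(nets):
        lines.append(f" network-object {net.network_address} {net.netmask}")
    # Permit the allowed group first; the explicit deny carries 'log' so that
    # dropped traffic is visible in syslog when reviewing an attack afterwards.
    lines.append(f"access-list {acl} extended permit ip object-group {group} any")
    lines.append(f"access-list {acl} extended deny ip any any log")
    lines.append(f"access-group {acl} in interface {interface}")
    return lines


if __name__ == "__main__":
    print("\n".join(asa_allow_list(ALLOWED_COUNTRIES)))
```

Note that the ASA still has to receive and evaluate every packet before the deny line drops it, so this reduces what reaches the servers but does not take the volumetric load off the link; that is what the ISP or Cloudflare-style options mentioned above address.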