Blocking unwanted traffic to a web server - help please

Answered Question
Apr 1st, 2008

hi,


I am doing some work for this web hosting company and have faced a very odd kind of situation! A customer who is based in Asia (Japan, I think) has demanded to restrict all traffic from Japan, except for a few blocks, to their web server. There is a firewall in front of their server, and then the web hosting company's core router and an OC3 circuit to the Internet.


If I want to put deny statements and ACLs for all those blocks, well, there will be no router or firewall able to process that, plus it is a very slow and tedious task.


I was wondering if you guys can direct me to the right approach, please?


Regards,


Mike

marikakis Tue, 04/01/2008 - 11:57

Hello,


Not sure I understood exactly the network topology, but in cases where the ACL denies are too many, you are better off going with explicit permits and letting the implicit deny at the end of the ACL handle the rest. So, check out exactly what they want to permit (since you implied that the exceptions to permit are few, a less tedious task) and configure that at the best position in the network (device, interface) that accomplishes the task (avoid too much unnecessary traffic traversing the network only to be dropped), while not interfering with other types of traffic too much.


Kind Regards,

M.

m-abooali Tue, 04/01/2008 - 12:05

Thanks for getting back to me. The reason for the lack of info is that I don't have the full scope of that demand, except that they don't want the whole of Japan to hit their box (the box is here in the US).


I also thought about working with permits and letting the implicit deny take care of the rest, but where in the network, as you suggested, I have to see. I am yet to see the actual network myself.


How about the core router where traffic enters this web hosting company's network, in order not to allow the unwanted traffic to travel through the switch and firewall and then get dropped?


A few permit statements for only the blocks that they want to allow. One question: do I have to use the host in my permit statements? The host being that particular web server.


Would it make sense to write the ACL for various services/protocols, or just for the IP protocol?


Please advise.


Regards,


Mike

sundar.palaniappan Tue, 04/01/2008 - 12:15

Mike,


An access list to block an extremely high number of networks might be overkill for the router. If the router platform you are using supports Turbo ACL, that might ease the burden on the router to some extent.


I don't know what kind of problem your customer is having as far as the web server is concerned. If they are experiencing a DoS attack targeted at the web server, you may be able to use the 'ip tcp intercept' feature to mitigate the attacks against the server to a considerable extent.


Have a look at this link for more information on the TCP intercept feature, to see if this is something that would address your problem.


http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scdenial.html


HTH


Sundar

m-abooali Tue, 04/01/2008 - 12:21

Hi Sundar,


I have not been exposed to Turbo ACLs yet! What are they, and how can I create those on a Cisco core router?


I will look into that TCP intercept concept for sure. I have not been fully educated on the full nature of the customer's problem, but I will. I am travelling and they have posed this question to me over the phone, just to address it when I am back onsite!


Please advise on the Turbo ACLs.


Regards,


Mike

m-abooali Tue, 04/01/2008 - 12:30

Thanks, and I sure need help from you guys. I very much appreciate that.


Regards,


Mike

marikakis Tue, 04/01/2008 - 12:34

Hello,


I suppose that when they say they do not want the whole of Japan to hit the US box, they would rather the traffic didn't traverse the expensive connection to the Internet only to be dropped in the US at the input of the OC3 interface. You should discuss this with them anyway and explore the possibility of entering the ACL at the output of the Japan box as well (maybe you need this on the US input interface anyway, just to be extra cautious).


A problem you might encounter is interfering with other types of traffic that you do not want to deny. The particular host IP address is very helpful in this case for building your ACL. If you put this ACL in the Japan box and use the host as destination, you do not have to think much about the source addresses. In the US you will probably have to think about the source addresses, because they most probably do not want all the traffic from non-Japan sources towards their web server to be dropped. So, in the US you could put the permits from the Japan source addresses towards the web server, then deny everything else from those source addresses, and then continue permitting/denying all other types of traffic they already permit/deny.


Yes, you can write an ACL for various protocols/services, and in your case you actually might have to, depending on the requirements. Working with just IP might or might not cover the requirement for allowing only specific services. [Have edited this part, because the particular host might be just OK to cover the requirements; it depends on what they actually want.]


Have a look at the following document for more help in configuring ACLs:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#defport


Kind Regards,

M.


p.s. Anyway, you have to clarify exactly what the topology is. Then everything will be clearer to you and to us.
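As an added example (not code from this thread or from Cisco), here is a small Python evaluator for IOS-style extended ACL lines that shows the approach recommended above: a few explicit permits toward the web server, then let the deny handle everything else aimed at it, while other traffic through the same interface is left alone. The web server address and the permitted source blocks are constructed documentation prefixes, and the explicit `deny ip any host ...` line placed before a final `permit ip any any` is what keeps that other traffic flowing; an ACL that ended after the permits would rely on the implicit deny and drop everything else on the interface too.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the thread: a first-match evaluator for
# Cisco IOS-style extended ACL lines, with the implicit deny that ends every
# IOS ACL. All addresses are constructed documentation prefixes.
WEB_SERVER = "198.51.100.10"                              # assumed: the customer's US box
PERMITTED_SOURCES = ["203.0.113.0/24", "192.0.2.128/25"]  # assumed: the few blocks to allow


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None: any destination port


def _parse_addr(tokens: List[str]):
    """Consume one IOS address spec ('any' | 'host A' | 'A WILDCARD')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    hostmask = int(ipaddress.ip_address(wildcard))
    # IOS wildcards are inverted masks; only contiguous ones are handled here
    if (hostmask + 1) & hostmask:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefixlen = 32 - hostmask.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False), tokens[2:]


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq www'."""
    tokens = line.split()
    if tokens[0] == "access-list":          # numbered form: skip 'access-list <n>'
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = {"www": 80, "https": 443}.get(rest[1]) or int(rest[1])
    return Rule(action, proto, src, dst, dport)


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto="tcp", dport=80) -> str:
    """First matching line wins; no match at all means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto not in ("ip", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


def allowlist_acl() -> List[Rule]:
    """The thread's approach: a few permits toward the server, one explicit
    deny for everything else aimed at it, then leave unrelated traffic alone."""
    lines = []
    for block in PERMITTED_SOURCES:
        net = ipaddress.ip_network(block)
        lines.append(f"permit tcp {net.network_address} {net.hostmask} host {WEB_SERVER} eq www")
    lines.append(f"deny ip any host {WEB_SERVER}")
    lines.append("permit ip any any")      # other hosts behind the interface are unaffected
    return [parse_rule(l) for l in lines]


if __name__ == "__main__":
    acl = allowlist_acl()
    for src, dst, port in [("203.0.113.7", WEB_SERVER, 80), ("192.0.2.5", WEB_SERVER, 80),
                           ("203.0.113.7", WEB_SERVER, 22), ("192.0.2.5", "198.51.100.20", 80)]:
        print(f"{src} -> {dst}:{port}  {evaluate(acl, src, dst, dport=port)}")
```

Note that the permits are written per service (`eq www`), so a permitted source still cannot reach the server on other ports; that is the "various services/protocols versus just IP" choice discussed in the post.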

m-abooali Tue, 04/01/2008 - 12:44

Hey, thanks very much for your explanation, although I have some questions on the following statement that you made:


"If putting this ACL in Japan box and use the host as destination you do not have to think much about the source addresses. In the US you will probably have to think about the source addresses, because they most probably do not want all the traffic from non-Japan sources towards their web server to be dropped"


I really don't know how they enter the US, but I know that they have a box in our location and we have two OC3s to the Internet (I am still to see the actual network by being onsite, as I am travelling). So I really didn't quite understand the Japan side and the US side. I only have control over the core routers here and the two OC3s connecting us to the Internet. There is only one switch and one PIX firewall between the box in question and our core routers connecting us to the Internet, using two OC3s with BGP.


I know that I have not provided a lot of information, but believe me, this is all I have been told! I will find out more when I get to the site.


Please advise.


Regards,


Mike.

marikakis Tue, 04/01/2008 - 12:58

Hello,


I might have misinterpreted a sentence of yours. You said that "a customer who is based in Asia, Japan, i think has demanded to restric all traffic from Japan" and "they don't want the whole Japan to hit their box (the Box is here at US)". I can't think of a reasonable way to deny all the IP addresses of the whole country of Japan, so I thought they meant their own site IP addresses there on the Japan side not hitting the US-side box. Is that correct? If it is, then they could restrict the traffic there at the Japan site, before it enters the Internet (don't they reach the US box from the Japan site via the global Internet?) and ever reaches the US boxes.


Kind Regards,

M.

m-abooali Tue, 04/01/2008 - 13:54

I totally agree.


As I corrected in my earlier posting, they had it wrong: they want the Japanese to be able to hit the box but block US users, as they have a separate box for US users!


Still, I don't know how to deny or permit all traffic from the US on a single router's interface.


This is what they want and I am lost!


Regards,


Mike

marikakis Tue, 04/01/2008 - 13:09

Hello,


OK, I might have got a bit confused here. If you clarify the topology, we will all feel better. Ask them as many questions as you can. The US box is known. Traffic from which source addresses do they want to permit/deny towards the US box?


Kind Regards,

M.

m-abooali Tue, 04/01/2008 - 13:51

You are right, as they got me confused too. It seems that the problem is the other way around! Language barriers have led to the confusion.


They want only Japanese users to hit this web server and not the US users, which doesn't change the solution and approach, I guess.


Still need to identify the blocks that need to be blocked and the blocks that need to be permitted, but how many blocks to permit? How can we write permit ACLs for all the IP blocks that the Japanese have, and block the US's blocks?


I think IP aggregation and maybe route summarization also need to come into play too?!


Regards,


Mike

marikakis Tue, 04/01/2008 - 14:26

Hello,


OK, this sounds to me like a problem that cannot normally be solved with ACL and routing tricks. It sounds to me more like "how do I distribute traffic to my web servers that reside across the globe?". What do you think about that? If it is so, then I cannot be of much help. I am aware that tricks do exist to achieve some traffic distribution, but I do not know exactly how they do it (maybe mirroring, maybe some DNS tricks, maybe something else; I actually know nothing in this field). Do they want to balance the traffic towards their web servers to the extent possible, or do they want to strictly drop traffic that is from non-Japan users?


Kind Regards,

M.

m-abooali Wed, 04/02/2008 - 07:39

TCP or IP knocking does exist, but I don't know much about it either!


I am researching this issue currently.


Regards,


Mike

marikakis Tue, 04/01/2008 - 14:37

Hello,


I might not know how to do the web server load balancing tricks, but I just thought of a perhaps stupid way to do something in that direction. I suppose that not many non-Japan users would view the website content in the Japanese language. If they have Japanese content and English content for their website, then you can put the Japanese content inside the box that is supposed to serve the Japanese. I suppose that not many US people will request the Japanese content. If this cannot be a solution, we can just view it as a joke to cheer us up until the problem is clarified. :-)


Kind Regards,

M.


p.s. I meant above that it will be the job of the main website page to redirect the user's web browser to the appropriate server (English or Japanese) according to the language the user requests for viewing the website content.

m-abooali Wed, 04/02/2008 - 07:38

Hey, thanks for the advice. And it is not stupid at all!


These customers have asked for something that no router can do?


How about IP aggregation/summarization to reduce the number of permit or deny statements?


Do you know of any document that can help me try to summarize all these blocks?


Thx,


Mike
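As an added example (not from this thread), the following Python shows what summarizing a country's blocks actually buys you. The records are constructed samples laid out like the lines of an RIR delegated-extended file (`registry|cc|type|start|count|date|status`), not real JP allocations; the parser turns each record into aligned CIDR blocks (a count that is not a power of two spans several), `collapse_addresses` merges neighbours, and the result is rendered as IOS-style permits toward an assumed web server address. On the sample data five blocks collapse to four, which is the kind of modest gain the discussion expects.

```python
import ipaddress
from typing import Iterable, Iterator, List

# Added example, not from the thread. The records below are constructed
# samples in the layout of an RIR delegated-extended file
# (registry|cc|type|start|count|date|status); they are not real JP allocations.
SAMPLE_DELEGATIONS = """\
apnic|JP|ipv4|203.0.113.0|256|20080101|allocated
apnic|JP|ipv4|203.0.112.0|256|20080101|allocated
apnic|JP|ipv4|198.51.100.0|768|20080101|allocated
apnic|KR|ipv4|192.0.2.0|256|20080101|allocated
apnic|JP|ipv4|10.1.0.0|4096|20080101|assigned
"""


def parse_delegations(text: str, country="JP", family="ipv4") -> Iterator[ipaddress.IPv4Network]:
    """Yield one or more CIDR blocks per matching record. The 'count' column is
    a number of addresses, not a prefix length, so a count that is not a power
    of two (768 above) has to be split into several aligned blocks."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 5 or fields[1] != country or fields[2] != family:
            continue
        start = ipaddress.ip_address(fields[3])
        end = start + (int(fields[4]) - 1)
        yield from ipaddress.summarize_address_range(start, end)


def summarize(text: str, country="JP") -> List[ipaddress.IPv4Network]:
    """Collapse adjacent and overlapping blocks into the shortest equivalent list."""
    return list(ipaddress.collapse_addresses(parse_delegations(text, country)))


def permit_lines(networks: Iterable[ipaddress.IPv4Network], web_server: str, port="www") -> List[str]:
    """Render one IOS-style permit per block toward a single host (the IOS
    wildcard mask is the inverted netmask, which ipaddress calls hostmask)."""
    return [f"permit tcp {n.network_address} {n.hostmask} host {web_server} eq {port}"
            for n in networks]


if __name__ == "__main__":
    raw = list(parse_delegations(SAMPLE_DELEGATIONS))
    nets = summarize(SAMPLE_DELEGATIONS)
    print(f"{len(raw)} blocks before summarization, {len(nets)} after")
    for line in permit_lines(nets, "198.51.100.10"):   # assumed web server address
        print(line)
```

Run against a real delegation file the same code produces hundreds to thousands of lines for a large country, so it answers the "how many blocks" question quantitatively rather than making the list short; it also says nothing about where a user actually is, only where an address was registered.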

Correct Answer
marikakis Wed, 04/02/2008 - 11:50

Hello,


Yes, I believe you cannot put rules in a router to drop all traffic from non-Japan users. You would have to know all the IP addresses from Japan, and the IP numbering scheme is not as flat as the one used in old telephone systems, for example (where there is a country code and we are done). There can be many, many blocks and this would be an impossible configuration. Summarization would not be of much help, because even the supernets can be a lot. This kind of information could be available from the local registry that gives out IP addresses for Japan (I would not even dare to take a look at it). And yet, traffic could still reach your router only to be dropped, and those packets that correspond to users would not be served.


A better way is to direct non-Japanese users to the non-Japanese box to get their service there, and the Japanese to the Japanese box. This way no traffic needs to be dropped, everybody gets the service they requested, and load is balanced between the servers. I would suggest you talk to people familiar with server load balancing issues and people that develop the website content. Some things that look very cumbersome to configure at the network layer can be done very efficiently at the application layer, just by having a user choose between "English" or "Japanese" and redirecting the browser to the appropriate server. The web developers could put the different servers in the webpage code according to the language selection by the user, and you would be done.


Kind Regards,

M.
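As an added example (not code from this thread or from the customer's site), here is the application-layer redirect described in the answer, written in Python as a tiny WSGI front door: the visitor's explicit choice (`?lang=ja` or `?lang=en`, assumed parameter name) wins, otherwise the browser's `Accept-Language` header is parsed with its q-values and the first language that has a box is used, otherwise a default. The hostnames are assumed.

```python
from typing import List, Optional
from urllib.parse import parse_qs

# Added example, not the thread's or any vendor's code. Hostnames are assumed.
SERVERS = {"ja": "https://jp.example/", "en": "https://us.example/"}
DEFAULT_LANG = "en"


def parse_accept_language(header: str) -> List[str]:
    """Return the language tags of an Accept-Language header, best q-value
    first; ties keep the order in which the browser listed them."""
    ranked = []
    for pos, part in enumerate(header.split(",")):
        pieces = [p.strip() for p in part.split(";")]
        tag = pieces[0].lower()
        if not tag:
            continue
        q = 1.0
        for param in pieces[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0               # malformed weight: treat as "not acceptable"
        if q > 0:
            ranked.append((-q, pos, tag))
    return [tag for _, _, tag in sorted(ranked)]


def choose_server(accept_language: Optional[str], override: Optional[str] = None) -> str:
    """An explicit user choice wins; otherwise the first preferred language
    that has a box; otherwise the default box."""
    if override in SERVERS:
        return SERVERS[override]
    for tag in parse_accept_language(accept_language or ""):
        primary = tag.split("-")[0]       # 'ja-JP' -> 'ja'
        if primary in SERVERS:
            return SERVERS[primary]
    return SERVERS[DEFAULT_LANG]


def app(environ, start_response):
    """Minimal WSGI front door: every request is answered with a redirect to
    the box for the visitor's language (?lang=ja or ?lang=en overrides)."""
    lang = parse_qs(environ.get("QUERY_STRING", "")).get("lang", [None])[0]
    target = choose_server(environ.get("HTTP_ACCEPT_LANGUAGE"), lang)
    start_response("302 Found", [("Location", target), ("Vary", "Accept-Language")])
    return [b""]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Both the header and the query parameter are under the visitor's control, so this steers traffic rather than restricting it, which is exactly the point of the answer: nobody is dropped, each box serves the audience it was built for, and the `Vary: Accept-Language` header keeps caches from serving one audience's redirect to the other.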

m-abooali Wed, 04/02/2008 - 13:38

You are 100% right, and I have already advised them that this is not a networking issue but rather a systems/web developers' one.


I really appreciate your help and good advice.


Regards,


Mike

marikakis Wed, 04/02/2008 - 13:57

Mike,


It was a pleasure discussing this issue with you. It encouraged me to think differently from the "L3 networking" way I usually do :-)


Hope everything goes well!

m-abooali Thu, 04/03/2008 - 08:25

You are welcome, man; the pleasure is all mine working with you.


I want to use the opportunity and ask you about L2 LACP between a core 6500 (fiber blades) and server rack switches (Cisco 3560s, gigabit) running 4 strands of fiber for redundancy, basically creating a 4 gig bundle.


Can you please share some info with me if you happen to have done this in the past, or have documents that explain this to the point?


Regards,


Mike

marikakis Thu, 04/03/2008 - 08:37

Thanks man, but I am a woman (should I be proud that it is not usually apparent from my writing? :-)


I am afraid I do not know a lot of things about switches, only very basic stuff.


The LAN, Switching and Routing forum is more appropriate. Usually people see the conversations in various sections of NetPro and could answer here, but you will have more luck there. It is discouraging for most people to start reading a conversation that contains many posts such as this one if they haven't followed from the beginning. Since this is another type of question, it would be better to open a new conversation.


Kind Regards,

Maria

m-abooali Thu, 04/03/2008 - 08:59

Well, I am glad you are!


I usually don't pay attention to writing, and just from the first initial I couldn't say! I am sorry.


A professional is always a professional and gender doesn't matter. In fact, women pay more attention to the details of technical stuff!


Once again, it was a pleasure working with you on this issue, which is very important to me.


Where are you located? If you don't mind me asking!



Regards,


Mike

marikakis Thu, 04/03/2008 - 09:29

I live in Greece. People in this forum are from all across the globe and this is part of the fun here.

m-abooali Thu, 04/03/2008 - 09:37

The country of sunshine!


I have planned to visit Greece in late summer this year.


I may post a technical question for you while there!


It is a beautiful country and I really enjoyed being there, like 4 years ago!


Thanks again.


Mike
