Blocking unwanted traffic to a web server - help please

m-abooali
Level 4

hi,

I am doing some work for this Web Hosting company and have faced a very odd kind of situation! A customer who is based in Asia, Japan I think, has demanded to restrict all traffic from Japan except for a few blocks to their web server. There is a Firewall in front of their server and then the web Hosting company's core router and an OC3 circuit to the Internet.

If I want to put deny statements and ACLs for all those blocks, well, there will be no router or firewall able to process that, plus it is a very slow and tedious task.

I was wondering if you guys can direct me to a right approach please?

Regards,

Mike

Accepted Solution

Hello,

Yes, I believe you cannot put rules in a router to drop all traffic from non-Japan users. You would have to know all the IP addresses from Japan, and the IP numbering scheme is not as flat as the one used in old telephone systems, for example (where there is a country code and we are done). There can be many, many blocks and this would be an impossible configuration. Summarization would not be of much help, because even the supernets can be a lot. This kind of information could be available from the local registry that gives out IP addresses for Japan (I would not even dare to take a look at it). And yet, traffic could still reach your router only to be dropped, and those packets that correspond to users would not be served.

A better way is to direct non-Japanese users to the non-Japanese box to get their service there and the Japanese to the Japanese box. This way no traffic needs to be dropped, everybody gets the service they requested and load is balanced between the servers. I would suggest you talk to people familiar with server load balancing issues and people that develop the website content. Some things that look very cumbersome to configure at the network layer can be done very efficiently at the application layer by just having a user choose between "English" or "Japanese" and redirecting the browser to the appropriate server. The web developers could put in the webpage code the different servers according to language selection by the user and you would be done.

Kind Regards,

M.


24 Replies

marikakis
Level 7

Hello,

Not sure I understood exactly the network topology, but in cases where the ACL denies are too many, you are better off going with explicit permits and letting the implicit deny at the end of the ACL handle the rest. So, check out exactly what they want to permit (since you implied that the exceptions to permit are few, a less tedious task) and configure that at the best position in the network (device, interface) that accomplishes the task (avoid too much unnecessary traffic traversing the network only to be dropped), while not interfering with other types of traffic too much.

Kind Regards,

M.

Thanks for getting back to me. The reason for the lack of info is that I don't have the full scope of that demand, except that they don't want the whole of Japan to hit their box (the Box is here in the US).

I also thought about working with permits and letting the implicit deny take care of the rest, but where in the network, as you suggested, I have to see. I am yet to see the actual network myself.

How about the core router where traffic enters this web hosting's network, in order to not allow the unwanted traffic to travel through the switch and Firewall and then get dropped?

A few permit statements for the blocks that they want to allow only. One question: do I have to use the host in my permit statements? Host being that particular web server.

Would it make sense to write the ACL for various services/protocols or just for the IP protocol?

Please advise.

Regards,

Mike

Mike,

An access list to block an extremely high number of networks might be overkill for the router. If the router platform you are using supports turbo ACL, that might ease the burden on the router to some extent.

I don't know what kind of problem your customer is having as far as the web server is concerned. If they are experiencing DOS attack targeted at the Web server you may be able to use the 'ip tcp intercept feature' to mitigate the attacks against the server to a considerable extent.

Have a look at this link for more information on tcp intercept feature to see if this is something that would address your problem.

http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/scdenial.html

HTH

Sundar

Hi Sundar,

I have not been exposed to Turbo ACL yet! What is it and how can I create those on a Cisco Core router?

I will look into that tcp intercept concept for sure. I have not been fully educated on the full nature of the customer's problem, but I will. I am travelling and they have posed this question to me over the phone, just to address it when I am back onsite!

Please advise on the turbo ACLs.

Regards,

Mike

Thanks, and I sure need help from you guys. I very much appreciate that.

Regards,

Mike

Hello,

I suppose that when they say they do not want the whole of Japan to hit the US box, they would rather the traffic didn't traverse the expensive connection to the Internet only to be dropped in the US at the input of the OC3 interface. You should discuss this with them anyway and explore the possibility of entering the ACL on the output of the Japan box as well (maybe you need this on the US input interface anyway, just to be extra cautious).

A problem you might encounter is interfering with other types of traffic that you do not want to deny. The particular host IP address is very helpful in this case for building your ACL. If you put this ACL in the Japan box and use the host as destination, you do not have to think much about the source addresses. In the US you will probably have to think about the source addresses, because they most probably do not want all the traffic from non-Japan sources towards their web server to be dropped. So, in the US you could put the permits from the Japan source addresses towards the web server, then deny everything else from those source addresses, and then continue permitting/denying all other types of traffic they already permit/deny.

Yes, you can write an ACL for various protocols/services and in your case you actually might have to depending on the requirements. Working with just IP might or might not cover the requirement for allowing only specific services. [Have edited this part, because particular host might be just ok to cover requirements, depends on what they actually want.]

Have a look at the following document for more help in configuring ACLs:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#defport

Kind Regards,

M.

p.s. Anyway, you have to clarify exactly what the topology is. Then everything will be clearer to you and us.

Hey, thanks very much for your explanation, although I have some questions on the following statement that you made:

"If putting this ACL in Japan box and use the host as destination you do not have to think much about the source addresses. In the US you will probably have to think about the source addresses, because they most probably do not want all the traffic from non-Japan sources towards their web server to be dropped"

I really don't know how they enter the US, but I know that they have a BOX in our location and we have two OC3s to the Internet (I am still to see the actual network by being onsite, as I am travelling). So I really didn't quite understand the Japan side and the US side. I only have control over the core routers here and the two OC3s connecting us to the Internet. There is only one switch and one PIX firewall between the BOX in question and our core routers connecting us to the Internet using two OC3s using BGP.

I know that I have not provided a lot of information, but believe me, this is all I have been told! I will find out more when I get to the site.

Please advise.

Regards,

Mike.

Hello,

I might have misinterpreted a sentence of yours. You said that "a customer who is based in Asia, Japan, i think has demanded to restric all traffic from Japan" and "they don't want the whole Japan to hit their box (the Box is here at US)". I can't think of a reasonable way to deny all the IP addresses from the whole country of Japan, so I thought they meant their own site IP addresses there on the Japan side not hitting the US side box. Is that correct? If it is, then they could restrict the traffic there at the Japan site, before it enters the Internet (don't they reach the US box from the Japan site via the global Internet?) and ever reaches the US boxes.

Kind Regards,

M.

I totally agree.

As I corrected in my earlier posting, they had it wrong: they want the Japanese to be able to hit the box but block US users, as they have a separate box for US users!

Still, I don't know how to deny or permit all traffic from the US on a single Router's Interface?

This is what they want and I am lost!

Regards,

Mike

Hello,

Ok, I might have got a bit confused here. If you clarify the topology, we will all feel better. Ask them as many questions as you can. The US box is known. Traffic from which source addresses do they want to permit/deny towards the US box?

Kind Regards,

M.

You are right, as they got me confused too. It seems that the problem is the other way around! Language barriers have led to the confusion.

They want only Japan users to hit this web server and not the US users, which doesn't change the solution and approach, I guess.

I still need to identify the blocks that need to be blocked and the blocks that need to be permitted, but how many blocks to permit? How can we write permit ACLs for all the IP blocks that the Japanese have? And block the US's blocks?

I think IP aggregation and maybe route summarization also need to come into play too?!

Regards,

Mike
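The two ideas the thread has converged on, the layout M. described (permits from the customer's source blocks to the web server host, a deny for everything else aimed at that host, then whatever the site already permits) and the aggregation Mike asks about just above, can be checked before anything is typed into a router. The following is an added example written for this page, not code from any participant or from Cisco: it summarizes a short permit list with Python's standard `ipaddress` module, renders the entries in IOS extended-ACL syntax (wildcard mask is the inverted netmask, `host` for a /32, `any` for 0.0.0.0/0) and evaluates sample packets with first-match semantics and the implicit deny. Every prefix, address and the ACL name `WEB-JP-ONLY` are constructed from RFC 5737 documentation ranges; they are stand-ins for the customer's real blocks, which the page does not give. It only makes sense for a short, customer-supplied list, which is the accepted answer's point about why "all of Japan" cannot be enumerated this way.

```python
"""Constructed example: build a Cisco IOS style extended ACL that lets only a
short list of source blocks reach one web server, and test sample packets
against it. Addresses are RFC 5737 documentation ranges, not real allocations."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEB_SERVER = "192.0.2.10"        # constructed: the customer's box at the US hosting site
WEB_PORTS = (80, 443)            # constructed: only the services the server actually offers

# Constructed permitted source blocks. The two adjacent /25s are deliberate:
# summarization should collapse them into one /24 and save an ACL entry.
PERMITTED_SOURCES = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"]

ANY = ipaddress.ip_network("0.0.0.0/0")


def summarize(sources: List[str]) -> List[str]:
    """Aggregate adjacent/overlapping prefixes so the permit list is as short as
    possible (the 'IP aggregation' idea, applied to ACL entries, not routes)."""
    nets = (ipaddress.ip_network(s) for s in sources)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


@dataclass(frozen=True)
class Ace:
    """One access control entry. proto is 'ip' (matches any protocol) or e.g. 'tcp'."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, proto: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport

    def to_ios(self) -> str:
        """Render in IOS syntax: 'any', 'host A.B.C.D', or 'network wildcard'."""
        def addr(net: ipaddress.IPv4Network) -> str:
            if net.prefixlen == 0:
                return "any"
            if net.prefixlen == 32:
                return f"host {net.network_address}"
            return f"{net.network_address} {net.hostmask}"   # hostmask == wildcard
        line = f"{self.action} {self.proto} {addr(self.src)} {addr(self.dst)}"
        return line if self.dport is None else f"{line} eq {self.dport}"


def build_acl(sources=PERMITTED_SOURCES, server=WEB_SERVER, ports=WEB_PORTS,
              keep_other_traffic=True) -> List[Ace]:
    """Permits from the summarized blocks to the server host for each web port,
    then a deny for anything else aimed at that host, then (optionally) a
    stand-in for the site's existing rules so unrelated traffic keeps flowing.
    With keep_other_traffic=False the implicit deny handles everything else."""
    host = ipaddress.ip_network(f"{server}/32")
    acl = [Ace("permit", "tcp", ipaddress.ip_network(n), host, p)
           for n in summarize(sources) for p in ports]
    acl.append(Ace("deny", "ip", ANY, host))
    if keep_other_traffic:
        acl.append(Ace("permit", "ip", ANY, ANY))   # placeholder for existing rules
    return acl


def render(acl: List[Ace], name: str = "WEB-JP-ONLY") -> List[str]:
    """IOS 'ip access-list extended' stanza, one entry per line."""
    return [f"ip access-list extended {name}"] + [f" {ace.to_ios()}" for ace in acl]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[Ace]]:
    """First matching entry wins; no match at all means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(proto, s, d, dport):
            return ace.action, ace
    return "deny", None


if __name__ == "__main__":
    acl = build_acl()
    print("\n".join(render(acl)))
    # Constructed sample packets: (proto, source, destination, dest port)
    for pkt in [("tcp", "203.0.113.200", WEB_SERVER, 443),   # permitted block, web port
                ("tcp", "203.0.113.5", WEB_SERVER, 22),      # permitted block, wrong port
                ("tcp", "192.0.2.77", WEB_SERVER, 80),       # outside the permitted blocks
                ("tcp", "192.0.2.77", "192.0.2.20", 80)]:    # different host, left alone
        print(pkt, "->", evaluate(acl, *pkt)[0])
```

Two points worth reading off the output: the 203.0.113.200 packet is permitted even though no entry names 203.0.113.128/25, because `summarize` folded both /25s into 203.0.113.0/24; and a packet from a permitted block to a port the server does not offer is still dropped, which is what writing the permits per service (rather than `permit ip`) buys you. Apply the rendered list inbound on the interface where the traffic enters, as the thread discusses, so unwanted packets are not carried across the switch and firewall only to be dropped there.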

Hello,

Ok, this sounds to me like a problem that cannot normally be solved with ACL and routing tricks. It sounds to me more like "how do I distribute traffic to my Web servers that reside across the globe?". What do you think about that? If it is so, then I cannot be of much help. I am aware that tricks do exist to achieve some traffic distribution, but I do not know exactly how they do it (maybe mirroring, maybe some DNS tricks, maybe something else; I actually know nothing in this field). Do they want to balance the traffic towards their web servers to the extent possible, or do they want to strictly drop traffic that is strictly from non-Japan users?

Kind Regards,

M.

TCP or IP knocking does exist, but I don't know much about it either!

I am researching this issue currently.

Regards,

Mike
