Blocking malicious IPs

Aug 8th, 2008


I have identified a few malicious IPs that are constantly hammering our web server. To block them I create an access rule for the outside interface: source IP is the malicious IP, destination is any, service is tcp-udp 1-65535, action is deny. Is this a proper way to block a malicious IP? I have been given the impression that they are more complicated and that it's not done properly.

Jon Marshall Fri, 08/08/2008 - 06:44


A simpler access-list would be

source ip / destination any / deny ip

If you use "deny ip" that covers all the TCP/UDP ports plus ICMP etc.

Bear in mind that it is easy to spoof a source IP address, so if you are going to block IP addresses be careful that you are sure you want to block them; otherwise you could end up denying access to your web server from valid clients.
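For comparison, here are both rule styles as they would be typed on a Cisco ASA/PIX CLI. This is an added example and not part of the original thread or either poster's configuration; it assumes an ASA-style CLI, an inbound access list named outside_access_in applied to the outside interface, and constructed addresses from the documentation ranges (203.0.113.45 as the offending host, 192.0.2.10 as the web server).

```cisco
! Added example, not from the thread. Assumed: ASA-style CLI, inbound ACL
! "outside_access_in" on interface "outside", constructed sample addresses.
!
! The rule as the original poster described it: one deny per transport,
! destination ports 1-65535. Two lines are needed and ICMP is still not matched.
access-list outside_access_in extended deny tcp host 203.0.113.45 any range 1 65535
access-list outside_access_in extended deny udp host 203.0.113.45 any range 1 65535
!
! The simpler form from the reply: "deny ip" matches TCP, UDP, ICMP and any
! other IP protocol from that source in a single entry.
! ACLs are evaluated top-down, so the deny is inserted at line 1 to keep it
! ahead of the permit that lets web traffic reach the server.
access-list outside_access_in line 1 extended deny ip host 203.0.113.45 any
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq www
access-group outside_access_in in interface outside
!
! Confirm the entry is actually matching (hitcnt increments) rather than
! assuming it works; cross-check against the web server's access log first
! so a spoofed or shared address is not blocked by mistake.
show access-list outside_access_in
```

The two "deny tcp"/"deny udp" lines and the single "deny ip" line are alternatives, not meant to coexist; the example shows both only to make the difference visible. The `show access-list` hit counter is the quickest way to see whether the rule is doing anything before deciding to leave it in place.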


netperception Fri, 08/08/2008 - 13:16

hmmmm,... I see. I understand. What would the process look like of banning someone then? What I'm going by is when I see xx packets from an IP in the top usage chart, I look that up in the access log and if it looks bad I am now banning the IP by 'deny IP'.

Secondly, do you know how to exclude some IPs from the Top Usage chart? Or do you know how I can view a large usage list? Maybe using the CLI?

