
Blocking unwanted traffic to a web server - help please

m-abooali
Level 4

Hi,

I am doing some work for this Web Hosting company and have faced a very kind of odd situation! A customer who is based in Asia, Japan, I think, has demanded to restrict all traffic from Japan except for a few blocks to their web server. There is a firewall in front of their server and then the web hosting company's core router and an OC3 circuit to the Internet.

If I want to put deny statements and ACLs for all those blocks, well, there will be no router or firewall able to process that, plus it is a very slow and tedious task.

I was wondering if you guys can direct me to a right approach please?

Regards,

Mike

24 Replies

Hello,

I might not know how to do the Web server load balancing tricks, but I just thought of a perhaps stupid way to do something in that direction. I suppose that not many non-Japan users would view the Web site content in the Japanese language. If they have Japanese content and English content for their website, then you can put the Japanese content inside the box that is supposed to serve Japanese. I suppose that not many US people will request the Japanese content. If this cannot be a solution, we can just view it as a joke to cheer up until problem is clarified. :-)

Kind Regards,

M.

P.S. I meant above that it will be the job of the main website page to redirect the user's web browser to the appropriate server (English or Japanese) according to the language the user requests for viewing the website content.

Hey, thanks for the advice. And it is not stupid at all!

These customers have asked for something that no router can do?

How about IP aggregation / summarization to reduce the number of permit or deny statements?

Do you know any document that can help me try to summarize all these blocks?

Thanks,

Mike

Hello,

Yes, I believe you cannot put rules in a router to drop all traffic from non-Japan users. You would have to know all the IP addresses from Japan and the IP numbering scheme is not as flat as the one used in old telephone systems for example (where there is a country code and we are done). There can be many many blocks and this would be an impossible configuration. Summarization would not be of much help, because even the supernets can be a lot. This kind of information could be available by the local registry that gives out IP addresses for Japan (I would not even dare to take a look at it). And yet, traffic could still reach your router only to be dropped and those packets that correspond to users would not be served.

A better way is to direct non-Japanese users to the non-Japanese box to get their service there and the Japanese to the Japanese box. This way no traffic needs to be dropped, everybody gets the service they requested and load is balanced between the servers. I would suggest you talk to people familiar with server load balancing issues and people that develop the website content. Some things that look very cumbersome to configure at the network layer can be done very efficiently at the application layer with just having a user choose between "English" or "Japanese" and redirecting the browser to the appropriate server. The web developers could put in the webpage code the different servers according to language selection by the user and you would be done.

Kind Regards,

M.
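The summarization question raised in this thread can be measured before any ACL is written. The following is an added example, not part of the original posts: it assumes the per-country blocks come from a registry file in the RIR delegated-statistics layout (`registry|cc|type|start|count|date|status`), and the sample lines, function names and ACL number 101 are constructed for illustration.

```python
import ipaddress

# Constructed sample lines; the addresses are private-range placeholders,
# not real allocations.
SAMPLE = """\
apnic|JP|ipv4|10.0.0.0|256|20000101|allocated
apnic|JP|ipv4|10.0.1.0|256|20000101|allocated
apnic|JP|ipv4|10.0.2.0|512|20000101|allocated
apnic|AU|ipv4|10.0.4.0|1024|20000101|allocated
apnic|JP|ipv4|10.0.8.0|768|20000101|allocated
apnic|JP|ipv6|2001:db8::|32|20000101|allocated
apnic|JP|ipv4|10.1.0.0|65536|20000101|assigned
"""

def country_networks(text, cc):
    """Return the IPv4 CIDR blocks listed for country code `cc`."""
    nets = []
    for line in text.splitlines():
        fields = line.split("|")
        # Skip comments, header/summary rows, other countries and IPv6.
        if len(fields) < 7 or fields[1] != cc or fields[2] != "ipv4":
            continue
        first = ipaddress.IPv4Address(fields[3])
        # The count is a number of addresses and need not be a power of
        # two, so one registry row can expand into several CIDR blocks.
        last = first + int(fields[4]) - 1
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def summarize(nets):
    """Merge adjacent and overlapping blocks into the fewest prefixes."""
    return list(ipaddress.collapse_addresses(nets))

def acl_lines(nets, acl=101, action="deny"):
    """Render Cisco-style extended ACL entries with wildcard masks."""
    return [f"access-list {acl} {action} ip {n.network_address} {n.hostmask} any"
            for n in nets]

if __name__ == "__main__":
    raw = country_networks(SAMPLE, "JP")
    merged = summarize(raw)
    print(f"{len(raw)} blocks before summarization, {len(merged)} after")
    print("\n".join(acl_lines(merged)))
```

Running the same functions over a full registry file gives the real entry count to compare against what the router or firewall can hold; blocks only merge when they are adjacent and aligned, so interleaved allocations to other countries limit the reduction.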

You are 100% right and I have already advised them that this is not a networking issue but rather a systems/web developers' one.

I really appreciate your help and good advice.

Regards,

Mike

Mike,

It was a pleasure discussing this issue with you. It encouraged me to think differently from the "L3 networking" way I usually do :-)

Hope everything goes well!

You are welcome man, the pleasure is all mine working with you.

I want to use the opportunity and ask you about L2, LACP between a core 6500 (fiber blades) and server rack switches (Cisco 3560s, gig) running 4 strands of fiber for redundancy, basically creating a 4 gig bundle.

Can you please share some info with me if you happen to have done this in the past or have documents that explain this to the point, please?

Regards,

Mike

Thanks man, but I am a woman (should I be proud that it is not usually apparent from my writing? :-)

I am afraid I do not know a lot of things about switches, only very basic stuff.

The LAN, Switching and Routing forum is more appropriate. Usually people see the conversations in various sections of NetPro and could answer here, but you will have more luck there. It is discouraging for most people to start reading a conversation that contains many posts such as this one if they haven't followed from the beginning. Since this is another type of question, it would be better to open a new conversation.

Kind Regards,

Maria

Well, I am glad you are!

I usually don't pay attention to writing and just from the first initial, I couldn't say! I am sorry.

A professional is always a professional and gender doesn't matter. In fact women pay more attention to the details of technical stuff!

Once again, it was a pleasure working with you on this very important issue to me.

Where are you located? If you don't mind me asking!

Regards,

Mike

I live in Greece. People in this forum are from all across the globe and this is part of the fun here.

The country of SUNSHINE!

I have planned to visit Greece for the late summer this year.

I may post a technical question for you while there!

It is a beautiful country and I really enjoyed being there like 4 years ago!

Thanks again.

Mike
