Easiest way to 'blacklist' all IP ranges from a specific BGP session
Void_Whisperer
Member
in Help
I'm having an issue with people using VPNs to connect to something that I'm hosting. I need to get rid of them, and I've come to the conclusion that the easiest way to do this, given that I know who the IP range belongs to, is to blacklist all the IP ranges of this specific company with BGP. Is there an easy way to do this?
Comments
If it's TCP connections, you can set a nonexistent next hop for the routes from this AS; this way they will still send you packets, but the TCP connections can't be established (your traffic will not reach them).
I'm just hoping I don't have to ban the IPs by hand, because that would be a huge pain.
Instead of blackholing the entire IP range, which might result in potential issues with mail or web servers, why not drop the VPN port of the IP range?
Which router do you have?
Not sure. Don't have access to the router.
I don't think it uses the same port.
So you want to drop an entire AS?
http://lowendtalk.com/discussion/29827/vpn-ip-check-work-in-progress
BGP blacklisting is really overkill. At most you should blacklist the IP blocks an AS announces.
If you have a list of IPs or prefixes, you can just drop traffic on the edge of your network. If you want to drop the whole AS, then just make a BGP filter and filter the incoming BGP advertisements; but don't forget to also drop the traffic if you are default-routing traffic back to your upstream.
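The "drop it at the edge" part of that last reply, as an added example that is not from this thread: given the prefixes an AS announces (here a constructed sample from RFC 5737/3849 documentation ranges, standing in for a routing-registry export), aggregate them and render an nftables drop set. The drop sits in the packet filter on purpose: as the earlier reply notes, rejecting or blackholing the route only stops your replies, not their inbound packets.

```python
"""Turn a list of prefixes announced by one AS into an nftables drop set."""
import ipaddress

# Constructed sample: overlapping and adjacent blocks, as AS exports often have.
SAMPLE_PREFIXES = [
    "203.0.113.0/25", "203.0.113.128/25",   # adjacent halves -> one /24
    "198.51.100.0/24", "198.51.100.64/26",  # second is already covered by the first
    "2001:db8:1::/48", "2001:db8:2::/48",   # not on a common /47 boundary, stay separate
]


def aggregate(prefixes):
    """Parse, strip host bits, collapse overlapping/adjacent blocks.
    Returns (ipv4_list, ipv6_list) of sorted prefix strings."""
    v4, v6 = [], []
    for p in prefixes:
        net = ipaddress.ip_network(p.strip(), strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return ([str(n) for n in ipaddress.collapse_addresses(v4)],
            [str(n) for n in ipaddress.collapse_addresses(v6)])


def nft_ruleset(prefixes, table="filter"):
    """Render an nftables ruleset dropping ingress packets from the blocks.
    Interval sets let one lookup match any address inside a prefix."""
    v4, v6 = aggregate(prefixes)
    lines = [f"table inet {table} {{"]
    for fam, typ, elems in (("v4", "ipv4_addr", v4), ("v6", "ipv6_addr", v6)):
        if not elems:
            continue
        lines += [f"  set blocked_{fam} {{",
                  f"    type {typ}",
                  "    flags interval",
                  "    elements = { " + ", ".join(elems) + " }",
                  "  }"]
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy accept;"]
    if v4:
        lines.append("    ip saddr @blocked_v4 counter drop")
    if v6:
        lines.append("    ip6 saddr @blocked_v6 counter drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset(SAMPLE_PREFIXES))  # pipe into: nft -f -
```

If the box forwards traffic for other hosts rather than terminating it, put the same rule in a `forward` hook chain as well; the `counter` on each rule gives you a quick check that the set is actually matching.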