How to block all requests from sudomains like *.dynamic-ip.hinet.net

veto64 · 01-14-2014, 02:27 AM

hi,

i'm getting a massive attack requests from different subomains like
36-225-122-51.dynamic-ip.hinet.net
36-226-148-210111-249-1-88.dynamic.hinet.net
111-249-5-234.dynamic.hinet.net
111-249-1-88.dynamic.hinet.net
etc
etc....

how on a debian wheezy can i simply block all request comming from the
subdomains *.dynamic.hinet.net

or block just the root domain with its subdomains.

acid_kewpie · 01-14-2014, 02:47 AM

You might want to actually tell us what kind of requests these are.... HTTP requests??

At a network level you can't realistically block it by domain *name*, that's too resource intensive and never done. However, those are (presumably) home user IP ranges on that ISP, and as such will all come from a set of fixed ranges. if you look up the IP's http://wq.apnic.net/apnic-bin/whois.pl you can see the range that they come from:

Code:

inetnum:        111.249.0.0 - 111.249.127.255
netname:        HINET-NET
descr:          Taipei Taiwan
country:        TW
admin-c:        HN184-TW
tech-c:         HN184-TW
mnt-by:         MAINT-TW-TWNIC
remarks:        This information has been partially mirrored by APNIC from
remarks:        TWNIC. To obtain more specific information, please use the
remarks:        TWNIC whois server at whois.twnic.net.
changed:        network-adm@hinet.net 20100428
status:         ASSIGNED NON-PORTABLE
source:         TWNIC

so an iptables rule for 111.249.0.0/17 would cover two of those 4 examples.

veto64 · 01-14-2014, 04:19 AM

thanks man you saved my day.
there are to to many different ip to look it up, so
i just brutally blocked temporally the complete range

iptables -I INPUT -s 36.0.0.0/8 -j DROP
iptables -I INPUT -s 118.0.0.0/8 -j DROP
iptables -I INPUT -s 114.0.0.0/8 -j DROP
iptables -I INPUT -s 111.0.0.0/8 -j DROP

unSpawn · 01-14-2014, 12:32 PM

Performance, ease of use, multiple vs one iptables rule: iptables vs ipset.

Noway2 · 01-16-2014, 01:15 PM

Out of curiosity, since we're talking about hinet.net, are you perchance running a mail server? If so, I would recommend subscribing and using one of the RBL service as this will reject the vast majority of their attempts.

veto64 · 01-16-2014, 08:43 PM

yes, running a postfix/courier mail server on a Debian Wheezy mininal.
all are smtp requests, still today and never so massively, always with a new ip addresses when one get dropped, if not, they go on stubbornly knocking on.

the postfix is blocking them, i'm getting this kind of log when a client tries to send via smtp but not deliver any authentication.

Jan 17 03:03:42 postfix/smtpd[20319]: NOQUEUE: reject: RCPT from 1-171-230-239.dynamic.hinet.net[1.171.230.239]: 450 4.7.1 Helo command rejected: Host not found; from=<cvimaabj@yahoo.com> to=<a83f@yahoo.com.tw> proto=SMTP helo

i have fail2ban installed but it not cover this,i think because the hin.net crowd not even try to authenticate themselves.

RBL service:
i put those to my smtpd_recipient_restrictions

reject_rbl_client dsn.rfc-ignorant.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client combined.rbl.msrbl.net,
reject_rbl_client rabl.nuclearelephant.com

not sure if this is enough. or is there any more effective way to protect the server resources.

kbp · 01-19-2014, 09:35 PM

You could try postgrey or policyd-weight and also set connection limits, the policy servers drop connections after basic connection info is established which reduces the resource demands of accepting and processing. The conection limits also slow them down a lot, I once had a host that tried to connect every second so I limited connections to 4 a minute and only 1 at a time.