Considerations for automating firewall prefix management via XML

‎01-28-2014 09:20 AM

We have a home built DoS attack mitigator which, when an attack is triggered, adds iptables-rules to our public servers and which blocks the attackers.

This has obvious drawbacks in terms of scalability and manageability. There are hundreds of servers and hundreds of prefixes, probably thousands before soon.


We are looking into wether it would be possible for the "DoS attack mitigator" to instead add the prefix to a firewall filter at our edge routers (via XML).

What would be the things too look out for here when implementing a solution like this? Maximum number of firewall prefixes? Doing configuration commits too often? Is the firewalling done in hardware or would we run into issues when prefix lists are too long? If i remember correctly, arbor works in a similar way (but only with SRX's?) so the method as such probably wouldn't be that exotic.




Re: Considerations for automating firewall prefix management via XML

‎01-28-2014 10:32 AM

Novel dea which would work, but yes there are issues you would probably see when the number firewall filters and lines increases. However to also minimize that problem, you could create the appropriate firewall filter and reference a prefix-list instead of adding multiple prefixes to filter itself. So you would only need your xml to add the prefixes to the prefi-list. The firewall filters are implemented in hardward in the forwarding plane. personally I have no expereince working with the xml stuff so I cannot offer any help there, but have you considered testing the AppSecure suite which would give you AppDOS? You may also want to ask about the effectiveness of the :

If the servers are webservers, you want check out WebApp Secure (formerly Mykonos - Track Attackers Beyond the IP Address). Not sure why marketing seems non existent, but personally I beleive this is a great weapon! I have not had any experience with it either, but maybe a consideration for future equipment if your companay so desires.

Track Attackers Beyond the IP Address

IP Address Is Only the Start

Mykonos Web Security captures the IP address as one data point for tracking the attacker, but realizes that making decisions on attackers identified only by an IP address is fundamentally flawed because many legitimate users could be accessing your site from the same IP address. For this reason, Mykonos Web Security tracks the attackers in, significantly, more granular ways.

Track Browser Attacks

For attackers who are using a browser to hack your website, the Mykonos Web Security tracks attackers by injecting a persistent token into the attacker's client. The token persists even if the attacker clears cache and cookies and has the capacity to persist in all browsers including those with various privacy control features.As a result of this persistent token, the Mykonos Web Security can prevent a single attacker from attacking your site while allowing all legitimate users normal access.

Track Software and Script Attacks

For attackers who are using software and scripts to hack your website, the Mykonos Web Security tracks attackers using a fingerprinting technique to identify the machine delivering the script.


[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]