Blocking tens of thousands of IP's

Cox, Eric S eric.cox at kroger.com
Tue Nov 1 22:35:34 UTC 2016


Currently we track all access logs realtime via an in house built log aggregation solution. Various algorithms are setup to detect said IPS whether it be by hit rate, country, known types of attacks etc. These IPS are typically identified within a few mins and we reload to banned list every 60 seconds. We just moved some services from apache where we were doing this without any noticable performance impact. Have this working in nginx but was looking for general suggestion on how to optimize if at all possible.

-----Original Message-----
From: Rainer Duffner [rainer at ultra-secure.de]
Received: Tuesday, 01 Nov 2016, 5:51PM
To: nginx at nginx.org [nginx at nginx.org]
Subject: Re: Blocking tens of thousands of IP's


> Am 01.11.2016 um 22:46 schrieb Jeff Dyke <jeff.dyke at gmail.com>:
>
> what is your firewall?, that is the place to block subnets etc, i assume they are not random ips, they are likely from a block owned by someone??



Depends on the firewall, but our network-guys would refuse to do that (and have so in the past).
Apparently, the performance of firewalls when loaded with thousands of rules isn’t much to brag about ;-)

Additionally, they like to create their rules by hand instead of generating them (old school).

How are the IPs gathered?

_______________________________________________
nginx mailing list
nginx at nginx.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=CwIGaQ&c=WUZzGzAb7_N4DvMsVhUlFrsw4WYzLoMP5bgx2U7ydPE&r=20GRp3QiDlDBgTH4mxQcOIMPCXcNvWGMx5Y0qmfF8VE&m=FMODc3JSzrdrdzR0wbnGKDiUZI8s8iei9P6-WI1uOp8&s=AduDjg3qFeqZtQhu6YkSmcp-pwUZ6xy-IjPk0rGo0Xs&e=

________________________________

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20161101/dab9e86a/attachment.html>


More information about the nginx mailing list