Easiest way to 'blacklist' all IP ranges from a specific BGP session

I'm having an issue with people using VPNs to connect to something that I'm hosting. I need to get rid of them, and I've come to the conclusion that the easiest way to do this, given that I know who the IP range belongs to, is to blacklist all the IP ranges of this specific company with the BGP. Is there an easy way to do this?

Comments

  • rds100 Member

    If it's TCP connections you can set a nonexistent nexthop to the routes from this AS, this way they will still send you packets but the TCP connections can't be established (your traffic will not reach them).

  • @rds100 said:
    If it's TCP connections you can set a nonexistent nexthop to the routes from this AS, this way they will still send you packets but the TCP connections can't be established (your traffic will not reach them).

    I'm just hoping I don't have to ban the IPs by hand because that would be a huge pain.

  • ExpertVM Member, Host Rep

    Instead of blackholing the entire IP range, which might result in potential issues with mail or web server, why not drop the VPN port of the IP range?

  • Which router do you have?

  • @MarkTurner said:
    Which router do you have?

    Not sure. Don't have access to the router.

    @ExpertVM said:
    Instead of blackholing the entire IP range, which might result in potential issues with mail or web server, why not drop the VPN port of the IP range?

    I don't think it uses the same port.

  • Microlinux Member
    edited July 2014

    So you want to drop an entire AS?

  • black Member
    edited July 2014

    http://lowendtalk.com/discussion/29827/vpn-ip-check-work-in-progress


    BGP blacklisting is really overkill. At most you should blacklist the IP blocks an AS announces.

  • If you have a list of IPs or prefixes, you can just drop traffic on the edge of your network. If you want to drop the whole AS then just make a BGP filter and filter the incoming BGP advertisement; but don't forget to also drop the traffic as well if you are default routing traffic back to your upstream.

    Thanked by 1retry
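
For a host without router access, the prefix-list approach suggested in the replies can be done on the server itself. The following is an added example, not code from any poster in this thread: it collapses a list of prefixes into the smallest covering set and renders an nftables ruleset, optionally limited to one service port so mail and web traffic from the same ranges is unaffected. The function names, the table name `asblock`, port 8080 and the sample prefixes (documentation ranges) are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: documentation ranges standing in for the
# prefixes one AS announces. Includes overlaps and one bad entry.
SAMPLE_PREFIXES = [
    "192.0.2.0/25", "192.0.2.128/25",        # adjacent halves -> one /24
    "198.51.100.0/24", "198.51.100.64/26",   # /26 already covered by the /24
    "203.0.113.7",                           # single host
    "2001:db8::/33", "2001:db8:8000::/33",   # adjacent halves -> one /32
    "not-a-prefix",                          # must be rejected, not guessed
]

def aggregate(prefixes):
    """Parse prefixes, split by address family and collapse overlaps.
    Returns (v4_networks, v6_networks, rejected_strings)."""
    v4, v6, rejected = [], [], []
    for text in prefixes:
        try:
            net = ipaddress.ip_network(text.strip(), strict=False)
        except ValueError:
            rejected.append(text)
            continue
        (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)), rejected)

def render_nft(v4, v6, tcp_port=None):
    """Render an nftables table dropping traffic from the given sources.
    With tcp_port set, only that service is blocked for those sources."""
    match = f"tcp dport {tcp_port} " if tcp_port is not None else ""
    out = ["table inet asblock {"]
    for name, kind, nets in (("blocked_v4", "ipv4_addr", v4),
                             ("blocked_v6", "ipv6_addr", v6)):
        if nets:
            elems = ", ".join(str(n) for n in nets)
            out += [f"  set {name} {{", f"    type {kind}",
                    "    flags interval", f"    elements = {{ {elems} }}", "  }"]
    out += ["  chain input {",
            "    type filter hook input priority 0; policy accept;"]
    if v4:
        out.append(f"    ip saddr @blocked_v4 {match}drop")
    if v6:
        out.append(f"    ip6 saddr @blocked_v6 {match}drop")
    out += ["  }", "}"]
    return "\n".join(out)

if __name__ == "__main__":
    v4, v6, bad = aggregate(SAMPLE_PREFIXES)
    print(render_nft(v4, v6, tcp_port=8080))  # 8080 is a placeholder port
    print("# rejected entries:", bad)
```

The printed ruleset can be reviewed and then loaded with `nft -f`; rejected entries are reported rather than silently skipped so a malformed list does not leave a gap unnoticed.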