3 Replies Latest reply on Mar 7, 2013 10:06 AM by rdestics

    Can I blackhole IP's using command line...IP obtained from TeaLeaf

      All,

       

      I want to see if it's possible, and if so how, to blackhole an IP that is identified as an IP hitting us way too aggressively.  We are using TeaLeaf customer experience monitoring to identify the IP and want to send that IP to the Sidewinder and have it automatically block them.

       

      Can anyone shed some light on how to do that or if it's even possible?

       

      Thank you in advance.

        • 1. Re: Can I blackhole IP's using command line...IP obtained from TeaLeaf

          You can use 'blackhole add x.x.x.x' to add an IP to the blackhole list (man blackhole). Otherwise, just create a deny rule with the source address set to the IP with a service set to block the port(s) you wish to deny. If you want to deny all TCP/UDP, I recommend creating a TCP/UDP packet filter with ports 1-65535 and use that as the service in the deny rule.

          1 of 1 people found this helpful
          • 2. Re: Can I blackhole IP's using command line...IP obtained from TeaLeaf

            Thank you rdestics.....I appreciate it greatly!

            I should have done a better job of explaining how I'd like it to work and I'll let you tell me if it's possible or not:

            1. TeaLeaf will somehow send an IP that is to be blackholed from hitting our website.
            2. An automated script will run on the Sidewinder to actually block them for, say, 12 hours or so.
            3. After the 12 hours they are unblocked.

             

            Our reason for doing this is that bots are opening sessions on our site with several hundred to a few thousand page requests in a short period of time and we want to block them.

             

            Does that help, and is that possible with the command you provided?

            • 3. Re: Can I blackhole IP's using command line...IP obtained from TeaLeaf

              Yes. You can specify additional options with the blackhole command. Let's say you want to blackhole the IP '1.1.1.1' on the external zone for 12 hours. The format of the command is:

               

              blackhole add <address> <zone> <timeout>

               

              So, the command you would run is:

               

              blackhole add 1.1.1.1 external 43200

               

              'Timeout' is in seconds - the blackhole entry will expire after the specified amount of time has elapsed.

               

              I am not sure how you would have the TeaLeaf product update or run a script on the firewall to run these commands. Good luck!

              1 of 1 people found this helpful
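
Added example, not part of the thread and not vendor code: one way to check addresses coming from an automated feed before they reach the `blackhole add <address> <zone> <timeout>` command given in reply 3, so that a malformed line or one of your own hosts is never blocked. The function names, the allowlist addresses, the feed file and the dry-run switch are assumptions made for illustration.

```shell
# Added example: validate addresses before running the thread's 'blackhole add'.
ZONE="external"                      # zone from the thread's example
TIMEOUT=43200                        # 12 hours, in seconds
ALLOWLIST="192.0.2.10 192.0.2.11"    # constructed: hosts that must never be blocked
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the command, 0 = run it

# Succeed only for a dotted-quad IPv4 address, octets 0-255, no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                        # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

is_allowlisted() {
    for entry in $ALLOWLIST; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# Status: 0 = command printed or run, 1 = malformed input, 2 = allowlisted.
blackhole_ip() {
    if ! valid_ipv4 "$1"; then
        echo "rejected: not a plain IPv4 address" >&2; return 1
    fi
    if is_allowlisted "$1"; then
        echo "skipped: $1 is allowlisted" >&2; return 2
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "blackhole add $1 $ZONE $TIMEOUT"
    else
        blackhole add "$1" "$ZONE" "$TIMEOUT"
    fi
}

# Optional driver: one address per line in the file named by $1 (hypothetical feed).
if [ -f "${1:-}" ]; then
    while IFS= read -r ip; do blackhole_ip "$ip" || true; done < "$1"
fi
```

Because the entry expires on its own after the timeout, no separate unblock step is needed for the 12-hour window described in reply 2.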