DDoS Protection by country based filtering

DDoS prevention

DDoS prevention is a hot topic. DDoS attacks have become a weapon of choice for malicious actors conducting cyberattacks. I wrote a post on Defending Against Apache Web Server DDoS Attacks and contributed to the DDoS: Proactive and reactive measures document from CERT.be.

Country based IP filtering

One of the mitigation measures you can apply is country based IP filtering. This restricts access to your network to a limited set of prefixes. I consider it a last resort, to be used when other mitigations do not help.

Country based IP filtering means only allowing prefixes that belong to ‘your’ country. Where do you get these prefixes? From the registry allocation data behind the BGP announcements. For Europe, RIPE NCC makes this list available via ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest. Based on the information in the blog post Generating country IP ranges lists, I added a script to my tools section on GitHub.

Get it from https://github.com/cudeso/tools/blob/master/ip_per_country/ip_per_country_ripe.py.

Usage is:

./ip_per_country_ripe.py BE

This will result in:

5.23.128.0/17
5.35.192.0/21
5.134.0.0/21
5.149.136.0/21
5.255.128.0/21
31.12.64.0/21
31.14.50.0/23
...

You can then use this list in your access routers or firewalls. Note that such a filter list should only be applied as a temporary measure. It basically ‘closes’ the borders and partially does what the attackers want to achieve: make your service unavailable.
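To show what the script has to do with the RIPE file, here is an added example (my own illustration, not the ip_per_country_ripe.py script from the GitHub repository). It parses a few constructed lines in the RIR delegated-stats format (registry|cc|type|start|value|date|status), converts the IPv4 address counts to CIDR prefixes (a count that is not a power of two becomes several prefixes), collapses adjacent blocks, and includes a small allowlist check of the kind a firewall would perform against the resulting list. The sample records and the address_permitted helper are assumptions made for the example.

```python
import ipaddress

# Constructed sample of the RIR "delegated" stats format. Real files contain
# a version header, summary lines and one record per allocation:
#   registry|cc|type|start|value|date|status
# For ipv4 the value is a COUNT of addresses, for ipv6 it is a prefix length.
SAMPLE_DELEGATED = """\
2|ripencc|20240101|3|19830705|20231231|+0100
ripencc|*|ipv4|*|2|summary
ripencc|BE|ipv4|5.23.128.0|32768|20120613|allocated
ripencc|BE|ipv4|31.14.50.0|512|20110615|allocated
ripencc|BE|ipv4|193.190.0.0|3072|19930101|assigned
ripencc|NL|ipv4|5.35.192.0|2048|20120501|allocated
ripencc|BE|ipv6|2a02:2c40::|32|20100101|allocated
"""


def parse_delegated(text):
    """Yield (cc, type, start, value) for ipv4/ipv6 records only.

    Header, summary and comment lines are skipped; they either have too
    few fields, a non-address type, or '*' as the start address.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6") or fields[3] == "*":
            continue
        yield fields[1], fields[2], fields[3], int(fields[4])


def record_to_networks(addr_type, start, value):
    """Turn one record into a list of CIDR networks.

    An IPv4 count such as 3072 is not a single prefix, so the range is
    summarised into the minimal set of blocks (here a /21 plus a /22).
    """
    if addr_type == "ipv4":
        first = ipaddress.IPv4Address(start)
        last = first + (value - 1)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv6Network(f"{start}/{value}")]


def prefixes_for_country(text, cc, addr_type="ipv4"):
    """Return the sorted, collapsed prefix list for one country code."""
    nets = []
    for rec_cc, rec_type, start, value in parse_delegated(text):
        if rec_cc == cc.upper() and rec_type == addr_type:
            nets.extend(record_to_networks(rec_type, start, value))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def address_permitted(ip, prefixes):
    """Allowlist check: is the source address inside one of the prefixes?

    This mirrors what an ACL built from the list does; anything outside
    the country's prefixes is dropped, which is why the filter is only a
    temporary, last-resort measure.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    be = prefixes_for_country(SAMPLE_DELEGATED, "BE")
    print("\n".join(be))
    print(address_permitted("31.14.51.7", be), address_permitted("5.35.193.1", be))
```

Run it as-is to see the Belgian prefixes from the constructed sample; point parse_delegated at the downloaded delegated-ripencc-latest file to get the real list. The split of the 3072-address record into two prefixes is the detail most hand-written converters get wrong, so it is worth checking the output of any such script against the address counts in the source file.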
