Meraki

Community

Blocking Botnet Attacks

EricD10
Conversationalist
‎Jan 18 2021 5:05 PM
‎Jan 18 2021 5:05 PM

Blocking Botnet Attacks

Hello All,

 

I have a public-facing web server on my network that has been getting a number of attacks.

 

I have an MX84 with advanced security. I set the mode to Prevention and the ruleset to Security in hopes that it would stop the attacks.

 

While many attacks have been blocked, there are still a few getting by that is causing  my web service to lock up.

 

I only need people in WA and ID state to access my web server, so I tried adding a Firewall rule to block countries. It appears to block both in and outward traffic though, which I do not want. I only want to block inward traffic to the web server.

 

Are there any other options besides monitoring and blocking subnets of attackers?

0 Kudos
6 Replies 6
bmehta
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Jan 18 2021 8:19 PM
‎Jan 18 2021 8:19 PM

Hello,
@EricD10 If you have a NAT rule configured for the server you can restrict the IPs / allow only specific IPs in the "Allow inbound connections". Also, having the server in DMZ vlan is always recommended. 
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security...

0 Kudos
In response to bmehta
EricD10
Conversationalist
‎Jan 19 2021 9:22 AM
‎Jan 19 2021 9:22 AM

Thanks @bmehta ,

 

Unfortunately I don't know all of the specific IPs connecting inward. It is an employee portal that staff in our area use, but they are in various cities in our area using varying ISPs and phone services. I can't get a definitive whitelist.

 

What do other admins do in situations like these? I had an admin once that kept blacklisting individual IP addresses, but it was ineffective as there were too many shifting IP addresses.

0 Kudos
In response to EricD10
BrandonS
Kind of a big deal
‎Jan 19 2021 9:53 AM
‎Jan 19 2021 9:53 AM

Can't you host this via a hosting provider that has the protection and resiliency you require?  

 

This seems like the same/similar reason people use RingCentral, Vonage, etc. instead of putting their own IP PBX on the public internet.  Any interesting services that are open to the public internet will get constantly probed and attacked and eventually hacked.  Companies like Cloudflare as an example exist for this reason.

 

 

- Ex community all-star (⌐⊙_⊙)
In response to BrandonS
EricD10
Conversationalist
‎Jan 19 2021 10:00 AM
‎Jan 19 2021 10:00 AM

I'm a huge fan of cloud service (we use O365, Netsuite, RingCentral, etc.) For this service there is no cloud option. The site is part of a niche local controlled environment tracking solution. The service must communicate with local devices on site.

 

Best I could do is create a couple of cloud servers (web and database), site to site vpn them back home, and possibly leverage the cloud provider's IPS. That's really involved though and I was hoping that the advanced security licensing I bought would take care of it. Perhaps I was wrong.

0 Kudos
In response to EricD10
BrandonS
Kind of a big deal
‎Jan 19 2021 1:35 PM
‎Jan 19 2021 1:35 PM

Why not try Cloudflare (or find competitors)?  Your use case is exactly what they are designed for.  I can see thinking the Meraki and advanced security would be up to the task, but really it is designed to protect users and not server assets.  There is no firewall you can purchase that can protect you from a malicious DDOS attack.  

 

https://support.cloudflare.com/hc/en-us/articles/205177068-How-does-Cloudflare-work-

 

 

 

 

- Ex community all-star (⌐⊙_⊙)
In response to BrandonS
EricD10
Conversationalist
‎Jan 19 2021 1:46 PM
‎Jan 19 2021 1:46 PM

Thank you, this is good to know. I may need to try them out.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.