Solved

Block a range of IP addresses

Posted on 2004-08-16
16
13,036 Views
Last Modified: 2007-12-19
Hi,

I am trying to add some IP addresses to an IP block list on my smoothwall firewall.

Firstly I do a whois lookup to return a range of IPs

So if I get a bunch of portscans from  202.124.136.46
I get info about the source network http://www.whois.sc/202.124.136.46
Which returns a network range  202.124.136.0 - 202.124.136.127

Now sometimes I get an IP range represented like this 202.124.0.0/12
it is then easy to block the entire network by entering 202.124.0.0/12 into ipblock

What I want to know: Is there any way to, or any software around that can, represent the range returned in the format that I can enter into the IPBLOCK GUI?

So enter start address and end address (202.124.136.0 - 202.124.136.127) and get a result that encapsulates the range like: 202.124.0.0/16       <<<<<< I know this range is too broad, that's what I need to know how to calculate.


Do you know what I mean???

Alan
0
Question by:Alan Warren
16 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 11808367
block

201.124.136.0 255.255.255.128

or
202.124.136.0/26 if you prefer the short notation
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11808382
or if you support wildcard masking

block

201.124.136.0            0.0.0.127

will block that first IP range you're concerned with
0
 
LVL 26

Author Comment

by:Alan Warren
ID: 11808396
Hi Pete

how did you derive this address: 202.124.136.0/26

that's my question
and is there any software out there that will derive it for me?


thanks for the response

Alan :)
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 11808580
Solarwinds has a good, free subnet calculator here: http://www.solarwinds.net/Tools/Free_tools/Subnet_Calc/index.htm

Todd Lammle wrote an excellent chapter on subnetting IP in his Sybex CCNA book. If you can pick that up, it is good reading. If not, try this:

http://www.learntosubnet.com/

Kent
0
 
LVL 7

Expert Comment

by:gnegrota
ID: 11809034
The 202.124.136.0 .... 202.124.136.127 subnet has the mask 255.255.255.128, i.e.

255         .255        .255         .128
11111111.11111111.11111111.10000000
|<---------  25 bits '1' --------->|

(is /25, not /26; /26 is .192)


0
 
LVL 7

Expert Comment

by:gnegrota
ID: 11809077
202.124.0.0/12 is


NET : 202         .124         .0            .0
Mask: 11111111.11111111.11110000.00000000

i.e. 202.124.0.0 mask 255.255.240.0

:-)
0
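The two comments above work with the same three spellings of a netmask: a prefix length (/25, /12), a dotted-decimal mask (255.255.255.128) and, in Pete Long's wildcard form, the bitwise complement (0.0.0.127). The following is an added example, not code from the thread or from Smoothwall, that converts between the three and prints the binary diagram the comment above draws by hand. It assumes plain IPv4 and rejects non-contiguous masks, which no CIDR prefix can express.

```python
# Added example (not from the thread): IPv4 netmask conversions.
# prefix length  <->  dotted-decimal mask  <->  wildcard (Cisco ACL) mask


def dotted_to_int(addr: str) -> int:
    """Turn '255.255.255.128' into a 32-bit integer, validating each octet."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/25 -> '255.255.255.128': the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """'255.255.224.0' -> 19. Rejects masks whose 1 bits are not contiguous
    (e.g. 255.255.0.255), because no /n prefix can describe them."""
    value = dotted_to_int(mask)
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def mask_to_wildcard(mask: str) -> str:
    """'255.255.255.128' -> '0.0.0.127': the bitwise complement of the mask."""
    return int_to_dotted(dotted_to_int(mask) ^ 0xFFFFFFFF)


def mask_bits(mask: str) -> str:
    """Render the mask as four 8-bit groups, the way the thread draws it."""
    value = dotted_to_int(mask)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    for mask in ("255.255.255.128", "255.255.240.0", "255.255.224.0"):
        print(f"{mask:>16}  {mask_bits(mask)}  /{mask_to_prefix(mask)}"
              f"  wildcard {mask_to_wildcard(mask)}")
    for prefix in (12, 19, 25, 26):
        print(f"/{prefix:<3} = {prefix_to_mask(prefix)}")
```

Running it on the values in this thread shows 255.255.255.128 as /25 with wildcard 0.0.0.127, /26 as 255.255.255.192, /19 as 255.255.224.0, /12 as 255.240.0.0, and 255.255.240.0 as /20.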
 
LVL 28

Expert Comment

by:peakpeak
ID: 11809100
Why don't you block ALL incoming addresses? Your outgoing traffic will be let back in in any case.
If you want to allow a certain computer in you can just enable that address.
Much easier and MUCH more effective than collecting intruder addresses.

Regards
Peter
0
 
LVL 26

Author Comment

by:Alan Warren
ID: 11809118
Hi gnegrota,

sorry for seeming so dumb here but how are you doing that?
are you subtracting one from the other?


I don't get it ... :)






0
 
LVL 26

Author Comment

by:Alan Warren
ID: 11809129
hey Peter


tell me more...

Alan
0
 
LVL 26

Author Comment

by:Alan Warren
ID: 11809146
Hi EmpKent

downloaded solarwinds but I can't find anywhere to input a range and return an address I can use to block a range


Alan
0
 
LVL 26

Author Comment

by:Alan Warren
ID: 11809179
The Intrusion detection logs show stuff like this:

Date: 08/16 21:23:48 Name: spp_portscan: portscan status from 203.23.158.157: 1 connections across 1 hosts: TCP(1), UDP(0)
Priority: n/a Type: n/a
IP info: n/a:n/a -> n/a:n/a
References: none found

so I do a whois: http://www.whois.sc/203.23.158.157 and get stuff like:

SSL Cert:  No valid SSL on this Host, Get Secure
Record Type:  IP Address
IP Location:   Australia - Victoria - Melbourne - Australia On Line
Reverse IP:  No websites hosted using this IP address
 

--------------------------------------------------------------------------------
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      203.23.152.0 - 203.23.159.255
netname:      AOL2-AU
descr:        Australia On Line

So what do I type in the IP Block GUI, and how do I get that from the above range.


Don't mean to be difficult, just don't get it.... LOL


Alan


0
 
LVL 7

Expert Comment

by:gnegrota
ID: 11809299
You can try 203.23.152.0 mask 255.255.248.0   ( that means your interval, and is /21 ), but if you receive an error....leave IP subnetting alone and block :
203.23.152.0/24
203.23.153.0/24
203.23.154.0/24
203.23.155.0/24
203.23.156.0/24
203.23.157.0/24
203.23.158.0/24
203.23.159.0/24

203.23.x.x is a Class C network and a valid mask is 255.255.255.x , but if the "AOL" are using something like supernetting....:-)

Anyway, you have the solution. The rest is TCP/IP theory and some CISCO stuff.


0
 
LVL 9

Expert Comment

by:fixnix
ID: 11813983
I might be reading Alan's question wrong, but it looks like he's simply asking for an explanation of CIDR notation or how to convert from a xxx.xxx.xxx.xxx-xxx.xxx.xxx.yyy range to xxx.xxx.xxx.xxx/yy format.  Perhaps http://infocenter.guardiandigital.com/manuals/IDDS/node9.html and http://itadmin.appfa.auckland.ac.nz/FAQ/Network/IP-CIDR.htm can make it a tad clearer for you.  Sorry if that's not what you were confused about.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11814509
as peakpeak says above

your firewall should be blocking everything (inbound) - never try to work out what to block - block everything, then you can work out what you want to let in

remember a stateful firewall will let your clients out (if you let them) and will let the same traffic back in implicitly

if you get stuck with subnetting there's an online subnet calculator here http://www.telusplanet.net/public/sparkman/netcalc.htm

0
 
LVL 26

Author Comment

by:Alan Warren
ID: 11816815
Hi

this is the deal.

1... I believe that all inbound traffic is blocked by default for any SmoothWall Express 2.0 installation.
2... Each day I check the Intrusion Detection System logs(IDS) for attempts to gain access.
  eg...
  Date: 08/17 01:13:57 Name: WEB-CLIENT javascript URL host spoofing attempt
  Priority: 1 Type: Attempted User Privilege Gain
  IP info: 66.218.71.196:80 -> 203.23.152.162:2938
  References: 1  


3... To confirm that the intruder was not successful, I check for the IP address in the Firewalling log.
4... If the firewalling log has no record matching the IDS log then something is fishy, possible breach, hmmm.
  oOOH cant find it in the firewalling log!

5... So then I look up the Net Range of the IP that was detected by IDS
  NetRange:   66.218.64.0 - 66.218.95.255
  CIDR:       66.218.64.0/19
  NetName:    A-YAHOO-U23


6... Sometimes the CIDR notation is returned by the lookup    CIDR:       66.218.64.0/19
   I believe that if I add this CIDR address to the IP Blocklist then the entire NetRange:  
   66.218.64.0 - 66.218.95.255 will be explicitly blocked.
   How am I doing so far?

7... Sometimes I don't get a CIDR: I only get a NetRange: 66.218.64.0 - 66.218.95.255  hmmmm??? This is the problem.
  How do I derive the CIDR that encapsulates the entire netrange.

Got a glimmer of insight from converting the upper range 66.218.95.255 to binary octets 01000010 11011010 01011111 11111111 then counting the 1's, but there are 21 1's not 19 as the CIDR notation suggests

Working on this best guess theory LOL I then take the base address 66.218.64.0 and append /21 to the end of it.

Is this making any sense at all?
Still don't know how /19 was derived arrggghhhhhh!!!!!

Unless there are 2 reserved; one for base address and one for broadcast address, 21 - 2 = 19.
Bloody guessing here now.

I did some cisco certification a few years ago, but it's all a black hole to me now.

Alan





0
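Steps 2 to 7 above are a small daily triage: read the IDS entries, pull out the remote address, and decide whether it is already covered by a block-list entry before doing a whois. The following is an added example, not code from the thread or from Smoothwall, that does that over the two entry shapes quoted in this thread (the portscan line names the scanner after "portscan status from"; other alerts carry source and destination in the "IP info:" line). The IDS text and the block list are constructed for the example: the first two entries copy the ones quoted above, the third is invented and uses the documentation range 192.0.2.0/24.

```python
# Added example (not from the thread): extract IDS source addresses and check
# them against a CIDR block list using Python's standard ipaddress module.
import ipaddress
import re

# Constructed IDS log text. Entries 1 and 2 mirror the thread's quoted entries;
# entry 3 is invented (192.0.2.0/24 is reserved for documentation).
IDS_LOG = """\
Date: 08/16 21:23:48 Name: spp_portscan: portscan status from 203.23.158.157: 1 connections across 1 hosts: TCP(1), UDP(0)
Priority: n/a Type: n/a
IP info: n/a:n/a -> n/a:n/a
References: none found

Date: 08/17 01:13:57 Name: WEB-CLIENT javascript URL host spoofing attempt
Priority: 1 Type: Attempted User Privilege Gain
IP info: 66.218.71.196:80 -> 203.23.152.162:2938
References: 1

Date: 08/17 03:40:12 Name: spp_portscan: portscan status from 192.0.2.44: 12 connections across 1 hosts: TCP(12), UDP(0)
Priority: n/a Type: n/a
IP info: n/a:n/a -> n/a:n/a
References: none found
"""

# Hypothetical current contents of the IP block list (CIDR entries).
BLOCKLIST = ["66.218.64.0/19"]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PORTSCAN_RE = re.compile(r"portscan status from " + IPV4)
# "IP info: src:port -> dst:port"; the remote side is the source here.
IPINFO_RE = re.compile(r"IP info: " + IPV4 + r":\d+ -> ")


def extract_source_ips(log_text: str) -> list[str]:
    """Remote addresses named in the IDS log, in first-seen order, without duplicates."""
    found: list[str] = []
    for line in log_text.splitlines():
        match = PORTSCAN_RE.search(line) or IPINFO_RE.search(line)
        if match and match.group(1) not in found:
            found.append(match.group(1))
    return found


def in_cidr(ip: str, cidr: str) -> bool:
    """True if ip lies inside the block. strict=False accepts an entry whose host
    bits are not all zero (a whois-printed 202.124.0.0/12, say) by masking it down."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def uncovered_sources(log_text: str, blocklist: list[str]) -> list[str]:
    """IDS source addresses not inside any block-list entry: the ones still to look up."""
    return [ip for ip in extract_source_ips(log_text)
            if not any(in_cidr(ip, cidr) for cidr in blocklist)]


if __name__ == "__main__":
    for ip in extract_source_ips(IDS_LOG):
        hit = next((c for c in BLOCKLIST if in_cidr(ip, c)), None)
        print(f"{ip:>15}  {'covered by ' + hit if hit else 'not covered, whois needed'}")
```

One caveat worth applying before blocking a provider's whole /19: in the second entry the remote side is port 80 and the local side is a high port (2938), which is the shape of a web server answering a request the client itself made, not an unsolicited inbound connection. The stateful firewall lets such replies in by design, so their absence from the firewalling log is expected rather than a sign of a breach.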
 
LVL 7

Accepted Solution

by:
gnegrota earned 500 total points
ID: 11818137
:-) Ok... /19 means the MASK 11111111.11111111.11100000.00000000 i.e. 255.255.224.0 You can count 19 of "1" in mask so .... It's more clear now? And, yes, 66.218.64.0/19 is a network range 66.218.64.0 - 66.218.95.255 (with some exclusions; anyway, there are 2046 subnets definable)
For me, the attack seems a simple spoofing to gain access in a victim mailbox, and it is "normal" to receive something like this. After all, Yahoo is not responsible for that. Not at the first sight...for the free accounts. But this is another ...
Rules about the subnetting:
1) IP (AND) Mask = Broadcast address ( AND logical, in binary)
2) IP (OR) ! Mask = Network address ( OR logical in binary, !Mask is the NOT Mask )

0
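The question the thread keeps circling is how to get from a whois "start - end" range to something the block list accepts. Counting 1 bits in the broadcast address (as tried above) does not give the prefix; the prefix is the number of leading bits that start and end have in common, with the remaining bits all 0 in start and all 1 in end (66.218.64.0 - 66.218.95.255: 64 = 01000000 and 95 = 01011111 share their top three bits, so 8 + 8 + 3 = 19). The following is an added example, not code from the thread or from Smoothwall, that implements this in general: it covers any range, aligned or not, with the fewest CIDR blocks, can cap block size at /24 for a GUI that rejects wider masks (the alternative gnegrota gives above), and computes network and broadcast with the standard definitions network = address AND mask, broadcast = address OR NOT mask.

```python
# Added example (not from the thread): whois range -> CIDR blocks, and
# network/broadcast from an address plus prefix length. IPv4 only.


def dotted_to_int(addr: str) -> int:
    """'66.218.64.0' -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_and_broadcast(ip: str, prefix: int) -> tuple[str, str]:
    """Standard rules: network = IP AND mask; broadcast = IP OR (NOT mask)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    ip_int = dotted_to_int(ip)
    return int_to_dotted(ip_int & mask), int_to_dotted(ip_int | (mask ^ 0xFFFFFFFF))


def range_to_cidrs(start: str, end: str, widest: int = 0) -> list[str]:
    """Cover start..end exactly with the fewest CIDR blocks.

    A block of prefix p beginning at address a is legal only if a is a multiple
    of 2**(32-p) (its host bits are zero) and a + 2**(32-p) - 1 does not pass
    end. Starting from a /32 at the current address, the block is widened one
    bit at a time while both conditions hold. `widest` caps how wide a block may
    become: widest=24 forbids anything larger than a /24.
    """
    cur, last = dotted_to_int(start), dotted_to_int(end)
    if cur > last:
        raise ValueError("start must not be above end")
    blocks: list[str] = []
    while cur <= last:
        prefix = 32
        while prefix > widest:
            size = 1 << (32 - (prefix - 1))  # size of the next wider block
            if cur & (size - 1) or cur + size - 1 > last:
                break
            prefix -= 1
        blocks.append(f"{int_to_dotted(cur)}/{prefix}")
        cur += 1 << (32 - prefix)
    return blocks


if __name__ == "__main__":
    # The three ranges quoted in the thread.
    for start, end in [("202.124.136.0", "202.124.136.127"),
                       ("203.23.152.0", "203.23.159.255"),
                       ("66.218.64.0", "66.218.95.255")]:
        print(f"{start} - {end}  ->  {' '.join(range_to_cidrs(start, end))}")
    print("no wider than /24:", range_to_cidrs("203.23.152.0", "203.23.159.255", widest=24))
    print("66.218.71.196 /19 ->", network_and_broadcast("66.218.71.196", 19))
```

On the thread's ranges this yields 202.124.136.0/25, 203.23.152.0/21 and 66.218.64.0/19; with widest=24 the /21 becomes the eight /24 entries listed above. A range that does not start and end on block boundaries (10.0.0.5 - 10.0.0.8, say) needs several blocks, which is why a single "start/n" answer does not always exist. Python's standard library does the same job with ipaddress.summarize_address_range(ipaddress.ip_address(start), ipaddress.ip_address(end)).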
