Solved

Block a range of IP addresses

Posted on 2004-08-16
13,029 Views
Last Modified: 2007-12-19
Hi,

I am trying to add some IP addresses to an IP block list on my smoothwall firewall.

Firstly I do a whois lookup to return a range of IPs.

So if I get a bunch of portscans from 202.124.136.46,
I get info about the source network at http://www.whois.sc/202.124.136.46,
which returns a network range 202.124.136.0 - 202.124.136.127

Now sometimes I get an IP range represented like this: 202.124.0.0/12
It is then easy to block the entire network by entering 202.124.0.0/12 into ipblock.

What I want to know: is there any way, or any software around, that can represent the range returned in the format that I can enter into the IPBLOCK GUI?

So enter start address and end address (202.124.136.0 - 202.124.136.127) and get a result that encapsulates the range like: 202.124.0.0/16       <<<<<< I know this range is too broad, that's what I need to know how to calculate.


Do you know what I mean???

Alan
0
Comment
Question by:Alan Warren
16 Comments
 
LVL 57

Expert Comment

by:Pete Long
block

201.124.136.0 255.255.255.128

or
202.124.136.0/26 if you prefer the short notation
0
 
LVL 57

Expert Comment

by:Pete Long
or if you support wildcard masking

block

201.124.136.0            0.0.0.127

will block that first IP range you're concerned with
0
 
LVL 26

Author Comment

by:Alan Warren
Hi Pete

How did you derive this address: 202.124.136.0/26?

That's my question,
and is there any software out there that will derive it for me?


thanks for the response

Alan :)
0
 
LVL 7

Expert Comment

by:EmpKent
Solarwinds has a good, free subnet calculator here: http://www.solarwinds.net/Tools/Free_tools/Subnet_Calc/index.htm

Todd Lammle wrote an excellent chapter on subnetting IP in his Sybex CCNA book. If you can pick that up, it is good reading. If not, try this:

http://www.learntosubnet.com/

Kent
0
 
LVL 7

Expert Comment

by:gnegrota
The 202.124.136.0 .... 202.124.136.127 subnet has a 255.255.255.128 mask, i.e.

255         .255        .255         .128
11111111.11111111.11111111.10000000
|<---------  25 bits '1' --------->|

(is /25, not /26; /26 is .192)


0
 
LVL 7

Expert Comment

by:gnegrota
202.124.0.0/12 is


NET : 202         .124         .0            .0
Mask: 11111111.11111111.11110000.00000000

i.e. 202.124.0.0 mask 255.255.240.0

:-)
0
 
LVL 28

Expert Comment

by:peakpeak
Why don't you block ALL incoming addresses? Your outgoing traffic will be let back in in any case.
If you want to allow a certain computer in you can just enable that address.
Much easier and MUCH more effective than collecting intruder addresses.

Regards
Peter
0
 
LVL 26

Author Comment

by:Alan Warren
Hi gnegrota,

Sorry for seeming so dumb here, but how are you doing that?
Are you subtracting one from the other?

I don't get it ... :)

0
 
LVL 26

Author Comment

by:Alan Warren
hey Peter


tell me more...

Alan
0
 
LVL 26

Author Comment

by:Alan Warren
Hi EmpKent

Downloaded SolarWinds, but I can't find anywhere to input a range and return an address I can use to block a range.


Alan
0
 
LVL 26

Author Comment

by:Alan Warren
The Intrusion detection logs show stuff like this:

Date: 08/16 21:23:48 Name: spp_portscan: portscan status from 203.23.158.157: 1 connections across 1 hosts: TCP(1), UDP(0)
Priority: n/a Type: n/a
IP info: n/a:n/a -> n/a:n/a
References: none found

so I do a whois: http://www.whois.sc/203.23.158.157 and get stuff like:

SSL Cert:  No valid SSL on this Host, Get Secure
Record Type:  IP Address
IP Location:   Australia - Victoria - Melbourne - Australia On Line
Reverse IP:  No websites hosted using this IP address
 

--------------------------------------------------------------------------------
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      203.23.152.0 - 203.23.159.255
netname:      AOL2-AU
descr:        Australia On Line

So what do I type in the IP Block GUI, and how do I get that from the above range?

Don't mean to be difficult, just don't get it.... LOL

Alan

0
 
LVL 7

Expert Comment

by:gnegrota
You can try 203.23.152.0 mask 255.255.248.0 (that means your interval, and is /21), but if you receive an error.... leave IP subnetting alone and block:
203.23.152.0/24
203.23.153.0/24
203.23.154.0/24
203.23.155.0/24
203.23.156.0/24
203.23.157.0/24
203.23.158.0/24
203.23.159.0/24

203.23.x.x is a Class C network and a valid mask is 255.255.255.x, but if the "AOL" are using something like supernetting....:-)

Anyway, you have the solution. The rest is TCP/IP theory and some CISCO stuff.


0
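Added example (not code from any poster in this thread): the conversion Alan is asking for, from a start/end range as whois returns it to the CIDR block(s) that cover it exactly. A block can only be aligned on its own size, so the loop starts at /32 and widens while the block stays aligned and inside the range, then moves past it. The optional `shortest_prefix` cap reproduces gnegrota's fallback of eight /24s for a /21 range. The range is assumed to be inclusive at both ends, as in the whois output quoted above; the hypothetical `matches_stdlib` helper cross-checks the result against Python's own `ipaddress.summarize_address_range`, which does the same job in the standard library.

```python
import ipaddress
from typing import List


def range_to_cidrs(start: str, end: str, shortest_prefix: int = 0) -> List[str]:
    """Cover every address from start to end (inclusive) with the fewest CIDR blocks.

    shortest_prefix caps the block size: 24 means "never emit anything larger
    than a /24", so a /21 range comes back as eight /24 entries instead of one.
    """
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("start address must not be above end address")

    blocks = []
    while lo <= hi:
        prefix = 32
        # Widen the block one bit at a time while it is still aligned on its
        # own size (lo divisible by 2**(32-prefix)) and still ends inside the range.
        while prefix > shortest_prefix:
            size = 1 << (32 - (prefix - 1))
            if lo % size != 0 or lo + size - 1 > hi:
                break
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += 1 << (32 - prefix)  # continue just past the block we emitted
    return blocks


def matches_stdlib(start: str, end: str) -> bool:
    """Cross-check against the standard library's summarize_address_range."""
    expected = [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        )
    ]
    return range_to_cidrs(start, end) == expected


if __name__ == "__main__":
    # The three ranges that appear in this thread, plus one that is not aligned
    # and therefore needs several blocks.
    for s, e in [
        ("202.124.136.0", "202.124.136.127"),
        ("203.23.152.0", "203.23.159.255"),
        ("66.218.64.0", "66.218.95.255"),
        ("10.0.0.5", "10.0.0.10"),
    ]:
        print(f"{s} - {e}  ->  {', '.join(range_to_cidrs(s, e))}")
    print("/24 split:", range_to_cidrs("203.23.152.0", "203.23.159.255", shortest_prefix=24))
```

The first three ranges each collapse to a single block (/25, /21 and /19), because each starts on a boundary of its own size; a range like 10.0.0.5 - 10.0.0.10 does not, and comes back as four small blocks, which is exactly what a blocklist needs if it only accepts CIDR entries.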
 
LVL 9

Expert Comment

by:fixnix
I might be reading Alan's question wrong, but it looks like he's simply asking for an explanation of CIDR notation or how to convert from a xxx.xxx.xxx.xxx-xxx.xxx.xxx.yyy range to xxx.xxx.xxx.xxx/yy format. Perhaps http://infocenter.guardiandigital.com/manuals/IDDS/node9.html and http://itadmin.appfa.auckland.ac.nz/FAQ/Network/IP-CIDR.htm can make it a tad clearer for you. Sorry if that's not what you were confused about.
0
 
LVL 57

Expert Comment

by:Pete Long
As peakpeak says above,

your firewall should be blocking everything (inbound). Never try to work out what to block - block everything, then you can work out what you want to let in.

Remember a stateful firewall will let your clients out (if you let them) and will let the same traffic back in implicitly.

If you get stuck with subnetting, there's an online subnet calculator here: http://www.telusplanet.net/public/sparkman/netcalc.htm

0
 
LVL 26

Author Comment

by:Alan Warren
Hi

this is the deal.

1... I believe that all inbound traffic is blocked by default for any SmoothWall Express 2.0 installation.
2... Each day I check the Intrusion Detection System (IDS) logs for attempts to gain access.
  eg...
  Date: 08/17 01:13:57 Name: WEB-CLIENT javascript URL host spoofing attempt
  Priority: 1 Type: Attempted User Privilege Gain
  IP info: 66.218.71.196:80 -> 203.23.152.162:2938
  References: 1  


3... To confirm that the intruder was not successful, I check for the IP address in the Firewalling log.
4... If the firewalling log has no record matching the IDS log then something is fishy, possible breach, hmmm.
  oOOH can't find it in the firewalling log!

5... So then I look up the Net Range of the IP that was detected by IDS
  NetRange:   66.218.64.0 - 66.218.95.255
  CIDR:       66.218.64.0/19
  NetName:    A-YAHOO-U23


6... Sometimes the CIDR notation is returned by the lookup    CIDR:       66.218.64.0/19
   I believe that if I add this CIDR address to the IP Blocklist then the entire NetRange:
   66.218.64.0 - 66.218.95.255 will be explicitly blocked.
   How am I doing so far?

7... Sometimes I don't get a CIDR: I only get a NetRange: 66.218.64.0 - 66.218.95.255  hmmmm??? This is the problem.
  How do I derive the CIDR that encapsulates the entire netrange?

Got a glimmer of insight from converting the upper range 66.218.95.255 to binary octets 01000010 11011010 01011111 11111111 then counting the 1s, but there are 21 1s, not 19 as the CIDR notation suggests.

Working on this best guess theory LOL I then take the base address 66.218.64.0 and append /21 to the end of it.

Is this making any sense at all?
Still don't know how /19 was derived arrggghhhhhh!!!!!

Unless there are 2 reserved; one for base address and one for broadcast address, 21 - 2 = 19.
Bloody guessing here now.

I did some Cisco certification a few years ago, but it's all a black hole to me now.

Alan

0
 
LVL 7

Accepted Solution

by:
gnegrota earned 500 total points
:-) Ok... /19 means the MASK 11111111.11111111.11100000.00000000 i.e. 255.255.224.0. You can count 19 "1"s in the mask, so .... Is it clearer now? And, yes, 66.218.64.0/19 is the network range 66.218.64.0 - 66.218.95.255 (with some exclusions; anyway, there are 2046 subnets definable)
For me, the attack seems a simple spoofing to gain access to a victim's mailbox, and it is "normal" to receive something like this. After all, Yahoo is not responsible for that. Not at first sight... for the free accounts. But this is another ...
Rules about subnetting:
1) IP (AND) Mask = Broadcast address (logical AND, in binary)
2) IP (OR) !Mask = Network address (logical OR in binary; !Mask is the NOT of Mask)

0
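Added example (not code from any poster in this thread) working the mask arithmetic behind the accepted answer, with the bit operations as the ipaddress module and every router implement them: the mask for a /N is N one-bits followed by zeros, the network address is IP AND mask, the broadcast address is network OR NOT mask, and the prefix length is the number of one-bits in the mask. It also shows why counting the one-bits of the broadcast address (21 for 66.218.95.255, as Alan did) does not give the prefix, and reports whether the address written in front of the slash is actually the network base, which it need not be. The inputs are the ranges and masks quoted in this thread; `describe_cidr`, `prefix_from_mask` and `ones_in` are hypothetical helper names.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def _to_binary(value: int) -> str:
    """32-bit value as dotted binary octets, e.g. 11111111.11111111.11100000.00000000."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def ones_in(dotted: str) -> int:
    """Number of one-bits in any dotted address (used to show Alan's 21-ones count)."""
    return bin(_to_int(dotted)).count("1")


def prefix_from_mask(mask: str) -> int:
    """Dotted netmask -> prefix length, e.g. 255.255.255.128 -> 25.

    A real netmask is N ones followed by zeros; anything else is rejected.
    """
    m = _to_int(mask)
    ones = bin(m).count("1")
    if m != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ones


def describe_cidr(cidr: str) -> dict:
    """Everything the firewall GUI and the whois record say about one CIDR block."""
    addr, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    ip = _to_int(addr)
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES   # prefix one-bits, then zeros
    wildcard = ~mask & ALL_ONES                     # the inverse, for ACL-style masks
    network = ip & mask                             # clear the host bits
    broadcast = network | wildcard                  # set the host bits
    return {
        "mask": _to_dotted(mask),
        "mask_bits": _to_binary(mask),
        "wildcard": _to_dotted(wildcard),
        "network": _to_dotted(network),
        "broadcast": _to_dotted(broadcast),
        "addresses": 1 << (32 - prefix),
        # False means the address in front of the slash had host bits set,
        # so the block actually covers a different base address.
        "base_is_network": ip == network,
    }


if __name__ == "__main__":
    for block in ("202.124.136.0/25", "66.218.64.0/19", "202.124.0.0/12"):
        info = describe_cidr(block)
        print(block)
        for key, value in info.items():
            print(f"  {key:16} {value}")
    print("ones in 66.218.95.255:", ones_in("66.218.95.255"))
    print("prefix for 255.255.248.0:", prefix_from_mask("255.255.248.0"))
```

For 66.218.64.0/19 this prints the mask 255.255.224.0 with 19 one-bits, the network 66.218.64.0 and broadcast 66.218.95.255, i.e. the whois NetRange; the broadcast address itself has 21 one-bits, which is the count Alan arrived at. For 202.124.136.0/25 the wildcard comes out as 0.0.0.127, the form Pete Long gave for ACL-style masking.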