OPNsense Forum

English Forums => General Discussion => Topic started by: tuatara on October 03, 2022, 03:07:40 PM

Title: under attack, want to block incoming traffic from some sub domains
Post by: tuatara on October 03, 2022, 03:07:40 PM
For a couple of days now, I have been receiving a lot of attacks on my OPNsense Firewall WAN interface.
It is more than the usual port scanning etc.
I've blocked many of the source IP addresses but they keep changing and appearing,
but they always have this syntax for their FQDN:
<number>-<number>-<number>-<number>.hinet-ip.hinet.net
Preferably I want to block: *.hinet.net to include all hosts and/or sub-domains from that domain name.
I already spent many hours searching for this, can anyone please let me know if this is possible?

BTW: China is already Geoblocked, but these slip through that.

Thanks in advance
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: manilx on October 03, 2022, 03:54:08 PM
Hi

check here: https://www.allthingstech.ch/using-fqdn-domain-lists-for-blocking-with-opnsense

Should help you....
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: manilx on October 03, 2022, 04:24:02 PM
Just tried it.

Create a text file with the FQDN on each line.
Tried "hinet.net".

Put it on an accessible web server (I use my QNAP NAS).
Create an alias "URL Table (IPs)" with the URL of your file as content.
Create a respective firewall rule in WAN blocking this alias as source.
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: tuatara on October 03, 2022, 04:25:54 PM
Thanks Manilx,

I am going to test that right now!

But you can't use something like *.hinet.net in that text file found by the URL?
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: tuatara on October 03, 2022, 04:57:40 PM
Sadly,
I don't know what their IP range is yet.
It seems that I can only add known hosts in that file.
Since there are new hosts popping up every time, I need to keep monitoring 24/7 which new hosts I see,
and then manually add each host to the list, since wildcards
like *.hinet.net cannot be used.

btw I am running a deciso.com appliance
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: Supermule on October 03, 2022, 05:10:37 PM
You need to implement AS Number blocking...

Then everything from a certain domain is blocked.
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: tuatara on October 03, 2022, 06:17:08 PM
Yep Supermule, that might do the trick!

Found the BGP ASN of that party, implementing now...

Thanks a lot!
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: tuatara on October 03, 2022, 06:18:36 PM
SOLVED !!!   ;D

pfff... that saves a lot of work !
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: manilx on October 04, 2022, 12:06:04 PM
Quote from: tuatara on October 03, 2022, 04:57:40 PM
Sadly,
I don't know what their IP range is yet.
It seems that I can only add known hosts in that file.
Since there are new hosts popping up every time, I need to keep monitoring 24/7 which new hosts I see,
and then manually add each host to the list, since wildcards
like *.hinet.net cannot be used.

btw I am running a deciso.com appliance

As I described just put "hinet.net" on a line by itself in the file!!!
Title: Re: under attack, want to block incoming traffic from some sub domains
Post by: manilx on October 04, 2022, 12:27:11 PM
Guess the ASN solution above is better....

https://api.hackertarget.com/aslookup/?q=AS[asn] as an alias to block.

Learned something from this too :)
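
Added example (not posted by anyone in this thread): a sketch of how an ASN prefix-lookup response can be validated and collapsed into a plain CIDR list for hosting as the content of a "URL Table (IPs)" alias, plus a check that an observed source address is covered. The response layout (one header line followed by one prefix per line), the reserved documentation ASN 64500, the documentation address ranges and the function names are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of a prefix-lookup response. Documentation ranges only,
# not real data for any ASN; the header-plus-prefixes layout is an assumption.
SAMPLE_RESPONSE = '''"64500","EXAMPLE-NET, ZZ"
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.64/26
2001:db8::/32
not-a-prefix
'''

# Anything that looks like address/prefixlen; real validation happens below.
TOKEN = re.compile(r"[0-9A-Fa-f:.]+/\d{1,3}")


def extract_networks(text):
    """Return every valid IPv4/IPv6 network in text, skipping malformed tokens."""
    nets = []
    for line in text.splitlines():
        for tok in TOKEN.findall(line):
            try:
                nets.append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                continue  # header lines and junk never reach the alias file
    return nets


def build_alias_lines(text):
    """Collapse adjacent and overlapping prefixes, one CIDR per output line."""
    nets = extract_networks(text)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def is_covered(ip, alias_lines):
    """True if a source address seen in the firewall log is inside the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in alias_lines)


if __name__ == "__main__":
    print("\n".join(build_alias_lines(SAMPLE_RESPONSE)))
```

Running `is_covered` against source addresses taken from the firewall log shows whether the prefix list actually accounts for the hosts being seen before the block rule is relied on.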