under attack, want to block incoming traffic from some subdomains

Started by tuatara, October 03, 2022, 03:07:40 PM

For a couple of days now, I have been receiving a lot of attacks on my OPNsense Firewall WAN interface.
It is more than the usual port scanning etc.
I've blocked many of the source IP addresses but they keep changing and appearing,
but they always have this syntax for their FQDN:
<number>-<number>-<number>-<number>.hinet-ip.hinet.net
Preferably I want to block *.hinet.net, to include all hosts and/or subdomains from that domain name.
I already spent many hours searching for this; can anyone please let me know if this is possible?

BTW: China is already Geoblocked, but these slip through that.

Thanks in advance


Just tried it.

Create a text file with the FQDN on each line.
Tried "hinet.net".

Put it on an accessible web server (I use my QNAP NAS).
Create an alias "URL Table (IPs)" with the url of your file as content.
Create respective firewall rule in WAN blocking this alias as source.

Thanks Manilx,

I am going to test that right now!

But you can't use something like *.hinet.net in that text file found by the URL?

Sadly,
I don't know what their IP range is yet.
It seems that I can only add known hosts in that file.
Since there are new hosts popping up every time, I need to keep 24/7 monitoring which new hosts I see,
and then manually adding each host to the list since wildcards can not be used,
like *.hinet.net

btw I am running a deciso.com appliance

You need to implement AS Number blocking...

Then everything from a certain domain is blocked.

Yep Supermule, That might do the trick!

Found the BGP ASN of that party, implementing now...

Thanks a lot!


Quote from: tuatara on October 03, 2022, 04:57:40 PM
Sadly,
I don't know what their IP range is yet.
It seems that I can only add known hosts in that file.
Since there are new hosts popping up every time, I need to keep 24/7 monitoring which new hosts I see,
and then manually adding each host to the list since wildcards can not be used,
like *.hinet.net

btw I am running a deciso.com appliance

As I described just put "hinet.net" on a line by itself in the file!!!

Guess the ASN solution above is better....

https://api.hackertarget.com/aslookup/?q=AS[asn] as an alias to block.

Learned something from this too :)
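Putting the two suggestions together (a "URL Table (IPs)" alias fed from a file, and looking the prefixes up by ASN instead of chasing hostnames), here is an added helper script that is not from this thread or from OPNsense: it turns raw ASN lookup output into a clean alias file and lets you confirm that a logged source IP would actually be matched by the WAN block rule. The one-prefix-per-line lookup format and the sample prefixes are assumptions/constructed, not hinet's real address space.

```python
import ipaddress

# Constructed sample of what an ASN prefix lookup might return (one prefix per
# line), deliberately dirty: a comment, a duplicate, a subnet already covered
# by a larger prefix, an IPv6 prefix and a garbage line. Not real hinet data.
SAMPLE_LOOKUP = """\
203.0.113.0/24
203.0.113.128/25
198.51.100.0/22
# generated by example lookup
198.51.100.0/22
2001:db8:1::/48
not-a-prefix
"""


def build_alias_list(raw):
    """Parse lookup output into the list of CIDRs an OPNsense URL Table (IPs)
    alias expects: one network per line, invalid lines dropped, duplicates and
    subnets already covered by a larger prefix collapsed away."""
    v4, v6 = [], []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # not a prefix: ignore rather than break the alias
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses must be called per address family
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in collapsed]


def covered(ip, cidrs):
    """True if a logged source IP falls inside one of the alias prefixes,
    i.e. the block rule built on the alias would have matched it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def write_alias_file(path, cidrs):
    """Write the alias file to serve from the web server the alias URL points at."""
    with open(path, "w") as fh:
        fh.write("\n".join(cidrs) + "\n")


if __name__ == "__main__":
    prefixes = build_alias_list(SAMPLE_LOOKUP)
    write_alias_file("blocklist.txt", prefixes)
    # check an address seen in the firewall log against the list before relying on it
    print(prefixes, covered("203.0.113.200", prefixes))
```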