How to massively ban a pool of @ip?

Hello, I'm having an issue on several servers. Sometimes there's a high load caused by a pool of IP addresses making massive requests (lots of bots). The problem is that CrowdSec doesn't ban them because it's one IP at a time. Do you have a solution for this?
14 Replies
CrowdSec · 3mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
iiamloz · 3mo ago
It depends: is there an identifier you can use to group these together? Here is an example using the Bytedance spider to ban a range:
```yaml
type: leaky
name: my/ban-byte-range
description: "Ban a range if more than 10 IPs from the same /24 show the Bytespider user-agent"
filter: "evt.Parsed.http_user_agent contains '(compatible; Bytespider; spider-feedback@bytedance.com)'"
# one bucket per /24 instead of per IP; only distinct source IPs fill it
groupby: "IpToRange(evt.Meta.source_ip, '/24')"
distinct: "evt.Meta.source_ip"
capacity: 10
leakspeed: "1m"
blackhole: 5m
labels:
  remediation: true
# the decision targets the whole /24, not the single offending IP
scope:
  type: Range
  expression: IpToRange(evt.Meta.source_ip, '/24')
```
But obviously this depends on whether you're using a remediation that supports ranges.
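To see what the scenario above actually does with traffic, here is an added example (not CrowdSec's engine and not code from the thread) that models its semantics in Python: events are filtered on the bot User-Agent, grouped by IpToRange(source_ip, cidr), only distinct source IPs fill the bucket, the bucket refills one token per leakspeed, and an overflow bans the range and blackholes it. All log lines are constructed; the same traffic is run with a /24 and a /16 groupby to show why the range width matters.

```python
"""Model of the leaky-bucket range scenario above: filter on the bot
User-Agent, group events by IpToRange(source_ip, cidr), only count distinct
source IPs, overflow once more than `capacity` have been seen, then blackhole
the range. Added example, not CrowdSec's engine; all log lines are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# nginx/Apache combined log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BOT_UAS = ("PetalBot", "SemrushBot")  # stands in for the scenario's 'filter'


def parse_line(line):
    """Return the fields the scenario reads, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"source_ip": m["ip"], "http_user_agent": m["ua"],
            "ts": datetime.strptime(m["ts"], TS_FMT)}


def ip_to_range(ip, cidr):
    """Same value as CrowdSec's IpToRange(ip, '/24') expr helper."""
    return str(ipaddress.ip_network(ip + cidr, strict=False))


class RangeScenario:
    """One bucket per range key. The bucket starts with `capacity` tokens,
    refills one token per `leakspeed`, and an event arriving when fewer than
    one token is left is the overflow."""

    def __init__(self, cidr, capacity=10, leakspeed=timedelta(minutes=1),
                 blackhole=timedelta(minutes=5)):
        self.cidr, self.capacity = cidr, capacity
        self.leakspeed, self.blackhole = leakspeed, blackhole
        self.buckets = {}

    def feed(self, evt):
        """Pour one parsed event; return the range to ban on overflow, else None."""
        if not any(ua in evt["http_user_agent"] for ua in BOT_UAS):
            return None  # filter did not match: event never reaches a bucket
        key = ip_to_range(evt["source_ip"], self.cidr)  # groupby
        b = self.buckets.setdefault(key, {"tokens": float(self.capacity),
                                          "last": evt["ts"], "seen": set(),
                                          "blackhole_until": None})
        if b["blackhole_until"] is not None and evt["ts"] < b["blackhole_until"]:
            return None  # blackhole: the range was just banned, ignore it for now
        elapsed = evt["ts"] - b["last"]
        b["tokens"] = min(self.capacity, b["tokens"] + elapsed / self.leakspeed)
        b["last"] = evt["ts"]
        if evt["source_ip"] in b["seen"]:
            return None  # distinct: a repeat source_ip does not fill the bucket
        b["seen"].add(evt["source_ip"])
        if b["tokens"] < 1:  # the (capacity + 1)th distinct IP overflows
            b.update(tokens=float(self.capacity), seen=set(),
                     blackhole_until=evt["ts"] + self.blackhole)
            return key
        b["tokens"] -= 1
        return None


def banned_ranges(lines, cidr):
    """Run the scenario over log lines and list the ranges it would ban."""
    scenario = RangeScenario(cidr)
    banned = []
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        hit = scenario.feed(evt)
        if hit:
            banned.append(hit)
    return banned


# --- constructed sample traffic (not real logs) -----------------------------
T0 = datetime(2025, 1, 10, 10, 0, 0, tzinfo=timezone.utc)
PETAL = "Mozilla/5.0 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)"
SEMRUSH = "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
HUMAN = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"


def log_line(ip, ua, seconds):
    ts = (T0 + timedelta(seconds=seconds)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "{ua}"'


# Six bot IPs in 47.79.10.0/24 and six in 47.79.20.0/24 (twelve in 47.79.0.0/16),
# plus a repeat hit and one ordinary browser request.
SPREAD_POOL = ([log_line(f"47.79.10.{i}", PETAL, i) for i in range(1, 7)]
               + [log_line(f"47.79.20.{i}", SEMRUSH, 10 + i) for i in range(1, 7)]
               + [log_line("47.79.10.1", PETAL, 20), log_line("47.79.30.1", HUMAN, 21)])
# Eleven bot IPs inside one /24.
DENSE_POOL = [log_line(f"47.82.5.{i}", PETAL, i) for i in range(1, 12)]

if __name__ == "__main__":
    for cidr in ("/24", "/16"):
        print(cidr, "spread:", banned_ranges(SPREAD_POOL, cidr),
              "dense:", banned_ranges(DENSE_POOL, cidr))
```

With the /24 groupby the spread pool never trips (six distinct IPs per /24), while the /16 groupby bans 47.79.0.0/16 on the eleventh distinct IP and then blackholes it; the dense pool trips either way. That is the trade-off behind "narrow the range": a wider prefix catches pools that straddle many /24s but also bans far more addresses per decision.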
bbuddha (OP) · 3mo ago
I have IP pools starting with 47.79 or 47.82, for example, and user-agents like PetalBot or SemrushBot.
iiamloz · 3mo ago
But are you using a hard remediation like a firewall? Because if not, they will still cause load.
bbuddha (OP) · 3mo ago
Yes, I have.
iiamloz · 3mo ago
And is it nftables or iptables, or pf if you're using a BSD-based one?
bbuddha (OP) · 3mo ago
I'm using iptables.
iiamloz · 3mo ago
Sweet, so it supports ranges. You can adapt the example I gave and maybe narrow down the /24 range to be smaller, and my advice is to create a profile to issue a short-term ban, like 30 minutes.
bbuddha (OP) · 3mo ago
I'll test it like this for now.
```yaml
type: leaky
name: testing/ban-ip-range-bot
# description now matches the /16 used in groupby and scope below
description: "Ban an IP range (/16) if more than 10 different IPs with known bad bot user-agents"
filter: |
  evt.Parsed.http_user_agent contains "PetalBot" ||
  evt.Parsed.http_user_agent contains "SemrushBot"
groupby: IpToRange(evt.Meta.source_ip, "/16")
distinct: evt.Meta.source_ip
capacity: 10
leakspeed: 1m
blackhole: 10m
labels:
  remediation: true
scope:
  type: Range
  expression: IpToRange(evt.Meta.source_ip, "/16")
```
iiamloz · 3mo ago
Just note the default profile will issue a 4-hour ban on the range, so I advise making a custom profile above all the others to issue a short-term ban, as you might catch a lot of people 😄
bbuddha (OP) · 3mo ago
Oh yes, you're absolutely right. Like this?
```yaml
name: short_range_remediation
filters:
  # Alert.Source is a struct, so the scenario is matched with Alert.GetScenario();
  # the name must match the 'name' of the range scenario (testing/ban-ip-range-bot)
  - Alert.Remediation == true && Alert.GetScope() == "Range" && Alert.GetScenario() == "testing/ban-ip-range-bot"
decisions:
  - type: ban
    duration: 30m
notifications:
  - wazuh
# stop here so the default 4h range profile further down is not applied too
on_success: break
```
iiamloz · 3mo ago
Yes! Just make sure it's above the default remediation for ranges and it will catch them 👍
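Why the position in profiles.yaml matters, as an added example (not CrowdSec's code and not from the thread): CrowdSec walks the profiles top to bottom, the first one whose filter matches issues its decisions, and `on_success: break` stops the walk. The expr filters are written here as Python callables, the stock `default_ip_remediation` / `default_range_remediation` profiles are modelled with the 4h ban mentioned above, and the alerts are constructed.

```python
"""Model of how CrowdSec walks profiles.yaml top to bottom for one alert:
the first profile whose filter matches issues its decisions, and
on_success: break stops the walk. Added example, not CrowdSec's code: the
expr filters are written as Python callables and the alerts are constructed."""


def short_range_filter(alert):
    # Alert.Remediation == true && Alert.GetScope() == "Range"
    #   && Alert.GetScenario() == "testing/ban-ip-range-bot"
    return (alert["remediation"] and alert["scope"] == "Range"
            and alert["scenario"] == "testing/ban-ip-range-bot")


def default_ip_filter(alert):
    # Alert.Remediation == true && Alert.GetScope() == "Ip"
    return alert["remediation"] and alert["scope"] == "Ip"


def default_range_filter(alert):
    # Alert.Remediation == true && Alert.GetScope() == "Range"
    return alert["remediation"] and alert["scope"] == "Range"


SHORT_RANGE = {"name": "short_range_remediation", "filter": short_range_filter,
               "decisions": [("ban", "30m")], "on_success": "break"}
# modelled on the stock profiles (4h bans, as noted in the thread)
DEFAULT_IP = {"name": "default_ip_remediation", "filter": default_ip_filter,
              "decisions": [("ban", "4h")], "on_success": "break"}
DEFAULT_RANGE = {"name": "default_range_remediation", "filter": default_range_filter,
                 "decisions": [("ban", "4h")], "on_success": "break"}


def evaluate(profiles, alert):
    """Return (names of profiles that matched, decisions issued) in file order."""
    matched, decisions = [], []
    for profile in profiles:
        if not profile["filter"](alert):
            continue
        matched.append(profile["name"])
        decisions.extend(profile["decisions"])
        if profile.get("on_success") == "break":
            break  # later profiles are never consulted for this alert
    return matched, decisions


# constructed alerts, shaped like what the range scenario and an IP scenario emit
RANGE_ALERT = {"remediation": True, "scope": "Range", "value": "47.79.10.0/24",
               "scenario": "testing/ban-ip-range-bot"}
IP_ALERT = {"remediation": True, "scope": "Ip", "value": "47.79.10.1",
            "scenario": "some/other-scenario"}  # hypothetical scenario name

if __name__ == "__main__":
    # custom profile placed first: 30m range ban
    print(evaluate([SHORT_RANGE, DEFAULT_IP, DEFAULT_RANGE], RANGE_ALERT))
    # custom profile placed last: default_range_remediation wins with 4h
    print(evaluate([DEFAULT_IP, DEFAULT_RANGE, SHORT_RANGE], RANGE_ALERT))
```

With the custom profile first, the range alert gets a 30-minute ban; with it placed after the defaults, `default_range_remediation` matches first, breaks, and the 4-hour ban is issued instead. IP-scoped alerts are untouched by the custom profile either way.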
bbuddha (OP) · 3mo ago
Right, thanks for your help.
CrowdSec · 3mo ago
Resolving "How to massively ban a pool of @ip?" This has now been resolved. If you think this is a mistake please run /unresolve