roxanaschram
just joined
Topic Author
Posts: 10
Joined: Sat Oct 10, 2020 7:59 am

ASN Blocking

Wed Jan 13, 2021 1:28 pm

I have searched and found old threads that haven't been active since 2017. I'm hoping to use my CCR1009 to block inbound ASNs to my server. Currently I'm using Cloudflare to do this but when people are downloading and Cloudflare is on, there seems to be a 20MBs download rate from the server. With Cloudflare off there is a 95MBs. So I have a list of ASNs belonging to VPN, VPS, cloud hosting that I block from the sites. It has dramatically reduced the number of brute-force attempts into the server.

So I've tried everything I've found but when testing using my mobile carrier ASN, I can still connect when Cloudflare is off which tells me those ways aren't working. Does anyone please have a working method to block ASNs from accessing through the firewall? Whether it's a firewall rule and list or routing with a list.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: ASN Blocking

Wed Jan 13, 2021 5:43 pm

If there are specific ASNs you want the list of prefixes for to then add to a FW rule, the easiest way would probably be a route-set query.

https://www.arin.net/resources/manage/irr/
 
roxanaschram
just joined
Topic Author
Posts: 10
Joined: Sat Oct 10, 2020 7:59 am

Re: ASN Blocking

Wed Jan 13, 2021 6:50 pm

I have compiled a list of 500 +/- ASNs belonging to VPS/VPN servers. Trying to create a list to query each one would be exhaustive I would think. I want to use ASNs because then I don't need 50k lines of IP subsets to block.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: ASN Blocking

Wed Jan 13, 2021 9:18 pm

ASN isn't a piece of information carried in the packet header - only the routing table of a BGP border router.

Do you have a border router with a full table and no default route?
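
Added example, not part of any post in this thread: because the firewall only sees addresses, an ASN block list has to be resolved to prefixes first (the IRR query suggested above), and merging adjacent prefixes keeps the resulting address list short. The RPSL sample, the ASNs and the list name `blocked-asn` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample shaped like RPSL route objects from an IRR whois reply.
# ASNs are private-use and prefixes are documentation ranges, not real networks.
SAMPLE_IRR = """\
route:   198.51.100.0/25
origin:  AS64500

route:   198.51.100.128/25
origin:  AS64500

route:   203.0.113.0/24
origin:  as64501

route:   192.0.2.0/24
origin:  AS64999

route6:  2001:db8::/32
origin:  AS64500
"""

def parse_routes(rpsl_text):
    """Map origin ASN -> set of IPv4 networks found in RPSL route objects."""
    by_asn = defaultdict(set)
    for obj in rpsl_text.strip().split("\n\n"):
        attrs = {}
        for line in obj.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), value.strip())
        # route6 objects are skipped: IPv6 needs its own address list.
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=False)
            by_asn[attrs["origin"].upper()].add(net)
    return by_asn

def build_address_list(rpsl_text, blocked_asns, list_name="blocked-asn"):
    """Return RouterOS commands (list_name is a hypothetical list name)."""
    routes = parse_routes(rpsl_text)
    nets = set()
    for asn in blocked_asns:
        nets |= routes.get(asn.upper(), set())
    # Merge adjacent and overlapping prefixes so the list stays short.
    merged = ipaddress.collapse_addresses(nets)
    return [f"/ip firewall address-list add list={list_name} address={n}"
            for n in merged]

if __name__ == "__main__":
    print("\n".join(build_address_list(SAMPLE_IRR, ["AS64500", "AS64501"])))
```

A single drop rule matching `src-address-list=blocked-asn` then covers every listed network, and the list needs regenerating whenever the ASNs announce new prefixes.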
 
roxanaschram
just joined
Topic Author
Posts: 10
Joined: Sat Oct 10, 2020 7:59 am

Re: ASN Blocking

Thu Jan 14, 2021 10:39 pm

No I don't. Didn't realize how ASN info was passed on either. Unless I can build one or buy one cheap, I may just have to leave Cloudflare on. Just was hoping to remove them to improve speeds to server.
 
roxanaschram
just joined
Topic Author
Posts: 10
Joined: Sat Oct 10, 2020 7:59 am

Re: ASN Blocking

Fri Jan 22, 2021 3:26 pm

So I saw someone mention they used a MikroTik router as a border router but can't find anything on how they did that. Is this actually possible? I have 2 other MikroTik routers laying about.
 
MarcSN
just joined
Posts: 15
Joined: Wed Jul 01, 2020 7:18 pm

Re: ASN Blocking

Mon Jan 25, 2021 11:42 pm

Of course it's possible. You just need to get an ASN, and IP Blocks. IPv6 is cheap, a /24 IPv4 block can be leased starting at 100$/Month or bought around 10k$.
