We need a device api to add a network to Grouped Networks.
Currently we have to use an undocumented call, and it requires us to first read all of the networks for that named_network into an array, then add the new one and then repost it.
Having this available as a device api, would be great as it would allow us to better integrate with scripts to block or allow ips.
Also please add the ability to add a comment next to a network, "John's PC" etc.
And allow the ability to switch to CSV mode in the GUI.
Yes, I have a similar request already in.
This is of higher priority than previously, due to the increase in both DDoS and brute force attacks.
Yesterday we had 13 switch nodes come under a broad distributed brute force attack. At any given moment 13 different IPs were hitting the 13 nodes, trying random user IDs. When blocked after 5 failed attempts the IP would switch to a different node. When an IP was blocked on all 13 it was swapped for a different one.
We were getting about 5 per second per node - enough to be annoying, not enough to cause an issue, but if it had been maybe 5 times faster, 25 per second per node, it would have started causing issues.
And of course, normal fail2ban activity releases a blocked IP after a time out period, so they recycled.
So, I wrote a quick log watcher to identify by the userid pattern (did not match what our userids look like), fail after single attempt and post the info to a DB.
Then a cron job running once a minute to pick up those new entries and add them to an "idiots" grouped network on each of our data center border routers, so within a minute of one attempt they were blocked totally and forever.
BUT... the method we are using requires reading the current grouped network list, adding the new entries and reposting the entire list.
Once it hit about 600 entries it hit the CPU pretty hard for each update.
Luckily, the attacker evidently has a "small" bot farm of about 950 IPs, as it petered out overnight at that number.
So - we are requesting THREE things:
1. API call to add/delete/change a single entry, and please make sure this is very well optimized for large lists.
2. Improved GUI for large grouped networks, using an option to switch from fields to a large text box, with that happening automatically at, say, 100 entries.
3. Verify that firewall rules using grouped networks are VERY well optimized and tested under load with large lists - say up to 25,000 entries. I previously used low end Juniper firewalls and ran for years with a 13,000 entry block list of IP net blocks in China and several other companies. This is VERY COMMON, and note that the recent attack was all domestic IPs, so GEOIP is not an answer. If this had been a larger bot farm we could easily have 10 or 20,000 entries as /32, collapsing some to /24 etc.
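An added example, not from either post and not the vendor's undocumented call: a Python sketch of the log-watcher side described above, which flags an IP on a single failed attempt when the tried user ID does not fit the local naming pattern, collapses offenders to a /24 once several come from the same block, and performs the read-merge-repost union the post complains about. The log lines, the user-ID pattern and the /24 threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd-style log lines (not from the original post).
SAMPLE_LOG = """\
Jun 12 03:14:01 node01 sshd[1201]: Failed password for invalid user qz7x1k from 198.51.100.7 port 51822 ssh2
Jun 12 03:14:02 node02 sshd[1202]: Failed password for invalid user ab93ll from 198.51.100.9 port 51923 ssh2
Jun 12 03:14:03 node03 sshd[1203]: Failed password for jsmith from 203.0.113.5 port 40211 ssh2
Jun 12 03:14:04 node04 sshd[1204]: Failed password for invalid user p0rt4l from 198.51.100.44 port 50012 ssh2
Jun 12 03:14:05 node05 sshd[1205]: Failed password for invalid user x9k2mm from 192.0.2.77 port 50013 ssh2
"""

# Assumption: legitimate user IDs are lowercase letters only (initial + surname).
LEGIT_USERID = re.compile(r"^[a-z]{3,16}$")
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def offending_ips(log_text):
    """Return source IPs whose tried user ID does not match the local pattern.
    A single such attempt is enough; no 5-failure threshold as with fail2ban."""
    ips = set()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m and not LEGIT_USERID.match(m.group(1)):
            ips.add(ipaddress.ip_address(m.group(2)))
    return ips


def collapse_networks(ips, threshold=3):
    """Build grouped-network entries: one /32 per IP, but replace a /24 with a
    single /24 entry once at least `threshold` offenders came from it."""
    by_24 = defaultdict(list)
    for ip in ips:
        by_24[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    entries = []
    for net, members in by_24.items():
        if len(members) >= threshold:
            entries.append(net)
        else:
            entries.extend(ipaddress.ip_network(f"{ip}/32") for ip in members)
    return sorted(entries)


def merge_into_existing(existing, new_entries):
    """The read-modify-write step the post describes: union the current list
    with the new entries, dropping duplicates and entries covered by a wider one."""
    nets = [ipaddress.ip_network(n) for n in existing] + list(new_entries)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

The returned list from `merge_into_existing` is what would be reposted as the whole grouped network; with a single-entry API call only the output of `collapse_networks` would need to be sent.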