Anonymous
Not applicable

How to block country ip ranges without overloading the router


Hello All..

I have a mail server that is under attack by spammers. I would like to block all country ip ranges except for those assigned to the US. The problem I see is that you can't create an acl that big without killing the router. So is there a way to craft an acl to accomplish this task?

Any help appreciated.

Thanks!

ACL


Accepted Solutions
jayh
Honored Contributor

Re: How to block country ip ranges without overloading the router

Can you implement this in your mail server?  This might be more scalable.

4 Replies
Anonymous
Not applicable

Re: How to block country ip ranges without overloading the router



I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi

Anonymous
Not applicable

Re: How to block country ip ranges without overloading the router


Levi,

I feel like this wasn't answered. Can the router block IPs by country?

jayh
Honored Contributor

Re: How to block country ip ranges without overloading the router


Not really. You could in theory attempt to build an access-list based on assignments by the RIRs. With the IPv4 space essentially depleted, there is a lot of IP space that is traded among RIRs, and this trend is increasing. Companies with large allocations spanning multiple countries are a problem as well, as are VPNs. You would need to update the access list very frequently; it wouldn't scale well. Various companies attempt to do geolocation based on IP address, such as maxmind.com, but their data isn't always accurate. See mild example below.

Dipping MaxMind's database or a similar service, most of which are only available on a paid subscription basis, is best deployed on the server, where each connection is tested by querying the database. This is typically done by DNS lookup on the IP to the geolocation server. Keeping an ACL on the router would result in a very large ACL as well as requiring frequent updates.

Mild example of IP geolocation gone wrong: http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/
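The server-side per-connection check jayh suggests, as an added example that is not from this thread or from any vendor product: it builds a country table from constructed lines in the RIR "delegated" file format (registry|cc|type|start|value|date|status), does a longest-prefix match on the connecting address, and fails closed when the address cannot be mapped. The prefixes and the choice of RIR delegation data as the source are assumptions for illustration; in practice the table would be refreshed from the RIRs or a geolocation vendor.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Constructed sample in RIR delegated-file format; the prefixes are
# documentation/test ranges, not real allocations.
SAMPLE_DELEGATIONS = """\
arin|US|ipv4|192.0.2.0|256|20100101|allocated
ripencc|DE|ipv4|198.51.100.0|256|20100101|assigned
apnic|AU|ipv4|203.0.113.0|768|20100101|allocated
arin|US|ipv6|2001:db8::|32|20100101|allocated
arin|US|asn|64496|1|20100101|allocated
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_delegations(text: str) -> List[Tuple[Network, str]]:
    """Turn delegation lines into (network, country) pairs.
    For ipv4 the 'value' field is an address count that need not be a power
    of two, so one record may expand to several CIDR prefixes; for ipv6 it
    is a prefix length. Header, summary ('*') and asn records are skipped."""
    table: List[Tuple[Network, str]] = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 5 or "*" in fields[:4]:
            continue
        _registry, cc, kind, start, value = fields[:5]
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            for net in ipaddress.summarize_address_range(first, last):
                table.append((net, cc))
        elif kind == "ipv6":
            table.append((ipaddress.IPv6Network(f"{start}/{value}"), cc))
    return table


def lookup_country(ip: str, table: List[Tuple[Network, str]]) -> Optional[str]:
    """Longest-prefix match; None for unparseable or unlisted addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    best: Optional[Tuple[Network, str]] = None
    for net, cc in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def decide(ip: str, table: List[Tuple[Network, str]], allowed=frozenset({"US"})) -> str:
    """Per-connection policy: accept only listed countries, reject unknowns."""
    return "accept" if lookup_country(ip, table) in allowed else "reject"
```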