Filtering IP Addresses due to Hacking - TechRepublic
May 25, 2001 at 06:25 AM
bkduke


I manage a number of Internet firewalls and external border routers, all of which are independent of each other. Each Internet portal is monitored by an Intrusion Detection system. Managers have started requesting us to block specific IP addresses, subnets or even IP blocks after hacking attempts have been observed to have originated from them.

This is very time consuming and in my opinion probably ineffective. Most hackers use forwarded or spoofed addresses, or will simply move on to another host to reduce their chance of detection or being blocked.

1. Do you filter or block inbound IP traffic based on past probes or hacking attempts?

2. If so, do you apply filters on your external border routers to reduce chances of a Denial of Service attack, or on your firewall due to its improved logging and reporting capabilities?

3. What criteria do you use to determine if a filter should be implemented for an IP address, subnet or net block?

4. Do you block entire net blocks solely based on their geographic region, i.e. China, North Korea, or IANA Reserved?

5. How long should an address be blocked: 3 months, 6 months, a year, 2 years, forever? Do you go back and review blocked addresses?

6. How many blocked addresses is too many? At what point does it become too burdensome?
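As an added example (not part of the original thread or any reply to it), the script below shows one way to make reactive blocking less burdensome than hand-maintained filters: every entry carries an expiry, a /24 is collapsed into one entry once enough of its hosts offend, and the list refuses to exceed a review limit. The IDS alert lines, the 90-day TTL, the threshold of three hosts and the Cisco-style ACL output are all constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed IDS alert lines: "<timestamp> <source ip> <event>" (not real data).
ALERTS = """\
2001-05-20T03:12:00 198.51.100.7 portscan
2001-05-20T03:15:00 198.51.100.9 portscan
2001-05-20T03:20:00 198.51.100.12 ftp-exploit-attempt
2001-05-21T11:02:00 203.0.113.40 portscan
2001-02-01T09:00:00 192.0.2.5 portscan
"""
NOW = datetime(2001, 5, 25)  # the run date; alerts older than the TTL are dropped

def parse_alerts(text):
    """Yield (seen_at, source_ip) from alert lines in the constructed format."""
    for line in text.splitlines():
        ts, src, _event = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), ip_address(src)

def build_blocklist(alerts, now, ttl=timedelta(days=90), subnet_threshold=3):
    """Return {network: expiry}. Each host is blocked for `ttl` after its last
    alert; a /24 with >= subnet_threshold offending hosts becomes one entry.
    Expired entries are omitted, so every run is also the review."""
    last_seen = {}
    for seen, ip in alerts:
        if seen > last_seen.get(ip, datetime.min):
            last_seen[ip] = seen
    by_net = {}
    for ip, seen in last_seen.items():
        if now - seen <= ttl:  # still within its block window
            by_net.setdefault(ip_network(f"{ip}/24", strict=False), []).append((ip, seen))
    entries = {}
    for net, hosts in by_net.items():
        if len(hosts) >= subnet_threshold:
            entries[net] = max(seen for _, seen in hosts) + ttl
        else:
            for ip, seen in hosts:
                entries[ip_network(str(ip))] = seen + ttl
    return entries

def render_acl(entries, max_entries=500):
    """Emit Cisco-style deny lines; refuse to grow past max_entries so an
    unbounded list gets noticed instead of silently applied to the router."""
    if len(entries) > max_entries:
        raise ValueError(f"{len(entries)} entries exceed review limit {max_entries}")
    return [f"deny ip {n.network_address} {n.hostmask} any" for n in sorted(entries)]

if __name__ == "__main__":
    print("\n".join(render_acl(build_blocklist(parse_alerts(ALERTS), NOW))))
```

With the constructed data, the three 198.51.100.0/24 hosts collapse into one entry, 203.0.113.40 stays a host entry, and 192.0.2.5 (last seen in February) has aged out by the May run date.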
