Once upon a time DOSarrest used the same status code (403 Forbidden) to respond to any illegitimate traffic. For a web server that is sufficient, but sometimes people want to know why a request was forbidden. As we added more and more filters that 403 became less and less meaningful, so we started to split forbidden traffic into classes using the 461-469 range of status codes.
468, in particular, is assigned to filters that block based on IP reputation. A few optional filters use it: Block Bot, Block TOR, Block Region, and the newest, Block Proxy.
Block Proxy is an optional filter that operates on the IP usage type, which is determined by who the IPs were assigned to and what they are intended to be used for. The most common usage type we see is ISP/MOB (Internet Service Provider / Mobility), which covers your end users' home computers, laptops, smart phones and so on.
Block Proxy will allow you to block any combination of:
- VPN: VPN anonymizing services
- TOR: The Onion Router exit nodes
- DCH: Datacenter Hosting provider
- PUB: Public proxies
- WEB: Web proxies
- SES: Search Engine Spiders
Why would anyone want to block any of these?
VPN and TOR: in addition to their legitimate uses, these anonymizing services are also popular with mischief makers who want to hide their identity. We typically see large increases in TOR/VPN traffic during HTTP-layer flood attacks, where the attacker has to complete a TCP handshake and therefore cannot spoof the source IP.
PUB and WEB: similar in function. Public proxies forward connections at the IP/port level, whereas web proxies are HTTP(S)-based. We don't see many illegitimate uses of these services, but they can play havoc with sites whose logic depends on the visitor's apparent IP or location. Blocking is an option if it makes sense for your application.
SES: there is probably very little demand for blocking all search engines from your whole site. But if there is a portion of the site, admin or otherwise, that you don't want crawled, or you notice that not all bots obey robots.txt, you can apply this filter only to selected portions of your application.
DCH: DCH is the second most common usage type we see. Thanks to cloud computing, provisioning servers is fast, easy and affordable, and they get churned out at an astonishing rate. But not all of these servers are legitimate: with a set of provisioning scripts you can have a botnet up and running, and taking down targets, before the stolen credit card it was bought with is reported. Changing the botnet's IPs to thwart ACLs is as simple as reprovisioning. So, if you are not expecting any legitimate traffic from these sources, a simple Block DCH filter is far more effective than playing whack-a-mole with ever-changing IPs. Do check your logs first, though: API clients, uptime monitors and partner integrations usually come from datacenter ranges too, and a site-wide DCH block will take them down with the bots.
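To make the mechanics concrete, here is an added example (not DOSarrest's own code, and not a description of how the DOSarrest filter is implemented) of a toy Block Proxy filter: it looks up a client's usage type with a longest-prefix match, applies usage-type blocks either site-wide or only under a path prefix (the SES-on-/admin case above), and answers 468 for those reputation-based blocks versus 403 for a plain per-IP ACL. The usage-type table (using RFC 5737/3849 documentation ranges), the policy and the sample requests are all constructed here for illustration; a real deployment would read usage types from a commercial IP-intelligence feed.

```python
"""Added example, not DOSarrest code: a toy Block Proxy filter that
classifies a client by IP usage type and answers 468 for reputation-based
blocks, 403 for a plain IP ACL, and 200 when the request passes.
The usage-type table, the policy and the sample requests are constructed
for illustration; a real deployment would use a commercial IP feed."""
import ipaddress
from dataclasses import dataclass, field

# Usage-type labels as used in the post.
USAGE_TYPES = {"ISP/MOB", "VPN", "TOR", "DCH", "PUB", "WEB", "SES"}

# Constructed lookup table: (network, usage type). A real feed has millions
# of rows; the longest prefix wins when ranges overlap, so a TOR exit hosted
# inside a datacenter range is still labelled TOR.
USAGE_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "ISP/MOB"),
    (ipaddress.ip_network("198.51.100.0/24"), "DCH"),
    (ipaddress.ip_network("198.51.100.128/25"), "TOR"),
    (ipaddress.ip_network("192.0.2.0/24"), "SES"),
    (ipaddress.ip_network("192.0.2.64/26"), "VPN"),
]


def usage_type(ip: str) -> str:
    """Longest-prefix match against USAGE_TABLE. Unknown addresses default
    to ISP/MOB so an incomplete table fails open instead of blocking users."""
    addr = ipaddress.ip_address(ip)
    best_net, best_kind = None, "ISP/MOB"
    for net, kind in USAGE_TABLE:
        if addr.version == net.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_kind = net, kind
    return best_kind


@dataclass
class BlockProxyPolicy:
    """Which usage types to refuse, site-wide and per path prefix, plus a
    classic per-IP ACL for comparison."""
    deny_list: set = field(default_factory=set)   # exact IPs (the whack-a-mole ACL)
    site_wide: set = field(default_factory=set)   # usage types blocked everywhere
    by_path: dict = field(default_factory=dict)   # path prefix -> usage types blocked there

    def decide(self, ip: str, path: str) -> tuple:
        """Return (status, reason) for one request."""
        if ip in self.deny_list:
            return 403, "ACL: listed IP"           # generic Forbidden
        kind = usage_type(ip)
        if kind in self.site_wide:
            return 468, f"Block Proxy: {kind}"     # reputation-based block
        for prefix, kinds in self.by_path.items():
            if path.startswith(prefix) and kind in kinds:
                return 468, f"Block Proxy: {kind} under {prefix}"
        return 200, f"allowed ({kind})"


# Constructed policy: block datacenter, TOR and VPN sources everywhere,
# keep search engines out of /admin only, and ACL one known-bad address.
DEMO_POLICY = BlockProxyPolicy(
    deny_list={"198.51.100.10"},
    site_wide={"DCH", "TOR", "VPN"},
    by_path={"/admin": {"SES"}},
)

# Constructed sample requests (client IP, path).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/"),            # home user
    ("198.51.100.10", "/"),          # bot IP already on the ACL
    ("198.51.100.11", "/"),          # same botnet after reprovisioning
    ("198.51.100.200", "/"),         # TOR exit inside the datacenter range
    ("192.0.2.10", "/"),             # crawler on the public site
    ("192.0.2.10", "/admin/login"),  # crawler poking at the admin area
    ("192.0.2.70", "/"),             # VPN egress
    ("2001:db8::1", "/"),            # not in the table: treated as ISP/MOB
]


def run_samples(policy: BlockProxyPolicy = DEMO_POLICY) -> list:
    """Evaluate every sample request; returns [(ip, path, status, reason)]."""
    return [(ip, path, *policy.decide(ip, path)) for ip, path in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for ip, path, status, reason in run_samples():
        print(f"{status} {ip:16} {path:14} {reason}")
```

The interesting rows are the second and third: the listed IP is stopped by the ACL with a plain 403, but the reprovisioned neighbour one address over slips straight past that ACL and is only caught because the whole range carries the DCH usage type. Note also the deliberate fail-open default for addresses the table does not know; whether that is the right choice depends on how much collateral damage a false 468 would do to your users.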
DDoS attacks aren't the only way to misuse the power of cloud computing; here is an example of a DCH IP that has been configured to scan the internet for vulnerable servers.
Senior Application Security Architect, DOSarrest Internet Security