One of my servers was under attack from an IP in China recently (some lame automated SQLi), but I figured I’d blackhole the source IP anyway.
My first step was to blacklist in Dome9, which I use to manage that server’s firewall, but after noticing that the attacks were still hitting my server I remembered that, because I also use Cloudflare, those attacks were getting tunnelled through their network. So the solution (for that particular attack) was to also blacklist the source IP in Cloudflare. When another stupid attack came in a day or so later, I did the same and realised that it would be much easier if I automated the whole process.
So I threw together a Bash script (and then a Python script) that leverages the Cloudflare and Dome9 APIs to submit a given IP address to one or both services.
I’ve put these into my scripts repo on GitHub. Simply insert your Cloudflare and/or Dome9 API keys into the configuration portion of the script and go. Using this you could conceivably automate the whole process: a script on the server auto-detects brute-force-type attacks and calls this script to make the blacklist updates.
Bearing in mind these were very hastily put together, any feedback/improvements are welcome!
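An added example (not the author’s script from the repo) of the same blacklisting flow in Python, written against Cloudflare’s current v4 IP Access Rules API; the zone id and token are placeholders, the Cloudflare edge range list is abbreviated to the 2400:cb00::/32 seen in the host output later on this page, and the Dome9 half is omitted. It also shows the two checks that make automating this safe: recover the real client from CF-Connecting-IP only when the request really came from a Cloudflare edge, and never submit a Cloudflare, loopback or private address (blocking an edge address at the origin would cut off all proxied traffic).

```python
import ipaddress
import json
import urllib.request

# Cloudflare edge ranges. Only the IPv6 /32 from this page's host output is
# listed; in real use load the published lists (cloudflare.com/ips-v4, ips-v6).
CLOUDFLARE_NETS = [ipaddress.ip_network("2400:cb00::/32")]
# Addresses the script must never submit to a blacklist.
NEVER_BLOCK = CLOUDFLARE_NETS + [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def client_ip(peer, headers):
    """Real client behind Cloudflare: trust CF-Connecting-IP only when the TCP
    peer is a Cloudflare edge; from anyone else the header is attacker-controlled."""
    addr = ipaddress.ip_address(peer)
    if any(addr in net for net in CLOUDFLARE_NETS) and headers.get("CF-Connecting-IP"):
        addr = ipaddress.ip_address(headers["CF-Connecting-IP"])  # also validates syntax
    return str(addr)

def blockable(ip):
    """False for Cloudflare edges, loopback, RFC1918/ULA and link-local space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NEVER_BLOCK)

def cloudflare_block_request(zone_id, token, ip, note):
    """Build the Cloudflare v4 'IP Access Rule' POST that blocks one address."""
    body = {"mode": "block", "configuration": {"target": "ip", "value": ip}, "notes": note}
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules"
    return urllib.request.Request(url, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")

def blacklist(peer, headers, zone_id, token, send=urllib.request.urlopen):
    """Resolve the true source, refuse unsafe targets, then submit the rule.
    `send` is injectable so the flow can be exercised without network access."""
    ip = client_ip(peer, headers)
    if not blockable(ip):
        raise ValueError(f"refusing to blacklist {ip}")
    return send(cloudflare_block_request(zone_id, token, ip, "auto-blacklist: SQLi probe"))

if __name__ == "__main__":
    # Constructed sample: the request arrived via a Cloudflare IPv6 edge and the
    # header carries a made-up attacker address; zone id and token are placeholders.
    captured = []
    blacklist("2400:cb00:2048:1::adf5:3c63", {"CF-Connecting-IP": "203.0.113.9"},
              "ZONE_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER", send=captured.append)
    print(captured[0].full_url, captured[0].data.decode())
```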
Update: Now that SOPA has been put on the back burner, the next thing to protest is the Anti-Counterfeiting Trade Agreement (ACTA), an international treaty which could have massive repercussions on the freedom of the internet.
Update 2 (5 July 2012): ACTA rejected by EU :)
Anyone who follows Security Generation will know that I’m a big advocate of civil liberties and freedom in general. The internet is currently a multicultural and multimedia hub of information, ideas, creativity and innovation, and there is a risk this could be irrevocably changed. Granted there is also a lot of crap on the internet, but freedom works both ways. Whilst the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) intend to reduce piracy on the net, in reality they would hand vast amounts of power over to industry copyright holders, who would then have the ability to have sites blocked and content taken down, inhibit free speech and bring . For more information about all of this, check out this good summary article.
Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition, including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censoring) parts of their sites and educating users about the danger of American censorship.
If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.
This is my favorite anti-SOPA song so far: http://vimeo.com/31100268
CloudFlare’s newly announced IPv6 support brings much more than just the ability to provide their caching and security features to IPv6-based websites. A few weeks ago CloudFlare co-founder Matthew Prince cryptically announced that they were working on a new groundbreaking feature. Whilst IPv6 is a great addition, IPv6 support alone is not what makes this new feature as cool as it is.
The main issue with IPv6 today is not the fact that ISPs haven’t made the switch yet – this will be a fairly simple process – but rather that most websites themselves don’t yet support IPv6. This is one of the main reasons why ISPs don’t want to go full IPv6 – most content would be inaccessible to their customers. What CloudFlare have done is to make all current IPv4 CloudFlare-enabled sites accessible to IPv6-only clients, even if those websites don’t have IPv6 addresses. Because CloudFlare acts as a proxy, they simply add their own IPv6 address to the DNS of CloudFlare-enabled sites, allowing them to receive requests for those sites. Now all they have to do is serve up exactly the same cached content and, for everything else, proxy the request over IPv4 to the origin. To make things even better, it works both ways, allowing IPv4-only clients to access IPv6-only websites, and vice versa.
CloudFlare lets you choose between two options: Full Mode, which will enable IPv6 on all subdomains that are CloudFlare-enabled, or Safe Mode, which will automatically create specific IPv6-only subdomains (e.g. www.ipv6.yoursite.com). You do not need to change any of your DNS settings. After it is up and running, you can test your IPv6 compatibility and get a badge for your site (mine’s at the bottom of the page).
I was able to take part in CloudFlare’s beta for this new feature and it works great. As you can see from the Security Generation host information below, on top of CloudFlare’s two IPv4 IPs, they’ve now added two IPv6 IPs.
securitygeneration.com has address 126.96.36.199
securitygeneration.com has address 188.8.131.52
securitygeneration.com has IPv6 address 2400:cb00:2048:1::adf5:3c63
securitygeneration.com has IPv6 address 2400:cb00:2048:1::c71b:8720
The IPv6 transition can now go ahead… Security Generation will be available when we get there ;)
As of today all CloudFlare members can enable IPv6 support on the Settings page for the relevant domain(s). To enable ‘Automatic IPv6’ on your site, log in to CloudFlare.com > My websites > Settings (pull-down menu) > CloudFlare Settings > Automatic IPv6: On.
Hit the jump to see CloudFlare’s funky new IPv6 infographic.