mapsedge: (scowl)
[personal profile] mapsedge
Regarding Subnet Masks:

We're getting some SQL injection attacks through our websites from someone in China, specifically (today) 219.135.103.53.  Our system is written to be resistant to that sort of thing but because I'm a vindictive bastard, and because I'm tired of my Inbox being full of notifications of "un-runnable queries", I use IIS to block access by IP.


What I'd like to do now is use a subnet mask and just block everything from 219.135.0.0  up to 219.135.255.255. 

Am I correct to set the IP to 219.135.0.0 and the subnet mask to 0.0.255.255...?

EDIT: SORRY.  Subnet mask is 255.255.0.0

I've tried to make sense of the documentation - and kinda do within the amount of time I have to do so - and used an online calculator to arrive here.  I just want to confirm it because I'm the only guy on this friggin' boat with a hand in the engine.

Date: 2007-10-19 14:58 (UTC)
From: [identity profile] sacristan.livejournal.com
Depends on if you're using a Cisco or not. The above is fine for a Cisco ACL.

Date: 2007-10-19 14:59 (UTC)
From: [identity profile] sacristan.livejournal.com
For IIS, change the subnet mask to 255.255.0.0.
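The two mask styles mentioned in this thread can be checked side by side. The following is an added example, not part of the original post or comments: `blocked_range` shows the range that 219.135.0.0 covers with either mask form, and `literal_match` models a filter that applies the mask bit for bit as a subnet mask (an assumption for illustration, not a statement about IIS internals). The function names and the 10.1.0.0 test address are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def mask_kind(mask: str) -> str:
    """Classify a dotted mask: 'netmask' (255.255.0.0) or 'wildcard' (0.0.255.255)."""
    m = _to_int(mask)
    inv = m ^ ALL_ONES
    if (inv & (inv + 1)) == 0:    # ones then zeros: ordinary subnet mask
        return "netmask"
    if (m & (m + 1)) == 0:        # zeros then ones: inverted (wildcard) mask
        return "wildcard"
    raise ValueError(f"{mask} is not a contiguous mask")

def blocked_range(address: str, mask: str):
    """Return (kind, first, last, count) for the block an address/mask pair is meant to cover."""
    kind = mask_kind(mask)
    netmask = _to_int(mask) if kind == "netmask" else _to_int(mask) ^ ALL_ONES
    prefix = bin(netmask).count("1")
    # strict=True raises ValueError if the address has bits set outside the prefix
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=True)
    return kind, str(net[0]), str(net[-1]), net.num_addresses

def literal_match(client_ip: str, address: str, mask: str) -> bool:
    """Subnet-mask semantics applied bit for bit: compare only the bits set in the mask."""
    m = _to_int(mask)
    return (_to_int(client_ip) & m) == (_to_int(address) & m)

if __name__ == "__main__":
    attacker = "219.135.103.53"   # address quoted in the post
    for mask in ("255.255.0.0", "0.0.255.255"):
        print(mask, blocked_range("219.135.0.0", mask),
              "attacker matched as subnet mask:",
              literal_match(attacker, "219.135.0.0", mask))
    # Constructed, unrelated address: it matches when 0.0.255.255 is read as a
    # subnet mask, because only the last two octets are then compared.
    print("10.1.0.0 matched:", literal_match("10.1.0.0", "219.135.0.0", "0.0.255.255"))
```

Read as a subnet mask, 0.0.255.255 compares only the last two octets, so the entry would miss 219.135.103.53 and instead match every address ending in .0.0.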

Wha??

Date: 2007-10-19 14:59 (UTC)
From: [identity profile] cobracao.livejournal.com
This doesn't look right. I don't think that will work the way you are expecting. It is also highly possible that you would end up blocking a lot more than you would expect.
The Subnet masks should be used merely to limit the scope of your network.

It seems to me you should be able to more simply block the range of IP Addresses that are giving you problems. That would be the safest bet...

Re: Wha??

Date: 2007-10-19 16:05 (UTC)
From: [identity profile] billthetailor.livejournal.com
Sorry. Had my zeros and 255s mixed up. Got it worked out.

Re: Wha??

Date: 2007-10-20 01:57 (UTC)
From: [identity profile] thebruce.livejournal.com
I should give you my list. Blocks everything from China and Korea, and most of India and a lot of Eastern Europe.

You'll find that access lists (IP Security) on IIS eat processor, which is fine if you've got it to spare, but the right way to do that is with either a firewall or with an ACL on a router. Or a combination of both, if you happen to have a Cisco router with a firewalling IOS.

Wikipedia used to have a rather educational article on subnetting and subnet masks.

Re: Wha??

Date: 2007-10-21 16:26 (UTC)
From: [identity profile] billthetailor.livejournal.com
Unfortunately we don't have control of our router, although our ISP might be willing to set up the entries for us. I'll email them and see; in the meantime, yes, please, I would love to have the list.
