How to block traffic coming from known malicious IP addresses
Solution

Table of Contents:

  1. Background
  2. Known Limitations
  3. How to block traffic from custom IP feeds (managed from Management Server)
  4. How to block traffic from known TOR Exit Nodes
  5. How to monitor
  6. Related solutions

 

(1) Background

This article describes a mechanism to block traffic coming from known malicious IP addresses:

  • Based on the list of known malicious IP addresses
  • Based on the list of known TOR Exit Nodes

The traffic is blocked using the Anti-DoS feature (named "Rate Limiting for DoS mitigation" in R77.X Security Gateway Technical Administration Guide - refer to sk112454 - How to configure Rate Limiting rules for DoS Mitigation).

This mechanism is supported on Security Gateways R77 and above.

Check Point's Security Intelligence maintains a list of IP addresses known as TOR Exit Nodes.
The Security Gateway queries Check Point's ThreatCloud and blocks all traffic from these source IP addresses (Check Point updates these lists periodically).

 

(2) Known Limitations

  • Supported on Security Gateway running Gaia OS only.
  • Security Gateway behind a proxy is supported only with the modified scripts from
    section "(3) How to block traffic from custom IP feeds (managed from Management Server)".

 

(3) How to block traffic from custom IP feeds (managed from Management Server)

The Security Gateway R77 and above is able to block IP addresses given by custom IP feeds with automatic updates.
This feature can also be managed centrally from the Security Management Server.

Feeds will be downloaded and updated by the Security Gateway (using the proxy, if configured) every 20 minutes. A control log will be sent when updating the rules.

When blocking an IP address from the feed, a log will be shown in SmartLog with "Action" field saying Drop and with "Information" field saying "SecureXL message: Quota Violation".

Procedure (All these steps must be performed on the Management Server):

  1. Prepare a plain text file that contains a list of Security Gateways / each Cluster Member (R77 and above) that should perform this enforcement (denoted below as <gw_list_file>):

    • Each line should contain a name or IP address of the Security Gateway / each Cluster Member object
    • For comments, use the pound character (#) at the beginning of a line.
  2. Prepare a plain text file that contains a list of URLs (feeds), from which Security Gateways / each Cluster Member will download the IP addresses that should be blocked - e.g., https://secureupdates.checkpoint.com/IP-list/TOR.txt (this file is denoted below as <feed_file>):

    • Each line should contain a single complete URL
    • For comments, use the pound character (#) at the beginning of a line.
    Notes:
    • The IP feeds should contain one IP address (IPv4 or IPv6), or a range of IP addresses (e.g., 172.23.42.2-172.23.42.15) per line.
    • For comments, use the pound character (#) at the beginning of a line.
  3. (Optional) Prepare a plain text file that contains a list of IP addresses (in the IP-feed format mentioned above)
    that should be bypassed (denoted below as <bypass_file>).
    Even if the custom feeds contain those IP addresses, they will be excepted and bypassed.

  4. Download these shell scripts (ip_block_sk103154.tar).

  5. Transfer these shell scripts to the Management Server (into some directory, e.g., /some_path_to_scripts/).

  6. Connect to the command line on the Management Server.

  7. Log in to the Expert mode.

  8. Unpack the shell scripts:

    [Expert@HostName:0]# cd /some_path_to_scripts/
    [Expert@HostName:0]# tar -xvf ip_block_sk103154.tar
  9. Assign the execute permission:

    [Expert@HostName:0]# chmod -v u+x ip_block*
  10. Use the ip_block_activate.sh script to manage the Security Gateways / each Cluster Member:

    [Expert@HostName:0]# ./ip_block_activate.sh -a <on|off|stat|allow> [-g <gw_list_file>] [-b <bypass_file>] [-f <feed_file>] [-s /full_path_to/ip_block.sh]

    Important Note: When executing the ip_block_activate.sh script for the first time, you must also use the "-s /full_path_to/ip_block.sh" argument.

    Where:

    -a on
        Activates blocking of the IP addresses in the feeds on each Security Gateway specified in the <gw_list_file>.
    -a off
        Stops blocking the IP addresses in the feeds on each Security Gateway specified in the <gw_list_file>.
    -a stat
        Prints the feature status for each Security Gateway specified in the <gw_list_file>.
    -a allow
        Activates bypass for the given IP addresses, even if they are on the blocking feeds, on each Security Gateway specified in the <gw_list_file>.
    -a delete_bypass
        Deactivates the bypass list on each Security Gateway specified in the <gw_list_file>.
    -g <gw_list_file>
        Specifies a plain text file that contains a list of Security Gateways / each Cluster Member that should perform this enforcement.
    -b <bypass_file>
        Specifies a list of IP addresses that should be bypassed on each Security Gateway / each Cluster Member specified in the <gw_list_file>.
    -f <feed_file>
        Specifies a plain text file that contains a list of URLs (feeds), from which to download the IP addresses that should be blocked on each Security Gateway / each Cluster Member specified in the <gw_list_file>.
        For example: https://secureupdates.checkpoint.com/IP-list/TOR.txt
    -s /full_path_to/ip_block.sh
        Specifies the full path to the ip_block.sh script, to copy it to each Security Gateway / each Cluster Member specified in the <gw_list_file>.
        Important Note: You must use this argument when executing the ip_block_activate.sh script for the first time.

Examples:

  • To start the feature:

    [Expert@HostName:0]# ip_block_activate.sh -a on -g gw_list.txt -f feeds_list.txt [-s /full_path_to/ip_block.sh]
  • To stop the feature:

    [Expert@HostName:0]# ip_block_activate.sh -a off -g gw_list.txt
  • To bypass IP addresses (add an exception list):

    [Expert@HostName:0]# ip_block_activate.sh -a allow -g gw_list.txt -b bypass_file.txt
  • To remove the IP bypass list:

    [Expert@HostName:0]# ip_block_activate.sh -a delete_bypass -g gw_list.txt
  • To check if feature is active on the specified Security Gateways:

    [Expert@HostName:0]# ip_block_activate.sh -a stat -g gw_list.txt
  • To see the relevant logs:

    [Expert@HostName:0]# cat $FWDIR/log/ip_block_activate.log
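As an added example (not part of this article or of the Check Point scripts it ships), the following bash functions check a feed in the IP-feed format described in step 2 (one IPv4/IPv6 address or IPv4 range per line, "#" starting a comment line) and remove the entries listed in a <bypass_file> before they would be blocked, so a malformed or self-blocking feed can be caught on the Management Server before the 20-minute update picks it up. The IPv6 syntax check is deliberately loose and the sample feed and bypass files are constructed, both assumptions of this example.

```bash
#!/bin/bash
# Added example, not part of sk103154 or the Check Point scripts it ships:
# validates a <feed_file>-style IP list (one IPv4/IPv6 address or IPv4 range per line,
# '#' starts a comment line) and drops entries that also appear in a <bypass_file>.

ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
# Assumption of this example: IPv6 is only checked loosely (hex digits, colons, dots).
ipv6_re='^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$'

# is_feed_entry ENTRY -> exit 0 if ENTRY is a valid feed line, 1 otherwise.
is_feed_entry() {
  local e="$1" a b o
  if [[ "$e" =~ $ipv4_re ]]; then
    local IFS=.
    for o in $e; do (( 10#$o <= 255 )) || return 1; done   # 10# avoids octal errors on "08"
    return 0
  fi
  [[ "$e" =~ $ipv6_re ]] && return 0
  if [[ "$e" == *-* ]]; then            # IPv4 range, e.g. 172.23.42.2-172.23.42.15
    a=${e%%-*}; b=${e#*-}
    [[ "$a" =~ $ipv4_re && "$b" =~ $ipv4_re ]] && is_feed_entry "$a" && is_feed_entry "$b" && return 0
  fi
  return 1
}

# filter_feed FEED_FILE [BYPASS_FILE] -> prints the entries that would be blocked,
# skipping comment/blank lines, invalid entries (reported on stderr) and bypassed ones.
filter_feed() {
  local feed="$1" bypass="${2:-/dev/null}" line entry
  while IFS= read -r line || [[ -n "$line" ]]; do
    entry="${line//[[:space:]]/}"       # also drops a CR left behind by a Windows editor
    [[ -z "$entry" || "$entry" == \#* ]] && continue
    if ! is_feed_entry "$entry"; then
      echo "feed: skipping invalid entry '$entry'" >&2; continue
    fi
    grep -qxF -- "$entry" "$bypass" && continue   # exact match against the bypass list
    printf '%s\n' "$entry"
  done < "$feed"
}

# Constructed sample feed and bypass files (not real threat data) to show the filter.
demo() {
  local d; d=$(mktemp -d)
  printf '# constructed feed\n192.0.2.9\n198.51.100.7\n300.1.1.1\n2001:db8::1\n172.23.42.2-172.23.42.15\n' > "$d/feed.txt"
  printf '192.0.2.9\n' > "$d/bypass.txt"
  filter_feed "$d/feed.txt" "$d/bypass.txt"
  rm -rf "$d"
}
demo
```

The demo prints the three valid, non-bypassed entries and reports 300.1.1.1 on stderr; the functions can be pointed at the real <feed_file> targets and <bypass_file> instead.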

 

(4) How to block traffic from known TOR Exit Nodes

Important Notes:

  • It is recommended to use the solution from section "(3) How to block traffic from custom IP feeds (managed from Management Server)" with the Check Point's feed database https://secureupdates.checkpoint.com/IP-list/TOR.txt.
  • The Check Point's feed database https://secureupdates.checkpoint.com/IP-list/TOR.txt is a best-effort database only.
    In order to block access completely, Application Control blade and HTTPS Inspection must be enabled on the Security Gateway / Cluster.

TOR networks are deployed worldwide in order to keep their users anonymous. This is usually the stepping stone for suspicious/malicious web activity or anonymous server fingerprinting.

  • On Security Gateway R77.30 and above

    1. Create a copy of the current $CPDIR/bin/IP-blacklist.sh script:

      [Expert@HostName:0]# cp -v $CPDIR/bin/IP-blacklist.sh $CPDIR/bin/IP-blacklist-TOR.sh
    2. Modify the default values in the $CPDIR/bin/IP-blacklist-TOR.sh script:

      1. Edit the $CPDIR/bin/IP-blacklist-TOR.sh script:

        [Expert@HostName:0]# vi $CPDIR/bin/IP-blacklist-TOR.sh
      2. Modify Line #3:

        from: url="https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt"
        to: url="https://secureupdates.checkpoint.com/IP-list/TOR.txt"
      3. Modify Line #5:

        from: comment="threatcloud_ip_block"
        to: comment="threatcloud_TOR_block"
      4. Save the changes and exit from Vi editor.

    3. Create a copy of the current $CPDIR/bin/ip_block.sh script:

      [Expert@HostName:0]# cp -v $CPDIR/bin/ip_block.sh $CPDIR/bin/ip_block_TOR.sh
    4. Modify the default values in the $CPDIR/bin/ip_block_TOR.sh script:

      1. Edit the $CPDIR/bin/ip_block_TOR.sh script:

        [Expert@HostName:0]# vi $CPDIR/bin/ip_block_TOR.sh
      2. Modify Line #15:

        from: echo "$(date): Starting" >> $FWDIR/log/ip_block.log
        to: echo "$(date): Starting" >> $FWDIR/log/ip_block_TOR.log
      3. Modify Line #19:

        from: $CPDIR/bin/cpd_sched_config add ip_block -c "$CPDIR/bin/IP-blacklist.sh" -e 1200 -r -s
        to: $CPDIR/bin/cpd_sched_config add ip_block_TOR -c "$CPDIR/bin/IP-blacklist-TOR.sh" -e 1200 -r -s
      4. Modify Line #20:

        from: echo "ip_block: Known malicious IP blocking mechanism is ON"
        to: echo "ip_block_TOR: Known TOR Exit Nodes blocking mechanism is ON"
      5. Modify Line #24:

        from: $CPDIR/bin/cpd_sched_config delete ip_block -r
        to: $CPDIR/bin/cpd_sched_config delete ip_block_TOR -r
      6. Modify Line #26:

        from: echo "ip_block: Known malicious IP blocking mechanism is OFF"
        to: echo "ip_block_TOR: Known TOR Exit Nodes blocking mechanism is OFF"
      7. Modify Line #30:

        from: cpd_sched_config print | awk 'BEGIN{res="OFF"}/Task/{flag=0}/ip_block/{flag=1}/Active: true/{if(flag)res="ON"}END{print "ip_block: Known malicious IP blocking mechanism status is "res}'
        to: cpd_sched_config print | awk 'BEGIN{res="OFF"}/Task/{flag=0}/ip_block_TOR/{flag=1}/Active: true/{if(flag)res="ON"}END{print "ip_block_TOR: Known TOR Exit Nodes blocking mechanism status is "res}'
      8. Modify Lines #34-39:

        from: echo 'Usage:'
        echo '  ip_block.sh <option>'
        echo 'Option:'
        echo '  on: blocks malicious IPs'
        echo '  off: stops malicious IPs blocking'
        echo '  stat: prints the status of malicious IP blocking'
        to: echo 'Usage:'
        echo '  ip_block_TOR.sh <option>'
        echo 'Option:'
        echo '  on: blocks Known TOR Exit Nodes'
        echo '  off: stops Known TOR Exit Nodes blocking'
        echo '  stat: prints the status of Known TOR Exit Nodes blocking'
      9. Modify Line #45:

        from: echo "ip_block: This utility is supported on GAIA Security Gateway only"
        to: echo "ip_block_TOR: This utility is supported on GAIA Security Gateway only"
      10. Save the changes and exit from Vi editor.

      11. Manually execute this script:

        [Expert@HostName:0]# ip_block_TOR.sh { on | off | stat }

        where:

        on      Enables TOR Exit Nodes block
        off     Disables TOR Exit Nodes block (default state)
        stat    Displays the current state of TOR Exit Nodes block
  • On Security Gateway R77 / R77.10 / R77.20

    1. Download the relevant shell script:

      • In case your Security Gateway connects directly to the Internet (without a proxy), download the IP-blacklist.sh script.

      • For Security Gateways that connect to the Internet via a proxy, a script will be available soon.

    2. Transfer the script to the Security Gateway (into some directory, e.g., /some_path_to_script/).

    3. Rename the script from IP-blacklist.sh to a desired name (e.g., IP-blacklist-TOR.sh):

      [Expert@HostName:0]# cd /some_path_to_script/
      [Expert@HostName:0]# mv -v IP-blacklist.sh IP-blacklist-TOR.sh
    4. Assign the required permissions:

      [Expert@HostName:0]# chmod -v 750 IP-blacklist-TOR.sh
    5. Run the dos2unix command:

      [Expert@HostName:0]# dos2unix IP-blacklist-TOR.sh
    6. Modify the default values in the IP-blacklist-TOR.sh script:

      1. Edit the IP-blacklist-TOR.sh script:

        [Expert@HostName:0]# vi IP-blacklist-TOR.sh
      2. Modify Line #3:

        from: url="https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt"
        to: url="https://secureupdates.checkpoint.com/IP-list/TOR.txt"
      3. Modify Line #5:

        from: comment="IP-blacklist"
        to: comment="IP-blacklist-TOR"
      4. Modify Line #17:

        from: echo "$(date): Starting" >> $FWDIR/log/IP-blacklist.log
        to: echo "$(date): Starting" >> $FWDIR/log/IP-blacklist-TOR.log
      5. Save the changes and exit from Vi editor.

    7. Copy the script into the $CPDIR/bin/ directory:

      [Expert@HostName:0]# cp -v IP-blacklist-TOR.sh $CPDIR/bin/
    8. Manually execute this script in the background:

      [Expert@HostName:0]# IP-blacklist-TOR.sh &
    9. You can configure Check Point WatchDog process to monitor and invoke this script automatically if it stops:

      • In the current uptime session only:

        Run:

        [Expert@HostName:0]# cpwd_admin start -name IP_BLACKLIST_TOR -path $CPDIR/bin/IP-blacklist-TOR.sh -command IP-blacklist-TOR.sh & > /dev/null

      • During each boot:

        1. Backup the current $FWDIR/bin/fwstart script:

          [Expert@HostName:0]# cp -v $FWDIR/bin/fwstart{,_ORIGINAL}
        2. Edit the current $FWDIR/bin/fwstart script:

          [Expert@HostName:0]# vi $FWDIR/bin/fwstart
        3. Add the following command - below the line that contains the string "CI_CLEANUP":

          Important Note: Perform these steps with extra care.

          cpwd_admin start -name IP_BLACKLIST_TOR -path $CPDIR/bin/IP-blacklist-TOR.sh -command IP-blacklist-TOR.sh

      To disable the Check Point WatchDog monitoring of this script:

      • In the current uptime session only:

        Run:

        [Expert@HostName:0]# cpwd_admin stop -name IP_BLACKLIST_TOR

      • During each boot:

        1. Backup the current $FWDIR/bin/fwstart script:

          [Expert@HostName:0]# cp -v $FWDIR/bin/fwstart{,_with_IP_BLACKLIST_TOR}
        2. Edit the current $FWDIR/bin/fwstart script:

          [Expert@HostName:0]# vi $FWDIR/bin/fwstart
        3. Delete the following line:

          Important Note: Perform these steps with extra care.

          cpwd_admin start -name IP_BLACKLIST_TOR -path $CPDIR/bin/IP-blacklist-TOR.sh -command IP-blacklist-TOR.sh

 

(5) How to monitor

  • To monitor the list of blocked IP address indicators:

    1. Connect to the command line on the Security Gateway.

    2. Log in to the Expert mode.

    3. Get the current rate limiting policy:

      [Expert@HostName:0]# fw samp get | grep threatcloud_ip_block
    4. In SmartView Tracker, search for:

      Comment = threatcloud_ip_block

      The source IP address is in:
      Information attribute - Source field.

  • To monitor the list of blocked TOR nodes address indicators:

    1. Connect to the command line on the Security Gateway.

    2. Log in to the Expert mode.

    3. Get the current rate limiting policy:

      [Expert@HostName:0]# fw samp get | grep threatcloud_TOR_block
    4. In SmartView Tracker, search for:

      Comment = threatcloud_TOR_block

      The source IP address is in:
      Information attribute - Source field.

  • To monitor the blocked IP addresses:

    In SmartView Tracker, search for "SecureXL message: Quota violation".

    The text "SecureXL message: Quota violation" in the logs is not specific to the IP Block feature. It is also produced by the Rate Limiting for DoS mitigation feature described in the R77.X Security Gateway Technical Administration Guide - refer to sk112454 - How to configure Rate Limiting rules for DoS Mitigation.

 
