AWS Network ACLs to block IP or Subnet

AWS provides many tools for securing VPCs and, more generally, resources within them.

The most common way to protect EC2 instances from external network access is AWS security groups. They are stateful and let you manage which ports and protocols can reach an EC2 instance, but they do not let you block a specific IP address or subnet that tries to connect to it, for example as a result of an attack or unlawful conduct.

For this AWS provides network ACLs (NACLs), which are stateless and allow, among other things, filtering by source IP address or subnet within the VPC on which they are defined.

In this article we won’t provide a complete guide to NACLs, but rather we’ll just show how to use them to temporarily block traffic from a source IP or from a subnet.

We have prepared a simple script that, given an IP address and a region, lets you filter either the single IP or the whole prefix announced for routing (as reported by RIPE).

This script therefore lets you quickly block an IP address or a subnet that is, for example, sending abnormal traffic to your services. Obviously it is not meant to be the definitive solution, but only a temporary tool that blocks the source of an anomaly so that a thorough network forensics activity can then be carried out.
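The author's script is not reproduced on this page, so the following is an added example (not the original code) of the same idea: given an IP and a region, add a deny rule for that host or for its announced prefix to a NACL. It assumes boto3 is installed, that the RIPEstat `prefix-overview` endpoint returns the covering prefix under `data.resource`, and that the caller supplies the NACL id. The part a practitioner most easily gets wrong is the rule number: NACL rules are evaluated in ascending order and the first match wins, so a deny placed above the default allow (rule 100) does nothing.

```python
"""Temporarily deny a source IP, or its announced prefix, in a VPC network ACL."""
import ipaddress
import json
import urllib.request

RIPESTAT = "https://stat.ripe.net/data/prefix-overview/data.json?resource="  # assumed endpoint

def announced_prefix(ip):
    """Ask RIPEstat which routed prefix covers `ip` (needs network access)."""
    with urllib.request.urlopen(RIPESTAT + ip, timeout=10) as resp:
        data = json.load(resp)["data"]
    if not data.get("announced"):
        raise RuntimeError(f"{ip} is not covered by an announced prefix")
    return data["resource"]

def target_cidr(ip, whole_prefix=False, lookup=announced_prefix):
    """Validate the address and return a /32 host route or its BGP prefix."""
    addr = ipaddress.ip_address(ip)  # rejects anything that is not an address
    if addr.version != 4:
        raise ValueError("IPv6 needs Ipv6CidrBlock instead; not handled here")
    if not whole_prefix:
        return f"{addr}/32"
    net = ipaddress.ip_network(lookup(ip), strict=False)
    if net.prefixlen < 8:  # a huge aggregate would cut off far more than the abuser
        raise ValueError(f"refusing to deny {net}: prefix too broad")
    return str(net)

def pick_rule_number(entries, egress=False):
    """Lowest free number below the first allow rule in this direction, so the
    deny is evaluated (and matched) before any allow; 32767 is the default deny."""
    same_dir = [e for e in entries if e["Egress"] == egress and e["RuleNumber"] != 32767]
    used = {e["RuleNumber"] for e in same_dir}
    first_allow = min((e["RuleNumber"] for e in same_dir
                       if e["RuleAction"] == "allow"), default=100)
    for n in range(1, first_allow):
        if n not in used:
            return n
    raise RuntimeError("no free rule number below the first allow rule")

def deny_entry(acl_id, cidr, rule_number, egress=False):
    """Keyword arguments for ec2.create_network_acl_entry: all protocols, deny."""
    return dict(NetworkAclId=acl_id, RuleNumber=rule_number, Protocol="-1",
                RuleAction="deny", Egress=egress, CidrBlock=cidr)

def block(acl_id, ip, region, whole_prefix=False):
    import boto3  # imported here so the helpers above stay usable without it
    ec2 = boto3.client("ec2", region_name=region)
    entries = ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"][0]["Entries"]
    params = deny_entry(acl_id, target_cidr(ip, whole_prefix), pick_rule_number(entries))
    ec2.create_network_acl_entry(**params)  # inbound only; NACLs are stateless
    return params
```

Because NACLs are stateless, this only stops packets coming in from the source; record the rule number returned so the entry can be deleted once the forensics work is done.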

That’s all folks!

Loreno Edelmondo