IP blacklist on Windows

There’s probably a better way to do this – if you know of one, please comment on this post. I have a pretty high opinion of myself, but I’m not so stubborn as to think I already know the best way to do everything.

Firewall options for a Windows server are kind of sparse. I’ve heard good things about ZoneAlarm, but haven’t used it myself. I tend to believe that any OS worth running should provide the ability to blacklist an IP. Windows Firewall is nice for closing off a few ports, but realistically it’s not a competent firewall. It has no capacity to whitelist or blacklist an IP. Don’t start ranting at me about how you can change the scope of an open port so only certain subnets can access a server – that’s not a blacklist or a whitelist, it’s port-filtering.

So, assume your server’s Remote Desktop service is getting brute-forced by 10.0.0.5. How do you block the attacker? You could find and install some third-party software, but that’s annoying. You could enable Windows Firewall and open port 3389, then change the scope to only allow your office network, but then what if you want to connect from home, or your DHCP lease runs out, or you forget to open a different important port (53/tcp for example, which would break all your domain keys and SPF records)? Face it: Windows Firewall is good at what it does, but it doesn’t do enough to be useful. Here’s a method that will effectively blacklist that pesky 10.0.0.5 attacker:

First get some leg-work out of the way. You’ll only need to do this the first time:

  • Open up “Add Hardware” from the Control Panel.
  • Tell the wizard that you’ve already connected the hardware.
  • Select “Add a new hardware device” from the bottom of the list.
  • Install manually by selecting from a list.
  • Network adapters.
  • Microsoft -> Microsoft Loopback Adapter

Installed? Good. You’ll never have to do that again.

Now we get into the steps you need to take for every IP you want to block.

Open Network Connections from your Control Panel. There will be a new one there with the device name “Microsoft Loopback Adapter”. You can change its name from “Local Area Connection 4” to something meaningful (Loopback, perhaps?) if you’d like.

Note: During the next paragraph, Windows might insist you need to reboot for changes to take effect. Windows is lying.

Open it up and set its IP to 10.0.0.5 and the netmask to 255.255.255.0. Leave everything else blank. Yes, this will block 255 addresses, and not just 10.0.0.5. To block only 10.0.0.5, we’d have to use the netmask 255.255.255.255, and Windows won’t let you do that. Go ahead and try it. I’ll wait.

.

. .

. . .

Didn’t work, did it? Told you. Why not? Probably because Windows thinks it’s smarter than you. Don’t get mad – it’s probably right. Here’s how to be smarter than Windows:

Start -> Run -> regedit

  • HKEY_LOCAL_MACHINE
  • SYSTEM
  • CurrentControlSet
  • Services
  • Tcpip
  • Parameters
  • Interfaces

Find the folder (“key”) that contains a REG_MULTI_SZ with the name “IPAddress” and the value “10.0.0.5”. In this folder (“key”), you’ll need to edit the REG_MULTI_SZ with the name “SubnetMask”, and change “255.255.255.0” to “255.255.255.255”.

Close regedit before you break something.

Open Network Connections from Control Panel. Right-click on “Loopback” (you did change the name, right?) and select Disable. Right-click again and select Enable. Now you’re done. Open up a command prompt and type “ipconfig” if you want verification that the subnet mask is now 255.255.255.255. While you’re there, run “netstat -ano” and marvel at the lack of connections to RDP from 10.0.0.5. Congratulations, you “blacklisted” an IP in Windows.
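The same registry edit and adapter bounce, scripted so you don’t have to hunt through interface GUIDs by hand each time. This is an added example, not code from the original post. It assumes you renamed the loopback connection to “Loopback”, that you already set the blocked address on it through the GUI with mask 255.255.255.0, and that you run it from an elevated PowerShell prompt. It refuses to guess if more than one interface key carries the address, and it verifies from `ipconfig` and `route print` rather than trusting the registry write.

```powershell
# Added example (not from the original post): automate the SubnetMask edit above.
# Assumptions: the loopback connection is named "Loopback" and already carries
# $BlockIp with mask 255.255.255.0 from the GUI. Run from an elevated prompt.
param(
    [string]$BlockIp     = '10.0.0.5',   # address set on the loopback adapter
    [string]$AdapterName = 'Loopback'    # name you gave the connection
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

# Each interface GUID is a subkey; find the one whose IPAddress list holds $BlockIp.
$match = Get-ChildItem $base | Where-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $props.IPAddress -contains $BlockIp
}
if (-not $match) { throw "No interface key carries IPAddress $BlockIp; set it in the GUI first." }
if (@($match).Count -gt 1) { throw "More than one interface key carries $BlockIp; refusing to guess." }

# Show the current mask so the change is visible in the transcript.
$before = (Get-ItemProperty -Path $match.PSPath).SubnetMask
Write-Host "Key:          $($match.PSChildName)"
Write-Host "Mask before:  $before"

# Replace the REG_MULTI_SZ with the single /32 mask the GUI refuses to accept.
Set-ItemProperty -Path $match.PSPath -Name 'SubnetMask' -Type MultiString `
    -Value ([string[]]@('255.255.255.255'))

# Bounce the adapter so TCP/IP re-reads the key (netsh works on old and new Windows).
netsh interface set interface name="$AdapterName" admin=disabled | Out-Null
Start-Sleep -Seconds 2
netsh interface set interface name="$AdapterName" admin=enabled  | Out-Null
Start-Sleep -Seconds 2

# Verify from the live stack rather than trusting the registry write.
$line = ipconfig | Select-String -Pattern '255\.255\.255\.255'
if ($line) {
    Write-Host "Mask after:   255.255.255.255 (confirmed by ipconfig)"
} else {
    Write-Warning "ipconfig does not show a /32 mask yet; re-check the adapter state."
}

# The host route is the actual mechanism: replies to $BlockIp must now land on-link.
route print | Select-String -Pattern ([regex]::Escape($BlockIp))
```

Save it as a `.ps1` and call it with `-BlockIp` for each address you want to blackhole; the `route print` line at the end should show the address with a 255.255.255.255 mask pointing at the loopback interface rather than at your gateway.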

Why does this work?

For the system at 10.0.0.5 to attempt a login to RDP on your server, it needs to first establish a TCP connection. That means they send a SYN to port 3389, you send a SYNACK back to them, then they send an ACK, at which point a connection comes into existence. By binding the IP locally, your server creates a new route for traffic destined to 10.0.0.5. Traffic to this IP used to fall on your default gateway, and go out to the internet. Now traffic to the IP goes to your loopback adapter.

So, 10.0.0.5 sends you a SYN. Your public adapter receives this SYN and sends a SYNACK to 10.0.0.5, which gets caught by the new route and this SYNACK goes to your loopback adapter.

Your loopback adapter receives a SYNACK for which it sent no SYN, which means someone is violating TCP/IP protocol. Instead of building a connection, your loopback adapter sends a RESET back to your public adapter. The loopback adapter now washes its hands of this nonsense.

The public adapter receives a RESET, but was expecting an ACK. This means something, somewhere, went horribly wrong. The public adapter, having failed to establish a connection, forgets any of this ever happened.

The server at 10.0.0.5, having sent a SYN and never receiving anything in response, eventually gives up. When the attacker notices all these TCP timeouts, he/she assumes you have blocked their IP on a firewall.
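To make the routing part of this concrete, here is a small longest-prefix-match lookup over two constructed routing tables: the one you get after the GUI step (255.255.255.0, so all of 10.0.0.0/24 is on-link via the loopback adapter) and the one you get after the registry fix (a /32 host route). This is an added example, not part of the original post; the table entries, the gateway label and the 10.0.0.77 and 198.51.100.9 peers are placeholders for illustration. It shows why the SYN/ACK for 10.0.0.5 is captured in both cases, and why a legitimate neighbour in the same /24 is only collateral damage before the fix.

```powershell
# Added example (not part of the original post): where does the SYN/ACK go?
# Routing tables below are constructed; interface/gateway labels are placeholders.

function ConvertTo-Int64Ip([string]$Dotted) {
    # Dotted quad -> unsigned 32-bit value held in an int64 (avoids sign issues).
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-MaskFromPrefix([int]$Length) {
    # /24 -> 0xFFFFFF00, /32 -> 0xFFFFFFFF, /0 -> 0
    $all = [int64][uint32]::MaxValue
    return ($all -shl (32 - $Length)) -band $all
}

function Find-Route([object[]]$Table, [string]$Destination) {
    # Longest-prefix match: the most specific entry covering $Destination wins.
    $dst  = ConvertTo-Int64Ip $Destination
    $best = $null
    foreach ($r in $Table) {
        $mask = Get-MaskFromPrefix $r.PrefixLen
        if (((ConvertTo-Int64Ip $r.Network) -band $mask) -eq ($dst -band $mask)) {
            if ($null -eq $best -or $r.PrefixLen -gt $best.PrefixLen) { $best = $r }
        }
    }
    return $best
}

# After the GUI step: mask 255.255.255.0 puts the whole /24 on the loopback adapter.
$beforeFix = @(
    [pscustomobject]@{ Network = '0.0.0.0';  PrefixLen = 0;  Via = 'default gateway (public adapter)' }
    [pscustomobject]@{ Network = '10.0.0.0'; PrefixLen = 24; Via = 'on-link, Loopback adapter' }
)

# After the registry fix: only the single host route captures traffic.
$afterFix = @(
    [pscustomobject]@{ Network = '0.0.0.0';  PrefixLen = 0;  Via = 'default gateway (public adapter)' }
    [pscustomobject]@{ Network = '10.0.0.5'; PrefixLen = 32; Via = 'on-link, Loopback adapter' }
)

# 10.0.0.5 is the attacker; 10.0.0.77 is a constructed innocent host in the same /24;
# 198.51.100.9 is a constructed unrelated host.
foreach ($peer in '10.0.0.5', '10.0.0.77', '198.51.100.9') {
    $b = Find-Route $beforeFix $peer
    $a = Find-Route $afterFix  $peer
    "{0,-14} before fix -> {1,-34} after fix -> {2}" -f $peer, $b.Via, $a.Via
}
```

Run it and compare the two columns: the reply to 10.0.0.5 goes to the loopback adapter in both tables (and so never reaches the attacker), while 10.0.0.77 is swallowed only with the /24 mask and 198.51.100.9 always takes the default gateway. That is the 255-address side effect the post warns about, and the reason the 255.255.255.255 mask matters.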

In conclusion…

Is it perfect? No. Is it better than being hammered by a DDoS or brute-force attack? Obviously.
