Is there a limit on how many IPs can be blocked in the blocklist before performance is affected?
Can performance be affected?
I'm around 2500 now.
Thank you
Blocklist limit before performance impact
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Blocklist limit before performance impact
In general not really, but it can if either of the following is true:
1) You're using a really old kernel, where you can't use ipset. The performance hit would be on loading your blocklist, where iptables takes longer to load a really big set of firewall rules. 2500 isn't a lot for iptables, but if you have hundreds of thousands of IPs in your blocklist, that can take time for iptables to load. Newer kernels support ipset, which can load hundreds of millions of entries in a few seconds.
2) You're using a hypervirtualization solution like OpenVZ that limits the number of firewall rules you can have, because you're sharing one system's kernel with every other user on the system. In which case your hosting provider may limit the number of firewall rules you can add.
If neither of these is the case for you, then you can add hundreds of millions of entries to your blocklist without any performance impact.
Michael Shinn
Atomicorp - Security For Everyone
Re: Blocklist limit before performance impact
Remember that each IP you block results in two firewall rules -- one for in, one for out.
I would ask WHY you need to block so many IPs.
If you are manually adding them following an attack or spam run, remember that 90+ will never be seen again - they are probably part of a botnet.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
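To make the two points made in the replies above concrete (loading a big list through ipset instead of one iptables rule per address, and the two rules, inbound and outbound, that each blocked address otherwise costs), here is an added example. It is not code from this thread and not Atomicorp's own blocklist tooling. It assumes a plain text blocklist with one IPv4 address or CIDR per line ('#' comments allowed), a set named `blocklist`, and a kernel with ipset support; the set name, hashsize and maxelem values are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the thread, not Atomicorp's ASL tooling): load a large
# blocklist through ipset so the firewall carries two rules instead of 2*N.
# Assumptions: a plain text file with one IPv4 address or CIDR per line
# ('#' comments and blank lines allowed); set name, hashsize and maxelem
# below are illustrative choices.

SET_NAME=blocklist

# Write a small constructed sample blocklist (documentation ranges only) to $1.
make_sample_blocklist() {
    cat > "$1" <<'EOF'
# constructed sample, not a real blocklist
203.0.113.7
198.51.100.0/24
203.0.113.7
not-an-ip
192.0.2.10
EOF
}

# Emit an `ipset restore` batch for the entries in $1.
# hash:net accepts both single addresses and CIDR ranges; `-exist` makes
# re-running idempotent; the whole file loads in one ipset(8) call.
gen_ipset_restore() {
    echo "create ${SET_NAME} hash:net family inet hashsize 65536 maxelem 1000000 -exist"
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        sort -u |
        sed "s/^/add ${SET_NAME} /; s/$/ -exist/"
}

# The only iptables rules the set needs, however many entries it holds:
# one match on source address in INPUT, one on destination in OUTPUT.
gen_iptables_rules() {
    echo "iptables -I INPUT  -m set --match-set ${SET_NAME} src -j DROP"
    echo "iptables -I OUTPUT -m set --match-set ${SET_NAME} dst -j DROP"
}

# How many rules the per-entry approach needs instead (2 per entry, as the
# reply above notes): 2500 entries -> 5000 rules, 500k entries -> 1M rules.
rule_count_per_entry() {
    n=$(gen_ipset_restore "$1" | grep -c '^add ' || true)
    echo $((n * 2))
}

# Apply for real (needs root and a kernel with ipset). Not run by default.
apply_blocklist() {
    list="$1"
    gen_ipset_restore "$list" | ipset restore
    for spec in "INPUT src" "OUTPUT dst"; do
        set -- $spec
        # -C checks whether the rule already exists, so re-running does not
        # stack duplicate rules in the chain
        iptables -C "$1" -m set --match-set "$SET_NAME" "$2" -j DROP 2>/dev/null ||
            iptables -I "$1" -m set --match-set "$SET_NAME" "$2" -j DROP
    done
}

# Usage: sh blocklist.sh /path/to/blocklist.txt [--apply]
# Without --apply it only prints the ipset batch and the two iptables rules.
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--apply" ]; then
        apply_blocklist "$1"
    else
        gen_ipset_restore "$1"
        gen_iptables_rules
    fi
fi
```

Beyond load time, the per-packet cost differs too: a chain of per-address rules is walked sequentially for every packet, while a `hash:net` set is a hash lookup, which is why the set-based approach stays flat as the list grows. Run the script without `--apply` first and inspect the generated batch before feeding it to `ipset restore`.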
Re: Blocklist limit before performance impact
It's not that I need to, but that I can.
I just unchecked Enable Active Response timeout. Nothing is done manually.
When we blacklist/whitelist, load goes sky high, so I'm using the blocklist as a kind of blacklist.
Re: Blocklist limit before performance impact
What kernel is your system? You can run this command to find out:
uname -r
If everything was easy, then the world wouldn't need engineers.
Re: Blocklist limit before performance impact
hostingg wrote: What kernel is your system? You can run this command to find out: uname -r
2.6.32
- mikeshinn
Re: Blocklist limit before performance impact
So that's not one of our kernels then (and that's a very, very old kernel too). Are you using a virtualization solution, for example Virtuozzo or OpenVZ, by any chance?
Michael Shinn
Atomicorp - Security For Everyone