Want to self-check and improve your cybersecurity emergency response capabilities? Want to quickly build up the practical experience of security operations personnel? Want to shore up the weak points of your security defense system? The best way is to conduct real attack and defense drills, and emergency response to security incidents is a very important part of them. At this stage, the defender will run into a number of problems.

Blocking attacking IPs in real time is too tiring

When attack traffic is discovered, there are generally three ways to handle it: 1. Block the session; 2. Block the session and temporarily block the IP address; 3. Block the session and permanently block the IP address. In attack and defense drills, the defender cannot predict the means and tools the attacker will use. Security equipment may have blocked this attack, but no one can guarantee that it will block the next attack, let alone all attacks. Therefore, the defender needs to block the attacking IP in real time to prevent subsequent attacks from that IP, forcing the attacker to keep changing IP or give up, thereby raising the cost of the attack. This makes the defenders very tired and may even require them to be on duty 24/7.

There are many malicious addresses, and blacklists are not enough

There are a large number of malicious IP addresses and domain names on the Internet; the number recorded by one threat intelligence platform has reached tens of millions. The blacklist capacity of ordinary firewalls ranges from a few thousand to tens of thousands of entries. In attack and defense drill scenarios, a blacklist of this size is completely insufficient. Defenders need security products that can support far more IP blocking entries.

Manual blocking, low efficiency

At present, the usual emergency response method is: after an alarm occurs, manually configure the attacking IP into the blacklist. The problem with this method is its poor timeliness. If the attacker finds a breakthrough point, they can get into the system within a few minutes and steal information or damage the system; manual blocking may not be able to respond in time. During periods of concentrated attacks there will be hundreds of alarms at the same time, and sending and applying blocking configurations one by one is inefficient. Defenders need more efficient and automated emergency response methods.

Automated security incident response: tens of millions of malicious addresses blocked

To solve these problems, Anbotong launched an emergency interception gateway product for network attack and defense scenarios.

· Professional emergency response: Deployed inline or in bypass mode in front of the network egress, it can intercept 100% of malicious IPv4/IPv6 addresses and domain names, leaving attackers no opportunity to probe or scan.

· 10 million-level blacklist: Supports 10 million-level blacklist rules to meet the need to ban massive numbers of discrete IP addresses; expired rules are deleted automatically without manual intervention, making emergency response easy.

· Fast matching: During query and matching, the hash algorithm only needs to read memory once, reducing query time and achieving high-speed matching. Matching rules are stored in hash buckets, so adding or modifying a rule does not require processing the entire rule set, which speeds up configuration and reduces system resource consumption; hash collisions are also avoided.

· RESTful API: Through the REST API and the security data platform, intelligence data is turned into actual blocking actions, expanding its value; together they complete fully automated "detection-analysis-interception" processing, shortening the window attackers can exploit and leaving them no chance to take advantage.

The emergency interception gateway has the characteristics of large capacity, fast response, and high reliability. It is designed for attack and defense drill scenarios, helping the defender complete emergency response to security incidents with ease.
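The three mechanisms described above (a hash-keyed blocklist with one memory read per lookup, automatic deletion of expired entries, and alerts turned into blocking actions without a human in the loop) can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Anbotong's code and does not describe how the emergency interception gateway is implemented. The alert line format, the severity-to-TTL policy and the sample alerts are all constructed assumptions for the illustration.

```python
"""Added example: hash-keyed IP/domain blocklist with per-entry expiry and
automated alert ingestion. Not the product's code; format and policy assumed."""
import ipaddress
import re
import time
from typing import Dict, List, Optional, Tuple

# Constructed alert lines in an assumed "timestamp severity src=... sig=..." format.
SAMPLE_ALERTS = [
    "2024-06-01T10:00:00Z high src=203.0.113.7 sig=webshell-upload",
    "2024-06-01T10:00:05Z low src=198.51.100.23 sig=port-scan",
    "2024-06-01T10:00:09Z high src=2001:db8::1 sig=sqli",
    "2024-06-01T10:00:12Z medium src=malicious.example sig=c2-beacon",
    "2024-06-01T10:00:15Z high src=not an address sig=sqli",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sev>high|medium|low) src=(?P<src>.+?) sig=(?P<sig>\S+)$"
)

# Assumed policy: high -> permanent block, medium -> 24 h block,
# low -> session-level handling only, so no address is added.
TTL_BY_SEVERITY: Dict[str, Optional[int]] = {"high": None, "medium": 24 * 3600}


class Blocklist:
    """Blocklist keyed by normalized address; a check is a single dict lookup.
    Values are expiry timestamps, with None meaning a permanent block."""

    def __init__(self, clock=time.time):
        self._entries: Dict[str, Optional[float]] = {}
        self._clock = clock  # injectable clock so expiry can be tested

    @staticmethod
    def normalize(target: str) -> str:
        """Canonical IPv4/IPv6 text, or a lowercase domain without trailing dot."""
        try:
            return str(ipaddress.ip_address(target.strip()))
        except ValueError:
            name = target.strip().lower().rstrip(".")
            if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", name):
                raise ValueError(f"not an IP address or domain: {target!r}")
            return name

    def add(self, target: str, ttl_seconds: Optional[int] = None) -> str:
        """Insert or extend one entry; only that bucket is touched."""
        key = self.normalize(target)
        expiry = None if ttl_seconds is None else self._clock() + ttl_seconds
        if key in self._entries:
            current = self._entries[key]
            # A permanent block is never shortened; otherwise keep the later expiry.
            expiry = None if (current is None or expiry is None) else max(current, expiry)
        self._entries[key] = expiry
        return key

    def is_blocked(self, target: str) -> bool:
        """One lookup per check; stale entries are dropped lazily on hit."""
        try:
            key = self.normalize(target)
        except ValueError:
            return False
        if key not in self._entries:
            return False
        expiry = self._entries[key]
        if expiry is not None and expiry <= self._clock():
            del self._entries[key]
            return False
        return True

    def purge_expired(self) -> int:
        """Background sweep so expired rules vanish without manual work."""
        now = self._clock()
        stale = [k for k, e in self._entries.items() if e is not None and e <= now]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def __len__(self) -> int:
        return len(self._entries)


def ingest_alerts(lines: List[str], blocklist: Blocklist) -> Tuple[List[str], int]:
    """Turn detection alerts into blocking actions. Returns (blocked keys, skipped)."""
    blocked: List[str] = []
    skipped = 0
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or m["sev"] not in TTL_BY_SEVERITY:
            skipped += 1  # unparseable line or severity below the blocking threshold
            continue
        try:
            blocked.append(blocklist.add(m["src"], TTL_BY_SEVERITY[m["sev"]]))
        except ValueError:
            skipped += 1  # malformed source field; never block on garbage
    return blocked, skipped


if __name__ == "__main__":
    bl = Blocklist()
    print(ingest_alerts(SAMPLE_ALERTS, bl), len(bl))
```

Two details matter in practice: lookups normalize the address first, so a differently written IPv6 address or a domain with a trailing dot still hits the same bucket, and expiry is enforced both lazily on lookup and by a periodic sweep, so a rule that has lapsed never keeps blocking traffic.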