We have a web/database server on Amazon AWS and I have recently discovered it is getting a ton of attack attempts from various international IPs. After checking a few, they mostly seem to reside in China. This is causing performance issues and occasionally web requests are being dropped altogether.
The web server services developers and clients in California, but they are mobile so we can't nail down their IP addresses.
Since I don't care about any traffic outside of the US, how can I best block this? The AWS Security Groups don't really seem to allow that, unless I created inbound rules whitelisting any US IP classes that would fit, but that's pretty time consuming.
Is there a table of Class B ranges or something that I could filter out US ranges and cut and paste into a Windows Firewall Inbound Rule?
Matt,
You can go to https://www.countryipblocks.net/ to view common blocks of countries. However, any type of blocking like this is not really feasible for a simple firewall. It would take a ton of time to parse through all of the rules and would have a huge performance impact on your server. I would just lock down your server to specific ports for your users that need it, and for admin ports, you can have your staff funnel through a jumpbox or some type of VPN on an off port to get that level of access. You can always do some one-off blocking of ranges that are hitting you hard, but doing such a large-scale block on a server is not recommended from what I've seen.
Update:
On Linux, I have used fail2ban, deny_hosts, and iptables rate limiting to block hosts that are talking too much to the server. I am not a Windows admin, but you could probably do this with OSSEC and tie in an automated response if X happens. Also, after doing some quick Googling, I see people have done similar things with PowerShell. Here is one I found but I have no idea if it works or not.
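The approach the answer describes (fail2ban-style detection of hosts that talk too much, followed by one-off blocking of the ranges involved), shown as an added Python example; it is not the PowerShell script the answer refers to and not code from the original post. The log format, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (assumed format): "date time client-ip method path status".
SAMPLE_LOG = """\
2024-05-01 10:00:00 203.0.113.10 GET /login 401
2024-05-01 10:00:01 203.0.113.10 GET /login 401
2024-05-01 10:00:02 203.0.113.11 GET /login 401
2024-05-01 10:00:02 203.0.113.10 GET /login 401
2024-05-01 10:00:03 203.0.113.11 GET /login 401
2024-05-01 10:00:04 203.0.113.11 GET /login 401
2024-05-01 10:00:05 198.51.100.7 GET /index.html 200
this line is malformed and is skipped
2024-05-01 10:05:00 198.51.100.7 GET /about.html 200
"""


def find_offenders(lines, max_hits=3, window_seconds=60):
    """Return the set of client IPs with >= max_hits requests in any window."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    offenders = set()
    for line in lines:
        parts = line.split()
        try:
            ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
            ip = ipaddress.ip_address(parts[2])
        except (ValueError, IndexError):
            continue              # skip lines that do not parse
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_seconds:
            hits.popleft()        # drop requests that fell out of the window
        if len(hits) >= max_hits:
            offenders.add(ip)
    return offenders


def to_block_ranges(offenders):
    """Merge offending addresses into the fewest CIDR ranges, per IP version."""
    ranges = []
    for version in (4, 6):
        same = [ip for ip in offenders if ip.version == version]
        ranges += [str(net) for net in ipaddress.collapse_addresses(same)]
    return ranges


if __name__ == "__main__":
    print(to_block_ranges(find_offenders(SAMPLE_LOG.splitlines())))
```

The returned ranges are what would go into a one-off block rule, for example the remote address list of a Windows Firewall inbound rule.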