WAF http:BL

Nova WAF can integrate automatically with the Project Honey Pot HTTP Blacklist (http:BL) service.

{warning} Key required! To use the http:BL you must register for a free API key.


Introduction

When an IP address connects to a Nova ADC with WAF enabled and you have turned on the http:BL, a DNS query containing the connecting IP address is sent to Project Honey Pot. Based on the DNS reply, Nova can identify that IP as matching a classification you may want to block, such as a spammer.

Nova caches this information for a short time for performance reasons, but the lookup still adds some latency that depends on your DNS and network performance. Generally, it is minimal.


How it Works

Assuming you are querying the IP address 127.1.1.7 and your access key is yourprivatekey, a DNS query looks like this:

yourprivatekey.7.1.1.127.dnsbl.httpbl.org
[Access Key]   [Octet-Reversed IP]

Note that the IP address being queried is sent in the reversed octet format. In other words, "127.1.1.7" should become "7.1.1.127" for all DNS queries.

Project Honey Pot then replies with an IP address in the DNS answer to the Nova ADC. Nova reads the last octet of that address and translates it as follows:

Value   Meaning
0       Search Engine
1       Suspicious
2       Harvester
4       Comment Spammer

For more information, please read the http:BL documentation at Project Honey Pot.


Blacklists

Nova WAF supports blocking four classifications of IP addresses:

List            Description
Search Engines  Block IP addresses attached to known search engine bots. This is generally not recommended.
Suspicious      Block IP addresses that are suspected to be abusive but have not yet actually committed an abusive act.
Harvester       Block IP addresses that are known to be scraping email addresses and personal details for spam.
Spammers        Block IP addresses that have been used for comment spam on websites and are known to be spam sources.
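The following Python is an added example, not Nova's code, showing how the query name construction and reply decoding described in "How it Works" feed the list selection described above. It goes slightly beyond the page: the type value is treated as bit flags and the other reply octets (days since last activity, threat score) follow Project Honey Pot's public http:BL API; the access key, client IP and reply values are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Visitor-type bits from the Value/Meaning table, named after the lists in
# the Blacklists table. They are bit flags (per Project Honey Pot's API), so a
# last octet of 5 means Suspicious + Spammers. 0 is the plain "Search Engines" value.
TYPE_BITS = {1: "Suspicious", 2: "Harvester", 4: "Spammers"}
HTTPBL_ZONE = "dnsbl.httpbl.org"


def build_query(access_key: str, client_ip: str) -> str:
    """Build the http:BL query name: key, octet-reversed IPv4, zone."""
    ip = ipaddress.IPv4Address(client_ip)  # http:BL covers IPv4 only
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_reply(reply: Optional[str]) -> dict:
    """Interpret the address returned for the query.

    None models NXDOMAIN (IP not listed). A listed IP yields 127.D.T.Y where
    D = days since last activity, T = threat score, Y = visitor type (assumed
    layout from the public http:BL API; this page only uses the last octet).
    """
    if reply is None:
        return {"listed": False, "types": set(), "threat": 0, "days": None}
    octets = [int(x) for x in reply.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"unexpected http:BL reply: {reply}")
    days, threat, visitor_type = octets[1], octets[2], octets[3]
    if visitor_type == 0:
        types = {"Search Engines"}
    else:
        types = {name for bit, name in TYPE_BITS.items() if visitor_type & bit}
    return {"listed": True, "types": types, "threat": threat, "days": days}


def should_block(info: dict, enabled_lists: set) -> bool:
    """Block only if the reply matches one of the lists enabled in the WAF."""
    return info["listed"] and bool(info["types"] & enabled_lists)


if __name__ == "__main__":
    # Constructed sample: the page's example key and IP, plus a made-up reply.
    print(build_query("yourprivatekey", "127.1.1.7"))
    info = decode_reply("127.3.25.5")
    print(info, should_block(info, {"Harvester", "Spammers"}))
```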