Nova WAFs can integrate automatically with the Project Honey Pot HTTP Blocklist (http:BL) service.
To use the http:BL you must register for a free API key.
When an IP address connects to a Nova with WAF enabled and http:BL turned on, a DNS query containing the connecting IP is sent. Based on the DNS reply from Project Honey Pot, Nova can then identify that IP as matching something you may want to block, such as a spammer.
Nova caches this information for a short time for performance reasons, but the lookup naturally adds a delay that depends on your DNS and network performance. Generally, it is minimal.
How it Works
Assuming you are querying the IP address 127.1.1.7 and your access key is yourprivatekey, the DNS query looks like this:
yourprivatekey.7.1.1.127.dnsbl.httpbl.org
[Access Key].[Octet-Reversed IP].dnsbl.httpbl.org
Note that the IP address being queried is sent in reversed octet format. In other words, "127.1.1.7" becomes "7.1.1.127" for all DNS queries.
Project Honey Pot then replies with a DNS address to the Nova. Nova reads the last octet of that address and translates it as follows:

| Value | Meaning |
|---|---|
| 0 | Search Engine |
| 1 | Suspicious |
| 2 | Harvester |
| 4 | Comment Spammer |
For more information please read the documentation at Project Honey Pot.
Nova WAF supports blocking four classifications of IP addresses:

| Classification | Description |
|---|---|
| Search Engines | Block IP addresses attached to known search engine bots. This is generally not recommended. |
| Suspicious | Block IP addresses that are SUSPECTED to be abusive, but have not yet actually committed an act. |
| Harvester | Block IP addresses that are known to be scraping email addresses and personal details for spam. |
| Spammers | Block IP addresses that have been used for comment spam on websites and are known to be spam sources. |
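The following is an added Python example, not Nova's own code, that puts the pieces above together: building the octet-reversed query name, decoding the last octet of the reply, and applying the four block toggles. It assumes the DNS answer is handed in as a string (or None when the name did not resolve, i.e. the IP is not listed) and, going slightly beyond the page, treats the type values as combinable bit flags as Project Honey Pot documents them; the function and label names are hypothetical.

```python
import ipaddress
from typing import Dict, Optional, Set

# Bits of the reply's last octet, keyed to Nova's block toggles (hypothetical labels).
# A value of 0 is the special "search engine" case handled separately below.
TYPE_BITS = {1: "Suspicious", 2: "Harvester", 4: "Spammers"}
HTTPBL_ZONE = "dnsbl.httpbl.org"


def httpbl_query_name(access_key: str, ip: str) -> str:
    """Build the name to resolve: <access key>.<octet-reversed IP>.dnsbl.httpbl.org."""
    addr = ipaddress.IPv4Address(ip)  # http:BL lists IPv4 only; anything else is rejected
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def classify(reply: Optional[str]) -> Set[str]:
    """Translate an http:BL answer address into the classifications it encodes.

    `reply` is the address returned for the query name, or None when the name
    did not resolve (NXDOMAIN), which means the IP is not listed at all.
    """
    if reply is None:
        return set()
    octets = [int(o) for o in reply.split(".")]
    if len(octets) != 4 or octets[0] != 127 or not all(0 <= o <= 255 for o in octets):
        # A genuine http:BL answer always starts with 127; treat anything else as an error.
        raise ValueError(f"unexpected http:BL reply: {reply!r}")
    last = octets[3]
    if last == 0:
        return {"Search Engines"}
    return {label for bit, label in TYPE_BITS.items() if last & bit}


def should_block(reply: Optional[str], policy: Dict[str, bool]) -> bool:
    """Apply Nova's four block toggles (label -> enabled) to a decoded reply."""
    return any(policy.get(label, False) for label in classify(reply))


if __name__ == "__main__":
    # Constructed sample: the page's example IP and key, plus a made-up reply address.
    print(httpbl_query_name("yourprivatekey", "127.1.1.7"))
    policy = {"Search Engines": False, "Suspicious": True, "Harvester": True, "Spammers": True}
    print(should_block("127.3.20.5", policy))  # Suspicious + Spammers -> True
    print(should_block("127.0.0.0", policy))   # search engine bot -> False under this policy
```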