A few days ago, https://gomore.dk was being hammered by traffic from some IP address in Dubai.

It looked like someone was running a scan with Acunetix and it was causing a 30x increase in traffic to some URLs. So obviously I wanted to block all traffic from that single IP, and after some digging in the AWS console, I found out how to do this.

So here is a quick tutorial.

1. Open your VPC dashboard

[Screenshot: VPC dashboard]

2. Open the “Network ACLs” view

[Screenshot: Select Network ACLs]

3. Open the ACL editor

  1. Select the subnet to which your EC2 instances or load balancers are connected.
  2. Click “Inbound Rules”.
  3. Click “Edit”.

[Screenshot: Select subnet]

4. Add a rule to block the traffic

You will now see the ACL editor. On the last row, you can add a new rule.

[Screenshot: ACL editor]

Here is how you should fill out the fields:

| Field | Value |
|---|---|
| Rule # | Use any number less than 100, which is the number of the default accept-all rule. This is important because rules are evaluated in order, and your rule needs to come before the default. |
| Type | Select “All traffic” |
| Protocol | Locked to “ALL” |
| Source | The CIDR you want to block. To match a single IP address, enter it here and append /32. For example, I blocked 86.98.149.37/32 |
| Allow/Deny | Select “DENY” |

Now click Save and you should see the updated rules table.
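The same inbound DENY rule, added here as an AWS CLI example that is not part of the original post. It assumes the AWS CLI is installed and configured, and `acl-PLACEHOLDER` stands in for the network ACL id of your subnet.

```shell
#!/bin/sh
# Added example: the console steps above expressed as an AWS CLI call.
# Assumes AWS CLI v2 is installed and configured; acl-PLACEHOLDER stands in
# for your subnet's ACL id (look it up with: aws ec2 describe-network-acls).
set -eu

# Rule numbers are evaluated in ascending order, so the deny must sort
# before the default allow-all rule, which is number 100.
valid_rule_number() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -lt 100 ]
}

# Basic dotted-quad check: four numeric octets, each 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# A single address becomes a /32 block; an existing CIDR passes through.
to_cidr() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
         printf '%s/32\n' "$1" ;;
  esac
}

# block_ip ACL_ID RULE_NUMBER ADDRESS: add an inbound DENY for all traffic.
# With DRY_RUN=1 the command is printed instead of executed.
block_ip() {
  acl_id=$1; rule_no=$2
  valid_rule_number "$rule_no" || { echo "rule number must be 1-99" >&2; return 1; }
  cidr=$(to_cidr "$3") || return 1
  # --protocol -1 selects all protocols, matching Type "All traffic".
  set -- aws ec2 create-network-acl-entry --network-acl-id "$acl_id" \
         --rule-number "$rule_no" --protocol -1 --rule-action deny \
         --ingress --cidr-block "$cidr"
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The post's own case: block 86.98.149.37 with rule number 50 (dry run).
DRY_RUN=1 block_ip acl-PLACEHOLDER 50 86.98.149.37
```

Drop `DRY_RUN=1` to actually create the entry; the ACL change takes effect for every subnet associated with that ACL.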

Note

While searching for a way to block traffic, I found lots of articles saying that it wasn’t possible because the security group rules in AWS only support whitelisting. That is still true of security groups, which are allow-only; explicit DENY rules are a feature of network ACLs. So I think this level of control may be a relatively recent addition to AWS.