Blocking a Nation's IP Space
SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?
"What is your opinion of this and what do you propose to help correct this?"
Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.
"Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?"
I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).
If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.
After moving off of Comcast for residential DSL through a respectable provider I find that I don't have worms constantly hitting my machine. I don't have as many attack attempts and I certainly am not blocking quite as much spam. I long for the day when I don't have to add another .0/24 to the firewall list.
I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people. Don't like it? Oh well, I'm unconcerned. This particular Ask Slashdot might be pertaining to something else but the blurb wasn't really clear.
They're a web hosting provider. And they're blocking entire netblocks from viewing *their customer's* content.
What big company is going to block China? That's where most of their workers are. Can't cut your communications lines to them.
Evolution or ID?
Chinee Ip Space should TOTALLY be blocked. Those Chinee, they are always up to no good.
Who are the Chinee anyhow?
Depends...do you want to do business or communicate with China or not?
I think blocking an entire country is a bit much, and a bit too mucho discrimination for the globalized world that we live in right now...
Maybe to get around the Great Firewall of China. Also, the company I work for is global. We have offices in China connected via IPSec. Not smart of us to block China Telecom addresses...
For most businesses (at least those that operate globally), that isn't an option. However, for my home network and home mail server it drastically cut both spam and probes against my network.
Simply blocking the IP doesn't fix the problem, and is on the same level as them blocking search engines and censoring US web sites. Bot engines etc etc, if you stop it one place it will simply spring up in another. Filtering à la Google PRIOR to it hitting the consumer is the real key. That and corporate involvement - when it really begins to cost them money we'll see an improvement.
Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations access to western sites because of rogue elements in their borders?
This seems a rather murky route to go down, that ultimately, will be in no one's best interests.
I've got a friend that blocks email from Nigeria, but I'd never do that. You never know when someone really does need help moving millions of dollars out of the country and will gladly give me a cut of the proceeds. For that reason alone I'd never block them.
Them damn commies don't deserve the letter "S". That's for us capitalists. Along with the number 4.
Isn't that "heathen chinee"?
As a Chinese American, I feel that these tensions between the USA and China are unnecessary; many things about China are sometimes overstated. For example, last summer I visited China, expecting to see many US sites blocked by the Great Firewall, but instead did not see things like that. I did not encounter any websites that seemed to be blocked. Also, many Chinese can read English, so I also feel it's unfair to block Chinese users from some websites.
Student Research and Development
Why even bother. I just use these to block people from all access (not just the port they were pissing me off on). Very effective, yet only knocks out those up to no good.
Course I dont run windows on my servers.
would be if China blocked inbound USA connections seeing as 80% of the world's spam originates from there; the numbers are no different for all the other scams either, i.e. phishing, malware, adware, spyware etc etc
hmmm perhaps the rest-of-the-world should just cut off USA it would probably stop 80% of internet related crime overnight
OH NO MONGORIAN break down Great Wall of China
Some friends and I discussed this once. The original purpose of the internet was so that no one place could be brought down in case of attack. Hence if you block China's IP space that may prevent some minor inconveniences but they will still be able to bounce through other servers. The only way to block them out would be if everyone else blocked China.
Scuttlemonkey & Co. Please edit, don't opine.
I will determine an article's relevance to me, whether or not the article is any good, what questions it poses, and whether the answer to those is either yea or nay.
Adding a trollish question to the end is NOT "discussion inspiring", its more like Roland Piquipaille's "give me money for more info" taglines.
I want to delete my account but Slashdot doesn't allow it.
Cool! As an independent/home user myself, I can definitely empathize - another individual's rights to express themselves end at my eyes/ears - personally, I'm considering publishing a list of the IPs I block, and my reasons for doing so: as others weigh in (agreeing or dissenting), it could become the ultimate democracy...
For email, you can use the countries.nerd.dk RBL. Just add the two-letter country code as a prefix. So if you wish to block China from sending email, the RBL server is cn.countries.nerd.dk.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
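An added example (not from the post) of the lookup a mail server performs against that zone: the client's octets are reversed, the country-prefixed zone is appended, and any answer inside 127.0.0.0/8 means "listed". The resolver is injected so the check runs offline here; the fake zone contents and the 127.0.0.x answer values are constructed.

```python
import ipaddress
import socket

COUNTRY_ZONE = "countries.nerd.dk"   # zone from the post; the "cn." prefix selects China
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBLs answer inside 127/8 when listed

def dnsbl_name(client_ip, cc, zone=COUNTRY_ZONE):
    """Build the DNSBL query name: octets reversed, then <cc>.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + f".{cc.lower()}.{zone}"

def live_resolve(name):
    """A-record lookup against real DNS; NXDOMAIN (not listed) becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def is_listed(client_ip, cc, resolve=live_resolve, zone=COUNTRY_ZONE):
    answers = resolve(dnsbl_name(client_ip, cc, zone))
    return any(ipaddress.IPv4Address(a) in LISTED_NET for a in answers)

def smtp_decision(client_ip, blocked_countries, resolve=live_resolve):
    """Reject the SMTP client if it is listed under any blocked country; return the reason."""
    for cc in blocked_countries:
        if is_listed(client_ip, cc, resolve):
            return "reject", cc
    return "accept", None

# Constructed stand-in for DNS: 198.51.100.7 is treated as Chinese, 203.0.113.9 as Australian.
# The answer values are made up; only their membership in 127/8 matters.
FAKE_ZONE = {
    "7.100.51.198.cn." + COUNTRY_ZONE: ["127.0.0.156"],
    "9.113.0.203.au." + COUNTRY_ZONE: ["127.0.0.36"],
}

def fake_resolve(name):
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    print(smtp_decision("198.51.100.7", ["cn", "kr"], fake_resolve))   # ('reject', 'cn')
    print(smtp_decision("203.0.113.9", ["cn", "kr"], fake_resolve))    # ('accept', None)
```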
Why block the IPs when you can blackhole them via BGP? Just kill their peering at all the major NAPs and route their IPs to null0, problem solved. They definitely don't have enough bandwidth to get around it. It's just like a USENET Death Sentence, only we'll call it the BGP Death Sentence. In case many of you /.ers don't remember or weren't aware of it, Finland suffered a similar fate many years ago because of the hacking problems. CapVideo is my GOD.
Since we're generalizing here, you wouldn't by any chance be American, would you?
It's fairly apparent where I'm from. I didn't feel the need to state it -- if you'd like more info my post history and personal URL are there.
As far as America being full of hackers: this is true. They don't typically fuck with me from American IPs though. The main problems I see from America are morons running unpatched shit on residential connections.
Anyone else from America that is trying to exploit me is generally coming from a foreign IP (to try and mask their accountability). It's been going on like that for years. Get over yourself.
Isolationism is alive and well in the homes of America as well as the White House!
Off-topic, but, I wish we were practicing Isolationism in the White House. We wouldn't be fucking shit up in Iraq.
I've got about 20 lines in my hosts.deny file - mostly /8 and /16 nets. This is on a server that hosts some services for showing off our products and it was seeing huge amounts of SSH dictionary attacks and web shell code, etc.
Basically - if we know we want a prospect in China, Korea, etc. to use our site, we'll open something for them - otherwise they should just go the heck away.
If enough people -j DROP China, etc., maybe something will get done about it. (I know - wishful thinking).
Yea, I'm more and more blocking entire nets. It seems like besides Comcast, most of the annoyance probes are coming from IPs in APNIC.
We play the game with the bravery of being out of range
Ahh... This must be the "chinee foo" some guy keeps trying to deliver to my door!
I think we should spam China with lots of politically sensitive things - basically give their firewall a run for its money and shake things up a bit. But not in a nasty way, make sure all the spam is interesting at least.
This comment does not represent the views or opinions of the user.
10.0.0.0 /8 is blocked and I'm sure that all the bad guys are behind that one.
In fact, I don't even need to keep my XP firewall on anymore now that I've blocked that subnet at my router
It would though depend on the size and usage of the network you would be blocking Chinese traffic from. If you're a small business with absolutely no connection to China whatsoever, you might be ok blocking the entire IP block to protect your network from spammers. But, even an average size network might have some sort of Chinese connection, either from the outside in or vice versa. Lots of companies and people inside China that try to access that network would be affected, not just the spammers.
I work for a UK company who deals with multi-nationals, but they all have European channels. I can't see such a block having anything but a positive effect.
Just surprising that the very day I have this thought there is a story on Slashdot.
access-list 1000 deny tcp 218.0.0.0 0.31.255.255 any eq 25 log
We got tired of the many, many attempts to relay and break mail. Maybe time to add port 80?
You are free to block any addresses you want. However, I must ask what makes you so important that people must use the mail service you dictate in order to contact you? I think that doing what you have done would cause more inconvenience to myself than anything else. If people couldn't get through to me, they wouldn't switch providers, they would just stop emailing my pompous ass. The point is to block the bad, while letting the good stuff through. False positives only cause problems for ME, nobody else.
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Hypocrisy is the greatest luxury.
I'm curious on why this wouldn't be filed under "Your Rights Online". It seems to me, that this is a huge concern and if this was happening to anyone else the article would be filed as such.
blocking Chinee IP space
Speaking Lunar now, I see.
instead of blocking China for being a rogue IP space, why don't they ban America for being a clueless IP space. You would remove 90% of the easy targets on the internet.
"What is your opinion of this and what do you propose to help correct this?"
well, if these are people blocking large IP ranges from accessing their home/residential machines: sure, whatever.. go ahead guys, do what you want.. try blocking EVERY IP and just whitelisting countries you like if that's what floats your boat
if these are server admins blocking large IP ranges from accessing either their own business or their clients' business website: enjoy being fired and/or your company losing out on large blocks of contracts for hosting when knowledge of your practice of doing this becomes available to customers.
Well I hated to do it, but after my website was replaced with this:
(anyone know what it means? I'm still trying to figure it out, hence why it's saved in a text file on my computer)
I blocked china and haven't gotten hacked since.
But yes, I long since blocked access to most services for most of Asia, and large parts of Brazil and Mexico. Started with this very useful list of Chinese and Korean ip-blocks: http://www.okean.com/thegoods.html and grew from there (mostly to include Taiwan). (Note: I've found the list to be 99% accurate, but some small /24 or smaller blocks in Australia got included erroneously. Use with caution)
and expect others to treat it like a sewer. Chinese (and other APNIC network) ISPs just don't give a damn how much abuse their users heap on the rest of the net. Between the spam, worms, and other crap they spew, they've gotten a hard-earned spot in my firewall. Granted I am not a huge business or ISP, but at the rate they're going, it won't be long before big ISPs and businesses DO firewall all of APNIC as a pre-emptive measure.
Lawyers, MBA's, RIAA? A jedi fears not these things!
I worked for an ISP and we did a lot of IP blocking, whole countries, entire classes of addresses. Whatever it took to stop the onslaught of spam to our mail servers and our users. It doesn't make sense to add more mail servers, just to combat spam, when you can block a set of addresses and cut the load on the servers in half.
"What is your opinion of this and what do you propose to help correct this?"
If you can get away with blocking out large IP spaces of an entire country, do it. If you can't, don't. I don't receive any legitimate mail from Chinese IP addresses and never will. I don't block anything at the moment, but if it solved much of the scanning and spam I see I'd probably consider it. Unless you have a global market, why not do it if it solves more problems than it creates?
I think when a US company starts targeting large ISPs in the US, or are an ISP yourself you're going to run into trouble though. I know an ISP that discards all mail coming from roadrunner addresses as spam. That's a terrible practice for the ISPs customers who aren't getting legitimate email.
AccountKiller
well, I can't see the scientific world doing wholesale blocking of China, for example, in that many of the recent papers I've been reading in Biochemistry are from that country, including ones in the areas I've been working on - malaria.
But for the local newspaper in Tukwila, WA - this might not be a bad idea.
Mind you, when I travel - so far to France, Italy, the Caribbean, Canada, Mexico, Australia, New Zealand but not yet China or Japan - I do like to read the local newspaper back home online, so I can see this not being a good solution especially on the West Coast.
-- Tigger warning: This post may contain tiggers! --
This Chineeman is not the issue! I'm talking about drawing a line in the sand, Dude. Across this line you do not, uh--and also, Dude, Chineeman is not the preferred, uh... Asian-American. Please.
This is not the greatest sig in the world, no. This is a tribute.
Even if *you* block a range of IP addresses, someone operating a computer on one of those IP addresses could still connect with your server simply by going through a proxy not blocking them, but which you have not also blocked. Given that blocking a national range of IP addresses provides no real security from a marginally determined and capable attacker and that it promotes a balkanization of the Internet, decreasing the network effect and therefore overall utility of the network by blocking many potentially legitimate connections, this seems like a very inappropriate and heavy-handed technical response to unwanted requests from a particular country. It also saves no bandwidth since the filtering happens at the receiving server after the packets have travelled through the network.
From a political science and ideological perspective, industrialized and democratic companies benefit little from blocking the access of citizens of 'pariah' nations to non-classified information. Any opportunity to make available memes that offer alternatives to the totalitarian state line further creates the opportunity for the expansion of democracy and free access and speech in those countries. Blocking national IP ranges in this manner would also decrease this opportunity.
I have a corporate network to run, and we are only expanding in China. There is no realistic way to resolve any issues at the IP or DNS/domain level, as same ISPs providing services to spammers and crackers, are also hosts of my customers.
;)
Short answer? Clever design, application layer solutions (e.g. multi-level filters and signature-based protection for application traffic), which implies more resources, and some administrative headache to put up with, when things go wrong. Always need to keep the balance: if the costs of doing business (of which the human and technical solutions needed to avoid across-the-board denial are mandatorily included) become higher than the return/profit, we will rethink the options. Until then we are happy when others (preferably competitors of ours) apply the knee-jerk solution of blocking country-wide networks.
== With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
.. all of .il with an iptables script a mile long.
Why? I used to serve large files in an IRC channel with a fat EDU connection, but a handful of tools from .il ruined it for everyone else over there by hammering too much.
Got the info from http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/ and with a little bash magic, I had a bunch of
iptables -A INPUT -s x.x.x.x/x -j DROP
in one big script.
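An added example (not the poster's script) of that "bash magic" step in Python: it reads lines in the RIR delegated-statistics format (registry|cc|type|start|count|date|status, which is what per-country lists such as the one linked are derived from; that format and the sample data, which uses private 10.x ranges, are assumptions here), turns each start+count allocation into the minimal set of CIDR prefixes, and emits the iptables DROP lines as well as the Cisco wildcard-mask form used in the access-list post above.

```python
import ipaddress

# Constructed sample in the RIR delegated-stats format: registry|cc|type|start|count|date|status.
# Private 10.x ranges stand in for real allocations; the 768-address block shows a count that
# is not a power of two and therefore needs more than one CIDR prefix.
SAMPLE_RIR_STATS = """\
apnic|*|ipv4|*|3|summary
apnic|CN|ipv4|10.1.0.0|65536|20010101|allocated
apnic|CN|ipv4|10.2.0.0|768|20010101|allocated
apnic|KR|ipv4|10.3.0.0|256|20010101|assigned
apnic|CN|ipv6|2001:db8::|32|20010101|allocated
"""

def parse_rir_ipv4(text, countries):
    """Return the collapsed list of IPv4 networks delegated to the given country codes."""
    nets = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 5 or fields[2] != "ipv4" or fields[1] not in countries:
            continue                       # skips comments, the summary line, other countries, IPv6
        first = ipaddress.IPv4Address(fields[3])
        last = first + int(fields[4]) - 1  # for ipv4 the value is a number of addresses
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))   # merge adjacent blocks where possible

def iptables_rules(nets, chain="INPUT"):
    return [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in nets]

def cisco_acl_rules(nets, acl=1000, port=25):
    # Cisco wildcard masks are the bitwise inverse of the netmask, which ipaddress calls hostmask
    return [f"access-list {acl} deny tcp {n.network_address} {n.hostmask} any eq {port} log"
            for n in nets]

def is_blocked(ip, nets):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)

if __name__ == "__main__":
    cn = parse_rir_ipv4(SAMPLE_RIR_STATS, {"CN"})
    print("\n".join(iptables_rules(cn)))
    print("\n".join(cisco_acl_rules(cn)))
```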
But " Chinee "?
Makes me think of the Wild West, railroads and laundry service more than modern-day questions of internet protocols and global politik.
... according to http://www.trustedsource.org/ featured today in another /. article the US is the biggest source of spam.
This is a lot easier if you are outside the US.
Greetings from a blue country.
This was eventual, no surprise here.
No, I will not work for your startup
You order chinee foo?
They block your IP address space!
Awesome, I like your style, and I find myself doing the same things, having to block out entire countries and portions of the world from getting to my stuff. I hope a lot of PC weenies try to argue with you, because they have no footing to stand on.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
what is your point?
he made a decision that those people will not be dealt with, why do you care.
go about doing what you want.
DROP the bastards
Firewalls of any sort are a menace. They're not part of the open internet. Every port of every publicly routable IP should either be open, because it's providing a service accessible from the open internet, or closed, in which case it should respond appropriately when it gets packets there and not just drop them. I don't actively block them, but I try to avoid enabling any options on my services that would help firewalled users.
I am trolling
You are free to block any addresses you want. However, I must ask what makes you so important that people must use the mail service you dictate in order to contact you? I think that doing what you have done would cause more inconvenience to myself than anything else. If people couldn't get through to me, they wouldn't switch providers, they would just stop emailing my pompous ass. The point is to block the bad, while letting the good stuff through.
Pompous? No, I'm just not concerned w/mail getting through. NOTHING is important enough for me to deal with spam, viruses, trojan, and spyware.
It's like anything else. If you want to contact me you do it my way, otherwise, I don't care. Believe me... The three people it might affect every year isn't a big deal. If anything, I did them, and everyone else, a favor.
At the end of the article, the author talks about how he thinks the Chinese government doesn't know about this activity.
Actually, they probably condone it. The more web servers that are blocked from the Chinese people, the more likely they'll be isolated behind the Great Firewall of China.
---Technology will liberate us if it doesn't enslave us first.
People who advocate blocking /16's and /24's should consider wrapping their CAT5 in tin foil.
Blocking a /16 means blocking some ~65000 IP addresses. Blocking a /24 means blocking around 16 million IP addresses.
Over the past 6 months I've identified and recorded all SSH dictionary attacks on my machine. I've recorded exactly 211 IP addresses so far.
Blocking ip blocks is silly and stupid. You will end up blocking
the whole world eventually. What you need is signature based
detection at your firewall level. This way you can construct
rulesets to effectively mitigate probes and attacks.
--skyhigh
I've banned 80% more IPs from RU than everywhere else combined. No one wants Hot Russian Blonde Escorts when you can have Hot Asian Escorts.. :P
-my inner racer is pointing at him and laughing.-
Blacklists are temporary solutions. The larger the blacklist, the more temporary. It's like censorship in this regard.
Blacklisting is a balancing act between the nature of the Internet and what you want out of it. It only "works" to a degree, but it never solves the problem. I'm not saying give up or stop blocking IP's, but people need to come to grips about the real world. The Internet is a two-way street, so let's start looking at it that way, eh? Blocking whole countries is extreme. Some people really seem to like being extreme though.
Besides, some smart rulesets and decent filtering can drop the vast majority of troublesome content.
Following up on my own post - title is misleading by omission: what I meant to say was "Block nothing at the original posts' suggested level" (i.e. country-wide network(s))
The problem with blocking IP space, especially in the case of email, is that most valid email traffic is not between sysadmins. When you have Joe user from FizzCo sending a business document from home to Jane User at BangCo, neither of them is going to understand any rejection notices they get, nor will they understand it if a message just disappears.
I've seen small businesses that contracted out their IT help have serious trouble when their ISP suddenly changed their spam filter rules without telling them. Suddenly your lawyer's emails aren't getting through and no one knows why. In this particular instance it fell on me to diagnose the problem and get it fixed simply because I was the only person at either of the two organizations who had any clue how mail servers worked.
The president has been kidnapped by ninjas!
Are you a bad enough dude to rescue the president?
For my own use, to block spam email, I use procmail to filter foreign language encodings in languages that I can't read. Of course there are problems: many spammers don't properly tag their encodings, assuming the target audience has their mail reader set to that language as a default. And it won't filter UTF-8 foreign language encoded mail (you have to leave that one unblocked). And of course it doesn't filter non-email attacks against my domain.
But it's a good start, and a totally benign one. Email in a language I can't read is always spam.
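An added example (not the poster's procmail recipe) of the same test in Python: it gathers the charsets a message declares in its text parts and in RFC 2047 encoded words in the Subject header and rejects anything outside a readable set, with UTF-8 left allowed for the reason the post gives. The sample messages are constructed; a spam whose encoding is mistagged as a readable charset passes, which is exactly the limitation the post describes.

```python
import email
from email.header import decode_header

# Charsets the recipient can read. UTF-8 must stay allowed: it carries every language,
# so it cannot be used to tell readable mail from unreadable mail.
READABLE_CHARSETS = {"us-ascii", "ascii", "iso-8859-1", "iso-8859-15", "windows-1252", "utf-8"}

def declared_charsets(raw_message):
    """Every charset the message declares: text parts plus encoded words in Subject."""
    msg = email.message_from_bytes(raw_message)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found.add((part.get_content_charset() or "us-ascii").lower())
    for _text, charset in decode_header(msg.get("Subject", "")):
        if charset:                      # None for plain, unencoded chunks
            found.add(charset.lower())
    return found

def verdict(raw_message):
    """('reject', [unreadable charsets]) or ('accept', [])."""
    unreadable = sorted(declared_charsets(raw_message) - READABLE_CHARSETS)
    return ("reject", unreadable) if unreadable else ("accept", [])

# Constructed sample messages; only the headers that matter are present.
MSG_JAPANESE = (b"From: sender@example.net\r\n"
                b"Subject: =?iso-2022-jp?B?SGVsbG8=?=\r\n"
                b"Content-Type: text/plain; charset=iso-2022-jp\r\n\r\n"
                b"body\r\n")
MSG_UTF8 = (b"From: friend@example.org\r\nSubject: lunch?\r\n"
            b"Content-Type: text/plain; charset=utf-8\r\n\r\nsee you at noon\r\n")
MSG_MIXED = (b"From: sender@example.net\r\nSubject: hi\r\n"
             b"Content-Type: multipart/alternative; boundary=\"b1\"\r\n\r\n"
             b"--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nhi\r\n"
             b"--b1\r\nContent-Type: text/html; charset=gb2312\r\n\r\n<p>hi</p>\r\n"
             b"--b1--\r\n")

if __name__ == "__main__":
    for name, raw in [("japanese", MSG_JAPANESE), ("utf8", MSG_UTF8), ("mixed", MSG_MIXED)]:
        print(name, verdict(raw))
```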
Reading the original article (always a bad move) it talked about blocking dodgy looking web requests which, I'm guessing, took up a significant fraction of the server's resources. In such a case I'd go ahead and block. You might lose some potential valid users but that is a lot less than losing everyone if your server clogs up.
However I'd suggest dynamic blocking as the best means to do it, i.e. a machine generated list. Have a server outside the firewall examine incoming requests and block IP ranges where significant numbers of dubious requests are coming from. If the number of dubious requests falls below a certain rate then the IP range is unblocked.
This is a lot better than a permanent ban because you can't be accused of implementing a political agenda of your own and it rewards ISPs/Companies/Countries that eventually clean up their network space. Of course it does mean that you have to be able to define in terms a computer will understand what a "dodgy" request is.
It's about time people realize that the internet is a worldwide network and there are issues that come with that !
Why are Chinese IP addresses more dangerous than other IP addresses is what I don't understand ! Unless of course you watch a lot of Lou Dobbs and are fond of calling China "Communist China".
Chinese computers are infected with hacker tools and worms because of American companies like M$ that produce crap shit OSes ! Not because "Communist China" is producing crap shit OSes !!
I say you should block machines running windows if that's your concern whether they are in China or on the moon...
I think it is slang for Chin-less (as in no chin) Native Apache Indians (Chinee). There was one on the Phil Donahue show a number of years ago I think ;)
I was using www.blackholes.us for awhile to help construct my ACL's. Now that it's MIA, anyone got an alternative?
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?
At least the author didn't "beg the question."
Because, someone would have to finally lose their editorial rights. But ScuttleMonkey can live to edit another day, as long as he can fix the grammar in that sentence.
Don't disappoint your bird dog. Go to the range.
This is all fine and dandy. Until _you_ end up being blocked from a whole bunch of stuff because of some asshole in the same IP space.
Blocking based on IP range and or country is pure and simple discrimination. A lot of people don't seem to grasp why discrimination is bad until they end up on the receiving end...
Having said that; if you want to block half the world, I believe that's your right. Just don't block it for me please, I'd like to make that decision myself.
On Slashdot we always make a big deal out of censorship particular to the Chinese government. Why then, would it be ok for us to do the same thing to its people. Many attacks do come from there, but that doesn't make it any less wrong.
If you're going to do this at your company then don't whine about Chinese censorship any longer.
At my company we block email based on country blacklists for countries that we don't do business with. It certainly cuts down on spam ... and has no false positives. If employees need to send/receive email from these countries for personal correspondence they can do it from home. It seems like a relatively no-brainer, not unlike having a receptionist screen calls or visitors.
If our firewall could easily block IP addresses, I'd do that too.
It's not just China (in fact, the bloke from SecurityFocus says this towards the end). I tend to see logs containing a lot of stuff from China, Taiwan and Korea, but also Argentina, Italy, France, Canada and the US. If you blacklisted every country which turned up unannounced in your logs you'd soon run out of countries to ban.
However, the question should be asked - who, exactly, do you expect to legitimately want to access your server? If it's a group of friends accessing some common stuff on one machine, it should be accessible to those people only.
It's not going to be practical to do this with www.bigcompany.com, but instead of starting with the assumption that, for example, an ssh server should be open to all but password protected start from the other end - ask what subnets should be able to access it.
I'm not sure I'd call the original article "a good commentary" either - it does look like someone had a requirement to submit something to the Register and it got rather closer to pub opening time than planned before he submitted it. You can almost see the "Will this do?" on the end (or maybe I've just been reading Private Eye too much).
I wonder if this is something the government in China want to see happen. Think about the amount of effort they spend on reviewing sites and blocking on their end. It also becomes a political issue for their civilians. What is our government keeping from us? Yet if millions of people are freely allowed to have a part on our dime from their shores, more and more companies will do this. I know of at least 3 Fortune 200 companies that have this practice or are implementing blocking all Chinese IPs. So if we block them on our end, then they will not have to block them on their end. Then they can shift the blame to the western countries when their citizens complain about not being able to access a site.
As someone who has suffered a tidal wave of spam and some other hack attempts the problem isn't particularly with the average Chinese internaut but with US citizens hiding behind lax Chinese ISPs.
Chinanet Henan Province and Chinatelecom are notorious homes to US based spammers. I've written a brief paper on the subject here
http://www.abcseo.com/papers/referrer-spam.htm
Ok I've moved a bit off the topic of hacking attempts - but hacking/spamming are two sides of the same coin. Personally I've refrained from banning the whole of China when the problem seems to be some rogue individuals and ISPs.
I'm in China, you insensitive clod!
(No joke! Gotta represent..)
He said that other countries are full of hackers, not that ONLY other countries are full of hackers. You filled in the rest with your own stereotype of Americans.
Gamingmuseum.com: Give your 3D accelerator a rest.
My company has been blocking foreign IP space for years. We are a retail outfit and we don't do business with China, Southeast Asia, South America, the Persian Gulf, Africa, or former Eastern Bloc nations. So, consequently, our mail servers block these guys. I use lists from the now-deceased blackholes.us site, plus other netblocks that I have culled on my own. Since blackholes.us is no longer operational, you can download my archive of these lists from me: http://saba.island.nu/blackholes/
Remember this little ditty:
The world today seems absolutely crackers,
With nuclear bombs to blow us all sky high.
There's fools and idiots sitting on the trigger.
It's depressing and it's senseless, and that's why...
I like Chinese.
I like Chinese.
They only come up to your knees,
Yet they're always friendly, and they're ready to please.
I like Chinese.
I like Chinese.
There's nine hundred million of them in the world today.
You'd better learn to like them; that's what I say.
I like Chinese.
I like Chinese.
They come from a long way overseas,
But they're cute and they're cuddly, and they're ready to please.
I like Chinese food.
The waiters never are rude.
Think of the many things they've done to impress.
There's Maoism, Taoism, I Ching, and Chess.
So I like Chinese.
I like Chinese.
I like their tiny little trees,
Their Zen, their ping-pong, their yin, and yang-ese.
I like Chinese thought,
The wisdom that Confucius taught.
If Darwin is anything to shout about,
The Chinese will survive us all without any doubt.
So, I like Chinese.
I like Chinese.
They only come up to your knees,
Yet they're wise and they're witty, and they're ready to please.
All together.
[verse in Chinese]
Wo ai zhongguo ren. (I like Chinese.)
Wo ai zhongguo ren. (I like Chinese.)
Wo ai zhongguo ren. (I like Chinese.)
Ni hao ma; ni hao ma; ni hao ma; zaijien! (How are you; how are you; how are you; goodbye!)
I like Chinese.
I like Chinese.
Their food is guaranteed to please,
A fourteen, a seven, a nine, and lychees.
I like Chinese.
I like Chinese.
I like their tiny little trees,
Their Zen, their ping-pong, their yin, and yang-ese.
I like Chinese.
I like Chinese.
They only come up to your knees...
My honeypots have been trapping a ton of activity from Romania and Sweden. While TW and CN are in my top ten, they rank far below the big offenders. Does this suggest to me that these are all Romanian and Swedish hackers?! No way! These are all likely "owned" servers. In fact, all of the noticeably "human" activity in my logs came from servers that are running long abandoned web sites and such, probably someone intelligently implementing an ssh redirect. The point is, whenever you block by a huge subnet (ALL of China?!) you are going to cause issues for legitimate business AND you will not stop the hackers. They will just stick their redirect somewhere else and get a new bot set up on a server no one has noticed in the past five years.
The key to staying alive is to make sure you have a secure server. If you don't know how to make a secure server then you better learn today! If you are paranoid (not me!) trap them in a honeypot and send an alert, page, or automated event (Muhahahaha!). If you have thousands of attempts a day set up a Perl script to redirect these IPs to localhost with a set TTL (so they expire after x minutes).
Somehow my email address recently wound up on quite a number of spam lists. I have no idea what they were trying to sell since all of it was from Japan and was written in Japanese. As if ads for "v1&gra" weren't hard enough to read. Hell, at least three quarters of the characters weren't even in my Unicode font and couldn't be displayed. After weeks of adding filters to block each new address, it finally occurred to me that I know no one from Japan and that chances are that I will never be in communication with anyone from Japan, so I gave up and just blocked anything ending in ".jp".
...just put a bunch of stuff on your website advocating a free and democratic China. They'll block it for you.
When I changed some settings in Apache to let people from our company access the web via our proxy, I made an error and also opened the proxy to the outside.
The next days everything was slow and the log showed that I had a lot of requests from outside IP addresses to other outside IP addresses. The majority of those addresses came from China.
I changed the setting in Apache but I still had requests by the hundred. I finally called my ISP and we blocked a lot of ranges from China, and right after that the traffic went back to normal.
I have talked with my boss and we have decided that it was not worth the trouble to re-enable those IP ranges since we are not doing business with China.
Chinese hackers. I have no doubt that there are gangs of Chinese hackers - whether employed by the government, organized crime, or freelance - that are working as hard as they can to take over computers around the world for all sorts of nefarious purposes. They're just like hacker gangs anywhere else in the world. Spam networks, phishing, DDOS attacks: it's all being done.
...
Employed by the government? I'm in Europe and I've heard of some well-known and developed countries using hacker forces for shutting down "suspicious" sites on the web. There are even some "armies" out there who would love this approach to be used more often.
Bug 188285 is irrelevant. Autocomplete is disabled for https. So, if you submit your credit card information over an insecure connection, you and your vendor are nutcases.
did you mean Romania by any chance :) ?
The Raven
I don't care if this is the USA censoring China or vice versa. Censorship is always wrong no matter what. Always. Our grandmothers and grandfathers have literally died for our freedom of speech and they are spinning in their graves right now.
Karma: Positive (probably because of superior intellect)
I'd suggest just keeping your services secure. Automated attacks are aimed at the lowest common denominator, even basic security steps will stop them. My smb server gets connect attempts at a rate of around 2 per second, and has done for the last six months or so. So far none have got in. I only take action if I'm getting hammered by a single IP, and then I'm more likely to complain to his ISP than block him.
I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account
As well they should. The internet should be a community, not controlled by big corporations like other media.
and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).
Ooh, because an attacker is obviously so much less likely to use GMail than hotmail. After all, it's made by the holy Google who say "Do no evil", and everyone knows MS are always evil.
I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people.
If you want to be a part of the internet rather than a passive consumer of it, you should let everyone access what you're serving. Anything less is worse than nothing at all.
If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.
Why do you want to block entire countries? Assuming Brazilians are evil because one tried to hack you is pure prejudice and as bad as any other kind.
I am trolling
The three people it might affect every year isn't a big deal. If anything, I did them, and everyone else, a favor.
Dude, seriously, what are you doing on slashdot? Didn't you know that hot babes from all over the world are trying to email us all day every day?
Honestly, for me, email is like the phone- the list of people that I want to have access to me isn't that long. Not because I am a hot commodity, but because I don't like being disturbed.
It is your computer- you can restrict access however you want. If you only want to accept email from people over 6 feet tall and white, it is up to you. It is your computer! What a concept!
Anyhow- good luck with the wedding. (Or as my mom told me, "you aren't planning for a wedding, you are planning for a marriage..." Big difference...)
And All I Ask is a Tall Ship And a Star to Steer Her By
I've got about 20 lines in my hosts.deny file - mostly /8 and /16 nets. This is on a server that hosts some services for showing off our products and it was seeing huge amounts of SSH dictionary attacks and web shell code, etc.
What's the problem if your SSH is properly configured? I too get a few SSH attacks a day (about 20-40) and then? What problem do you have with web shell code? You fear that the Chinese may find bugs in your application that your customers might never notice?
If enough people -j DROP China, etc., maybe something will get done about it. (I know - wishful thinking).
Oh, very clever. It will not change a thing, because the people doing nasty things are doing them illegally, so there's no control over them. It's like saying that you blacklist every dialup access from your web site because most of them are zombies!
Security through obscurity...
willy
Can you point to a time when the net was safe for families and businesses. When it was still reasonably safe, I don't recall very many businesses and damn few families even being on it, and it's the sheer stupidity of families and businesses that has been part of the problem with net security.
The world's burning. Moped Jesus spotted on I50. Details at 11.
The author mentions that his friends in question here are running a hosting service, and they didn't tell their customers about the blocking.
That's what I see as the biggest issue. Personally, I'm appalled by the idea of blocking an entire country. It feels like some sort of jingoism or racism on a gut level, and on a practical level it interferes with potential business or academic interests who have lots of reasons for reading all kinds of things. The internet is one of the coolest tools we have for moving towards an internationalized world, and to block out an entire nation seems really counterproductive.
However, that's beside the point. People should be free to block whatever they want. Really. I may not like it, but you are free to do so.
To not tell their customers however, is grossly irresponsible.
Anyone, repeat, ANYONE who decides that the best course of recourse against possible attacks is to block an entire country is inept.
I've already read many examples of this in previous comments marked as insightful?! From blocking entire subnets of DSL lines, to entire countries. Of course this works, but the solution requires as much thought as turning on a light bulb. If another country is overwhelming you in a territory, in this case the internet, then it should be taken as quite the wakeup call that a perceived solution is to BLACKLIST people from your content, guilty or not. And this is the best solution you can come up with? You call yourself a techie? You should be fired immediately, and without prejudice, from whatever job you have if it involves the responsibility of a computer environment that other people are using.
To use this solution to 'control' network traffic smacks of unimaginable incompetence at best, and a general attitude of no understanding what the hell is going on, at worst.
The 'friends' in this article are nothing but shadetree techies who think they have the slightest idea what they are doing because of a tool at their disposal. And most of the irresponsible key monkeys on this board don't see any problem with the initial pretense, and will ponder the question as if it is somehow legit.
However, just because you know how to use a hammer, doesn't mean every job or problem can be fixed with a hammer.
Sure, you say, what's the solution? If you aren't part of the solution you are part of the problem, right? Well, frankly, I make my money by not being part of the problem, so why would I want to increase competition from those who can't figure it out for themselves? Thank goodness for the US education system! It's making me rich!
Sheesh, you could also just block everybody and then you wouldn't have a work load at all.
Got work ethic?
The country I grew up in (USA) now exists in name only...
What I'd like to know is whether most of the Asian ISPs are doing like the ones here in the States. Every broadband connection I've had until recently had a dynamic IP. Even so, the shortest time I ever had an IP was 12 months. That's with Charter cable, Sprint DSL, and a regional telecom outfit Ntelos. If the Asian ISPs are setting super high TTLs on the IPs like they do in the States, then just block the individual problem IPs as needed. IMO that would be a much safer route to take than blocking entire countries.
You've got an easy breezy wind at your back...most of the time.
Blocking a /16 means blocking some ~65000 IP addresses. Blocking a /24 means blocking around 16 million IP addresses.
No! Blocking /24 will block a class C, which is 256 addresses. Blocking /8 means 16 million addresses. It's most often stupid anyway.
Willy
Actually, there are a few pages that will help you find blocks from rogue countries. But first on to the ethical questions--
I'm the admin for a company with around 70 employees, we maintain our own website, and mail systems. We had been getting pounded with spam and a lot of ssh attempts.
Before taking any action, we found that China (predominantly) and Korea were the source of most of our break-in attempts and spam sources. Given that we do _some_ international business, but not there, that was an easy call. Other countries soon followed. Our criterion has been that if there is any chance that someone will travel to a particular country or if the country has useful information to be had via someone with email, we don't block. I know it sounds judgmental, but it has cut our spam/scams down by about 75%. I would prefer to block all cable access to mail, but that would potentially hurt our road warriors with SMTP-AUTH. The slippery slope comes in when you say "Screw anyone on Wannadoo or BTI or Time Warner, etc. running a mail server." I know I quit running a mail server at home just because my stuff was blocked. Our compromise is that spam sources are individually blocked (rather than by range) in places where we travel or may do business.
Further, if you have a good firewall scheme you don't have to block web access. You can block the ports that give you trouble and still allow http access if you need the Chinese consumer market to see your site. I have found that an invaluable tool to use in conjunction with iptables is IPSet.
It allows for very quick processing of ranges or hashes of individual addresses.
If you want info on blocking countries (sorry if I offend anyone) look here:
http://okean.com/asianspamblocks.html
and http://blackholes.us/ (when it's up...)
Personally, I find blocking unwanted guests akin to allowing only people on your chat list to talk to you...
Acquiescence leads to obliteration
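As an added worked example (not code from this post, nor from the okean.com or blackholes.us lists it links to), here is how a CIDR list of the kind those sites publish can be turned into an ipset plus the port-selective iptables rules the post describes, so SSH and SMTP from the listed ranges are dropped while HTTP stays reachable. The set name "blocked_nets", the hash:net set type and the choice of ports 22 and 25 are assumptions; the ranges are constructed from RFC 5737 documentation space, not a real country's allocation.

```python
"""Build a port-selective ipset/iptables blocklist from CIDR ranges.

Added example, not code from the post above or from the linked sites. It
assumes (nothing in the thread fixes these) an ipset named "blocked_nets" of
type hash:net, and that only SSH (22) and SMTP (25) are blocked so the web
site stays reachable, as the post suggests for the consumer market.
"""
import ipaddress

# Constructed sample CIDR list in the style of the blocklists the post links
# to. These are documentation ranges (RFC 5737), not a real country's space.
SAMPLE_RANGES = """\
# blank lines and comments are ignored
203.0.113.0/24
203.0.113.128/25   # already inside the /24 above
198.51.100.0/24
192.0.2.0/25
192.0.2.128/25     # adjacent to the /25 above: merges into 192.0.2.0/24
"""


def load_ranges(text):
    """Parse CIDR lines and collapse overlapping/adjacent blocks (IPv4 only,
    since the ipset below is family inet; IPv6 would need a second set)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # tolerate host bits set
        if net.version == 4:
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def total_addresses(nets):
    """Size of the blocklist: 2**(32-prefix) per block, e.g. /24 -> 256, /8 -> 16777216."""
    return sum(n.num_addresses for n in nets)


def is_blocked(ip, nets):
    """True if ip falls inside any block; the same test the kernel's hash:net match does."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def ipset_restore(nets, setname="blocked_nets"):
    """Text for `ipset restore < file`: create the set, then add each block."""
    lines = [f"create {setname} hash:net family inet -exist"]
    lines += [f"add {setname} {n.with_prefixlen} -exist" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_rules(setname="blocked_nets", ports=(22, 25)):
    """Drop traffic from the set on the listed ports only; other ports stay open."""
    return [
        f"iptables -A INPUT -p tcp --dport {port} -m set --match-set {setname} src -j DROP"
        for port in ports
    ]


if __name__ == "__main__":
    blocks = load_ranges(SAMPLE_RANGES)
    print(f"# {len(blocks)} blocks covering {total_addresses(blocks)} addresses")
    print(ipset_restore(blocks), end="")
    print("\n".join(iptables_rules()))
```

Loading it is `ipset restore < blocklist.txt` followed by the printed iptables lines. Because the match is against one hash:net set, the rule count stays at one per port however many blocks the list holds, which is the speed advantage the post mentions over one iptables rule per range. `total_addresses` also makes the /8 versus /24 confusion earlier in the thread concrete: each block covers 2**(32-prefix) addresses.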
I guess blocking entire providers that you know full well have mostly legitimate users and uses is just the lazy man's way of avoiding having to install spamassassin?
Windows users have lots of viruses and trojans and spambots. I'm no longer going to accept email from Windows users. I'll insist that they buy a Mac or install linux if they want to speak with me.
I don't get spam. Why? Take a look at oss-lin. BTW it's not only China, I also block US ISPs' clients (they should route through their ISP's mail server; if not, well ...)
Any form of blacklisting has pros and cons.
The post-9/11 American policy of giving "careful scrutiny" of people from certain countries may have protected American lives and property, but it costs America economically as people from those countries chose to do business or take vacations elsewhere rather than be subject to intense scrutiny.
If it is a person doing the blacklisting just for himself, then he gets to suffer any negative consequences of missing out on talking to interesting people. If it's a government, ISP, or other entity acting to "protect" me, the end user, from harm when I have contacts or potential contacts affected by the blacklist, that's just plain wrong.
If it's a "public service" or "business open to the public" that is doing the blacklisting, then other factors come into play. For example, if I am an insurance company and I blacklist all small ISPs that I know serve "undesirable" zip codes, then I may be guilty of illegal discrimination. Yes, I know that doesn't apply to China, but what if those small local ISPs ARE infected by zombies and doing nothing to stop them, and most other American ISPs are pro-actively blocking zombies? Then I'm damned either way - I'll have to explain to the government WHY I'm doing something that on the surface looks to be illegal.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
You will be closer to god, won't have to bother with nasty internet worms ever (I can promise!) and will be as far from pornography and kiddy porn as is possible in today's America.
Of course, running water and electricity have to be forfeited, but your family will have the warm feeling of doing the right thing every time they take half an hour to get water for the weekly bath.
Then, if you want to keep some and be protected from the rest, join the closest Mormons, where you will have the possibility of marrying underage teens by the dozen, as long as you find some that are still available....And still be closer to god.
What you are proposing is the ability for Microsoft to keep the internet market forever, without having any competitor, and no possibility for you (me) to escape the pigopolist...
"This set of protocols could allow trusted machines to receive properly licensed and authorized content but still filter out other less useful but more dangerous content/extensions like exe's, zips, tar.gz's, bz2, py, and iso's, and additionally any encrypted content, and the major webserver vendors would have to outlaw application/octet mime types to regain control of the internet-turned-piracy haven that the thieves like warez groups and gnu have perverted, not to mention all the pornography and child molesting an open internet produces."
There was this sentence from Benjamin Franklin about freedom and what awaits people ready to sacrifice freedom for a little bit more security...look for it, it will be instructive to you....
Your data, if really important, can be encrypted, backed up, mirrored, made unreachable to 99.9% of the internet population. You just have to exert some effort and understanding to make it so...
Well, I'm answering an anonymous troll, might as well piss in a violin!
Its time to make the slashdot safe again from you for our pleasure and entertainment...
Any chance of you leaving on your own ?
I block several countries at my business: Korea, China, Brazil, Russia and Japan.
However, I do have an automated response that tells the sender they've been blocked by my blacklisting service and that they should contact me (by phone) to resolve the issue. My company has no reason to be in contact with those countries so it is a relatively safe practice. I also use Spamhaus.org. I have only had 2 or 3 incidents in the 8 months of usage.
After blocking those countries and using Spamhaus, my spam went down by 65-70%. Not too bad.
-Nick
"A plan fiendishly clever in its intricacies"- Homer Simpson
..I use a mod that integrates with IDS (Snort rules!! hah hahhahah - ok sry.), and if an incoming, unsolicited connection violates any of the Snort rules (w/Oinkmaster updates) then that IP is blocked (further packets are dropped - not rejected, *dropped*) for an hour.
Of course, it's completely customizable - eg the ban limit can be config'd for 2 hours, or 30 minutes. Similarly, the Oinkmaster rules can also be modified - eg if a Yahoo! login triggers Snort, and Yahoo!'s IP becomes blocked, one can edit the rule to allow (or otherwise ignore) that rule - OR IP.
It's not a perfect system - it has a few flaws. However it requires very little maintenance and does the trick for now.
Curious, it was Chinese hack attempts to my site that prompted the search to find such an auto-blocking mod =/
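The timed auto-ban this post describes (drop, not reject, for an hour, then expire) and the honeypot post earlier in the thread sketches as a Perl script with a TTL, as an added Python example that is code from neither poster. It assumes OpenSSH-style "Failed password" log lines with ISO timestamps as the trigger instead of Snort alerts, a threshold of five failures within ten minutes, a one-hour ban, and a per-IP iptables DROP rule; the log lines are constructed.

```python
"""Timed auto-ban driven by failed-login log lines.

Added example, not code from either post. It assumes OpenSSH-style
"Failed password" lines with ISO timestamps, bans after 5 failures within
10 minutes, keeps the ban for 1 hour (the TTL idea from the honeypot post,
the one-hour limit from this one), and DROPs rather than rejects. The
firewall action is recorded as a command string so it can be tested offline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines modelled on sshd's "Failed password" messages.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
2024-03-01T10:00:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
2024-03-01T10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
2024-03-01T10:00:04 host sshd[103]: Failed password for root from 203.0.113.5 port 4003 ssh2
2024-03-01T10:00:05 host sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
2024-03-01T10:00:06 host sshd[105]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
2024-03-01T10:00:07 host sshd[106]: Failed password for alice from 198.51.100.7 port 5001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for .* from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def firewall_cmd(ip, ban):
    """iptables command to insert (ban) or delete (unban) a per-IP DROP rule."""
    return f"iptables -{'I' if ban else 'D'} INPUT -s {ip} -j DROP"


class AutoBan:
    def __init__(self, threshold=5, window=timedelta(minutes=10), ttl=timedelta(hours=1)):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban expires
        self.commands = []                   # firewall commands issued, in order

    def expire(self, now):
        """Lift bans whose TTL has passed; returns the IPs unbanned."""
        now = _dt(now)
        lifted = [ip for ip, exp in self.banned.items() if now >= exp]
        for ip in lifted:
            del self.banned[ip]
            self.commands.append(firewall_cmd(ip, ban=False))
        return lifted

    def is_banned(self, ip, now):
        self.expire(now)
        return ip in self.banned

    def feed(self, line):
        """Process one log line; returns the IP if this line triggered a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        self.expire(ts)
        if ip in self.banned:            # already dropped; nothing more to do
            return None
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # sliding window
            recent.popleft()
        if len(recent) < self.threshold:
            return None
        self.banned[ip] = ts + self.ttl
        recent.clear()
        self.commands.append(firewall_cmd(ip, ban=True))
        return ip


def scan(log_text):
    """Run a log through AutoBan; returns (IPs banned, in order, and the AutoBan)."""
    ab = AutoBan()
    bans = [ip for ip in (ab.feed(line) for line in log_text.splitlines()) if ip]
    return bans, ab


if __name__ == "__main__":
    bans, ab = scan(SAMPLE_LOG)
    print("banned:", bans)
    print("\n".join(ab.commands))
```

Against a real log the loop would tail the file and hand each command to `subprocess.run`; the commands are collected in a list here so the expiry logic can be checked offline. The sliding window stops a slow scanner from accumulating failures forever, and the ban TTL is what keeps a mistakenly blocked address (the Yahoo! case the post mentions) from staying blocked after the offending rule is fixed.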
That only works with BGP. Once you hunker down to the local level, taking out a single router can wipe out a lot of customers.
Many a discussion has been had when your business-class internet goes out; all the suits quote the same "I thought the internet meant that it doesn't go out".
Sorry, if your firewall goes out, your office is out.
If your ISP's router feeding your office is out, you're out.
If your ISP's feed has a bad router, they're out and guess what, you're out too.
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
China has been the biggest single source of spam and hacking on my server for years. I have blocked all access from China and Korea.
Well I hated to do it, but after my website was replaced with this: (anyone know what it means? I'm still trying to figure it out, hence why it's saved in a text file on my computer) I blocked china and haven't gotten hacked since.
I've never blocked China and never been hacked. QED. Not.
So wait a minute - weren't we just getting all up-in-arms over the Chinese blocking their people from viewing unsolicited western sites? And now we should go ahead and block the entire country because of the rogue elements? I agree Chinese cr/hackers (take your pick) are a problem, but at the same time, so are any other skilled cr/hackers - just because this one has malicious intent doesn't mean we're doing any good by blocking such a large audience simply because of the possibility. Cracking will still occur, as with worms and trojans. Those who really want to will find alternate means of access (perhaps through countries a bit more generous than the United States). What is there to gain by this?
This is just an example, but the idea goes for other kinds of sites too...
I like to think that I'm doing my little part by blocking all incoming connections from China, Taiwan, and some of Japan. I throw a big ass list of IPs to block into iptables (and give it time to parse all the IPs and such), and call it good. There are some good lists to block some of those Asian countries that do a reasonably good job: Some IP addresses.
But in all seriousness, the reason I do this, is because of the numerous attempts to brute force sshd, or to send email via my SMTP server, the vast majority of IP addresses come from China, Hong Kong, Taiwan, and Japan.
YOU'RE WINNER !
Another lame blog
Everyone here is ranting about Chinese hackers but I wonder how many of you have actually been personally affected as opposed to "my friend was hacked" or "I've heard about foo."
The article, if you care to read it, illustrated that all of the Chinese IPs they tested from which nefarious traffic was coming were infected machines. Zombies, just like all the other zombies all over the world, machines now owned by hackers but were previously the property of uneducated mom-and-pop end users.
Granted there are proportionally more people in China so there's likely to be a lot more hackers as well (private, OC or even government sponsored), but the machines have just as likely been owned by hackers from Europe or the USA.
"They're called Celestials you cocksucker."
I ban all of China and Brazil. Cuts my spam and my hack attempts in half.
My company doesn't have any customers in either country so I say too bad. If you don't want to be banned get an ISP that is not a spammer haven.
Lately I have been playing around with the idea of banning Russia but we have Russian-speaking users so I would probably hear about that.
Your comments are the most logical I've read so far.
Whitelisting and VPNs are what is going to get around the loads of krap probes and dipshits trying to "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1"
I'm personally sick of hearing this "the internet needs to be free and accessible by everyone" krap. What fu*&ing decade are you living in?
We play the game with the bravery of being out of range
We want to censor ourselves, we don't want a government to censor us. If an individual or company decides to block traffic from a country more power to them. It's a choice they have the right to make. If the government wants to do it then that sucks because the people have lost that choice.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
think of the the amount of scammers that would go out of business
When there is so much money in it, it's never gonna stop until we kill the disease, not treat the symptoms.
So what do you do? You keep your machine secure. You keep up to date on patches, you use software that has a good security record, and you keep half an eye on your box for signs of intrusions. And you do regular backups, just in case things do go really bad.
But you don't stress out over every weird line in your Apache log. I used to watch my logs carefully and report cracking attempts, but that was long ago. Now, there's so many I could spend my whole life doing that. That, and most of the attempts come from compromised machines anyways, and the admins of those boxes generally don't care anyways (or at least they just don't respond.) It's tilting at windmills.
(Do keep the logs, mind you, but don't stress out over them. You can use tools to give you summaries and show exceptions if you wish, but you'll need to filter out the really common crack attempts, or eventually you'll just tune out the summaries, because they're always full of ... junk.)
Now, if it's a serious problem, like a DoS attack, then you may need to react. The phone is far more effective than an email, but it's hard to know who to call, especially if it's in a remote country. And the addresses may be spoofed and so you may not know the source at all.
But occasional requests for weird files on your web server? Forget it.
Blocking the IP address of "offenders", hear recussal from the alleged "offenders" when they express their sincere concern and MD5'd IP address, let time pass, and unblock the IP. That doesn't work in anonymous communication and it shows. I'm stuck on the 'let time pass" part because brothers Rob and Robert hadn't responded yet on their findings in my special case. This is so effective, that this open wireless gateway near this Subway sandwich shop was temporarily banned by Slashdot. In my situation, some lurker moderators slandered my posting record because of my flame to Oregon Judicial Department. Do you know anyone that would use more than five moderator points on someone they hate, and to make them appear as equal to a shocksite when not? I can't post anymore but through a Spain proxy. The Slashdot server can't determine prejudice from an honestly modded-down shocksite; lurker moderators act on behalf of the Slashdot IP ban mechanism when the greater population of moderators are not at attention. I've incurred such, read about it here. I think the Slashdot moderation mechanism is the most effective only if DRM was integrated into the webbrowser and subjective operating system. There is no denying that regulating communication leads to privileged access; but I entertain everyone with a Thomas Jefferson quote that is universal and hints privilege as "The only free man is a lawful man." I'm happy to contribute meta-moderation and moderation with good prejudice; I presume everyone is reasonable or acting in good faith, that there is a cause and effect that perhaps I have not seen even in the most inflammatory or offtopic posts. Concerning intent, it's always the unseen minority that causes such casualty, but that is the joy and glory in participating and discerning character in a democratic way of conversation.
Websites that have little interactivity need no eyes to scrutinize the information and need only rely on a Smart Firewall to decide where or what needs to be banned. Me: I just want to post on Slashdot naturally, and without a proxy. Thanks lurker moderators.
without prejudice
As is typical with the mass media this report, or maybe I should call him what a hacker, goes on about how hackers are doing all this stuff and are bad. He needs to educate himself about what real hackers are about. A good book to read to get what being a hacker is is Hackers: Heroes of the Computer Revolution by Steven Levy.
Falcon
Should there be a Law?
The only rogue IP space is that in the hands of the **AA and their cronies. And for that, there's Peer Guardian.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The point of refusing access from certain IP addresses is not to deny service to any particular individual (or nationality, in case of entire countries being affected), but to protect against likely abuse and encourage individuals to use some other IP address. As long as your boycott is aimed at their network infrastructure (for aiding abuse) rather than at the country itself (for political reasons), individual users routing their traffic via other networks is not a problem; it's what you want them to do. The idea is that the secondary network will sort out the abuse (by making sure they know who their customers are, or by other means). If they fail to do so, they will be blacklisted too.
Therefore I see no point in specifically blacklisting any single country, if not for political reasons. Entire countries are blacklisted because they conveniently map to large portions of IP address space. Some Chinese universities probably received their IP blocks before the commercial operators did, and may therefore have addresses in completely separate ranges. If the universities are a bit better at managing their networks, and the bulk of the abuse therefore comes from the commercial blocks, there is no reason both should be listed merely for being assigned to the same country.
Likewise, a single address block may contain several operators in different countries, causing them all to be blacklisted simply because telling them apart takes too much time. It's all about network abuse history, not about nationality. And, I wouldn't have to rely on everyone else blocking a single abused network either, unless they all were to forward that abuse to me.
I have however considered blocking mail servers indiscriminately "bouncing" virus messages having our domain forged onto them, when they have received those messages from IP addresses (often Chinese ones) already included in public blacklists. They could avoid such action on my part by simply using said blacklists themselves, but exactly how they solve their problem is up to them. If they simply avoid "notifying" innocent people every time they receive junk mail or other abuse, I will not bother them.
Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.
It's not hackers who are doing this!!!
Falcon
Should there be a Law?
Then you need to tell the suits the magical word.
Redundancy. To two different ISPs.
If they don't like the cost for it, ask them what the cost is to be without internet access for 2 days.
There are two types of people in the world: Those who crave closure
Dude, seriously, what are you doing on slashdot? Didn't you know that hot babes from all over the world are trying to email us all day every day?
Anyhow- good luck with the wedding.
Two lines that don't go together. Thanks though. I need it -- friends start arriving today -- family tomorrow.
Can't we ban .ro first as a testcase? If that works out and we lose around 70 - 80 percent of the online script kiddies we can continue some more evaluation.
`iptables -L -n --line-numbers` output of your "idiot list" please!
Censor Your Website For All Chinese Citizens TODAY!
This way you remove the burden of blocking your website at Chinese national routers, allowing the government of China to use the money to build schools and hospitals instead!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
If your ISP only has one upstream provider then I'd suggest finding a new ISP, especially for business. If you're a big enough company, look at the possibility of getting your multiple upstream providers so it's not just one line to fail.
As for not having redundant equipment at a business level, even single redundancy on your firewall/edge router, there is no excuse.
How many people can read hex if only you and dead people can read hex?
I'd love to see a procmail filter that uses countries.nerd.dk to determine the origin of the email. My ISP controls my mail and DNS servers, so my own option for configuration is hacking up my .procmailrc
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
Wouldn't hackers simply go through a shell account in some other, unblocked, country?
would be:
1. put some text about freedom of speech and/or human rights in China on your webserver
2. make sure Google finds you
then the Chinese government itself would see that Chinese IP traffic can't reach you.
blacklists and the people who use them are weak.
if I want to contact your site or bombard your computer with shit i'll just use TOR or any number of proxies to give myself an IP outside of your ban list.
there are multiple ways around EVERYTHING.
Yeah, the "ultimate democracy." Where despotic regimes harbor cyber miscreants who piss off the inhabitants of "civilized" countries, who block those despotic regimes, therefore denying the innocent inhabitants of those regimes the ability to communicate unfettered with the rest of the free world.
"Hey, there seem to be all these hackers in China. Let's block the entire nation of China from the rest of the Internet. That will really help the Chinese Internet censorship situation."
But I guess your own convenience is more important than giving those people a conduit to freedom.
As somebody else pointed out, an individual has every right to block or receive whatever traffic they wish. But if you're a network administrator at an ISP or government who thinks he's doing some good by closing off these segments of the Internet, you're nothing but low life scum who cares more about his temporary comfort than other people's lives.
There is no point in having mercy with those who let their IP space rot.
I absolutely resent the "argument" that those who are attacked and take protective measures have low ethics or low professional standards. When the vandals are at the gates, you better close the gates. My servers, my rules.
We were a small company that sold sex toys. Kiddies from eastern europe and southeast asia LOVED to test credit cards against our store.
This was when we were first getting up and running with minimal staff. One day we looked and saw "JESUS CHRIST! Someone Just bought $678 worth of fake cock! Yeah!"
We then realized these folks were just testing to see if the credit card numbers they stole were still active, and cancelled the order.
I wrote all sorts of checking routines and so on to make it harder to submit that kind of shit, but in the end it was just easier to not even let places like Hungary and Pakistan in, because really, it was more trouble to weed out the fakes than the odd valid order a year from those areas is worth.
s'wut i sed.
Blocking based on IP range and or country is pure and simple discrimination. A lot of people don't seem to grasp why discrimination is bad until they end up on the receiving end...
Nothing wrong with discrimination per se - I'm in the hiring process for a software developer, and you better believe I discriminate against unqualified applicants. I believe the word you're looking for is indiscriminate.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I worked for an ISP for about 5 years... started doing tech support and moved up and on to the NOC and web design. While in the NOC we were fighting spam for our users pretty much non-stop with various black lists / filters. My job was basically to come in each day and clean out the garbage disposal as it were.
Until the glorious day we segregated our mail users. We set up a new beta mail server and split our users into two groups. Those needing international mail, and those not needing it. Over the course of 3 months, we informed users of the change and provided an easy opt-in one-click process to make sure they could send/receive international mail.
After that grace period, we simply shut off international mail on our main server by blocking any IP space outside the US.
The load on our mail servers (4 dual CPU machines) went from averaging around 50% down to 5% and stayed there.
In our polling of our own customers, we found that 90% or more of them never had any intention or desire to send/receive international mail. Our spam load went from several thousand spam messages a minute to less than a thousand per day.
The people that needed international mail were put on the new server and left open to all mail.
For the next few months, the staff at our office didn't have to buy lunch or snacks because that corny AOL commercial actually happened. We had customers in all the time taking us out to lunch and dropping off brownies, cupcakes, etc... our satisfaction rate was never higher and I would venture to guess that we would not have been that loved had we sent everyone $50 cash.
Why isn't this a more popular choice? Is there really that much of a NEED in the general internet population for international mail? There wasn't at our company.
I think we could make international mail a feature add-on much like web hosts make CGI, PHP, or mySQL a feature add-on. Sure, to me those are just staples, but not everyone needs all that.
Sure, there's still in-country spam sources... but NOTHING like what comes from outside.
I don't see any ethical problem with blocking China's IP ranges. The basics of security are to deny all access by default then allow those who should have access. If no one in China has a valid reason to access my site then good data hiding dictates that I block access from China.
My personal email blackholes all IPs listed in APNIC, LACNIC, RIPE, and the new AFRNIC, and I graylist all Comcast, Roadrunner, and Canadian IPs. If the From address matches the IP (e.g. somebody@rr.com and sent from a Roadrunner IP) I let it through. Cuts my spam load by about 75 percent.
Ignorance is curable, stupid is forever.
/8 = 16m addresses
/16 = 65k addresses
/24 = 256 addresses
:)
hope you aren't in charge of any important networks if you are making those kind of fundamental errors
I Call Bullshit!!!!
China I CALL BULLSHIT!!!!
I have been to China, my wife is Chinese, and the region where I live (Vancouver) is about 25% ethnic Chinese. China is an important country, and its power is growing - look at recent purchases (and attempts) of major Canadian and American companies. China, its culture, and its policies will increasingly impact our lives. We will be exposed to their culture and values. We can't afford to be silent about ours.
My philosophy is that you should get to decide who you want to talk to. If you don't want to talk to anyone in China (or Australia, or whatever), then no one says you have to.
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
I don't like the sound of this. Feel free to block whatever IPs you like, but do it quietly so no dumb government types will get the idea to segment the entire internet. The music industry controlled ISP in UK where you can share music all you like except to other ISPs is enough. No interoperability whatsoever, sounds like microsoft strategies. This is no better than China's own "great firewall".
Am I the only one? The article is missing the most interesting part! Please tell me what are the IP address ranges so I can block them on my firewall. I couldn't care less if somebody from China cannot connect to my home network.
You blocky too booku baby! Me like to sucky sucky bandwidth baby. Me love you IP long time...
i use blockit http://www.teknofx.com/ and snort www.snort.org to react to bad traffic such as worms, port scans, scanners, brute forcing on ssh. works nice, I've had it up and running 3 days and i already have 200 ip addresses blocked.
I work for Road Runner. In fact, I'm on a call with a Road Runner customer right now. I can assure everyone that the majority of Road Runner customers pose no threat to anyone but themselves!
...time to pull out the old form
Your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Hey, who ever said life is fair?
---- Booth was a patriot ----
The Chinese are totally shifty. Just look at their eyes, they're clearly up to no good. :-)
But seriously, China is a rogue state notorious for being a country where the term "human rights" is not recognized and is traditionally hostile to every nation on the planet. Pretty much they are opposed to everything the free-world stands for. But why is the entire world kissing China's butt these days? I mean they're hosting the Olympics for goodness sake! It's all about "3. ????, 4. Profit!!!!!"
I reckon as a rule of thumb, you should block every ip that doesn't want to access your webspace. ;)
Alternatively (and seriously) tune your webserver as you know what material is being served up and you know the page requests that an average user would make. Why not make it so certain ips can only request pages X number of seconds totaling Y per day?
Alrighty, then, troll feeding time!
230 years ago, this nation I live in was under a (different) "despotic regime" - some people decided to take some action, and it changed. The assistances they received happened after they started, not because they whined.
As an individual internet user, I have not ever blocked an email from a political dissident due to its political content. As a website author, I have not blocked anyone from viewing my site.
As a businessman, I respect and obey the laws governing my use of advertising online, by email (I fully comply with CAN-SPAM) and other means as applicable.
The above said, anyone who cannot see fit to play by the same rules can go figure out a different game *elsewhere*, instead of trying to play some bait (political freedom of speech) and switch (illegal spam serving) game.
There is no "divine right" nor requirement to maintain a web presence, to maintain completely open networks, to provide a podium upon which some poor abused oppressed individual can spout their issues to everyone else, no matter how "justified" they might be.... This whole intarweb thing borders so closely to being completely fictional it isn't funny - please *do* seek to force your beliefs concerning how things *should* be onto the current way things are - only time will tell how successful you were.
Please *don't* consider the over-worked net administrators as enemies: The real enemies are those spam servers who bury any legitimate content coming out of dissenting China more effectively than any locally-applied blocks ever could.
When I setup a mail server for one of my previous employers I ended up blocking China, India, Israel and most of the rest of Asia/Middle East IP space. The company didn't ship internationally and the likelihood of receiving a legitimate email was so low that it wasn't worth the hundreds of spam messages we'd been receiving. By blocking Asia we eliminated 90% of incoming spam. Spam Assassin and a couple RBLs got rid of most of the rest.
rooooar
I've had several email accounts, private and work related, and never really had spam problems. I have gotten spam and still do, but it doesn't take more than 5 seconds of my day to weed out. I don't post my email address on the net and I'm sure that helps, but I would think most people here would be just as tech savvy.
Do the people here really get so much spam that they need to create sophisticated control lists to block large chunks of the Internet?
Ninjas don't carry tic tacs
KeS
Not a single server I maintain could use such a broad blocking policy.. Many companies do business with contacts in those countries as it is. It just would not be productive there..Which is the case for the majority of the machines I maintain.
If you're so worried about being hacked, invest in a good layer of defense and pro-active monitoring instead of blindly ignoring traffic. It's pretty amazing what a snort-guru can slap together for network IDS..
Nigerians constantly abuse www.sprintrelayonline.com for fraud purposes. All day long I am forced, by FCC law, to call pharmacies and try to order 50 boxes of 100 count "One Touch Basic" glucose test strips. They put filters in to block the connections from Nigerian IP space. That lasted about 12 hours. Then they started using the *INFINITE* array of open web proxy servers to connect to www.sprintrelayonline.com to bypass the IP block. Anyone can change their web browser to use a proxy anywhere in the world. This is completely pointless. If idiots in Lagos Nigeria can configure a browser to use a proxy, ANYONE can.
My home box gets hit about 60-100 times / hr, most from US, only some from China. The majority of the US sources are from Comcast, but then again they're my ISP, so Hell, maybe I'll pull my own plug and shut the *bleep* up!
I find the hackers using reverse.theplanet most amusing.
I attempt to ban Chinese ISPs from my website. Since nobody in China uses Macs, they have no reason to visit my site except to post comment spam. Right now I just block a specific ISP when one of their people posts spam. It would be nice if I could block all of China.
I admin for a large anime only BT tracker and i have absolutely no problem taking out an entire ISP.
banned all of UCLA for a month last christmas.
Solution one: write an app that directly tracks hits to well known vulnerable urls. Record the ip and every 15 minutes add it to a global deny list. Regenerate the list and remove addresses older than X days - so you do not put addresses on a blacklist that do not have trojans/botnet SW installed ANYMORE..
....
.....
.....
Linear access websites (huhh does that term exist)
I think of access methods like a BBS. when you come, you get redirected to a central point where you proceed, and from that point only your local referer is accepted (otherwise back to frontpage)
this is a little aggressive and might pose problem with search engines, however it eliminates the possibility to hot-link (also you have to access a front page where you can generate revenue with ads)
think of a BBS where you had to log-in, and go through the last visitors, and new files, and system messages before going anywhere
If all that does not work just put the whole offending ISP on a block list.....
I tried to get answers/report abuse to several ISPs - no answer or a few times some automatic crap answer (we received your blabla and will do blabla (and then nothing happens) )
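The "Solution one" deny list from the post above, as an added example that is not the poster's code: it parses constructed Apache-style log lines, records every client that requested one of an assumed list of scanner paths, and regenerates the list while dropping addresses not seen within the expiry window, so a machine that has since been cleaned up falls off the blacklist.

```python
"""Added example, not the poster's code: an auto-expiring deny list built
from web-server log lines that hit well-known scanner URLs.
Log lines, paths and addresses below are constructed for illustration."""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Paths a real visitor of this (hypothetical) static site never requests;
# a hit on one marks the client as a scanner. Assumed list, not from the post.
SUSPICIOUS_PATHS = ("/cgi-bin/", "/phpmyadmin/", "/xmlrpc.php", "/awstats/")

# Leading fields of an Apache combined log line: client IP, identd, user,
# bracketed timestamp, then the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class DenyList:
    """Remembers when each offending IP was last seen; stale entries expire."""

    def __init__(self, expire_days: int) -> None:
        self.expire = timedelta(days=expire_days)
        self.last_seen: dict[str, datetime] = {}

    def record(self, ip: str, when: datetime) -> None:
        prev = self.last_seen.get(ip)
        if prev is None or when > prev:
            self.last_seen[ip] = when

    def regenerate(self, now: datetime) -> list[str]:
        """Drop addresses older than the window (the box may be clean by now),
        then return the remaining ones sorted numerically."""
        cutoff = now - self.expire
        self.last_seen = {ip: t for ip, t in self.last_seen.items() if t >= cutoff}
        return sorted(self.last_seen, key=ipaddress.ip_address)


def ingest(denylist: DenyList, log_text: str) -> int:
    """Feed log lines into the deny list; returns the number of probe hits."""
    hits = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not any(p in m["path"] for p in SUSPICIOUS_PATHS):
            continue  # malformed line or an ordinary request
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # normalise, reject junk
        except ValueError:
            continue
        denylist.record(ip, datetime.strptime(m["ts"], TS_FMT))
        hits += 1
    return hits


def build_denylist(log_text: str, now: datetime, expire_days: int) -> list[str]:
    """One regeneration cycle: ingest the recent log, expire, return the list."""
    dl = DenyList(expire_days)
    ingest(dl, log_text)
    return dl.regenerate(now)


def as_iptables_rules(ips: list[str]) -> list[str]:
    """Render the list as drop rules for a (hypothetical) regenerated chain."""
    return [f"iptables -A SCANNERS -s {ip} -j DROP" for ip in ips]


# Constructed sample: two probes from one host, one probe nine days old,
# one normal request, one malformed line. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2005:08:01:12 +0000] "GET /phpmyadmin/main.php HTTP/1.0" 404 290
198.51.100.23 - - [10/Jun/2005:08:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2005:08:03:01 +0000] "POST /xmlrpc.php HTTP/1.0" 404 290
192.0.2.99 - - [01/Jun/2005:23:59:59 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 290
garbage line that does not parse
"""
NOW = datetime(2005, 6, 10, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rule in as_iptables_rules(build_denylist(SAMPLE_LOG, NOW, expire_days=7)):
        print(rule)
```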
I guess when I worked at an ISP the world was a different place
Looking at the average American citizen* or the ruler over this citizen, i would consider locking the American ip-space a better option...
;P
;)
But that's just an average European POV.
* This does NOT include the typical slashdot-user as they are some very special kind of human.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I know how you feel. So many people don't seem to grasp that the Internet is a really flexible, groovy tool that has a lot of sharp edges. The more you remove the sharp edges, the less useful the tool becomes. I can give you the world's "safest" Internet (and also the least useful): Block everything except 127.0.0.1.
It's a back office server and there's no legitimate reason whatsoever for anyone on Kornet or the rest to access it.
Personally I ban all IPs originating from the Moon and Mars. I block all of the Moon because that's where all those neo-hacker-survivalist freaks go to escape the coming of the end of the world. Really, they hammer my networks and try to bring down my systems, and that just gets irritating after a while. At least they could target their attacks on important systems like fusion plants and WMD storage facilities. I also block Mars because I really don't care if a bunch of aliens can see my websites. Screw the Martians, they're just a race of god-like beings with an ego to match their boundless power. If they want to view my data, they can come over here and download the data straight into their exposed and grossly pulsating brains with their awesome telepathic powers.
Since there seems to be a fair number of people blocking all Chinese IP ranges, does this skew the measurements that are made on the effectiveness of the Great Firewall? Perhaps the Great Firewall is not as effective as thought?
Taking this a step further, would this not count as a part of the Great Firewall? This would be better than any technical feature added to the wall. Ironic, isn't it.
I recently travelled to China to fix our remote office's computer systems.
The systems there were bogged down with spyware and viruses alike. Most of them contained backdoors/trojan horses.
The majority of computer terminals I saw in China were unpatched windows machines, usually running the wpa_kill patch to prevent activation. Even if they did update all of these systems, the activation counter would reactivate, knocking out their computers. They have no inclination to pay for Windows, so they just use the computers until they stop working, and reinstall.
These users don't have a clue on how to spam or hack or unleash viruses... their computers are merely zombies.
Go after the zombie masters
and .nz?
Hey, what did we NZers do to you?
You don't happen to be Australian, do you? ;)
Real men don't write sigs
"The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh."
So I can imagine you already are blocking the one country that is the number 1 (even if it is the number 2 or 3) regarding crackers and worms, USA, you know...
Don't expect the justice departments or the police anywhere on Earth to figure out that their whole nations got blocked for spam or hacking either. However, do tell them about your reasons, and what you think it means for them. One eMail or fax/phone call costs you very little extra time and money, compared to what you have already spent on parsing the logs and setting up the blocks anyway. There is hardly any nation that doesn't offer some possibility to contact its DoJ/MoJ/police force, its embassy or a CERT - in English: Most governments know they badly need the connectivity, and do care about public perception in the world - so it won't be long before they apply or amend their criminal code - and if they send law enforcement round, it is often quite likely to make much more of an impact on the perpetrators than anyone would expect in the West.
Anyway, it's an effort well spent. If nothing else, once even a substantial fraction of administrators does alert the authorities at least on major incidents, both domestic and foreign investigators and lawmakers will realize the true extent of these problems, and the need for improved international cooperation and laws without loopholes.
You just hate them for their freedom to be isolated and controlled by psychopaths.
Blocking based on IP range and or country is pure and simple discrimination.
What's wrong with that discrimination? I don't have anybody in Korea/China/Poland that I send/receive email with. So, if I choose to block email originating from those countries to me, how am I denying anything other than a spammer one more "deliver to?"
If anything, such action will force spammers to try and locate domestic spamming frontiers, and those are a *lot* easier to shut-down.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
"Windows users have lots of viruses and trojans and spambots. I'm no longer going to accept email from Windows users. I'll insist that they buy a Mac or install linux if they want to speak with me."
Hmm, not a bad idea....
You mean like SPEWS?
Be warned: if you do this you will have all kinds of people accusing you of blocking email sent to some other network you've never heard of. Some people will threaten you with lawsuits, some may actually file against you.
The concept is simple: my email server, I can accept or reject any email sent for any reason. I can unplug the cable. I can reject any email that contains the letter 'e'. I can apply a randomizer and accept/reject messages whenever the computer feels like it. I can ask that guy down in Central America who claimed to be Moses which servers should be filtered out.
Personally, I have never received a single email that wasn't spam from any source within APNIC or RIPE, nor do I ever expect to. Any email coming from anywhere in those areas go straight to \dev\nul (or towards the nearest copy of the federal budget) without a second thought. I've never seen a legitimate email from Brazil either... hasta la pasta, baby.
But your miles may vary and probably do. What works and is appropriate for me may or may not for you. Your server. Do whatever the zork you want with it. I don't have any right or reasonable expectation to care nor would it matter to you if it was the most important thing in the world to me.
But don't send me an email from some internet cafe in Seoul to express your opinion, either for or against - I'll never see it.
Now if only I could get a plugin for Firefox that would indicate if I'm on a website hosted by a spam-tolerant company so I could make a point of never doing business with anybody who hosted with them.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
I've found this list of subnets works pretty well at getting rid of spam.
The only downside is my friends accuse me of spending too much time talking to myself.
My server is my property, just like my house is. I live in a community, and a pretty close one at that, but I don't leave my door open so that anybody can come in and start reading my magazines or browsing my fridge. I don't think I need to do that to foster a good community.
Individual users have every right to refuse anyone they choose.
I don't plan on getting email from anyone in Korea, so I don't allow email from that particular country. Somebody legit wants to email me from a server in Korea? That's my loss, and I can live with that.
Those customers who are running insecure boxen and have trojaned machines are a headache for the rest of the internet.
Since I'm lazy, could I get those IP blocks in comma separated CIDR notation? Thanks!
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
I work for a fairly high-profile site, and our solution is fairly simple. Blocks are applied when an attack is detected, but depending on the type of attack, the blocks are removed after a few seconds. Attacks persist? Blocks stay for 1 minute, and so on.
If it's an SSH attack, the .0/24 gets blocked permanently until someone complains. It's that simple.
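The escalating block policy from the post above, as an added example that is not the site's own code: a short block on the first detection, one minute if the source keeps attacking, and a permanent /24 block for SSH brute forcing that only a manual unblock removes. Only the first two durations come from the post; the rest of the ladder, the attack kinds and the addresses are assumptions.

```python
"""Added example, not the site's own code: block durations that escalate
while a source keeps attacking, plus a permanent /24 block for SSH brute
forcing. The 5 second first step and the ladder beyond one minute are
assumptions; the post only gives "a few seconds" and "1 minute"."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Optional

# Escalation ladder, indexed by how many times the source has been caught.
LADDER = [timedelta(seconds=5), timedelta(minutes=1),
          timedelta(minutes=15), timedelta(hours=6)]


class Blocker:
    def __init__(self) -> None:
        self.strikes: dict[str, int] = {}                # detections per source IP
        self.blocks: dict[str, Optional[datetime]] = {}  # IP or CIDR -> expiry; None = permanent

    def attack(self, ip: str, kind: str, now: datetime) -> str:
        """Register a detected attack; returns the key that is now blocked."""
        addr = ipaddress.ip_address(ip)
        ip = str(addr)  # normalised form is the dictionary key
        if kind == "ssh":
            # SSH brute force: the whole /24 stays blocked until someone complains.
            # (Assumes IPv4; a /24 of an IPv6 address would be far too wide.)
            key = str(ipaddress.ip_network(f"{addr}/24", strict=False))
            self.blocks[key] = None
            return key
        n = self.strikes.get(ip, 0)
        self.strikes[ip] = n + 1
        self.blocks[ip] = now + LADDER[min(n, len(LADDER) - 1)]
        return ip

    def _expire(self, now: datetime) -> None:
        """Drop timed blocks whose expiry has passed; permanent ones stay."""
        self.blocks = {k: v for k, v in self.blocks.items() if v is None or v > now}

    def is_blocked(self, ip: str, now: datetime) -> bool:
        self._expire(now)
        addr = ipaddress.ip_address(ip)
        for key in self.blocks:
            if "/" in key:
                if addr in ipaddress.ip_network(key):  # False across IP versions
                    return True
            elif key == str(addr):
                return True
        return False

    def unblock(self, key: str) -> None:
        """Manual removal after a complaint; also forgets the strike history."""
        self.blocks.pop(key, None)
        self.strikes.pop(key, None)


if __name__ == "__main__":
    # Constructed walk-through with documentation-range addresses.
    b = Blocker()
    t0 = datetime(2005, 6, 10, 12, 0, tzinfo=timezone.utc)
    b.attack("203.0.113.7", "http", t0)
    print("blocked after 2s:", b.is_blocked("203.0.113.7", t0 + timedelta(seconds=2)))
    print("blocked after 10s:", b.is_blocked("203.0.113.7", t0 + timedelta(seconds=10)))
    b.attack("203.0.113.7", "http", t0 + timedelta(seconds=10))
    print("second strike, blocked after 40s:", b.is_blocked("203.0.113.7", t0 + timedelta(seconds=40)))
    print("ssh block key:", b.attack("198.51.100.77", "ssh", t0))
```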
If you are trying to say that blocking an IP for a country is somehow comparable to say, South African apartheid, or segregation in the U.S. South, or not letting women vote in Saudi Arabia, or any of the horrors we normally think about when someone mentions "discrimination", then you are crazy! Absolutely crazy!
I just entered a contest online for Coca Cola. The contest is only open to residents of Canada. Are you calling that discrimination? Coca Cola Canada is running the contest, and they have decided to only open it to people in their market. I don't see anything unethical about that at all.
If I make a phone call to China, I will pay more money than a phone call to somewhere in Canada. Don't you consider that discrimination against China? NO! China is farther away, and outside the national infrastructure, so it makes perfect sense to charge more for a call to China.
If you are in the U.S., and you visit Canada, you can do so without a passport (you only need a photo ID or birth certificate). If you visit Canada from China, you will need a passport. Is that discrimination?
Likewise, if I run a business that ships fruitcakes to North America, and if hacking attempts into my server from China are causing problems, then it isn't discrimination to block Chinese IPs. If I am running a blog site for my friends to read, and I don't have any friends living in South Korea, there is nothing wrong with banning those IPs.
What you are calling "discrimination" would make most of the tax, immigration, and social services of nearly every country in the world "discrimination".
a) Stop producing faulty software
b) Stop using faulty software
c) Stop goofing around
The measures suggested work against the symptoms, not reasons.
i live in australia and the large majority of hacks attempted on my systems come from asia. i get mostly spam from american ip's. instead of blocking entire countries i'm more inclined to keep my system up to date and use RBL's to block spam. less loss of connectivity and a reduction in spam
If you mod me down, I will become more powerful than you can imagine....
For insects, use a pesticide.
For larger animals, use a fence.
For even larger animals, use a taller fence.
For human crackers; take their hard drives, as a trophy. For the occasional noise increase, apply an aluminum base ball bat till the decibel level is changed to an acceptable level.
It has always worked for me, even east of the Rhine.
As for crackers, I haven't had a problem. I just keep my Linux systems reasonably patched (I have a couple of FC systems that haven't been upgraded in a couple of months, and a couple of RH9 systems that haven't been upgraded in years, and none have had security problems so far).
As for Spam, that was my greatest problem until recently, since I'm running my own mail server. I used to be receiving around 150 spams per day, which spamassassin would filter down to around 5-10 per day, which was extremely annoying (especially when being away from home for more than a couple of days). However, I installed milter-greylist a couple of months ago, and now I might be getting a Spam every other week or so. Greylisting really is awesome. It's kind of annoying that it takes half an hour or so to get "invitation" mails for mailing lists, account registration sites, etc., but what can I say? It's just so worth it.
It really doesn't take that much, and I just don't really have any problems at all. Sure, my systems would likely not stand up to a directed, manual attack, but then again: I'm just a home user on DSL.
What we need to do is start blocking the entire country of Vietnam. They have been the #1 source of credit card fraud for the past 3 years for a hosting business I run. They keep coming day after day after day. I've set up IP blocks, and can see the block count still going up every single day.
3 years. 100% fraud rate. Can't argue with that.
Umm, are you not aware that someone could DOS your site by spoofing traffic from AOL, SBC, Comcast, ...
Then, you block those networks, and no one can get to your site.
Gets even worse... I might even be able to block you from reaching the root DNS servers!
Read Dan Kaminsky's DefCon presentations.
Nothing to see here; Move along.
Most of my spam comes from there, I have no legitimate mail from there, and from what I hear they're a bunch of trigger-happy fuckwits.
No, I'm not serious. But points [1] and [2] are true. It seems likely that the same is also true for worm activity reaching my machine.
Try it: put something critical of the PRC on a honeypot site and watch as probes and hack attempts go thru the roof.
I have to say, this sounds kinda like, "The bitch was asking for it... she was dressed like a hooker."
Yes, without targets there wouldn't be attackers, but we don't blame the targets.
If you block at a router somewhere between the target machine and the attacking machine, the packets may find a way to route round it. If, on the other hand, you block the attacking machine at your own firewall, it will not get past.
That won't protect my children from pornography.
Many of the security issues I've seen are directly related to people not heeding oft-repeated warnings to keep their software and operating system patches up to date and not to open strange messages with attachments. Yes, those dirty bastards keep playing these sorts of games, but you know, people have to take responsibility for their own actions sometimes, and while many security issues aren't preventable by the user, a good many are. Almost every virus-laden email still requires someone thoughtless enough to open it.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Anyone know what happened to blackholes.us? I haven't been able to access it for a while now.
I did find a similar blacklist for China/Korea okean.com, but they don't have a DNSBL, just a list.
Eh, nice strawman argument.
Actually, some of the stuff you listed I _would_ call discrimination. Maybe you should look up the meaning in the dictionary because it seems like you have an urge to redefine the word to something that suits your liking.
One can discriminate based on practically anything, it isn't always color of skin... See " 3. Treatment or consideration based on class or category rather than individual merit; partiality or prejudice"
When you block an entire country there's certainly treatment based on category rather than individual merit, and there's certainly prejudice when you do this because of hacking.
I'm not too worried about being hammered with 'sploits as TFA talks about, because I run Apache, but not PHP. And I run it on a non-x86 box. I might want to see what kind of crap is going on, but what matters most to me is the lack of spam.
Even if *you* block a range of IP addresses, someone operating a computer on one of those IP addresses could still connect with your server simply by going through a proxy not blocking them, but which you have not also blocked. Given that blocking a national range of IP addresses provides no real security from a marginally determined and capable attacker
This response is rather typical for
I want to drag this out as long as possible. Bring me my protractor.
I would not block any IP addresses belonging to Chinese ISPs. I would just charge 50 Cents per packet for them to come into my firewall. I think that is a reasonable charge. A compromise. Now I just need someone to send the bill to.
No it's not discrimination, its asinine generalization.
People seem to think that X group of people behave in certain ways or have certain scruples or lack thereof. People are fucking people. There are assholes next door, there are assholes in China, there are wonderful people next door and there are wonderful people in China.
Blocking huge blocks (huge = countries) is indiscriminate at best.
You can block individual IPs. I mean there are only about 4.2 billion. There are more people in the world than that, a large percentage of which aren't sending you spam, viruses, or trying to hack you.
But if you want to indiscriminately block large blocks of IPs by all means go ahead, censor yourself.
Question everything
one of my friends dialed a wrong number on his modem (the modem was connected to a computer at work that was about the size of a closet) back in 1973, and was shocked shitless when another modem answered the wrong number; it was pretty safe back then
Apocalypse Cancelled, Sorry, No Ticket Refunds
There are so many people giving all sorts of excuses like "blocking IP's from China will not work when they can just use a proxy and get ya", or making theories about how this or that will happen.
Guess what?
Blocking known netblocks of addresses that originate attacks and spam WORKS...
Say all you want. Talk up and down about how the world will end..about how the hacker that had his packets blocked will now suspect your system is there (even though all his packets were dropped) and is now going to take the time or effort to find a proxy server and scan an address that may or may not have a system attached to it.
The argument is like the "OS X virus" argument..."When OS X is popular...viruses will be as prevalent as Windows"...yea yea...when..if...will be...5 years and no viruses to speak of (other than rumors)
Before you start spouting theories..at least have some EMPIRICAL evidence.
So far...people who block addresses have the empirical evidence of its usefulness on their side.
Until I see some that supports the other argument I'm gunna keep on blockin!
"Hey, there seem to be all these hackers in China. Let's block the entire nation of China from the rest of the Internet. That will really help the Chinese Internet censorship situation."
Amen brother, I suspect the Chinese government may actually either encourage or at least specifically look the other way in this matter just so we help them wall off the innocent Chinese people. Hurt the many just to get the few.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Just put a few references to Falun Gong on the web site. The Great Firewall of China will soon block everyone for you.
Oh wait, there're European hackers as well, so let's block 'em too.
Wait again... There're US hackers. Let's block those too.
The only 100% safe computer is a computer that is switched off.
Draconian measures like this don't help anybody and are just plain stupid.
This is a classic public good problem. It's very bad for everyone if everyone chooses to shaft the other guy, and doesn't solve any problems -- you have a broken, useless Internet. On the other hand, for each *individual*, it is worthwhile to make the choice to shaft other people.
It's like eight million other, similar, poorly-engineered measures that people have taken on the Internet. People always do them because they're advantageous for them as an individual in the short run. SPF, for instance.
Mail needs a trust system, but the sort of trust system that would work is utterly uninteresting to all the players involved because it can't be made to be a huge money-maker.
(a) It can't be centralized. Won't work. VeriSign lusts after another market for which it can charge businesses increasingly larger sums of money to "buy" reputability from them. Whoever develops a working solution will not have any ties to VeriSign.
(b) It must be fine-grained enough to at least the user level. Trying to apply a policy to a whole domain just doesn't work. IT types/vendors selling net admin products to IT types love this sort of approach. Unbelievably irritating to the end user. DomainKeys/SPF are currently getting stuck somewhere around here.
(c) It must be easy enough that at least the basic features are usable (and take little enough work and be useful enough *to* be used) by Joe Sixpack's idiot cousin. This is where PGP/GPG falls over.
(d) It can't be controlled by one company. Microsoft is in a great position to push a useful solution, but they're never going to accept something that they don't get to control one way or another. DomainKeys had this problem.
(e) It can't be "one size fits all". Yes, there are some things that we all consider undesirable, but a system must recognize that there is a large gray area, and a system that can't operate differently at the behest of each end user isn't going to make it.
There are other constraints on such a system, but these are the ones that are currently not being fulfilled.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
if you want to block half the world, I believe that's your right.
Actually I block the whole world, my firewall has a rule that means don't call me, I'll call you, as I'm not running a server, it works good. Some sites may be running a server but not really need to allow connections to foreign nationals; if my E-store only does business in the United States, why shouldn't everyone else be blocked?
I'm tempted to find out if the HTTP protocol can't detect OS and patch level, might be amusing to redirect all WinXP w/o SP2 to Windows Update!
Apocalypse Cancelled, Sorry, No Ticket Refunds
It means that he's scared of little yellow people who are less fat and don't demand SUVs to do work taking his job away, so he's enthusiastic about screwing them over.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Same here; I basically banned everything from the Kurile islands to Tasmania. (sorry au) Everything I got from this area was a probe or mail relay attempt. I didn't need it.
Wanadoo was on it also, the only EU vendor.
Forward slashes? NUL? Are you some kind of windows user who wants to pretend they know how to use some kind of unix?
What he said was it's okay for an individual to decide who in what country would be allowed to email them, but no other person should decide it for them (e.g. the ISP, government, etc.).
Consider some other person who you would like to email (maybe you wanted to talk to him about his very nice open source product which you just found out about?). If that person has blocked you then there is little you can do since it was his choice. But what if his ISP has blocked you for some pigheaded reason?
Blocking IP ranges of any kind should only be an option for the end user, not for anyone else.
we have an 800 number for our clients to call us on. it only works from the US and Canada. we only have clients in the US and Canada. is this somehow abusive to Chinese citizens?
VERY few companies really need connectivity to such a level.
True redundancy is difficult to achieve these days. Sure, you can buy two routers (from different vendors) and get two T1's (from different providers), but odds are, those two T1's cross the same hardware at some point... transported via the same LEC, hung from the same pole, buried in the same ditch, go to the same closet, enter through the same hole in the building, etc.
(And telcos/ISPs will lie about the redundancy they're selling to you as well as their own redundancy.)
Alright, first of all, this is not some current thing; as China's internet presence becomes more effectively administered (their own administrators will get tired of being blocked and do the spam/bot fighting locally) this will cease to be an issue.
/rant off
As far as the Chinese government supporting this as a means to extend their censorship efforts, you're just showing your general ignorance of networking and the internet at large.
Many people block Chinese address space only on certain ports, still allowing port 80/443 for web traffic.
Also, living in China, you are putting yourself in considerable danger by connecting directly to any site to post dissenting content. Anyone doing so will already be going through a proxy/anonymizer to disguise their activity. So they will not be affected by any Chinese address space bans in the first place.
I'm a strong supporter of free speech, but I can't stand it when people make harsh judgements about people without actually understanding the issue and the technology.
Also, I highly doubt anyone that runs a network hosting content that would matter to Chinese citizens flat out blocks it. If they did, I'm sure they would have some very upset hosting customers.
If you're providing a hosting service for my business with the expectation that Internet users can reach my site, and I lose all my Asian revenue because you blocked China and Korea without informing me in advance, I'm gonna sue it right back out of you, plus cost and punitive damages. Because it's the right thing to do.
-I like my women like I like my tea: green-
I am certain that PRC would do the same to the US if the situation were reversed.
blocking a lot of American IP ranges....simply because of the spam and hacker threats we have received originating from America. Zombie nets and continual phishing scams that have US (and German) origins. In fact, since Korea has a higher degree of broadband connections and more than America...and since it is more integrated into our lives here..the US has been the origin of some highly publicized hacks, spam nuisances, and phishing schemes. Honestly, I have read in the newspaper today that in all honesty not only in addition to security threats, but your slow connections and inefficient routing....it might be a better idea to route through Canada. Especially since the handoff between your mess of telcos/private line owners....just adds to the slowdown. I mean really, the article in the Chosun Ilbo asks, why do we need American websites anyways... I think any and all of this defeats the entire purpose of what the internet has become...and that reactionary practices based on blocking ANY nation from access...will just lead to the entire subversion of what a network without borders could have been.
Three years ago, I looked up every net block for China, Taiwan and Brazil and blocked them all at my firewall.
I completely agree. I did the same thing. My systems were under constant ssh dictionary password attacks.. literally, they would use the username "donald" and try several thousand password combinations. Moving ssh to a different port number wasn't really an option for me. After tweaking ssh and making it work with TCPD, my last recourse was to start blocking IP ranges.
I peeled through the logs and 80% of the addresses originated with APNIC addresses. I went to ARIN, got the IP ranges of most of the APNIC and blocked them. Ya, so I can't browse China or Russia.. but who needs to go there anyway? Unless you're looking for warez, there's no need to visit Asia.
Since I put these filters in, no more attacks, and the spam to my email accounts has dropped by nearly 50%.
I've been like this for a couple months now.. and not regretting it.
Exactly! The area I live in claims to have multiple redundant upstream providers.
The fact? We live in a large gorge that stretches about a hundred miles from end to end--if not more. And there are two ways out. The main way is fibre buried about 3 feet below ground on the railroad right-of-way.
The other way is an old microwave link that our *one* local telco has for emergencies. i.e. it can handle emergency calls only.
Sever that fibre link and it all goes down.
It's happened once that I am aware of. It knocked out phone systems in about 10 different small cities throughout the area. The entire 911 center in our county went down. It really sucked.
Especially no slashdot for five hours.
There's no place like
gookspace
APNIC includes Australia, New Zealand, Singapore, Hong Kong ... fuck them then.
I've been banning Malaysian visitors for a year now and I've had very good results. Or more exact -- zero trolls. I was having a bad troll problem and 100% of them were coming from Malaysian IPs. I wasn't having any worthwhile contributing visitors from that country so the decision to institute a country-wide ban was easy. I encourage anyone to do the same.
http://timyang.com/
What are the IP address ranges so I can block them on my firewall??? Does anyone know and care to share?
Sounds like a business opportunity, or if it is too minor, a small public service.
Rome wasn't bilked in a day.
will this 'slippery slope' prove too difficult to walk?
Haha, an article about blocking Chinese ISPs and "slippery slopes"? Must be a Freudian slip.
Network activities should be considered malicious by semantics, not by syntax! ... until he/she will end with no communication at all!
That is, anything coming from an IP address (syntax) cannot be considered malicious unless the activity itself or the content is (semantics).
An intruder can gain control of a computer in another IP space and conduct malicious activities from there, thus hiding his/her originating IP address.
Public email services host millions of email boxes and thousands of spammers: a thief hidden in a crowded market square!
By using a syntax driven filter in the end there will be no communication at all!
Semantics filtering, on the other hand, will keep malicious things away, wherever they come from.
Useless to say that syntax filtering is much easier to implement than the semantics counterpart: this is why most people will try to implement it!
There is no way to correct this behaviour: anyone is free to do whatever he/she wants
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
Aye, there's the rub!
I had carefully provisioned our company with redundant T1 lines (x2) and one DSL line, served by 3 different ISPs, but all the copper was owned & served by PacBell (now SBC). It took some doing, but our city is well wired, and I was able to get metallic pairs coming in from different poles in different directions, and one underground. Still one CLEC, but at least cutting one cable would not knock it all out.
The routing of the cables was traced and verified as separate by the guy in the field, not just the office. Supporting evidence was the different CO prefix for POTS phones lines for alarms served by the given cables, the CO's were in different locations. That's about as good as it gets for telco redundancy.
With 3 different ISPs, a single router/DNS/BGP/accounting fsck-up wouldn't take us down. It took a lot of calls, a lot of persistence, and a long time, but we got it.
Well, recently we moved to a neighboring city (18 miles). All that redundancy is now gone, no infrastructure to support it. Only one cable at the street, hanging up where it can get hit by a tall truck or someone with a long ax handle. Local office that thinks 25 pairs in the same cable is more redundancy than we would ever need. Sigh. Hoping for WiMax soon to add my own redundancy bypassing SBC.
In theory, practice and theory are the same. In practice, they rarely are.
This will be seen as a troll - but should US companies really ignore the nation which holds most of their country's currency? It may make sense for small organisations that want to remain small, but eventually the spare part you need may require dealing with someone in a nation that you block email to. I never expected being blacklisted by a mail server in Africa would ever affect me, but it did; consider what it's like to be on the other end of this sort of behavior and just use some decent rule based filtering.
Several years ago, I did it for the US Military's NMCI network... it worked so well that when Welchia and other variant viri took down certain portions of the NMCI network, my part ran smooth as silk. Consider the worms folks, not just the spams. If you don't do business overseas, then cnx the connectivity. You'll be happier you did. Or in the remote event these countries wake up and stop the bullshit, then open the gates. But really, we have physical border gates, why not Internet gates?
There are other issues that have not really been covered in the article. I have recently blocked a large percentage of the Chinese and Korean IP ranges from my mail servers. That was because of the spam that was not being blocked by Spamhaus; 95% of it was coming from those ranges of IPs. Since doing that my customers are much happier with the spam levels coming through the system. At the end of the day, if there are any Chinese users that require email from specific ISPs I am happy to explicitly permit those origins. I don't block web requests as there is nothing that is going to stop attacks if they originate from China, Russia or whatever.
The other issues that become even worse: now that Microsoft have the WGA verification of serials most Chinese people will never update their Windows and the issue is going to get much worse before it gets better. I have been through China many many times and found pirate software of all kinds easily available. So in the end we should be looking at vendors more closely about their profit driven motives rather than security driven motives?
After doing some stats i actually decided to block USA instead. Most of my spam comes from there. Works actually very well.
One thing to remember when blocking off huge chunks of IP - leave your root,postmaster,hostmaster and abuse emails unblocked. These almost don't get any spam whatsoever.
Chinese Websites Used As Launchpads For Cracking ... today ...
... got dumped by your Chinese girlfriend?
2005-08-26 The Invasion of The Chinese Cyberspies
Come on, Slashdot editors
Screw the FSM - Real geeks believe in the Invisible Pink Unicorn
I can't speak for Brazil, but if you have ever tried to get something done by a Chinese provider about net abuse coming out of their space, you'll know why people just drop them off their internet map. The problem isn't that the abuse takes place, that happens from all over, it is the (lack of) response by the organisations hosting the abusers that results in people taking their own action.
This can be done with OpenBSD's pf.
pass in on $ext_if from any os OpenBSD keep state
block in on $ext_if from any os "Windows 2000"
block in on $ext_if from any os "Linux 2.4 ts"
block in on $ext_if from any os unknown
SHO already blocks all non-US access. The article speaks of this being a slippery slope. I recently started to use a proxy (easy to turn on and off with Mozilla and PrefBar) to go around it.
The blurb was clear and no it's not related to you. You do not run a server hosting a customers website, a customer who may be interested in chinese customers. RTFA
Of course if people routinely block traffic from certain areas of the world with a high concentration of spammers and the like, then it is going to hurt the honest people who happen to be living in the same neighbourhood as the spammers. It is called "collateral damage" by some military organisations.
It looks as if Florida is high on the list of areas to have all its Internet traffic blocked, if we want to block spammers.
Business Week: Are Hurricanes Swamping Spammers? Lots of folks think the hits that the Sunshine State (aka Spam State) have taken slowed the volume. Probably isn't so, though
Spamhaus: United States Heads Towards Legalization of Spam
The Register: Florida spammers sue anti-spam groups
Umm, are you not aware that someone could DOS your site by spoofing traffic from AOL, SBC, Comcast, ...
Tough shit. If someone manages to get in and crap my site, it won't work for anyone.
Then, you block those networks, and no one can get to your site.
If the attack was that extensive, I'd obviously intervene. The reality is that we get attacked several times a day, but with the amount of hardware and bandwidth we have, it most likely goes unnoticed.
Gets even worse... I might even be able to block you from reaching the root DNS servers!
It'll never happen. You'd have to attack my port 53, which is blocked on the firewall anyway. The only ports watching for attacks are listening ports.
Read Dan Kaminsky's DefCon presentations.
Back during that whole spy plane thing, when all of China's script kiddies were targeting US computers is when I started.
have you tried blocking 0.0.0.0/0?
I hear that solves all hacking.
Sorry, you have no right to contact anyone at any time unless the recipient wants you to. If I on my own determine that dealing with email from China wastes more time than it gains in entertainment/opportunities/whatever-I-value then that's my decision.
I get the same with cellphones. For a long time I didn't have one, people moaned and bitched that I wasn't "accessible". Then I got one -- for the express purpose of being able to phone for assistance if my old car broke down. People moaned and bitched that I never turned it on. Why would I ? The cellphone was never there for the purpose of making me contactable.
Who the hell ever decided that everyone has a duty to be contactable by anyone at all times ?
I think we should ban IP ranges outside the US and UK, the rest of the world don't like us and don't speak English anyway!
pr0n: now ive got your attention click here
Cutting off Chinese addresses plays right into the hands of the dinosaur that is the Chinese Communist Government.
At the same time we can take reasonable steps not to block but filter what they can and can't see from China, Russia, India, etc. Firewalls have gotten much more powerful and are able to reject attempts that would once have caused havoc.
Just leave port 80 open. Put your web servers in your DMZ, keep hot backups and just be ready for the day that your IIS box gets hacked again.
A few months ago, I started having major issues like what was mentioned in the Register article (along with a severe brute force attack on my ssh port) so I slapped together a quick database, some scripts to analyse my logfiles and log intrusion attempts to the database, then every 5 minutes I update my firewall rules. Basic idea: 3 failed logins / fubar web requests / whatever else I'm logging in 3 minutes = 5 minute block. Another attempt within 5 minutes of release gives 10 minutes, and so on until a 24 hour block expires; after that, one more attempt and it's a permanent block. All automated, and on an IP by IP basis.
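The escalation scheme in the post above (three failures in three minutes gives a five minute block, a retry within five minutes of release doubles it, a cap at 24 hours, then a permanent block) can be written down compactly. The following is an added example, not the poster's scripts: it parses constructed sshd-style lines, keeps a per-IP sliding window, and records every block it issues. The log lines, timestamps, addresses (documentation ranges) and the pf-style rule format are all assumptions for the demo. One defensive detail worth keeping: it only acts on authentication failures, which require a completed TCP handshake, so a spoofed source address cannot get a third party's range blocked the way counting raw SYNs would.

```python
import re
from collections import defaultdict, deque

# Constructed sshd-style log lines for the demo: (seconds since start, line).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = [
    (0,    "sshd[411]: Failed password for donald from 203.0.113.7 port 40110 ssh2"),
    (30,   "sshd[411]: Failed password for donald from 203.0.113.7 port 40112 ssh2"),
    (60,   "sshd[411]: Accepted publickey for alice from 198.51.100.5 port 50000 ssh2"),
    (90,   "sshd[411]: Failed password for invalid user donald from 203.0.113.7 port 40114 ssh2"),
    (120,  "sshd[411]: Failed password for donald from 203.0.113.7 port 40116 ssh2"),
    (400,  "sshd[411]: Failed password for donald from 203.0.113.7 port 40118 ssh2"),
    (1100, "sshd[411]: Failed password for root from 203.0.113.7 port 40120 ssh2"),
]

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")

WINDOW = 180          # failures are counted over a 3 minute sliding window
THRESHOLD = 3         # three failures inside the window trigger the first block
FIRST_BLOCK = 300     # 5 minutes
GRACE = 300           # a new attempt this soon after release escalates the block
MAX_BLOCK = 86400     # blocks double up to 24 hours
PERMANENT = float("inf")


def next_block(previous):
    """Escalation rule: double the last block, cap at 24 h, then go permanent."""
    if previous >= MAX_BLOCK:
        return PERMANENT
    return min(previous * 2, MAX_BLOCK)


class Escalator:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time the current block lifts
        self.last_block = {}                 # ip -> duration of the current/last block
        self.events = []                     # (time, ip, duration) for every block issued

    def observe(self, t, line):
        m = FAIL_RE.search(line)
        if m is None:
            return "ignored"                 # not an authentication failure
        ip = m.group(1)
        release = self.blocked_until.get(ip)
        if release is not None and t < release:
            return "dropped"                 # still blocked; the firewall should have dropped it
        if release is not None and t - release <= GRACE:
            return self._block(ip, t, next_block(self.last_block[ip]))
        window = self.failures[ip]
        window.append(t)
        while window and t - window[0] > WINDOW:
            window.popleft()                 # forget failures older than the window
        if len(window) >= THRESHOLD:
            window.clear()
            return self._block(ip, t, FIRST_BLOCK)
        return "noted"

    def _block(self, ip, t, duration):
        self.blocked_until[ip] = t + duration
        self.last_block[ip] = duration
        self.events.append((t, ip, duration))
        return "blocked"

    def rules(self):
        """Render the current blocks as pf-style rules (assumed output format)."""
        return [f"block in quick from {ip}" for ip in sorted(self.blocked_until)]


def run(log=SAMPLE_LOG):
    """Replay a log and return (decision per line, blocks issued)."""
    esc = Escalator()
    decisions = [esc.observe(t, line) for t, line in log]
    return decisions, esc.events


if __name__ == "__main__":
    decisions, events = run()
    for (t, line), d in zip(SAMPLE_LOG, decisions):
        print(f"{t:5d}s {d:8s} {line}")
    print(events)
```

On the constructed log the third failure at 90 s earns a 300 s block, the retry at 120 s is dropped, and the attempts at 400 s and 1100 s each arrive within the grace period after release, so the block grows to 600 s and then 1200 s. Real deployments also need state expiry and a periodic push of `rules()` to the firewall, which the post does every five minutes.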
Don't blame Chinese, or Japanese, or Taiwanese, or anyothernese because they are NOT the ones to blame for spam.
Depending on which report you choose to read, spam is responsible for between $500 Mil and $2 Bil a year and more.
As long as that kind of money is involved, greed will always prevail no matter what traffic you decide to block.
The only chance we have is to employ good firewalls and spam/virus filtering.
Then of course, KILL every single knucklehead that buys something because they got an email that claims they can triple the size of their thingy or pay 60% less for their prescriptions!
If your organization's target audience or customer base isn't in a certain country it's perfectly reasonable. If every other IP that showed up in my firewall log trying to do nastiness didn't have a reverse dns that came up .ru or .tw then it wouldn't be an issue.
There are certain IP blocks we permit to come in reflexively, but we don't allow them to initiate contact with us. In 2 years there's been one case where it's caused a (very minor) problem.
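The "permit to come in reflexively, but don't allow them to initiate contact" policy in the post above (and the "don't call me, I'll call you" rule earlier in the thread) is stateful filtering: inbound packets pass only if they belong to a connection the inside opened. This added example, not the poster's firewall configuration, shows the decision logic over a constructed packet trace; the addresses are documentation ranges and the packet fields are assumptions. Connection teardown and idle timeouts are left out so the state logic stays visible.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as the firewall sees it (constructed for this demo)."""
    direction: str   # "out" = leaving our network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # e.g. "S", "SA", "A"


class ReflexiveFilter:
    """Listed ranges may answer connections we open, but never open one to us."""

    def __init__(self, no_initiate):
        self.no_initiate = [ipaddress.ip_network(c) for c in no_initiate]
        self.state = set()   # (local_ip, local_port, remote_ip, remote_port)

    def _restricted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.no_initiate)

    def handle(self, p):
        if p.direction == "out":
            if "S" in p.flags and "A" not in p.flags:
                # A bare SYN from inside: remember the 4-tuple we initiated.
                self.state.add((p.src, p.sport, p.dst, p.dport))
            return "pass"
        # Inbound: flip the tuple to local-first order and look it up.
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            return "pass"                    # reply to something we asked for
        if self._restricted(p.src):
            return "drop"                    # unsolicited contact from a listed range
        return "pass"                        # everyone else may still initiate


# Constructed trace: we browse 203.0.113.7, then it tries to reach our sshd,
# then an unlisted host tries the same.
SAMPLE_TRACE = [
    Packet("out", "192.0.2.10", 51000, "203.0.113.7", 80, "S"),
    Packet("in",  "203.0.113.7", 80, "192.0.2.10", 51000, "SA"),
    Packet("in",  "203.0.113.7", 44444, "192.0.2.10", 22, "S"),
    Packet("in",  "198.51.100.9", 44445, "192.0.2.10", 22, "S"),
]


def run(trace=SAMPLE_TRACE, no_initiate=("203.0.113.0/24",)):
    """Return the filter's verdict for each packet in order."""
    fw = ReflexiveFilter(no_initiate)
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, run()):
        print(f"{verdict:4s} {p.direction:3s} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]")
```

The SYN-ACK from the web server passes because the outbound SYN created state; the SYN from the same range to port 22 is dropped because nothing inside asked for it. This is exactly why a blanket "block country X" rule and a reflexive rule behave differently for outbound browsing.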
Yes, my only tool is a hammer. And you're starting to look like a nail.
Yes, redundancy is the key.
If they think that is costs too much for 2 ISPs, how much would they lose if their ISP was offline for a couple of days?
Sometimes I think of the word "redundancy" as being almost magical.
Do not meddle in the affairs of geeks for they are subtle and quick to anger
Though I am a home user, I have no need or want to block anybody.
I have no firewall, per se. I have one computer, and only one, that is actually on the internet, and of course it runs Linux. In the very rare occurrence that Windows must be used for something on the internet, the closest it gets to even seeing the internet is through a VNC connection to the main computer. Files that must be downloaded are downloaded to the main machine, and then sftp is used to transfer it to Windows.
No forwarding/masquerading is used.
Yes, this does prevent things like using Windows media player to play streaming content, but it sure has paid off in that I have not gotten any viri, worms, or what have you, on any of my 5 computers (though, only 3 even have Windows on the HD).
I do have the wireless AP locked down so only registered MAC addresses can work. Yeah, it is a bit vulnerable to someone spoofing a MAC addr, but that only concerns me in the far less than .5% that I may be in Windows.
This setup won't work for everyone, but it sure works well.
On a side note: I got my wife to switch to Linux on her laptop and she likes it FAR better than Windows. She says it's even easier to use than Windows. She uses Gnome, which IMO makes things quite simplistic compared to Windows and KDE (way too many buttons in the GUIs).
>> But if you're a network administrator at an ISP or government who thinks he's doing some good by closing off these segments of the Internet, you're nothing but low life scum who cares more about his temporary comfort that other people's lives.
I block entire netblocks and am a network admin. I am not scum. We are a trucking company that only does business in North America. We don't truck into China, so why would they need to access my site? They can always use anonymous proxies in other countries, or Google cache if they want to see my site.
Then you aren't a "network administrator at an ISP or government," are you? Try reading my comment.
Err...no.
If an end node or a network ingress point blocks a source address or network, there's nowhere to "bounce through" that will let that traffic in unless the source address is changed as part of the "bounce". Think about it...if you were right, then firewalls, etc., wouldn't work.
continue to exist and are perfectly legal.
At the same time, I shall exercise my rights to criticize such clubs as not being in the best long term interest of the country. Ethical considerations may also apply.
You answered a technical point without addressing the substance of the original post.
The Wikipedia article you cited indicates that they were blocked twice for a total of 23 days since inception: ~3% of the time. This suggests to me that there were significant forces within China itself pushing for sites such as Wikipedia to be accessible. Such statistics seem to be supportive of the points made by the original post in this thread: censorship clearly exists, but is by no means pervasive.
We call this "The September that Never Ended" in polite circles.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Blocking and shutting down complete networks with a /8 mask can only be seen as an act of fear.
For the people who put such blockades in place I have an alternative offering, the ultimate secure environment, in which one will be safe against any monstrous firestorm like Katrina.
There's only a major pitfall with such an environment. Once you enter it, it's not that easy to get out, and it's guarded and operated by men and women in white coats.
Robert
Thanks :-)
Somebody else already does this for a lot of us, sometimes for free, sometimes for a fee, and that somebody is not the government. As for legal responsibility, everybody are responsible for their own actions, except governments which tend to place themselves above the law. If you don't want to assume responsibility for your own business, your government certainly won't do it for you (and in order for me to be more specific, you will have to explain what actions you are concerned about).
The China story is about blocking the IP space of an entire nation, not individual hosts. It takes a single line of text to block an entire IPv4 range of size /16 assigned to an ISP. When IPv6 takes off, it will take a single line of text to block an address range of size /64 (which I believe is the smallest range normally assigned to a single entity under IPv6, in spite of it containing 2^64 128-bit addresses, or 4 billion times the number of potential IPv4 hosts). There won't overnight be 4 billion times as many network providers to block, and nobody is concerned about individual toasters.
That is, ignoring the current track record of at least one powerful government. As for the government ensuring a manageable process, I'd like to see an example of that first, otherwise it merely looks like wishful thinking.
As you should be doing, if you are an ISP. As I'm not an ISP, but a private Internet user, I'm looking at it from my point of view, since that is the only one that really counts for me. Since I manage a router at work, and I have experience from maintaining a blacklist, I can be fairly specific in my demands when shopping for Internet access. I usually don't do business with vendors who think they know better than me what I want, and I certainly won't give my money to someone who thinks the government knows that better than me.
Read my explanation above. It takes only 0.0.0.0/0 to effectively block the entire IPv4 Internet, if I wanted to. IPv6 addresses are only four times as long, but pose no significant problem to blacklists, unless registrars start distributing individual /128-size addresses randomly worldwide (which they won't). Tell me your IPv6 address range, and I'll show you how to blacklist it in five seconds.
However, I wish you good luck in convincing your government (or any government) to establish an IP address blacklist to protect your servers from network abuse. In order for it to be successful, it must prove effective in comparison with all other blacklists in existence. I work for my government (indirectly), I have seen "legal responsibility" in action, and it's a pretty good antidote to effectiveness, as in "yes, they run an open relay, but since we depend on their money we cannot refuse accepting their mail".
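Two threads above make the same mechanical point: one rule line covers an entire /16 (or 0.0.0.0/0, or an IPv6 /64), and the mail-server posts earlier want a way to explicitly permit specific origins inside a blocked range and to keep postmaster/abuse/hostmaster/root reachable regardless. This added example, not any poster's configuration, puts both into one longest-prefix-match filter using Python's standard ipaddress module; the rule set, the addresses (documentation ranges) and the role-mailbox list are assumptions. It also computes the address counts the post quotes, so the "4 billion times" figure can be checked rather than taken on faith.

```python
import ipaddress

# Constructed rule set: one line per range; the most specific match wins.
# 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
RULES = [
    ("203.0.113.0/24",     "block"),   # a whole ISP allocation in a single line
    ("203.0.113.10/32",    "allow"),   # one origin inside it we explicitly permit
    ("2001:db8:abcd::/64", "block"),   # a single IPv6 end-site allocation
]

# Role mailboxes that must stay reachable whatever the source address is.
ALWAYS_ACCEPT = {"postmaster", "abuse", "hostmaster", "root"}


class PrefixFilter:
    def __init__(self, rules=RULES):
        self.rules = [(ipaddress.ip_network(c, strict=False), a) for c, a in rules]

    def decide(self, addr, default="allow"):
        """Longest-prefix match; IPv4 rules never match IPv6 addresses or vice versa."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, action in self.rules:
            if a.version == net.version and a in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, action)
        return best[1] if best else default

    def accept_mail(self, src_addr, rcpt):
        """MTA-side check: role mailboxes bypass the IP block list entirely."""
        local_part = rcpt.split("@", 1)[0].lower()
        if local_part in ALWAYS_ACCEPT:
            return True
        return self.decide(src_addr) == "allow"


def addresses_per_line(cidr):
    """How many addresses one rule line covers."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    f = PrefixFilter()
    for ip in ("203.0.113.7", "203.0.113.10", "198.51.100.1",
               "2001:db8:abcd::1", "2001:db8:abce::1"):
        print(f"{ip:20s} {f.decide(ip)}")
    print("abuse@ from blocked range:", f.accept_mail("203.0.113.7", "abuse@example.net"))
    print("/64 holds", addresses_per_line("2001:db8::/64"), "addresses,",
          addresses_per_line("2001:db8::/64") // addresses_per_line("0.0.0.0/0"),
          "times the whole IPv4 space")
```

Because the match is by source address only, a sender relaying through a host outside the blocked prefix is simply a different address to this filter, which is the limitation several posts in the thread point out. Note too that `0.0.0.0/0` as a rule blocks the entire IPv4 Internet but says nothing about IPv6; a v6 catch-all needs its own `::/0` line.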
So this guy generalizes about other countries and he's insightful. I generalize about Americans and it's flamebait.
Yes I have some email addresses that left totally unchecked can get 5MB of spam email a day and let me tell you that is a lot of text to filter thru by hand.
Got hosting
I'm more or less an admin for a corporate in New Zealand. And, yes, I've had to convince a website administrator for a site in .ca.gov that we were not a source of viruses, spyware and spam.
(Yep, they'd blocked all of APNIC.)
Please, people that do, don't lump Aussie and NZ in the same category as Korea and China. Judge us on our own merits and reputation, not because we're "sort of in the Asia Pacific Region." Heck, the problematic countries really are "Asia" rather than "Pacific".
Even WE block Korea!
I don't see no horns boy.