Slashdot Mirror
Blocking a Nation's IP Space
SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?
Maybe to get around the great firewall of china. Also, the company I work for is global. We have offices in china connected via IPSec. Not smart of us to block china telecom addresses...
As a chinese American, I feel that these tensions between the USA and China are unnecessary, many things about China are sometimes overstated. For example, last summer I visited China, expecting to see many US sites blocked by the Great firewall, but instead do not see things like that. I did not encounter any websites that seemed to be blocked. Also, many Chinese can read English, so I also feel it's unfair to block Chinese users from some websites.
Student Research and Development
Cool! As an independent/home user myself, I can definitely empathize - another individual's rights to express themselves end at my eyes/ears - personally, I'm considering publishing a list of the IPs I block, and my reasons for doing so: as others weigh in (agreeing or dissenting), it could become the ultimate democracy...
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
I've got about 20 lines in my hosts.deny file - mostly /8 and /16 nets. This is on a server that hosts some services for showing off our products and it was seeing huge amounts of SSH dictionary attacks and web shell code, etc.
Basically - if we know we want a prospect in China, Korea, etc. to use our site, we'll open something for them - otherwise they should just go the heck away.
If enough people -j DROP China, etc., maybe somethign will get done about. (I know - wishful thinking).
I work for a UK company who deals with multi-nationals, but they all have European channels. I can't see such a block having anything but a positive effect.
Just surprising that the very day I have this thought there is a story on Slashdot.
You are free to block any addresses you want. However, I must ask what makes you so important that people must use the mail service you dictate in order to contact you? I think that doing what you have done would cause more inconvenience to myself than anything else. If people couldnt get through to me, they wouldn't switch providers, they would just stop emailing my pompous ass. The point is to block the bad, while letting the good stuff through. False positives only cause problems for ME, nobody else.
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
But yes, I long since blocked access to most services for most of Asia, and large parts of Brazil and Mexico. Started with this very useful list of Chinese and Korean ip-blocks: http://www.okean.com/thegoods.html and grew from there (mostly to include Taiwan). (Note: I've found the list to be 99% accurate, but some small /24 or smaller blocks in Australia got included erroneously. Use with caution)
.. all of .il with an iptables script a mile long.
b ycountry/rirstats/ and with a little bash magic, I had a bunch of
.il ruined it for everyone else over there by hammering too much.
Got the info from http://www.completewhois.com/statistics/data/ips-
iptables -A INPUT -s x.x.x.x/x -j DROP
in one big script.
Why? I used to serve large files in an IRC channel with a fat EDU connection, but a handful of tools from
Exactly. We can't block China where I work (an ISP), because we have customers who are businesses, and there's a lot of economic activity between the US and China. We once had to make an exception for the SBL because someone was on a business trip to China and his only net access was via a spam-infested network that had gotten itself listed on Spamhaus.
I wouldn't consider blocking mail based on geography alone unless I could get input from everyone the policy would affect. You can do that as a home user, and you can do that as a business, but IMO it's not an option for an ISP.
Firewalls of any sort are a menace. They're not part of the open internet. Every port of every publicly routable IP should either be open, because it's providing a service accessible from the open internet, or closed, in which case it should respond appropriately when it gets packets there and not just drop them. I don't actively block them, but I try to avoid enabling any options on my services that would help firewalled users.
I am trolling
Sure, this approach isn't going to be practical in businesses that deal with large numbers of companies or agencies in China, but if you are just dealing with a handful of companies then you are fine. Plus, the chances are that even if your company is heavily involved with China, then it might not be for some of the other rowdy IP blocks on the Internet and could apply the blocks there instead. Or just concentrate on the large blocks of IPs assigned to home users; with the prevalance of BotNets at the moment, that's where the vast majority of the hostile traffic seems to be coming from anyway.
UNIX? They're not even circumcised! Savages!
At my company we block email based on country blacklists for countries that we don't do business with. It certainly cuts down on spam ... and has no false positives. If employees need to send/receive email from these countries for personal correspondence they can do it from home. It seems like a relatively no-brainer, not unlike having a receptionist screen calls or visitors.
If our firewall could easily block IP addresses, I'd do that too.
As someone who has suffered a tidal wave of spam and some other hack attempts the problem isn't particuarly with the average Chinese internaut but with US citizens hiding behind lax Chinese ISPs.
Chinanet Henan Province and Chinatelecom are notorious homes to US based spammers. I've written a brief paper on the subject here
http://www.abcseo.com/papers/referrer-spam.htm
Ok I've moved a bit off the topic of hacking attemps - but hacking/spamming are two sides of the same coin. Personally I've refrained from banning the whole of China when the problem seems to be some rogue individuals and ISPs.
When I changed some setting to apache to let people from our company access the web via our proxy, I made an error and I also opened the proxy to the outside.
The next days everything was slow and the log showed that I had a lot of request from outside ip address to other outside ip address. The majority of those address came from China.
I change the setting in apache but I still had request by the hundred. I finally called my ISP and we have blocked a lot of range from China and right after the traffic went to normal.
I have talk with my boss and have decided that it was not worth the trouble to enable those ip ranges since we are not doing business with China.
I agree, it's wrong.
Well, it is wrong because they haven't notified their customers and given them a choice about leaving or staying. It isn't a hard sell ('our servers will be more secure, you'll lose China and Korean readers - but if you want a specific IP we can assist you') but customers deserve to know the state of play.
In fact, I think this should go as far as sending a daily email of blocked spam emails (from and subject lines only, of course).
This is just an example, but the idea goes for other kinds of sites too...
The point of refusing access from certain IP addresses is not to deny service to any particular individual (or nationality, in case of entire countries being affected), but to protect against likely abuse and encourage individuals to use some other IP address. As long as your boycott is aimed at their network infrastructure (for aiding abuse) rather than at the country itself (for political reasons), individual users routing their traffic via other networks is not a problem; it's what you want them to do. The idea is that the secondary network will sort out the abuse (by making sure they know who their customers are, or by other means). If they fail to do so, they will be blacklisted too.
Therefore I see no point in specifically blacklisting any single country, if not for political reasons. Entire countries are blacklisted because they conveniently map to large portions of IP address space. Some Chinese universities probably received their IP blocks before the commercial operators did, and may therefore have addresses in completely separate ranges. If the universities are a bit better at managing their networks, and the bulk of the abuse therefore comes from the commercial blocks, there is no reason both should be listed merely for being assigned to the same country.
Likewise, a single address block may contain several operators in different countries, causing them all to be blacklisted simply because telling them apart takes too much time. It's all about network abuse history, not about nationality. And, I wouldn't have to rely on everyone else blocking a single abused network either, unless they all were to forward that abuse to me.
I have however considered blocking mail servers indiscriminately "bouncing" virus messages having our domain forged onto them, when they have received those messages from IP addresses (often Chinese ones) already included in public blacklists. They could avoid such action on my part by simply using said blacklists themselves, but exactly how they solve their problem is up to them. If they simply avoid "notifying" innocent people every time they receive junk mail or other abuse, I will not bother them.
Then you need to tell the suits the magical word.
Redundancy. To two different ISPs.
If they don't like the cost for it, ask them what the cost is to be without internet access for 2 days.
There are two types of people in the world: Those who crave closure
Yeah, the "ultimate democracy." Where despotic regimes harbor cyber miscreants who piss off the inhabitants of "civilized" countries, who block those despotic regimes, therefore denying the innocent inhabitants of those regimes the ability to communicate unfettered with the rest of the free world.
"Hey, there seem to be all these hackers in China. Let's block the entire nation of China from the rest of the Internet. That will really help the Chinese Internet censorship situation."
But I guess your own convenience is more important that giving those people a conduit to freedom.
As somebody else pointed out, an individual has every right to block or receive whatever traffic they wish. But if you're a network administrator at an ISP or government who thinks he's doing some good by closing off these segments of the Internet, you're nothing but low life scum who cares more about his temporary comfort that other people's lives.
We were a small company that sold sex toys. Kiddies from eastern europe and southeast asia LOVED to test credit cards against our store.
This was when we were first getting up and running with minimal staff. One day we looked and saw "JESUS CHRIST! Someone Just bought $678 worth of fake cock! Yeah!"
We then realized these folks were just testing to see if the credit card numbers they stole were still active, and cancelled the order.
I wrote all sorts of checking routines and so on to make it harder to submit that kind of shit, but in the end it was just easier to not even let placecs like Hungary and Pakistan in, becuase really, it was more trouble to week out the fakes than the odd valid order a year from those areas is worth.
s'wut i sed.
I worked for an ISP for about 5 years... started doing tech support and moved up and on to the NOC and web design. While in the NOC were were fighting spam for our users pretty much non-stop with various black lists / filters. My job was basically to come in each day and clean out the garbage disposal as it were.
Until the glorious day we segragated our mail users. We set up a new beta mail server and split our users into two groups. Those needing international mail, and those not needing it. Over the course of 3 months, we informed users of the change and provided an easy opt-in one-click process to make sure they could send/recieve international mail.
After that grace period, we simply shut off international mail on our main server by blocking any IP space outside the US.
The load on our mail servers (4 dual CPU machines) went from averaging around 50% down to 5% and stayed there.
In our polling of our own customers, we found that 90% or more of them never had any intention or desire to send/recieve international mail. Our spam load went from several thousand spam messages a minute to less than a thousand per day.
The people that needed international mail were put on the new server and left open to all mail.
For the next few months, the staff at our office didn't have to buy lunch or snacks because that corny AOL commercial actually happened. We had customers in all the time taking us out to lunch and dropping off brownies, cupcakes, etc... our satifaction rate was never higher and I would venture to guess that we would not have been that loved had we sent everyone $50 cash.
Why isn't this a more popular choice? Is there really that much of a NEED in the general internet population for international mail? There wasn't at our company.
I think we could make international mail a feature add-on much like web hosts make CGI, PHP, or mySQL a feature add-on. Sure, to me those are just staples, but not everyone needs all that.
Sure, there's still in-country spam sources... but NOTHING like what comes from outside.
[ http://www.dvigroup.net/self ]
japan used to be bad. they got widely blocked and eventually realized there was a problem -- so they largely cleaned up. mainly due to the efforts of gaijin network operators living there who managed to convince japanese operators that they needed to get their shit together.
china, korea, etc. are totally rogue. they become more widely blocked each day. both china and korea are hellbent on becoming LANs. which they will be until they realize there's a problem and start dealing with all their criminal operators.
Alrighty, then, troll feeding time!
230 years ago, this nation I live in was under a (different) "despotic regime" - some people decided to take some action, and it changed. The assistances they received happened after they started, not because they whined.
As an individual internet user, I have not ever blocked an email from a political dissident due to its political content. As a website author, I have not blocked anyone from viewing my site.
As a businessman, I respect and obey the laws governing my use of advertising online, by email (I fully comply with CAN-SPAM) and other means as applicable.
The above said, anyone who cannot see fit to play by the same rules can go figure out a different game *elsewhere*, instead of trying to play some bait (political freedom of speech) and switch (illegal spam serving) game.
There is no "divine right" nor requirement to maintain a web presence, to maintain completely open networks, to provide a podium upon which some poor abused oppressed individual can spout their issues to everyone else, no matter how "justified" they might be.... This whole intarweb thing borders so closely to being completely fictional it isn't funny - please *do* seek to force your beliefs concerning how things *should* be onto the current way things are - only time will tell how successful you were.
Please *don't* consider the over-worked net administrators as enemies: The real enemies are those spam servers who bury any legitimate content coming out of dissenting China more effectively than any locally-applied blocks ever could.
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
I recently travelled to China to fix our remote office's computer systems.
The systems there were bogged down with spyware and viruses alike. Most of them contained backdoors/trojan horses.
The majority of computer terminals I saw in china were unpatched windows machines, usually running the wpa_kill patch to prevent activation. Even if they did update all of these systems, the activation counter would reactivate, knocking out their computers. They have no inclination to pay for Windows, so they just use the computers until they stop working, and reinstall.
These users don't have a clue on how to spam or hack or unleash viruses... their computers are merely zombies.
Go after the zombie masters
and .nz?
Hey, what did we NZers do to you?
You don't happen to be Australian, do you? ;)
Real men don't write sigs