Slashdot Mirror


Blocking a Nation's IP Space

SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?

76 of 404 comments

  1. My ban list is extensive but I'm a home user only. by garcia · · Score: 4, Insightful

    What is your opinion of this and what do you propose to help correct this?

    Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.

    Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?

    I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

    I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people. Don't like it? Oh well, I'm unconcerned. This particular Ask Slashdot might be pertaining to something else but the blurb wasn't really clear.

    If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.

    After moving off of Comcast for residential DSL through a respectable provider I find that I don't have worms constantly hitting my machine. I don't have as many attack attempts and I certainly am not blocking quite as much spam. I long for the day when I don't have to add another .0/24 to the firewall list.

  2. Officially insane. by Dibblah · · Score: 5, Insightful

    They're a web hosting provider. And they're blocking entire netblocks from viewing *their customer's* content.

    1. Re:Officially insane. by hattig · · Score: 2, Interesting

      I agree, it's wrong.

      Well, it is wrong because they haven't notified their customers and given them a choice about leaving or staying. It isn't a hard sell ('our servers will be more secure, you'll lose China and Korean readers - but if you want a specific IP we can assist you') but customers deserve to know the state of play.

      In fact, I think this should go as far as sending a daily email of blocked spam emails (from and subject lines only, of course).

  3. What big company.... by millahtime · · Score: 5, Insightful

    What big company is going to block China? That's where most of their workers are. Can't cut your communications lines to them.

    1. Re:What big company.... by Zocalo · · Score: 2, Interesting
      Plenty of big companies, even those with most of their workers outsourced to China, could do this quite easily if they were so inclined. The trick would be to whitelist the IP addresses that they actually need to do business out of the tens of millions of IP addresses assigned to China, and then block the rest. If you wanted to be really slick, then you could even route traffic from the questionable IP blocks through a dedicated firewall to avoid bogging down the rest of your traffic with a huge list of firewall rulesets.

      Sure, this approach isn't going to be practical in businesses that deal with large numbers of companies or agencies in China, but if you are just dealing with a handful of companies then you are fine. Plus, the chances are that even if your company is heavily involved with China, then it might not be for some of the other rowdy IP blocks on the Internet and could apply the blocks there instead. Or just concentrate on the large blocks of IPs assigned to home users; with the prevalence of BotNets at the moment, that's where the vast majority of the hostile traffic seems to be coming from anyway.

      --
      UNIX? They're not even circumcised! Savages!
  4. I agree. by Fishead · · Score: 2, Funny

    Chinee Ip Space should TOTALLY be blocked. Those Chinee, they are always up to no good.

    Who are the Chinee anyhow?

  5. Looking for open proxies by SCHecklerX · · Score: 2, Interesting

    Maybe to get around the great firewall of china. Also, the company I work for is global. We have offices in china connected via IPSec. Not smart of us to block china telecom addresses...

  6. No. No. No. by Puls4r · · Score: 4, Insightful

    Simply blocking the IP doesn't fix the problem, and is on the same level as them blocking search engines and censoring US web sites. Bot engines etc etc, if you stop it one place it will simply spring up in another. Filtering ala google PRIOR to it hitting the consumer is the real key. That and corporate involvement - when it really begins to cost them money we'll see an improvement.

  7. Ya... by mr_tommy · · Score: 5, Insightful

    Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations access to western sites because of rogue elements in their borders?

    This seems a rather murky route to go down, that ultimately, will be in no one's best interests.

    1. Re:Ya... by RealAlaskan · · Score: 4, Insightful
      Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations access to western sites because of rogue elements in their borders?

      Nope. Nothing strange about that.

      For you or me to choose not to get email from Chinese addresses, or not to acknowledge packets from Chinese addresses, is to exercise our liberty. We have the right (among others) to ``freedom of association''. That means that we can choose who we associate with ... and who we don't.

      This is radically different than a government trying to tell us that we cannot access certain websites (as the Chinese government has been doing with help from Cisco, MS and Google).

      Let me try to re-phrase all that in simple terms: If we don't want to play with somebody, that's OK. If the bullies try to stop us from playing with someone, that's not OK.

      OK?

  8. I don't want to miss out on any opportunities! by yorgasor · · Score: 4, Funny

    I've got a friend that blocks email from Nigeria, but I'd never do that. You never know when someone really does need help moving millions of dollars out of the country and will gladly give me a cut of the proceeds. For that reason alone I'd never block them.

    --
    Looking for a computer support specialist for your small business? Check out
  9. I am chinese by lappy512 · · Score: 5, Interesting

    As a Chinese American, I feel that these tensions between the USA and China are unnecessary, many things about China are sometimes overstated. For example, last summer I visited China, expecting to see many US sites blocked by the Great firewall, but instead do not see things like that. I did not encounter any websites that seemed to be blocked. Also, many Chinese can read English, so I also feel it's unfair to block Chinese users from some websites.

    1. Re:I am chinese by Ambush+Commander · · Score: 5, Informative

      As a Chinese American, I can say I was considerably annoyed when I found out my personal website was blocked by the firewall.

      As a Wikipedian, I can tell you that http://zh.wikipedia.org/ is a great case study of this censorship... it had a huge chilling effect on the project during that time. See http://en.wikipedia.org/wiki/Chinese_Wikipedia

      See also: http://en.wikipedia.org/wiki/Internet_censorship_in_mainland_China

    2. Re:I am chinese by fliplap · · Score: 5, Funny

      What's your IP?

  10. what would cut down spam by Anonymous Coward · · Score: 5, Insightful


    would be if China blocked inbound USA connections seeing as 80% of the world's spam originates from there, the numbers are no different for all the other scams either ie Phishing, Malware, Adware, Spyware etc etc

    hmmm perhaps the rest-of-the-world should just cut off USA it would probably stop 80% of internet related crime overnight

    1. Re:what would cut down spam by Kelson · · Score: 5, Insightful

      Actually, that's 80% of North America's and Europe's spam. It doesn't provide any stats on how much of China's spam originates in the US.

      It's also a list of the people creating the spam, not the location of the machines that are sending it.

      And note that North America includes the US, so a lot of that spam is by Americans, for Americans. Just relayed through China, Korea and Brazil.

    2. Re:what would cut down spam by DNS-and-BIND · · Score: 3, Informative
      The USA has compelling content online (if you speak English). China has very little information available in English, and can be blocked off with little loss. Unless your idea of compelling content is reading poorly-translated flash-enabled manufacturing company websites, or government-approved news sources.

      There are scores of young men who sit around in internet cafes all day and do nothing but scan for vulnerabilities in badly-coded applications, mostly message boards. I know, I've seen them. Yes, it is most unusual for a Chinese fellow in an internet cafe to not be playing Counterstrike, but I assure you it does indeed happen. You can turn on the scanner and let it run in the background while you play Counterstrike, don't forget.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  11. Re:My ban list is extensive but I'm a home user on by turbothumbz · · Score: 2, Insightful

    Some friends and I discussed this once. The original purpose of the internet was so that no one place could be brought down in case of attack. Hence if you block China's IP space that may prevent some minor inconveniences but they will still be able to bounce through other servers. The only way to block them out would be if everyone else blocked China.

  12. Re:My ban list is extensive but I'm a home user on by RM6f9 · · Score: 2, Interesting

    Cool! As an independent/home user myself, I can definitely empathize - another individual's rights to express themselves end at my eyes/ears - personally, I'm considering publishing a list of the IPs I block, and my reasons for doing so: as others weigh in (agreeing or dissenting), it could become the ultimate democracy...

    --
    Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
  13. Re:My ban list is extensive but I'm a home user on by nacturation · · Score: 5, Informative

    For email, you can use the countries.nerd.dk RBL. Just add the two-letter country code as a prefix. So if you wish to block China from sending email, the RBL server is cn.countries.nerd.dk.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
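
Added example, not part of the original thread: a sketch of how a mail server could consult the per-country zones nacturation describes. The reversed-octet query name and "any 127.0.0.0/8 answer means listed" follow the usual DNSBL convention; deferring on a temporary DNS failure, the function names and the constructed resolver data are assumptions made here.

```python
import ipaddress
import socket

ZONE = "countries.nerd.dk"  # zone named in the comment above


def query_name(ip, cc):
    """DNSBL query name: reversed IPv4 octets + country prefix + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch only handles IPv4 peers")
    if len(cc) != 2 or not cc.isalpha():
        raise ValueError("country code must be two letters")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{cc.lower()}.{ZONE}"


def check_peer(ip, country_codes, resolve=socket.gethostbyname):
    """Return ('reject', cc), ('accept', None) or ('defer', None)."""
    for cc in country_codes:
        try:
            answer = ipaddress.ip_address(resolve(query_name(ip, cc)))
        except socket.gaierror as exc:
            # Temporary resolver trouble: neither fail open nor fail closed
            # (assumption of this sketch: ask the sender to retry later).
            if exc.errno == getattr(socket, "EAI_AGAIN", object()):
                return ("defer", None)
            continue  # no such name: the peer is not listed under this country
        # Only loopback-range answers count; a resolver that rewrites
        # NXDOMAIN to a search page must not cause every peer to be rejected.
        if answer in ipaddress.ip_network("127.0.0.0/8"):
            return ("reject", cc.lower())
    return ("accept", None)


# Constructed stand-in for DNS so the example runs offline.
CONSTRUCTED_ZONE_DATA = {
    "5.113.0.203.cn.countries.nerd.dk": "127.0.0.2",   # listed
    "9.100.51.198.kr.countries.nerd.dk": "192.0.2.1",  # rewritten NXDOMAIN
}


def fake_resolve(name):
    if name.startswith("1.2.0.192."):
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    try:
        return CONSTRUCTED_ZONE_DATA[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "not found") from None


if __name__ == "__main__":
    for peer in ("203.0.113.5", "198.51.100.9", "192.0.2.1"):
        print(peer, check_peer(peer, ["kr", "cn"], fake_resolve))
```
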
  14. Re:My ban list is extensive but I'm a home user on by garcia · · Score: 2, Insightful

    Since we're generalizing here, you wouldn't by any chance be American, would you?

    It's fairly apparent where I'm from. I didn't feel the need to state it -- if you'd like more info my post history and personal URL are there.

    As far as America being full of hackers. This is true. They don't typically fuck with me from American IPs though. The main problems I see from America are morons running unpatched shit on residential connections.

    Anyone else from America that is tryin to exploit me is generally coming from a foreign IP (to try and mask their accountability). It's been going on like that for years. Get over yourself.

    Isolationism is alive and well in the homes of America as well as the White House!

    Off-topic, but, I wish we were practicing Isolationism in the White House. We wouldn't be fucking shit up in Iraq.

  15. Sure - I block 'em by ALecs · · Score: 3, Interesting

    I've got about 20 lines in my hosts.deny file - mostly /8 and /16 nets. This is on a server that hosts some services for showing off our products and it was seeing huge amounts of SSH dictionary attacks and web shell code, etc.

    Basically - if we know we want a prospect in China, Korea, etc. to use our site, we'll open something for them - otherwise they should just go the heck away.

    If enough people -j DROP China, etc., maybe something will get done about. (I know - wishful thinking).

  16. Baby with the bathwater? by Bananatree3 · · Score: 3, Insightful
    It would seem that blocking China's IP block might in some cases cause collateral damage when it comes to accessing certain sites. While it is true that blocking the entire China IP block would get rid of a LOT of spam that comes from Chinese bullet-proof ISPs, there is also a side effect. Ordinary people who try to connect to a network from inside China would also be blocked as well, and this causes a lot of collateral damage in terms of the average Chinese web browsing population.

    It would though depend on the size and usage of the network you would be blocking Chinese traffic from. If you're a small business with absolutely no connection to China whatsoever, you might be ok blocking the entire IP block to protect your network from spammers. But, even an average size network might have some sort of Chinese connection, either from the outside in or vice versa. Lots of companies and people inside China that try to access that network would be affected, not just the spammers.

    1. Re:Baby with the bathwater? by Kelson · · Score: 2, Interesting

      Exactly. We can't block China where I work (an ISP), because we have customers who are businesses, and there's a lot of economic activity between the US and China. We once had to make an exception for the SBL because someone was on a business trip to China and his only net access was via a spam-infested network that had gotten itself listed on Spamhaus.

      I wouldn't consider blocking mail based on geography alone unless I could get input from everyone the policy would affect. You can do that as a home user, and you can do that as a business, but IMO it's not an option for an ISP.

  17. What a coincidence by Anonymous Coward · · Score: 2, Interesting
    I was doing my weekly spam analysis report today, and after collecting just 3 months worth of data I started toying with the idea of blocking whole IP ranges. Sure, the spammers were using botnets and the trend reports brought to light some interesting points of intersection, but one thing stood out clear and plain. Blocking email coming from China would cut out over 60% of spam at the 1st firewall, before it even reached the mail filter.

    I work for a UK company who deals with multi-nationals, but they all have European channels. I can't see such a block having anything but a positive effect.

    Just surprising that the very day I have this thought there is a story on Slashdot.

  18. Re:My ban list is extensive but I'm a home user on by MetalliQaZ · · Score: 2, Interesting
    If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

    You are free to block any addresses you want. However, I must ask what makes you so important that people must use the mail service you dictate in order to contact you? I think that doing what you have done would cause more inconvenience to myself than anything else. If people couldn't get through to me, they wouldn't switch providers, they would just stop emailing my pompous ass. The point is to block the bad, while letting the good stuff through. False positives only cause problems for ME, nobody else.

    -d

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
  19. treat your network like a sewer by Indy1 · · Score: 2, Insightful

    and expect others to treat it like a sewer. Chinese (and other apnic networks) isps just don't give a damn how much abuse their users heap on the rest of the net. Between the spam, worms, and other crap they spew, they've gotten a hard earned spot in my firewall. Granted I am not a huge business or isp, but at the rate they're going, it won't be long before big isps and businesses DO firewall all of apnic as a pre-emptive measure.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  20. Do it if you can... by Vellmont · · Score: 2, Insightful


    "What is your opinion of this and what do you propose to help correct this?"

    If you can get away with blocking out large IP spaces of an entire country, do it. If you can't, don't. I don't receive any legitimate mail from Chinese IP addresses and never will. I don't block anything at the moment, but if it solved much of the scanning and spam I see I'd probably consider it. Unless you have a global market, why not do it if it solves more problems than it creates?

    I think when a US company starts targeting large ISPs in the US, or are an ISP yourself you're going to run into trouble though. I know an ISP that discards all mail coming from roadrunner addresses as spam. That's a terrible practice for the ISP's customers who aren't getting legitimate email.

    --
    AccountKiller
  21. Inappropriate & Heavy-Handed Response by aldheorte · · Score: 5, Insightful

    Even if *you* block a range of IP addresses, someone operating a computer on one of those IP addresses could still connect with your server simply by going through a proxy not blocking them, but which you have not also blocked. Given that blocking a national range of IP addresses provides no real security from a marginally determined and capable attacker and that it promotes a balkanization of the Internet, decreasing the network effect and therefore overall utility of the network by blocking many potentially legitimate connections, this seems like a very inappropriate and heavy-handed technical response to unwanted requests from a particular country. It also saves no bandwidth since the filtering happens at the receiving server after the packets have travelled through the network.

    From a political science and ideological perspective, industrialized and democratic companies benefit little from blocking the access of citizens of 'pariah' nations to non-classified information. Any opportunity to make available memes that offer alternatives to the totalitarian state line further create the opportunity for the expansion of democracy and free access and speech in those countries. Blocking national IP ranges in this manner would also decrease this opportunity.

    1. Re:Inappropriate & Heavy-Handed Response by aldheorte · · Score: 2

      I agree that you do benefit in the sense that you could cut out a fair amount of these simple attacks by blocking the IP range, but that does not seem to me to represent a good way to fix the underlying problem, which stems from, as you formulated it in the US context, the US machines basically not being protected. China does not hold a monopoly on attackers, either humans or viruses, conducting simple attacks. Therefore, who will you block next, and the next after that? The end game has you blocking the entire world and still with a continuing vulnerability to a virus-infected or human operated PC in your own country.

      Overall, I do not see a true gain in better security at far too high a price.

  22. Block nothing by papaia · · Score: 2, Insightful

    I have a corporate network to run, and we are only expanding in China. There is no realistic way to resolve any issues at the IP or DNS/domain level, as same ISPs providing services to spammers and crackers, are also hosts of my customers.

    Short answer? Clever design, application layer solutions (e.g. multi-level filters and signatures based protection for application traffic), which implies more resources, and some administrative headache to put up with, when things go wrong. Always need to keep the balance: if the costs of doing business (of which the human and technical solutions needed to avoid across-the-board denial are mandatorily included) become higher than the return/profit, we will rethink the options. Until then we are happy when others (preferably competitors of ours) apply the knee-jerk solution of blocking country-wide networks ;)

    --
    == With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
  23. Block the IP space of the USA first... by Mugros · · Score: 2, Informative

    ... according to http://www.trustedsource.org/ featured today in another ./ article the US is the biggest source of spam.
    This is a lot easier if you are outside the US.

    Greetings from a blue country.

  24. Firewalled people by m50d · · Score: 2, Interesting

    Firewalls of any sort are a menace. They're not part of the open internet. Every port of every publicly routable IP should either be open, because it's providing a service accessible from the open internet, or closed, in which case it should respond appropriately when it gets packets there and not just drop them. I don't actively block them, but I try to avoid enabling any options on my services that would help firewalled users.

    --
    I am trolling
  25. Blunt force trauma by groomed · · Score: 2, Insightful

    Blocking a /16 means blocking some ~65000 IP addresses. Blocking a /24 means blocking around 16 million IP addresses.

    Over the past 6 months I've identified and recorded all SSH dictionary attacks on my machine. I've recorded exactly 211 IP addresses so far.

    People who advocate blocking /16's and /24's should consider wrapping their CAT5 in tin foil.

    1. Re:Blunt force trauma by fm2503 · · Score: 2, Informative

      Slight error here - /24 = 256 hosts. Perhaps /8 was what was meant?

  26. Dynamic Block by Roger+W+Moore · · Score: 2, Insightful

    Reading the original article (always a bad move) it talked about blocking dodgy looking web requests which, I'm guessing, took up a significant fraction of the server's resources. In such a case I'd go ahead and block. You might lose some potential valid users but that is a lot less than losing everyone if your server clogs up.

    However I'd suggest a dynamic blocking as the best means to do i.e. a machine generated list. Have a server outside the firewall examine incoming requests and block IP ranges where significant numbers of dubious requests are coming from. If the number of dubious requests falls below a certain rate then the IP range is unblocked.

    This is a lot better than a permanent ban because you can't be accused of implementing a political agenda of your own and it rewards ISPs/Companies/Countries that eventually clean up their network space. Of course it does mean that you have to be able to define in terms a computer will understand what a "dodgy" request is.
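
Added example, not part of the original thread: one way to implement the machine-generated list described in the comment above. The /24 grouping, the 60-second window, the separate block and unblock thresholds (to stop a range flapping) and all names are assumptions of this sketch; deciding which requests are "dodgy" is left to the caller, as the comment notes, and the events are constructed.

```python
import ipaddress
from collections import defaultdict, deque


class DynamicRangeBlocker:
    """Block a range while its rate of dubious requests stays high."""

    def __init__(self, prefix=24, window=60.0, block_at=5, unblock_below=2):
        self.prefix = prefix                # group sources into /prefix ranges
        self.window = window                # seconds of history that count
        self.block_at = block_at            # hits in window that trigger a block
        self.unblock_below = unblock_below  # hits in window that end it
        self.hits = defaultdict(deque)      # range -> timestamps of dubious hits
        self.blocked = set()

    def network_of(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)

    def _expire(self, net, now):
        q = self.hits[net]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def is_blocked(self, ip):
        return self.network_of(ip) in self.blocked

    def record_dubious(self, ip, now):
        """Called by the observer outside the firewall, which still sees
        traffic from blocked ranges; that is what lets a range recover."""
        net = self.network_of(ip)
        self.hits[net].append(now)
        if self._expire(net, now) >= self.block_at:
            self.blocked.add(net)
        return net in self.blocked

    def sweep(self, now):
        """Unblock ranges whose rate has dropped; return the released ranges."""
        released = []
        for net in sorted(self.hits, key=str):
            count = self._expire(net, now)
            if net in self.blocked and count < self.unblock_below:
                self.blocked.discard(net)
                released.append(net)
            if count == 0:
                del self.hits[net]  # keep memory bounded
        return released


# Constructed events: (seconds, source IP, flagged dubious by the classifier?)
SAMPLE_EVENTS = [
    (0, "203.0.113.10", True), (5, "203.0.113.11", True),
    (10, "203.0.113.200", True), (12, "198.51.100.7", True),
    (15, "203.0.113.10", True), (20, "203.0.113.54", True),
    (50, "203.0.113.10", True), (70, "203.0.113.99", True),
    (100, "198.51.100.7", False), (140, "198.51.100.9", False),
]


def replay(events, blocker):
    """Feed events through the blocker and return the block/unblock actions."""
    actions = []
    for ts, ip, dubious in events:
        for net in blocker.sweep(ts):
            actions.append((ts, "unblock", str(net)))
        if dubious:
            already = blocker.is_blocked(ip)
            if blocker.record_dubious(ip, ts) and not already:
                actions.append((ts, "block", str(blocker.network_of(ip))))
    return actions


if __name__ == "__main__":
    for action in replay(SAMPLE_EVENTS, DynamicRangeBlocker()):
        print(action)
```
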

  27. Re:My ban list is extensive but I'm a home user on by slashdot.org · · Score: 4, Insightful

    This is all fine and dandy. Until _you_ end up being blocked from a whole bunch of stuff because of some asshole in the same IP space.

    Blocking based on IP range and or country is pure and simple discrimination. A lot of people don't seem to grasp why discrimination is bad until they end up on the receiving end...

    Having said that; if you want to block half the world, I believe that's your right. Just don't block it for me please, I'd like to make that decision myself.

  28. Hypocritics by marcantonio · · Score: 2, Insightful

    On slashdot we always make a big deal out of censorship particular to the Chinese government. Why then, would it be ok for us to do the same thing to its people. Many attacks do come from there, but that doesn't make it any less wrong.

    If you're going to do this at your company then don't whine about Chinese censorship any longer.

  29. For corporate email I don't see the issue by klubar · · Score: 2, Interesting

    At my company we block email based on country blacklists for countries that we don't do business with. It certainly cuts down on spam ... and has no false positives. If employees need to send/receive email from these countries for personal correspondence they can do it from home. It seems like a relatively no-brainer, not unlike having a receptionist screen calls or visitors.

    If our firewall could easily block IP addresses, I'd do that too.

  30. Not necessarily the average Chinese surfer by David+Off · · Score: 2, Interesting

    As someone who has suffered a tidal wave of spam and some other hack attempts the problem isn't particularly with the average Chinese internaut but with US citizens hiding behind lax Chinese ISPs.

    Chinanet Henan Province and Chinatelecom are notorious homes to US based spammers. I've written a brief paper on the subject here

    http://www.abcseo.com/papers/referrer-spam.htm

    Ok I've moved a bit off the topic of hacking attempts - but hacking/spamming are two sides of the same coin. Personally I've refrained from banning the whole of China when the problem seems to be some rogue individuals and ISPs.

  31. The easy way to do it... by TheLittleJetson · · Score: 5, Funny

    ...just put a bunch of stuff on your website advocating a free and democratic China. They'll block it for you.

  32. I have blocked China two years ago by mathd · · Score: 2, Interesting

    When I changed some setting to apache to let people from our company access the web via our proxy, I made an error and I also opened the proxy to the outside.

    The next days everything was slow and the log showed that I had a lot of requests from outside IP addresses to other outside IP addresses. The majority of those addresses came from China.

    I changed the setting in apache but I still had requests by the hundred. I finally called my ISP and we have blocked a lot of ranges from China and right after the traffic went to normal.

    I have talked with my boss and have decided that it was not worth the trouble to enable those IP ranges since we are not doing business with China.

  33. Re:My ban list is extensive but I'm a home user on by m50d · · Score: 2, Insightful
    Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.

    I'd suggest just keeping your services secure. Automated attacks are aimed at the lowest common denominator, even basic security steps will stop them. My smb server gets connect attempts at a rate of around 2 per second, and has done for the last six months or so. So far none have got in. I only take action if I'm getting hammered by a single IP, and then I'm more likely to complain to his ISP than block him.

    I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account

    As well they should. The internet should be a community, not controlled by big corporations like other media.

    and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

    Ooh, because an attacker is obviously so much less likely to use GMail than hotmail. After all, it's made by the holy Google who say "Do no evil", and everyone knows MS are always evil.

    I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people.

    If you want to be a part of the internet rather than a passive consumer of it, you should let everyone access what you're serving. Anything less is worse than nothing at all.

    If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.

    Why do you want to block entire countries? Assuming Brazilians are evil because one tried to hack you is pure prejudice and as bad as any other kind.

    --
    I am trolling
  34. Re:My ban list is extensive but I'm a home user on by Alex+P+Keaton+in+da · · Score: 2, Insightful

    The three people it might affect every year isn't a big deal. If anything, I did them, and everyone else, a favor.
    Dude, seriously, what are you doing on slashdot? Didn't you know that hot babes from all over the world are trying to email us all day every day?
    Honestly, for me, email is like the phone- the list of people that I want to have access to me isn't that long. Not because I am a hot commodity, but because I don't like being disturbed.
    It is your computer- you can restrict access however you want. If you only want to accept email from people over 6 feet tall and white, it is up to you. It is your computer! What a concept!
    Anyhow- good luck with the wedding. (Or as my mom told me, "you aren't planning for a wedding, you are planning for a marriage..." Big difference...)

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
  35. Re:some ideas for networking by MightyMartian · · Score: 5, Insightful

    Can you point to a time when the net was safe for families and businesses. When it was still reasonably safe, I don't recall very many businesses and damn few families even being on it, and it's the sheer stupidity of families and businesses that has been part of the problem with net security.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  36. Re:What is my opinion?! by taustin · · Score: 2, Insightful

    So you read every single spam? From beginning to end? If you don't, you are censoring those spammers! You, personally, are grinding those hard-working, ethikul bidnezmen under the bootheels of oppression!

    Censorship is wrong. Blocking spam isn't censorship. That's your error.

  37. Re:My ban list is extensive but I'm a home user on by Rooktoven · · Score: 4, Informative

    Actually, there are a few pages that will help you find blocks from rogue countries. But first on to the ethical questions--

    I'm the admin for a company with around 70 employees, we maintain our own website, and mail systems. We had been getting pounded with spam and a lot of ssh attempts.

    Before taking any action, we found that China (predominately) and Korea were the source of most of our break-in attempts and spam sources. Given that we do _some_ international business, but not there, that was an easy call. Other countries soon followed. Our criteria has been that if there is any chance that someone will travel to a particular country or if the country has useful information to be had via someone with email, we don't block. I know it sounds judgmental, but it has cut our spam/scams down by about 75%. I would prefer to block all cable access to mail, but that would potentially hurt our road warriors with SMTP-AUTH. The slippery slope comes in when you say "Screw anyone on Wannadoo or BTI or Time Warner, etc. running a mail server." I know I quit running a mail server at home just because my stuff was blocked. Our compromise is that spam sources are individually blocked (rather than by range) in places where we travel or may do business.

    Further if you have a good firewall scheme you don't have to block web access. You can block the ports that give you trouble and still allow http access if you need the Chinese consumer market to see your site. I have found that an invaluable tool to use in conjunction with iptables is IPSet.
    It allows for very quick processing of ranges or hashes of individual addresses.

    If you want info on blocking countries (sorry if I offend anyone) look here:

    http://okean.com/asianspamblocks.html

    and http://blackholes.us/ (when it's up...)

    Personally, I find blocking unwanted guests akin to allowing only people on your chat list to talk to you...

    --

    Acquiescence leads to obliteration
  38. Re:My ban list is extensive but I'm a home user on by Ucklak · · Score: 5, Informative

    That only works with BGP. Once you hunker down to the local level, taking out a single router can wipe out a lot of customers.

    Many a discussion has been had when your business-class internet goes out, all the suits quote the same "I thought the internet meant that it doesn't go out".
    Sorry, if your firewall goes out, your office is out.
    If your ISP's router feeding your office is out, you're out.
    If your ISP's feed has a bad router, they're out and guess what, you're out too.

    --
    if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
  39. Hypocritical? by Rie+Beam · · Score: 2, Insightful

    So wait a minute - weren't we just getting all up-in-arms over the Chinese blocking their people from viewing unsolicited western sites? And now we should go ahead and block the entire country because of the rogue elements? I agree Chinese cr/hackers (take your pick) are a problem, but at the same time, so are any other skilled cr/hackers - just because this one has malicious intent doesn't mean we're doing any good by blocking such a large audience simply because of the possibility. Cracking will still occur, as with worms and trojans. Those who really want to will find alternate means of access (perhaps through countries a bit more generous than the United States). What is there to gain by this?

  40. What's so insane about it? by drgonzo59 · · Score: 3, Interesting
    What is so insane about it? It all depends on your target customer/audience base. If I sell scented candles and ship only to US, why would I want Chinese and Russians looking through my catalog. There is no way they can buy it but there is a high chance that they might hack my web site.

    This is just an example, but the idea goes for other kinds of sites too...

    1. Re:What's so insane about it? by Eunuchswear · · Score: 4, Interesting

      If your website is hackable from China or Russia it's hackable from the US.

      If your website is not hackable from the US it's not hackable from China or Russia.

      So, why are you blocking China and Russia but not the US?

      --
      Watch this Heartland Institute video
    2. Re:What's so insane about it? by Anonymous Coward · · Score: 2, Interesting

      all but one terrorist attack against americans in the last 20 years has been done by young arabic men.

      Just one?

      I can think of a few more than that just off the top of my head:

      Oklahoma City (Timothy McVeigh - white male)
      Atlanta Olympics (Eric Rudolph - white male)
      The anthrax-postal scare (still unsolved, but evidence points to the anthrax source being a U.S. military lab).
      Various murders committed by the Unabomber would probably be classified as terrorism (Ted Kaczynski - white male)

      And that's not even going back a full 20 years. I think, at least for attacks on U.S. soil, the late 20s to early 30s white male disgruntled former soldier fits the profile of a terrorist much more closely than any Arab.

  41. My Little Part. . . by MikeDawg · · Score: 4, Informative

    I like to think that I'm doing my little part by blocking all incoming connections from China, Taiwan, and some of Japan. I throw a big ass list of IPs to block into iptables (and give it time to parse all the IPs and such), and call it good. There are some good lists to block some of those Asian countries that do a reasonably good job: Some IP addresses.

    But in all seriousness, the reason I do this, is because of the numerous attempts to brute force sshd, or to send email via my SMTP server, the vast majority of IP addresses come from China, Hong Kong, Taiwan, and Japan.

    --

    YOU'RE WINNER !
    Another lame blog

    1. Re:My Little Part. . . by bani · · Score: 2, Interesting

      japan used to be bad. they got widely blocked and eventually realized there was a problem -- so they largely cleaned up. mainly due to the efforts of gaijin network operators living there who managed to convince japanese operators that they needed to get their shit together.

      china, korea, etc. are totally rogue. they become more widely blocked each day. both china and korea are hellbent on becoming LANs. which they will be until they realize there's a problem and start dealing with all their criminal operators.

  42. Not at all by Mustang+Matt · · Score: 4, Insightful

    We want to censor ourselves, we don't want a government to censor us. If an individual or company decides to block traffic from a country more power to them. It's a choice they have the right to make. If the government wants to do it then that sucks because the people have lost that choice.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  43. Purpose of blocking by Anders+Andersson · · Score: 5, Interesting

    The point of refusing access from certain IP addresses is not to deny service to any particular individual (or nationality, in case of entire countries being affected), but to protect against likely abuse and encourage individuals to use some other IP address. As long as your boycott is aimed at their network infrastructure (for aiding abuse) rather than at the country itself (for political reasons), individual users routing their traffic via other networks is not a problem; it's what you want them to do. The idea is that the secondary network will sort out the abuse (by making sure they know who their customers are, or by other means). If they fail to do so, they will be blacklisted too.

    Therefore I see no point in specifically blacklisting any single country, if not for political reasons. Entire countries are blacklisted because they conveniently map to large portions of IP address space. Some Chinese universities probably received their IP blocks before the commercial operators did, and may therefore have addresses in completely separate ranges. If the universities are a bit better at managing their networks, and the bulk of the abuse therefore comes from the commercial blocks, there is no reason both should be listed merely for being assigned to the same country.

    Likewise, a single address block may contain several operators in different countries, causing them all to be blacklisted simply because telling them apart takes too much time. It's all about network abuse history, not about nationality. And, I wouldn't have to rely on everyone else blocking a single abused network either, unless they all were to forward that abuse to me.

    I have however considered blocking mail servers indiscriminately "bouncing" virus messages having our domain forged onto them, when they have received those messages from IP addresses (often Chinese ones) already included in public blacklists. They could avoid such action on my part by simply using said blacklists themselves, but exactly how they solve their problem is up to them. If they simply avoid "notifying" innocent people every time they receive junk mail or other abuse, I will not bother them.

  44. Re:My ban list is extensive but I'm a home user on by NatasRevol · · Score: 3, Interesting

    Then you need to tell the suits the magical word.

    Redundancy. To two different ISPs.

    If they don't like the cost for it, ask them what the cost is to be without internet access for 2 days.

    --
    There are two types of people in the world: Those who crave closure
  45. much simpler solution to blocking chinese IP by timerider · · Score: 4, Insightful

    would be:

    1. put some text about freedom of speech and/or human rights in china on your webserver
    2. make sure google finds you

    then the chinese government itself would see that chinese IP traffic can't reach you.

  46. Re:My ban list is extensive but I'm a home user on by pclminion · · Score: 3, Interesting
    I'm considering publishing a list of the IPs I block, and my reasons for doing so: as others weigh in (agreeing or dissenting), it could become the ultimate democracy...

    Yeah, the "ultimate democracy." Where despotic regimes harbor cyber miscreants who piss off the inhabitants of "civilized" countries, who block those despotic regimes, therefore denying the innocent inhabitants of those regimes the ability to communicate unfettered with the rest of the free world.

    "Hey, there seem to be all these hackers in China. Let's block the entire nation of China from the rest of the Internet. That will really help the Chinese Internet censorship situation."

    But I guess your own convenience is more important than giving those people a conduit to freedom.

    As somebody else pointed out, an individual has every right to block or receive whatever traffic they wish. But if you're a network administrator at an ISP or government who thinks he's doing some good by closing off these segments of the Internet, you're nothing but low life scum who cares more about his temporary comfort than other people's lives.

  47. We did this with our online store by slappyjack · · Score: 2, Interesting

    We were a small company that sold sex toys. Kiddies from eastern europe and southeast asia LOVED to test credit cards against our store.

    This was when we were first getting up and running with minimal staff. One day we looked and saw "JESUS CHRIST! Someone Just bought $678 worth of fake cock! Yeah!"

    We then realized these folks were just testing to see if the credit card numbers they stole were still active, and cancelled the order.

    I wrote all sorts of checking routines and so on to make it harder to submit that kind of shit, but in the end it was just easier to not even let places like Hungary and Pakistan in, because really, it was more trouble to weed out the fakes than the odd valid order a year from those areas is worth.

    1. Re:We did this with our online store by base3 · · Score: 2, Funny
      One day we looked and saw "JESUS CHRIST! Someone Just bought $678 worth of fake cock! Yeah!"

      <snip> You have been .sigged.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  48. I wish... by archaic0 · · Score: 5, Interesting

    I worked for an ISP for about 5 years... started doing tech support and moved up and on to the NOC and web design. While in the NOC we were fighting spam for our users pretty much non-stop with various black lists / filters. My job was basically to come in each day and clean out the garbage disposal as it were.

    Until the glorious day we segregated our mail users. We set up a new beta mail server and split our users into two groups. Those needing international mail, and those not needing it. Over the course of 3 months, we informed users of the change and provided an easy opt-in one-click process to make sure they could send/receive international mail.

    After that grace period, we simply shut off international mail on our main server by blocking any IP space outside the US.

    The load on our mail servers (4 dual CPU machines) went from averaging around 50% down to 5% and stayed there.

    In our polling of our own customers, we found that 90% or more of them never had any intention or desire to send/receive international mail. Our spam load went from several thousand spam messages a minute to less than a thousand per day.

    The people that needed international mail were put on the new server and left open to all mail.

    For the next few months, the staff at our office didn't have to buy lunch or snacks because that corny AOL commercial actually happened. We had customers in all the time taking us out to lunch and dropping off brownies, cupcakes, etc... our satisfaction rate was never higher and I would venture to guess that we would not have been that loved had we sent everyone $50 cash.

    Why isn't this a more popular choice? Is there really that much of a NEED in the general internet population for international mail? There wasn't at our company.

    I think we could make international mail a feature add-on much like web hosts make CGI, PHP, or mySQL a feature add-on. Sure, to me those are just staples, but not everyone needs all that.

    Sure, there's still in-country spam sources... but NOTHING like what comes from outside.

    --
    [ http://www.dvigroup.net/self ] ...where I keep my pennies and nickels...
    1. Re:I wish... by patio11 · · Score: 4, Insightful
      How much do you trust your customers to adequately describe what their needs are? And how much do you trust that description to not change for the duration they are your customers?

      Let me tell you my experience sending email from Japan:

      1) I have been the silent party of a conference call between a professor at a major American university and the tech he was "#$%#&$ing out because said professor did not get the five-figure speaking fee we wanted to pay him because our repeated attempts to contact him went unanswered (the techs, to save themselves a little hassle, had blacklisted *.jp)

      2) I have been asked "Why don't you ever write?" by a favorite auntie, who is exactly the lady that those tech support humor web sites make fun of. I do write, once a week like clockwork. Her ISP decided on her behalf that it needed to be /dev/null'ed.

      3) I have a 99 year old great grandmother who, bless her heart, has started to use the computer. She is doing exceptionally well for 99, but if you ask her four days out of five she'll tell you "No, of course not, don't know anybody living abroad. I haven't been back to Ireland since I came over in 1916 and all my family there is dead". Then if you go on to prod her about her great grandsons she'll take your ears off bragging about those fine young men who went off and got educated and are now living in Korea or China or somesuch place where the folks are very friendly and they drink excellent tea although of course not the sort that they made in County Cork.

      4) I get a copy of my local newspaper (for the neighborhood I grew up in) delivered to me once a month by my mother. A favorite teacher of mine from grade school just retired. One Google search later I had his school's office email address and sent them a letter of congratulation to forward on to him. I've gotten no response -- it probably got eaten. Asked yesterday whether he needed to speak to anyone abroad or not, this veteran of the Chicago Public Schools would have said "Nope, can't say that I do".

      5) Three companies have lost my business because they can't handle having a customer abroad (seeming inability to handle emails played a part in all three cancellations, not entirely sure it was the only issue though). One (my bank) has gained it for life because they went the extra mile, including having a $10 an hour telephone operator having a three-day long spat with their IT department before I could get whitelisted. (Oddly, the IT department had clearly spent a lot of development resources on making their web forms, etc international-aware... and then /dev/null'ed all email from the customers using the special forms)

    2. Re:I wish... by realkiwi · · Score: 2, Interesting

      What a load of isolationist crap.

      I am in France and 99% of spam I get is from the USA, for US products.

      The actual machines being used to transmit ARE NOT in the USA. The problem is at the source - i.e. the companies who are doing the spamming. The secondary problem is that people in China don't know how to secure their machines...

      --
      realkiwi
  49. Don't cut China off from our culture and values by Geof · · Score: 3, Insightful

    I have been to China, my wife is Chinese, and the region where I live (Vancouver) is about 25% ethnic Chinese. China is an important country, and its power is growing - look at recent purchases (and attempts) of major Canadian and American companies. China, its culture, and its policies will increasingly impact our lives. We will be exposed to their culture and values. We can't afford to be silent about ours.

  50. Easy ban lists by tyler_larson · · Score: 4, Informative
    Want to know all the subnets a given country (in APNIC) uses? How about 3 lines of perl:

    $ctry = shift || 'cn';
    $_ = `GET http://www.apnic.net/apnic-bin/ipv4-by-country.pl?country=$ctry`;
    print join "\n", /([0-9\.]+\/[0-9]+)/g;

    My philosophy is that you should get to decide who you want to talk to. If you don't want to talk to anyone in China (or Australia, or whatever), then no one says you have to.

    --
    "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
    RFC 1925
    1. Re:Easy ban lists by kjs3 · · Score: 2, Informative
      Nifty!

      On my Debian box, I had to change it to the following (undoubtedly because I don't know perl).

      #!/usr/bin/perl

      use LWP::Simple;

      $ctry = shift || 'cn';
      $_ = get("http://www.apnic.net/apnic-bin/ipv4-by-country.pl?country=$ctry");
      print join "\n", /([0-9]+\.[0-9\.]+\/[0-9]+)/g;

      Make sure you get rid of any spaces in the URL.
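Added example, not code from any poster in this thread: it ties together the per-country subnet list from the comment above and the ipset approach from the earlier comment that blocks only troublesome ports while leaving HTTP open. It assumes the input is in the pipe-separated RIR delegation-statistics layout rather than the CGI page the Perl scripts query; the sample lines, the country codes `XX`/`YY` and the set name `geo_xx` are constructed.

```python
import ipaddress
import re

# Constructed sample in the RIR delegation-statistics layout:
# registry|cc|type|start|value|date|status  (for ipv4, value = address count)
SAMPLE_STATS = """\
# constructed sample, placeholder country codes XX and YY
2|apnic|20240101|5|19830613|20240101|+1000
apnic|*|ipv4|*|4|summary
apnic|XX|ipv4|192.0.2.0|256|20100101|allocated
apnic|XX|ipv4|198.51.100.0|768|20100101|allocated
apnic|YY|ipv4|203.0.113.0|128|20100101|assigned
apnic|XX|ipv6|2001:db8::|32|20100101|allocated
apnic|XX|ipv4|192.0.3.0|256|20100101|allocated
"""


def country_cidrs(stats_text, country):
    """Return the collapsed IPv4 networks delegated to `country`."""
    nets = []
    for line in stats_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        # The version header and the summary lines fail these checks.
        if len(f) < 7 or f[2] != "ipv4" or f[1].upper() != country.upper():
            continue
        if f[6] not in ("allocated", "assigned"):
            continue
        first = ipaddress.IPv4Address(f[3])
        last = first + (int(f[4]) - 1)
        # A count such as 768 is not a power of two, so one record can
        # expand to several CIDR blocks.
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent blocks so the set stays as small as possible.
    return list(ipaddress.collapse_addresses(nets))


def _check_set_name(set_name):
    # These strings end up on a root command line, so reject anything odd.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,31}", set_name):
        raise ValueError("bad ipset name: %r" % set_name)


def ipset_restore(set_name, nets):
    """Text to feed to `ipset -exist restore` (one command per line)."""
    _check_set_name(set_name)
    lines = ["create %s hash:net family inet" % set_name]
    lines += ["add %s %s" % (set_name, n) for n in nets]
    return "\n".join(lines) + "\n"


def iptables_rule(set_name, tcp_ports):
    """Drop only the listed TCP ports for sources in the set; other ports
    (HTTP, for instance) are left to the rest of the ruleset."""
    _check_set_name(set_name)
    ports = sorted(set(tcp_ports))
    if not ports or len(ports) > 15 or not all(
            isinstance(p, int) and 1 <= p <= 65535 for p in ports):
        raise ValueError("need 1-15 valid TCP ports")
    return ("iptables -I INPUT -p tcp -m multiport --dports %s "
            "-m set --match-set %s src -j DROP"
            % (",".join(map(str, ports)), set_name))


if __name__ == "__main__":
    blocks = country_cidrs(SAMPLE_STATS, "XX")
    print(ipset_restore("geo_xx", blocks), end="")
    print(iptables_rule("geo_xx", [22, 25]))  # ssh and smtp only
```

Because the kernel matches the whole set with one rule, the list can grow to thousands of networks without adding a rule per network.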

  51. Re:My ban list is extensive but I'm a home user on by RM6f9 · · Score: 5, Interesting

    Alrighty, then, troll feeding time!

    230 years ago, this nation I live in was under a (different) "despotic regime" - some people decided to take some action, and it changed. The assistances they received happened after they started, not because they whined.

    As an individual internet user, I have not ever blocked an email from a political dissident due to its political content. As a website author, I have not blocked anyone from viewing my site.

    As a businessman, I respect and obey the laws governing my use of advertising online, by email (I fully comply with CAN-SPAM) and other means as applicable.

    The above said, anyone who cannot see fit to play by the same rules can go figure out a different game *elsewhere*, instead of trying to play some bait (political freedom of speech) and switch (illegal spam serving) game.

    There is no "divine right" nor requirement to maintain a web presence, to maintain completely open networks, to provide a podium upon which some poor abused oppressed individual can spout their issues to everyone else, no matter how "justified" they might be.... This whole intarweb thing borders so closely to being completely fictional it isn't funny - please *do* seek to force your beliefs concerning how things *should* be onto the current way things are - only time will tell how successful you were.

    Please *don't* consider the over-worked net administrators as enemies: The real enemies are those spam servers who bury any legitimate content coming out of dissenting China more effectively than any locally-applied blocks ever could.

    --
    Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
  52. I blocked all of Asia... by Evro · · Score: 2, Informative

    When I setup a mail server for one of my previous employers I ended up blocking China, India, Israel and most of the rest of Asia/Middle East IP space. The company didn't ship internationally and the likelihood of receiving a legitimate email was so low that it wasn't worth the hundreds of spam messages we'd been receiving. By blocking Asia we eliminated 90% of incoming spam. Spam Assassin and a couple RBLs got rid of most of the rest.

    --
    rooooar
  53. Re:What is my opinion?! by Stonehand · · Score: 2, Insightful

    Freedom of speech does not imply the right to force anybody else to listen.

    You're free to spew whatever packets you like. I'm free to discard them for whatever reason I choose.

    --
    Only the dead have seen the end of war.
  54. Re:My ban list is extensive but I'm a home user on by kula.shinoda · · Score: 2, Interesting

    and .nz?

    Hey, what did we NZers do to you?

    You don't happen to be Australian, do you? ;)

    --
    Real men don't write sigs
  55. Re:My ban list is extensive but I'm a home user on by RexRhino · · Score: 2

    If you are trying to say that blocking an IP for a country is somehow comparable to say, South African apartheid, or segregation in the U.S. South, or not letting women vote in Saudi Arabia, or any of the horrors we normally think about when someone mentions "discrimination", then you are crazy! Absolutely crazy!

    I just entered a contest online for Coca Cola. The contest is only open to residents of Canada. Are you calling that discrimination? Coca Cola Canada is running the contest, and they have decided to only open it to people in their market. I don't see anything unethical about that at all.

    If I make a phone call to China, I will pay more money than a phone call to somewhere in Canada. Don't you consider that discrimination against China? NO! China is farther away, and outside the national infrastructure, so it makes perfect sense to charge more for a call to china.

    If you are in the U.S., and you visit Canada, you can do so without a passport (you only need a photo ID or birth certificate). If you visit Canada from China, you will need a passport. Is that discrimination?

    Likewise, if I run a business that ships fruitcakes to North America, and if hacking attempts into my server from China are causing problems, then it isn't discrimination to block Chinese IPs. If I am running a blog site for my friends to read, and I don't have any friends living in South Korea, there is nothing wrong with banning those IPs.

    What you are calling "discrimination" would make most of the tax, immigration, and social services of nearly every country in the world "discrimination".

  56. Re:some ideas for networking by General+Wesc · · Score: 5, Funny
    I can give you the world's "safest" Internet (and also the least useful): Block everything except 127.0.0.1.

    That won't protect my children from pornography.

  57. Let China do the work for you! by JimDot · · Score: 2, Insightful

    Just put a few references to Falun Gong on the web site. The Great Firewall of China will soon block everyone for you.

  58. Re:My ban list is extensive but I'm a home user on by shadowmas · · Score: 2, Insightful

    What he said was it's okay for an individual to decide who on what country would be allowed to email them, but no other person should decide it for them (ex. the ISP, Government, etc.).

    Consider some other person who you would like to email (maybe you wanted to talk to him about his very nice opensource product which you just found out about?). If that person has blocked you then there is little you can do since it was his choice. But what if his ISP has blocked you for some pigheaded reason?

    Blocking IP ranges of any kind should only be an option for the end user, not for anyone else.

  59. Re:My ban list is extensive but I'm a home user on by 1u3hr · · Score: 2, Funny
    Personally, I have never received a single email that wasn't spam from any source within APNIC or RIPE, nor do I ever expect to.

    APNIC includes Australia, New Zealand, Singapore, Hong Kong ... fuck them then.