Slashdot Mirror
Blocking a Nation's IP Space
SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?
What is your opinion of this and what do you propose to help correct this?
/8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).
.br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.
.0/24 to the firewall list.
Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.
Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?
I have an extensive ban list on my firewall including tons of
I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people. Don't like it? Oh well, I'm unconcerned. This particular Ask Slashdot might be pertaining to something else but the blurb wasn't really clear.
If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block
After moving off of Comcast for residential DSL through a respectable provider I find that I don't have worms constantly hitting my machine. I don't have as many attack attempts and I certainly am not blocking quite as much spam. I long for the day when I don't have to add another
They're a web hosting provider. And they're blocking entire netblocks from viewing *their customer's* content.
What big company is going to block China? That's where most of their workers are. Can't cut your communications lines to them.
Evolution or ID?
Simply blocking the IP doesn't fix the problem, and is on the same level as them blocking searches engines and sensoring US web sites. Bot engines etc etc, if you stop it one place it will simply spring up in another. Filtering ala google PRIOR to it hitting the consumer is the real key. That and corporate involvement - when it really begins to cost them money we'll see an improvement.
Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations access to western sites because of rogue elements in their borders?
This seems a rather murky route to go down, that ultimately, will be in no one's best interests.
I've got a friend that blocks email from Nigeria, but I'd never do that. You never know when someone really does need help moving millions of dollars out of the country and will gladly give me a cut of the proceeds. For that reason alone I'd never block them.
Looking for a computer support specialist for your small business? Check out
As a chinese American, I feel that these tensions between the USA and China are unnecessary, many things about China are sometimes overstated. For example, last summer I visited China, expecting to see many US sites blocked by the Great firewall, but instead do not see things like that. I did not encounter any websites that seemed to be blocked. Also, many Chinese can read English, so I also feel it's unfair to block Chinese users from some websites.
Student Research and Development
would be if China blocked inbound USA connections seeing as 80% of the worlds spam originates from there, the numbers are no different for all the other scams either ie Phishing, Malware, Adware , Spyware etc etc
hmmm perhaps the rest-of-the-world should just cut off USA it would probably stop 80% of internet related crime overnight
For email, you can use the countries.nerd.dk RBL. Just add the two-letter country code as a prefix. So if you wish to block China from sending email, the RBL server is cn.countries.nerd.dk.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I've got about 20 lines in my hosts.deny file - mostly /8 and /16 nets. This is on a server that hosts some services for showing off our products and it was seeing huge amounts of SSH dictionary attacks and web shell code, etc.
Basically - if we know we want a prospect in China, Korea, etc. to use our site, we'll open something for them - otherwise they should just go the heck away.
If enough people -j DROP China, etc., maybe somethign will get done about. (I know - wishful thinking).
It would though depend on the size and usage of the network you would be blocking Chineses traffic from. If you're a small buisness with absolutely no connection to China whatsoever, you might be ok blocking the entire IP block to protect your network from spammers. But, even an average size network might have some sort of Chinese connection, either from the outside in or vis versa. Lots of companies and people inside China that try to access that network would effected, not just the spammers.
Even if *you* block a range of IP addresses, someone operating a computer on one of those IP addresses could still connect with your server simply by going through a proxy not blocking them, but which you have not also blocked. Given that blocking a national range of IP addresses provides no real security from a marginally determined and capable attacker and that it promotes a balkanization of the Internet, decreasing the network affect and therefore overall utility of the network by blocking many potentially legitimate connections, this seems like a very inappropriate and heavy-handed technical response to unwanted requests from a particular country. It also saves no bandwidth since the filtering happens at the receiving server after the packets have travelled through the network.
From a political science and ideological perspective, industrialized and democratic companies benefit little form blocking the access of citizens of 'pariah' nations to non-classified information. Any opportunity to make available memes that offer alternatives to the totalitarian state line further create the opportunity for the expansion of democracy and free access and speech in those countries. Blocking national IP ranges in this manner would also decrease this opportunity.
This is all fine and dandy. Until _you_ end up being blocked from a whole bunch of stuff because of some asshole in the same IP space.
Blocking based on IP range and or country is pure and simple discrimination. A lot of people don't seem to grasp why discrimination is bad until they end up on the receiving end...
Having said that; if you want to block half the world, I believe that's your right. Just don't block it for me please, I'd like to make that decision myself.
...just put a bunch of stuff on your website advocating a free and democratic China. They'll block it for you.
Can you point to a time when the net was safe for families and businesses. When it was still reasonably safe, I don't recall very many businesses and damn few families even being on it, and it's the sheer stupidity of families and businesses that has been part of the problem with net security.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Actually, there are a few pages that wil gelp you find blocks from rogue countries. But first on to the ethical questions--
I'm the admin for a company with around 70 employees, we maintain our own website, and mail systems. We had been getting pounded with spam and a lot of ssh attempts.
Before taking any action, we found that China (predominately) and Korea were the source of most of our break-in attempts and spam sources. Given that we do _some_ international business, but not there, that was an easy call. Other countries soon followed. Our criteria has been that if there is any chance that someone will travel to a particular country or if the country has useful information to be had via someone with email, we don't block. I know it sounds judgmental, but it has cut our spam/scams down by about 75%. I would prefer to block all cable access to mail, but that would potentially hurt our road warriors with SMTP-AUTH. The slippery slope comes in when you say "Screw anyone on Wannadoo or BTI or Time Warner, etc. running a mail server." I know I quit running a mail server at home just because my stuff was blocked. Our compromise is that spam sources are individually blocked (rather than by range) in places where we travel or may do business.
Further if you have a good firewall scheme you don't have to block web access. You can block the ports that give you trouble and still allow http access if you need the Chinese comsumer market to see your site. I have found that an invaluable tool to use in conjuntion with iptables is IPSet.
It allows for very quick processing of ranges or hashes of individual addresses.
If you want info on blocking countries (sorry if I offend anyone) look here:
http://okean.com/asianspamblocks.html
and http://blackholes.us/ (when it's up...)
Personally, I find blocking unwanted guests akin to allowing only people on your chat list to talk to you...
Acquiescence leads to obliteration
That only works with BGP. Once your hunker down to the local level, taking out a single router can wipe out alot of customers.
Many a discussion have been had when your business-class internet goes out, all the suits quote the same "I thought the internet meant that it doesn't go out".
Sorry, if your firewall goes out, your office is out.
If your ISP's router feeding your office is out, you're out.
If your ISP's feed has a bad router, they're out and guess what, you're out too.
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
This is just an example, but the idea goes for other kinds of sites too...
I like to think that I'm doing my little part by blocking all incoming connections from China, Taiwan, and some of Japan. I throw a big ass list of IPs to block into iptables (and give it time to parse all the IPs and such), and call it good. There are some good lists to block some of those Asian countries that do a reasonably good job: Some IP addresses.
But in all seriousness, the reason I do this, is because of the numerous attempts to brute force sshd, or to send email via my SMTP server, the vast majority of IP addresses come from China, Hong Kong, Taiwan, and Japan.
YOU'RE WINNER !
Another lame blog
We want to censor ourselves, we don't want a government to censor us. If an individual or company decides to block traffic from a country more power to them. It's a choice they have the right to make. If the government wants to do it then that sucks because the people have lost that choice.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
The point of refusing access from certain IP addresses is not to deny service to any particular individual (or nationality, in case of entire countries being affected), but to protect against likely abuse and encourage individuals to use some other IP address. As long as your boycott is aimed at their network infrastructure (for aiding abuse) rather than at the country itself (for political reasons), individual users routing their traffic via other networks is not a problem; it's what you want them to do. The idea is that the secondary network will sort out the abuse (by making sure they know who their customers are, or by other means). If they fail to do so, they will be blacklisted too.
Therefore I see no point in specifically blacklisting any single country, if not for political reasons. Entire countries are blacklisted because they conveniently map to large portions of IP address space. Some Chinese universities probably received their IP blocks before the commercial operators did, and may therefore have addresses in completely separate ranges. If the universities are a bit better at managing their networks, and the bulk of the abuse therefore comes from the commercial blocks, there is no reason both should be listed merely for being assigned to the same country.
Likewise, a single address block may contain several operators in different countries, causing them all to be blacklisted simply because telling them apart takes too much time. It's all about network abuse history, not about nationality. And, I wouldn't have to rely on everyone else blocking a single abused network either, unless they all were to forward that abuse to me.
I have however considered blocking mail servers indiscriminately "bouncing" virus messages having our domain forged onto them, when they have received those messages from IP addresses (often Chinese ones) already included in public blacklists. They could avoid such action on my part by simply using said blacklists themselves, but exactly how they solve their problem is up to them. If they simply avoid "notifying" innocent people every time they receive junk mail or other abuse, I will not bother them.
Then you need to tell the suits the magical word.
Redundancy. To two different ISPs.
If they don't like the cost for it, ask them what the cost is to be without internet access for 2 days.
There are two types of people in the world: Those who crave closure
would be:
1. put some text about freedom of speech and/or human rights in china on your webserver
2. make sure google finds you
then the chinese government itself would see that chinese IP traffic can't reach you.
Yeah, the "ultimate democracy." Where despotic regimes harbor cyber miscreants who piss off the inhabitants of "civilized" countries, who block those despotic regimes, therefore denying the innocent inhabitants of those regimes the ability to communicate unfettered with the rest of the free world.
"Hey, there seem to be all these hackers in China. Let's block the entire nation of China from the rest of the Internet. That will really help the Chinese Internet censorship situation."
But I guess your own convenience is more important that giving those people a conduit to freedom.
As somebody else pointed out, an individual has every right to block or receive whatever traffic they wish. But if you're a network administrator at an ISP or government who thinks he's doing some good by closing off these segments of the Internet, you're nothing but low life scum who cares more about his temporary comfort that other people's lives.
I worked for an ISP for about 5 years... started doing tech support and moved up and on to the NOC and web design. While in the NOC were were fighting spam for our users pretty much non-stop with various black lists / filters. My job was basically to come in each day and clean out the garbage disposal as it were.
Until the glorious day we segragated our mail users. We set up a new beta mail server and split our users into two groups. Those needing international mail, and those not needing it. Over the course of 3 months, we informed users of the change and provided an easy opt-in one-click process to make sure they could send/recieve international mail.
After that grace period, we simply shut off international mail on our main server by blocking any IP space outside the US.
The load on our mail servers (4 dual CPU machines) went from averaging around 50% down to 5% and stayed there.
In our polling of our own customers, we found that 90% or more of them never had any intention or desire to send/recieve international mail. Our spam load went from several thousand spam messages a minute to less than a thousand per day.
The people that needed international mail were put on the new server and left open to all mail.
For the next few months, the staff at our office didn't have to buy lunch or snacks because that corny AOL commercial actually happened. We had customers in all the time taking us out to lunch and dropping off brownies, cupcakes, etc... our satifaction rate was never higher and I would venture to guess that we would not have been that loved had we sent everyone $50 cash.
Why isn't this a more popular choice? Is there really that much of a NEED in the general internet population for international mail? There wasn't at our company.
I think we could make international mail a feature add-on much like web hosts make CGI, PHP, or mySQL a feature add-on. Sure, to me those are just staples, but not everyone needs all that.
Sure, there's still in-country spam sources... but NOTHING like what comes from outside.
[ http://www.dvigroup.net/self ]
I have been to China, my wife is Chinese, and the region where I live (Vancouver) is about 25% ethnic Chinese. China is an important country, and its power is growing - look at recent purchases (and attempts) of major Canadian and American companies. China, its culture, and its policies will increasingly impact our lives. We will be exposed to their culture and values. We can't afford to be silent about ours.
My philosophy is that you should get to decide who you want to talk to. If you don't want to talk to anyone in China (or Australia, or whatever), then no one says you have to.
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
Alrighty, then, troll feeding time!
230 years ago, this nation I live in was under a (different) "despotic regime" - some people decided to take some action, and it changed. The assistances they received happened after they started, not because they whined.
As an individual internet user, I have not ever blocked an email from a political dissident due to its political content. As a website author, I have not blocked anyone from viewing my site.
As a businessman, I respect and obey the laws governing my use of advertising online, by email (I fully comply with CAN-SPAM) and other means as applicable.
The above said, anyone who cannot see fit to play by the same rules can go figure out a different game *elsewhere*, instead of trying to play some bait (political freedom of speech) and switch (illegal spam serving) game.
There is no "divine right" nor requirement to maintain a web presence, to maintain completely open networks, to provide a podium upon which some poor abused oppressed individual can spout their issues to everyone else, no matter how "justified" they might be.... This whole intarweb thing borders so closely to being completely fictional it isn't funny - please *do* seek to force your beliefs concerning how things *should* be onto the current way things are - only time will tell how successful you were.
Please *don't* consider the over-worked net administrators as enemies: The real enemies are those spam servers who bury any legitimate content coming out of dissenting China more effectively than any locally-applied blocks ever could.
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
That won't protect my children from pornography.