Security IT

Blocking a Nation's IP Space 404

SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?
  • For email, you can use the countries.nerd.dk RBL. Just add the two-letter country code as a prefix. So if you wish to block China from sending email, the RBL server is cn.countries.nerd.dk.
     
  • by Mugros ( 811343 ) on Wednesday August 31, 2005 @04:23PM (#13448569)
    ... according to http://www.trustedsource.org/ [trustedsource.org] featured today in another ./ article the US is the biggest source of spam.
    This is a lot easier if you are outside the US.

    Greetings from a blue country.
  • by DNS-and-BIND ( 461968 ) on Wednesday August 31, 2005 @04:25PM (#13448581) Homepage
    The USA has compelling content online (if you speak English). China has very little information available in English, and can be blocked off with little loss. Unless your idea of compelling content is reading poorly-translated flash-enabled manufacturing company websites, or government-approved news sources.

    There are scores of young men who sit around in internet cafes all day and do nothing but scan for vulnerabilities in badly-coded applications, mostly message boards. I know, I've seen them. Yes, it is most unusual for a Chinese fellow in an internet cafe to not be playing Counterstrike, but I assure you it does indeed happen. You can turn on the scanner and let it run in the background while you play Counterstrike, don't forget.

  • by fm2503 ( 876331 ) on Wednesday August 31, 2005 @04:33PM (#13448658)
    Slight error here - /24 = 256 hosts. Perhaps /8 was what was meant?
  • by Rooktoven ( 263454 ) on Wednesday August 31, 2005 @04:42PM (#13448735) Homepage
    Actually, there are a few pages that will help you find blocks from rogue countries. But first on to the ethical questions--

    I'm the admin for a company with around 70 employees, we maintain our own website, and mail systems. We had been getting pounded with spam and a lot of ssh attempts.

    Before taking any action, we found that China (predominately) and Korea were the source of most of our break-in attempts and spam sources. Given that we do _some_ international business, but not there, that was an easy call. Other countries soon followed. Our criteria has been that if there is any chance that someone will travel to a particular country or if the country has useful information to be had via someone with email, we don't block. I know it sounds judgmental, but it has cut our spam/scams down by about 75%. I would prefer to block all cable access to mail, but that would potentially hurt our road warriors with SMTP-AUTH. The slippery slope comes in when you say "Screw anyone on Wannadoo or BTI or Time Warner, etc. running a mail server." I know I quit running a mail server at home just because my stuff was blocked. Our compromise is that spam sources are individually blocked (rather than by range) in places where we travel or may do business.

    Further if you have a good firewall scheme you don't have to block web access. You can block the ports that give you trouble and still allow http access if you need the Chinese consumer market to see your site. I have found that an invaluable tool to use in conjunction with iptables is IPSet [netfilter.org].
    It allows for very quick processing of ranges or hashes of individual addresses.

    If you want info on blocking countries (sorry if I offend anyone) look here:

    http://okean.com/asianspamblocks.html [okean.com]

    and http://blackholes.us/ [blackholes.us] (when it's up...)

    Personally, I find blocking unwanted guests akin to allowing only people on your chat list to talk to you...
  • by Ucklak ( 755284 ) on Wednesday August 31, 2005 @04:45PM (#13448762)
    That only works with BGP. Once you hunker down to the local level, taking out a single router can wipe out a lot of customers.

    Many a discussion have been had when your business-class internet goes out, all the suits quote the same "I thought the internet meant that it doesn't go out".
    Sorry, if your firewall goes out, your office is out.
    If your ISP's router feeding your office is out, you're out.
    If your ISP's feed has a bad router, they're out and guess what, you're out too.
  • My Little Part. . . (Score:5, Informative)

    by MikeDawg ( 721537 ) on Wednesday August 31, 2005 @04:48PM (#13448788) Homepage Journal

    I like to think that I'm doing my little part by blocking all incoming connections from China, Taiwan, and some of Japan. I throw a big ass list of IPs to block into iptables (and give it time to parse all the IPs and such), and call it good. There are some good lists to block some of those Asian countries that do a reasonably good job: Some IP addresses [tsg.ne.jp].

    But in all seriousness, the reason I do this, is because of the numerous attempts to brute force sshd, or to send email via my SMTP server, the vast majority of IP addresses come from China, Hong Kong, Taiwan, and Japan.

  • Re:I am chinese (Score:5, Informative)

    by Ambush Commander ( 871525 ) on Wednesday August 31, 2005 @05:17PM (#13449042)
    As a Chinese American, I can say I was considerably annoyed when I found out my personal website was blocked by the firewall.

    As a Wikipedian, I can tell you that http://zh.wikipedia.org/ [wikipedia.org] is a great case study of this censorship... it had a huge chilling effect on the project during that time. See http://en.wikipedia.org/wiki/Chinese_Wikipedia [wikipedia.org]

    See also: http://en.wikipedia.org/wiki/Internet_censorship_in_mainland_China [wikipedia.org]
  • Easy ban lists (Score:5, Informative)

    by tyler_larson ( 558763 ) on Wednesday August 31, 2005 @05:33PM (#13449166) Homepage
    Want to know all the subnets a given country (in APNIC) uses? How about 3 lines of perl:

    $ctry = shift || 'cn';
    $_ = `GET "http://www.apnic.net/apnic-bin/ipv4-by-country.pl?country=$ctry"`;
    print join "\n", /([0-9\.]+\/[0-9]+)/g;

    My philosophy is that you should get to decide who you want to talk to. If you don't want to talk to anyone in China (or Australia, or whatever), then no one says you have to.

  • by Evro ( 18923 ) <evandhoffman.gmail@com> on Wednesday August 31, 2005 @05:42PM (#13449237) Homepage Journal
    When I set up a mail server for one of my previous employers I ended up blocking China, India, Israel and most of the rest of Asia/Middle East IP space. The company didn't ship internationally and the likelihood of receiving a legitimate email was so low that it wasn't worth the hundreds of spam messages we'd been receiving. By blocking Asia we eliminated 90% of incoming spam. Spam Assassin and a couple RBLs got rid of most of the rest.
  • Re:Easy ban lists (Score:3, Informative)

    by kjs3 ( 601225 ) on Thursday September 01, 2005 @03:10PM (#13457060)
    Nifty!

    On my Debian box, I had to change it to the following (undoubtedly because I don't know perl).

    #!/usr/bin/perl

    use LWP::Simple;

    $ctry = shift || 'cn';
    $_ = get("http://www.apnic.net/apnic-bin/ipv4-by-country.pl?country=$ctry");
    print join "\n", /([0-9]+\.[0-9\.]+\/[0-9]+)/g;

    Make sure you get rid of any spaces in the URL.
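
Added example, not part of any comment above: a shell sketch that takes a fetched listing like the one the Perl snippets download, keeps only well-formed CIDR blocks, and writes an `ipset restore` file so the list is loaded as one IPSet set rather than one iptables rule per address, blocking only chosen ports as Rooktoven describes. The set name, the /8 sanity floor and the sample listing are assumptions constructed for illustration, and the syntax is that of current ipset releases.

```shell
#!/bin/sh
# Added example. SET_NAME and sample_listing are constructed placeholders.
SET_NAME="country_block"

# extract_cidrs: read untrusted text on stdin, print unique valid IPv4 CIDRs.
# Input is split into tokens of digits, dots and slashes; a token must be
# exactly a.b.c.d/len, so 1234.5.6.7/24 is dropped rather than trimmed to fit.
extract_cidrs() {
    tr -c '0-9./\n' '\n' |
    grep -xE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' |
    awk -F'[./]' '
        # Octets 0-255; prefix 8-32 so a stray 0.0.0.0/0 cannot block everyone.
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 &&
        $5 >= 8 && $5 <= 32 && !seen[$0]++
    '
}

# make_restore: read CIDRs on stdin, write an `ipset restore` script.
make_restore() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    printf 'flush %s\n' "$SET_NAME"
    while read -r cidr; do
        printf 'add %s %s\n' "$SET_NAME" "$cidr"
    done
}

# Constructed sample of a fetched page (documentation ranges plus junk).
sample_listing() {
    cat <<'EOF'
<tr><td>192.0.2.0/24</td></tr>
<tr><td>198.51.100.0/24</td></tr>
<tr><td>192.0.2.0/24</td></tr>
<td>999.1.2.3/24</td> <td>203.0.113.0/40</td> <td>0.0.0.0/0</td>
EOF
}

# Demo: print the restore file for the sample. To apply it as root:
#   ipset restore -exist < blocklist.restore
#   iptables -I INPUT -p tcp -m multiport --dports 22,25 \
#       -m set --match-set country_block src -j DROP
# Only SSH and SMTP are dropped for the set; HTTP stays reachable.
sample_listing | extract_cidrs | make_restore
```
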
