Blocking a Nation's IP Space
SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as Wanadoo or Comcast, Road Runner, etc?" The author of the article raises an interesting point: will this 'slippery slope' prove too difficult to walk?
Re:My ban list is extensive but I'm a home user on (Score:5, Informative)
Block the IP space of the USA first... (Score:2, Informative)
This is a lot easier if you are outside the US.
Greetings from a blue country.
Re:what would cut down spam (Score:4, Informative)
There are scores of young men who sit around in internet cafes all day and do nothing but scan for vulnerabilities in badly-coded applications, mostly message boards. I know, I've seen them. Yes, it is most unusual for a Chinese fellow in an internet cafe to not be playing Counterstrike, but I assure you it does indeed happen. You can turn on the scanner and let it run in the background while you play Counterstrike, don't forget.
Re:Blunt force trauma (Score:2, Informative)
Re:My ban list is extensive but I'm a home user on (Score:5, Informative)
I'm the admin for a company with around 70 employees, we maintain our own website, and mail systems. We had been getting pounded with spam and a lot of ssh attempts.
Before taking any action, we found that China (predominately) and Korea were the source of most of our break-in attempts and spam sources. Given that we do _some_ international business, but not there, that was an easy call. Other countries soon followed. Our criterion has been that if there is any chance that someone will travel to a particular country or if the country has useful information to be had via someone with email, we don't block. I know it sounds judgmental, but it has cut our spam/scams down by about 75%. I would prefer to block all cable access to mail, but that would potentially hurt our road warriors with SMTP-AUTH. The slippery slope comes in when you say "Screw anyone on Wanadoo or BTI or Time Warner, etc. running a mail server." I know I quit running a mail server at home just because my stuff was blocked. Our compromise is that spam sources are individually blocked (rather than by range) in places where we travel or may do business.
Further, if you have a good firewall scheme you don't have to block web access. You can block the ports that give you trouble and still allow http access if you need the Chinese consumer market to see your site. I have found that an invaluable tool to use in conjunction with iptables is IPSet [netfilter.org].
It allows for very quick processing of ranges or hashes of individual addresses.
If you want info on blocking countries (sorry if I offend anyone) look here:
http://okean.com/asianspamblocks.html [okean.com]
and http://blackholes.us/ [blackholes.us] (when it's up...)
Personally, I find blocking unwanted guests akin to allowing only people on your chat list to talk to you...
Re:My ban list is extensive but I'm a home user on (Score:5, Informative)
Many a discussion has been had when your business-class internet goes out; all the suits quote the same "I thought the internet meant that it doesn't go out".
Sorry, if your firewall goes out, your office is out.
If your ISP's router feeding your office is out, you're out.
If your ISP's feed has a bad router, they're out and guess what, you're out too.
My Little Part. . . (Score:5, Informative)
I like to think that I'm doing my little part by blocking all incoming connections from China, Taiwan, and some of Japan. I throw a big ass list of IPs to block into iptables (and give it time to parse all the IPs and such), and call it good. There are some good lists to block some of those Asian countries that do a reasonably good job: Some IP addresses [tsg.ne.jp].
But in all seriousness, the reason I do this is because of the numerous attempts to brute force sshd, or to send email via my SMTP server; the vast majority of IP addresses come from China, Hong Kong, Taiwan, and Japan.
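Added example, not part of any comment in this thread: a sketch of the two approaches described above (the earlier comment's IPSet with port-scoped blocking, and this comment's large block list), combined so the list is loaded into one set and a single iptables rule filters only ssh and smtp. The set name `geo_block`, the port list and the sample ranges are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: turn a CIDR block list into "ipset restore" input and print
# the port-scoped iptables rule. Set name and port list are assumptions.
SET_NAME="geo_block"   # hypothetical set name
BLOCK_PORTS="22,25"    # ssh and smtp are filtered; http/https stay reachable

# Succeeds only for a plain IPv4 address or CIDR with prefix 1-32.
# A /0 is refused: hash:net cannot store it and it would match everyone.
valid_cidr() {
    ip=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*|???*|0?*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ????*|0?*) return 1 ;; esac   # too long or leading zero
        [ "$o" -le 255 ] || return 1
    done
}

# Reads a block list on stdin (one entry per line, '#' comments allowed) and
# writes restore commands on stdout; rejected entries are reported on stderr.
build_restore() {
    echo "create $SET_NAME hash:net family inet"
    echo "flush $SET_NAME"              # drop entries from a previous load
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            echo "add $SET_NAME $line"
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
}

# One rule consults the whole set, and only for the listed ports.
print_rule() {
    echo "iptables -I INPUT -p tcp -m multiport --dports $BLOCK_PORTS" \
         "-m set --match-set $SET_NAME src -j DROP"
}

# Constructed sample list (documentation ranges, not real block data).
SAMPLE_LIST='192.0.2.0/24
198.51.100.0/24   # trailing comment
203.0.113.7
300.1.1.0/24
0.0.0.0/0'

# As root, the first output would be piped to: ipset -exist restore
printf '%s\n' "$SAMPLE_LIST" | build_restore
print_rule
```

Because the rule matches against a hashed set, adding more ranges does not add more rules for the kernel to walk, and validating entries before loading keeps a malformed or overly broad line in a downloaded list from reaching the firewall.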
Re:I am chinese (Score:5, Informative)
As a Wikipedian, I can tell you that http://zh.wikipedia.org/ [wikipedia.org] is a great case study of this censorship... it had a huge chilling effect on the project during that time. See http://en.wikipedia.org/wiki/Chinese_Wikipedia [wikipedia.org]
See also: http://en.wikipedia.org/wiki/Internet_censorship_
Easy ban lists (Score:5, Informative)
My philosophy is that you should get to decide who you want to talk to. If you don't want to talk to anyone in China (or Australia, or whatever), then no one says you have to.
I blocked all of Asia... (Score:2, Informative)
Re:Easy ban lists (Score:3, Informative)
On my Debian box, I had to change it to the following (undoubtedly because I don't know perl).
Make sure you get rid of any spaces in the URL.