Security IT

Blocking a Nation's IP Space

SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I pose to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point: will this 'slippery slope' prove too difficult to walk?
Comments:
  • by garcia ( 6573 ) * on Wednesday August 31, 2005 @04:02PM (#13448396)
    What is your opinion of this and what do you propose to help correct this?

    Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.

    Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?

    I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

    I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people. Don't like it? Oh well, I'm unconcerned. This particular Ask Slashdot might be pertaining to something else but the blurb wasn't really clear.

    If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.

    After moving off of Comcast for residential DSL through a respectable provider I find that I don't have worms constantly hitting my machine. I don't have as many attack attempts and I certainly am not blocking quite as much spam. I long for the day when I don't have to add another .0/24 to the firewall list.
  • Officially insane. (Score:5, Insightful)

    by Dibblah ( 645750 ) on Wednesday August 31, 2005 @04:03PM (#13448402)
    They're a web hosting provider. And they're blocking entire netblocks from viewing *their customer's* content.
  • by millahtime ( 710421 ) on Wednesday August 31, 2005 @04:03PM (#13448403) Homepage Journal
    What big company is going to block China? That's where most of their workers are. Can't cut your communications lines to them.
  • No. No. No. (Score:5, Insightful)

    by Puls4r ( 724907 ) on Wednesday August 31, 2005 @04:05PM (#13448425)
    Simply blocking the IP doesn't fix the problem, and is on the same level as them blocking search engines and censoring US web sites. Bot engines etc etc, if you stop it one place it will simply spring up in another. Filtering a la Google PRIOR to it hitting the consumer is the real key. That and corporate involvement - when it really begins to cost them money we'll see an improvement.
  • Ya... (Score:5, Insightful)

    by mr_tommy ( 619972 ) * <tgraham@@@gmail...com> on Wednesday August 31, 2005 @04:05PM (#13448427) Journal
    Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations' access to western sites because of rogue elements in their borders?

    This seems a rather murky route to go down, that ultimately, will be in no one's best interests.
  • by Anonymous Coward on Wednesday August 31, 2005 @04:07PM (#13448445)

    would be if China blocked inbound USA connections seeing as 80% of the world's spam originates from there [spamhaus.org], the numbers are no different for all the other scams either ie Phishing, Malware, Adware, Spyware [internetnews.com] etc etc

    hmmm perhaps the rest-of-the-world should just cut off USA it would probably stop 80% of internet related crime overnight

  • by turbothumbz ( 907352 ) on Wednesday August 31, 2005 @04:09PM (#13448458) Homepage
    Some friends and I discussed this once. The original purpose of the internet was so that no one place could be brought down in case of attack. Hence if you block China's IP space that may prevent some minor inconveniences but they will still be able to bounce through other servers. The only way to block them out would be if everyone else blocked China.
  • by garcia ( 6573 ) * on Wednesday August 31, 2005 @04:12PM (#13448482)
    Since we're generalizing here, you wouldn't by any chance be American, would you?

    It's fairly apparent where I'm from. I didn't feel the need to state it -- if you'd like more info my post history and personal URL are there.

    As far as America being full of hackers. This is true. They don't typically fuck with me from American IPs though. The main problems I see from America are morons running unpatched shit on residential connections.

    Anyone else from America that is trying to exploit me is generally coming from a foreign IP (to try and mask their accountability). It's been going on like that for years. Get over yourself.

    Isolationism is alive and well in the homes of America as well as the White House!

    Off-topic, but, I wish we were practicing Isolationism in the White House. We wouldn't be fucking shit up in Iraq.
  • by Bananatree3 ( 872975 ) * on Wednesday August 31, 2005 @04:13PM (#13448498)
    It would seem that blocking China's IP block might in some cases cause collateral damage when it comes to accessing certain sites. While it is true that blocking the entire China IP block would get rid of a LOT of spam that comes from Chinese bullet-proof ISPs, there is also a side effect. Ordinary people who try to connect to a network from inside China would also be blocked as well, and this would cause a lot of collateral damage in terms of the average Chinese web browsing population.

    It would though depend on the size and usage of the network you would be blocking Chinese traffic from. If you're a small business with absolutely no connection to China whatsoever, you might be ok blocking the entire IP block to protect your network from spammers. But, even an average size network might have some sort of Chinese connection, either from the outside in or vice versa. Lots of companies and people inside China that try to access that network would be affected, not just the spammers.

  • by Kelson ( 129150 ) * on Wednesday August 31, 2005 @04:14PM (#13448507) Homepage Journal
    Actually, that's 80% of North America's and Europe's spam. It doesn't provide any stats on how much of China's spam originates in the US.

    It's also a list of the people creating the spam, not the location of the machines that are sending it.

    And note that North America includes the US, so a lot of that spam is by Americans, for Americans. Just relayed through China, Korea and Brazil.
  • by Indy1 ( 99447 ) on Wednesday August 31, 2005 @04:18PM (#13448536)
    and expect others to treat it like a sewer. Chinese (and other APNIC networks) ISPs just don't give a damn how much abuse their users heap on the rest of the net. Between the spam, worms, and other crap they spew, they've gotten a hard earned spot in my firewall. Granted I am not a huge business or ISP, but at the rate they're going, it won't be long before big ISPs and businesses DO firewall all of APNIC as a pre-emptive measure.
  • by Vellmont ( 569020 ) on Wednesday August 31, 2005 @04:19PM (#13448543) Homepage

    "What is your opinion of this and what do you propose to help correct this?"

    If you can get away with blocking out large IP spaces of an entire country, do it. If you can't, don't. I don't receive any legitimate mail from Chinese IP addresses and never will. I don't block anything at the moment, but if it solved much of the scanning and spam I see I'd probably consider it. Unless you have a global market, why not do it if it solves more problems than it creates?

    I think when a US company starts targeting large ISPs in the US, or you are an ISP yourself, you're going to run into trouble though. I know an ISP that discards all mail coming from roadrunner addresses as spam. That's a terrible practice for the ISP's customers who aren't getting legitimate email.
  • by aldheorte ( 162967 ) on Wednesday August 31, 2005 @04:20PM (#13448549)
    Even if *you* block a range of IP addresses, someone operating a computer on one of those IP addresses could still connect with your server simply by going through a proxy not blocking them, but which you have not also blocked. Given that blocking a national range of IP addresses provides no real security from a marginally determined and capable attacker and that it promotes a balkanization of the Internet, decreasing the network effect and therefore overall utility of the network by blocking many potentially legitimate connections, this seems like a very inappropriate and heavy-handed technical response to unwanted requests from a particular country. It also saves no bandwidth since the filtering happens at the receiving server after the packets have travelled through the network.

    From a political science and ideological perspective, industrialized and democratic companies benefit little from blocking the access of citizens of 'pariah' nations to non-classified information. Any opportunity to make available memes that offer alternatives to the totalitarian state line further creates the opportunity for the expansion of democracy and free access and speech in those countries. Blocking national IP ranges in this manner would also decrease this opportunity.
  • Block nothing (Score:2, Insightful)

    by papaia ( 652949 ) on Wednesday August 31, 2005 @04:20PM (#13448551)
    I have a corporate network to run, and we are only expanding in China. There is no realistic way to resolve any issues at the IP or DNS/domain level, as the same ISPs that provide services to spammers and crackers are also hosts of my customers.

    Short answer? Clever design, application layer solutions (e.g. multi-level filters and signatures based protection for application traffic), which implies more resources, and some administrative headache to put up with, when things go wrong. Always need to keep the balance: if the costs of doing business (of which the human and technical solutions needed to avoid across-the-board denial are mandatorily included) become higher than the return/profit, we will rethink the options. Until then we are happy when others (preferably competitors of ours) apply the knee-jerk solution of blocking country-wide networks ;)
  • Blunt force trauma (Score:3, Insightful)

    by groomed ( 202061 ) on Wednesday August 31, 2005 @04:28PM (#13448603)
    Blocking a /16 means blocking some ~65000 IP addresses. Blocking a /24 means blocking around 16 million IP addresses.

    Over the past 6 months I've identified and recorded all SSH dictionary attacks on my machine. I've recorded exactly 211 IP addresses so far.

    People who advocate blocking /16's and /24's should consider wrapping their CAT5 in tin foil.
  • Dynamic Block (Score:3, Insightful)

    by Roger W Moore ( 538166 ) on Wednesday August 31, 2005 @04:29PM (#13448614) Journal
    Reading the original article (always a bad move) it talked about blocking dodgy looking web requests which, I'm guessing, took up a significant fraction of the server's resources. In such a case I'd go ahead and block. You might lose some potential valid users but that is a lot less than losing everyone if your server clogs up.

    However I'd suggest dynamic blocking as the best means to do it, i.e. a machine generated list. Have a server outside the firewall examine incoming requests and block IP ranges where significant numbers of dubious requests are coming from. If the number of dubious requests falls below a certain rate then the IP range is unblocked.

    This is a lot better than a permanent ban because you can't be accused of implementing a political agenda of your own and it rewards ISPs/Companies/Countries that eventually clean up their network space. Of course it does mean that you have to be able to define in terms a computer will understand what a "dodgy" request is.
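    The dynamic, rate-based block described above, as an added Python example (not the poster's code): it parses constructed Apache common-log lines, counts dubious requests per /24 in a sliding window, blocks a range when the count reaches a threshold and unblocks it once the count drops below a lower one. The log lines, thresholds, window and the probe heuristic are all assumptions.

```python
"""Rate-based dynamic blocking of IP ranges, driven by web-server log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed Apache common-log lines (documentation ranges, not real traffic): a burst
# of probe-looking requests from 203.0.113.0/24, one normal visitor, then a late request.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Aug/2005:16:00:01 +0000] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 210
203.0.113.11 - - [31/Aug/2005:16:00:02 +0000] "GET /scripts/root.exe HTTP/1.0" 404 210
203.0.113.12 - - [31/Aug/2005:16:00:04 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 210
203.0.113.13 - - [31/Aug/2005:16:00:05 +0000] "GET /../../etc/passwd HTTP/1.0" 400 180
203.0.113.14 - - [31/Aug/2005:16:00:06 +0000] "GET /awstats/awstats.pl HTTP/1.1" 404 210
203.0.113.15 - - [31/Aug/2005:16:00:07 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.5 - - [31/Aug/2005:16:00:08 +0000] "GET /missing.png HTTP/1.1" 404 210
203.0.113.20 - - [31/Aug/2005:16:02:30 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The "dodgy request" definition the comment says you must pin down; a simple heuristic here.
PROBE_MARKERS = ("/cgi-bin/", "/scripts/", "/_vti_bin/", "../")

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)

def is_dubious(path, status):
    return status >= 400 or any(marker in path for marker in PROBE_MARKERS)

class DynamicBlocker:
    """Block a prefix at block_at dubious hits per window; release it below unblock_below."""
    def __init__(self, prefix_len=24, window=timedelta(seconds=60),
                 block_at=5, unblock_below=2):
        self.prefix_len = prefix_len
        self.window = window
        self.block_at = block_at
        self.unblock_below = unblock_below          # lower than block_at: hysteresis
        self.events = defaultdict(list)             # network -> dubious-request timestamps
        self.blocked = set()

    def network_of(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def _count_recent(self, net, now):
        cutoff = now - self.window                  # drop events outside the window
        self.events[net] = [t for t in self.events[net] if t >= cutoff]
        return len(self.events[net])

    def observe(self, ip, now, dubious):
        """Record one request seen by the examining host; return whether its /24 is blocked."""
        net = self.network_of(ip)
        if dubious:
            self.events[net].append(now)
        count = self._count_recent(net, now)
        if net not in self.blocked and count >= self.block_at:
            self.blocked.add(net)
        elif net in self.blocked and count < self.unblock_below:
            self.blocked.discard(net)
        return net in self.blocked

    def refresh(self, now):
        """Periodic sweep so a range that has gone quiet is released even if it sends nothing."""
        for net in list(self.blocked):
            if self._count_recent(net, now) < self.unblock_below:
                self.blocked.discard(net)
        return set(self.blocked)

def process_log(text, blocker=None):
    """Feed each line through the blocker; return per-line (ip, blocked) and the final block set."""
    blocker = blocker or DynamicBlocker()
    decisions = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _method, path, status = parsed
        decisions.append((ip, blocker.observe(ip, ts, is_dubious(path, status))))
    return decisions, blocker.blocked
```

    Running process_log(SAMPLE_LOG) shows the /24 being blocked on its fifth probe, staying blocked for a benign request from the same range, and being released once the window has emptied; the lone 404 from the other visitor never triggers a block.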
  • by slashdot.org ( 321932 ) on Wednesday August 31, 2005 @04:30PM (#13448624) Homepage Journal
    This is all fine and dandy. Until _you_ end up being blocked from a whole bunch of stuff because of some asshole in the same IP space.

    Blocking based on IP range and/or country is pure and simple discrimination. A lot of people don't seem to grasp why discrimination is bad until they end up on the receiving end...

    Having said that; if you want to block half the world, I believe that's your right. Just don't block it for me please, I'd like to make that decision myself.
  • Hypocritics (Score:2, Insightful)

    by marcantonio ( 895721 ) on Wednesday August 31, 2005 @04:30PM (#13448627)
    On slashdot we always make a big deal out of censorship particular to the Chinese government. Why then, would it be ok for us to do the same thing to its people. Many attacks do come from there, but that doesn't make it any less wrong.

    If you're going to do this at your company then don't whine about Chinese censorship any longer.
  • by m50d ( 797211 ) on Wednesday August 31, 2005 @04:38PM (#13448703) Homepage Journal
    Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.

    I'd suggest just keeping your services secure. Automated attacks are aimed at the lowest common denominator, even basic security steps will stop them. My smb server gets connect attempts at a rate of around 2 per second, and has done for the last six months or so. So far none have got in. I only take action if I'm getting hammered by a single IP, and then I'm more likely to complain to his ISP than block him.

    I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account

    As well they should. The internet should be a community, not controlled by big corporations like other media.

    and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

    Ooh, because an attacker is obviously so much less likely to use GMail than hotmail. After all, it's made by the holy Google who say "Do no evil", and everyone knows MS are always evil.

    I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people.

    If you want to be a part of the internet rather than a passive consumer of it, you should let everyone access what you're serving. Anything less is worse than nothing at all.

    If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.

    Why do you want to block entire countries? Assuming Brazilians are evil because one tried to hack you is pure prejudice and as bad as any other kind.

  • by Alex P Keaton in da ( 882660 ) on Wednesday August 31, 2005 @04:39PM (#13448705) Homepage
    The three people it might affect every year isn't a big deal. If anything, I did them, and everyone else, a favor.
    Dude, seriously, what are you doing on slashdot? Didn't you know that hot babes from all over the world are trying to email us all day every day?
    Honestly, for me, email is like the phone- the list of people that I want to have access to me isn't that long. Not because I am a hot commodity, but because I don't like being disturbed.
    It is your computer- you can restrict access however you want. If you only want to accept email from people over 6 feet tall and white, it is up to you. It is your computer! What a concept!
    Anyhow- good luck with the wedding. (Or as my mom told me, "you aren't planning for a wedding, you are planning for a marriage..." Big difference...)
  • by MightyMartian ( 840721 ) on Wednesday August 31, 2005 @04:40PM (#13448713) Journal
    Can you point to a time when the net was safe for families and businesses? When it was still reasonably safe, I don't recall very many businesses and damn few families even being on it, and it's the sheer stupidity of families and businesses that has been part of the problem with net security.
  • by taustin ( 171655 ) on Wednesday August 31, 2005 @04:41PM (#13448726) Homepage Journal
    So you read every single spam? From beginning to end? If you don't, you are censoring those spammers! You, personally, are grinding those hard-working, ethikul bidnezmen under the bootheels of oppression!

    Censorship is wrong. Blocking spam isn't censorship. That's your error.
  • by Anonymous Coward on Wednesday August 31, 2005 @04:44PM (#13448748)
    You will be closer to god, won't have to bother with nasty internet worms ever (I can promise !) and will be as far as possible from pornography and kiddy porn as is possible in today's america.

    Of course, running water and electricity have to be forfeited, but your family will have the warm feeling of doing the right thing every time they take half an hour to get water for the weekly bath.

    Then, if you want to keep some and be protected from the rest, join the closest Mormons, where you will have the possibility of marrying underage teens by the dozen, as long as you find some that are still available....And still be closer to god.

    What you are proposing is the ability for Microsoft to keep the internet market forever, without having any competitor, and no possibility for you (me) to escape the pigopolist...

    "This set of protocols could allow trusted machines to receive properly licensed and authorized content but still filter out other less useful but more dangerous content/extentions like exe's, zips, tar.gz's, bz2, py, and iso's, and additionally any encrypted content, and the major webserver venders would have to outlaw application/octet mime types to regain control of the internet-turned-piracy haven that the thieves like warez groups and gnu have perverted, not to mention all the pornography and child molesting an open internet produces."

    There was this sentence from Benjamin Franklin about freedom and what awaits people ready to sacrifice freedom for a little bit more security...look for it, it will be instructive to you....

    your data, if really important, can be encrypted, backed up, mirrored, made unreachable to 99.9% of the internet population. you just have to exert some efforts and understanding to make it so...

    Well, I'm answering to an anonymous troll, might as well piss in a violin !

    It's time to make the slashdot safe again from you for our pleasure and entertainment...

    Any chance of you leaving on your own ?
  • Hypocritical? (Score:3, Insightful)

    by Rie Beam ( 632299 ) on Wednesday August 31, 2005 @04:46PM (#13448777) Journal
    So wait a minute - weren't we just getting all up-in-arms over the Chinese blocking their people from viewing unsolicited western sites? And now we should go ahead and block the entire country because of the rogue elements? I agree Chinese cr/hackers (take your pick) are a problem, but at the same time, so are any other skilled cr/hackers - just because this one has malicious intent doesn't mean we're doing any good by blocking such a large audience simply because of the possibility. Cracking will still occur, as with worms and trojans. Those who really want to will find alternate means of access (perhaps through countries a bit more generous than the United States). What is there to gain by this?
  • Not at all (Score:5, Insightful)

    by Mustang Matt ( 133426 ) on Wednesday August 31, 2005 @04:49PM (#13448804)
    We want to censor ourselves, we don't want a government to censor us. If an individual or company decides to block traffic from a country more power to them. It's a choice they have the right to make. If the government wants to do it then that sucks because the people have lost that choice.
  • would be:

    1. put some text about freedom of speech and/or human rights in china on your webserver
    2. make sure google finds you

    Then the Chinese government itself would see that Chinese IP traffic can't reach you.
  • Re:Ya... (Score:5, Insightful)

    by RealAlaskan ( 576404 ) on Wednesday August 31, 2005 @05:28PM (#13449121) Homepage Journal
    Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations access to western sites because of rogue elements in their borders?

    Nope. Nothing strange about that.

    For you or me to choose not to get email from Chinese addresses, or not to acknowledge packets from Chinese addresses, is to exercise our liberty. We have the right (among others) to "freedom of association". That means that we can choose who we associate with ... and who we don't.

    This is radically different than a government trying to tell us that we cannot access certain websites (as the Chinese government has been doing with help from Cisco, MS and Google).

    Let me try to re-phrase all that in simple terms: If we don't want to play with somebody, that's OK. If the bullies try to stop us from playing with someone, that's not OK.

    OK?

  • by Geof ( 153857 ) on Wednesday August 31, 2005 @05:33PM (#13449165) Homepage

    I have been to China, my wife is Chinese, and the region where I live (Vancouver) is about 25% ethnic Chinese. China is an important country, and its power is growing - look at recent purchases (and attempts) of major Canadian and American companies. China, its culture, and its policies will increasingly impact our lives. We will be exposed to their culture and values. We can't afford to be silent about ours.

  • YMMV (Score:1, Insightful)

    by Anonymous Coward on Wednesday August 31, 2005 @05:45PM (#13449260)
    Not a single server I maintain could use such a broad blocking policy. Many companies do business with contacts in those countries as it is. It just would not be productive there. Which is the case for the majority of the machines I maintain.

    If you're so worried about being hacked, invest in a good layer of defense and pro-active monitoring instead of blindly ignoring traffic. It's pretty amazing what a snort-guru can slap together for network IDS..
  • by Anonymous Coward on Wednesday August 31, 2005 @05:46PM (#13449263)
    Nigerians constantly abuse www.sprintrelayonline.com for fraud purposes. All day long I am forced, by FCC law, to call pharmacies and try to order 50 boxes of 100 count "One Touch Basic" glucose test strips. They put filters in to block the connections from Nigerian IP space. That lasted about 12 hours. Then they started using the *INFINITE* array of open web proxy servers to connect to www.sprintrelayonline.com to bypass the IP block. Anyone can change their web browser to use a proxy anywhere in the world. This is completely pointless. If idiots in Lagos Nigeria can configure a browser to use a proxy, ANYONE can.
  • by Stonehand ( 71085 ) on Wednesday August 31, 2005 @05:47PM (#13449279) Homepage
    Freedom of speech does not imply the right to force anybody else to listen.

    You're free to spew whatever packets you like. I'm free to discard them for whatever reason I choose.
  • by JimDot ( 519946 ) on Wednesday August 31, 2005 @09:18PM (#13450645) Homepage
    Just put a few references to Falun Gong on the web site. The Great Firewall of China will soon block everyone for you.
  • Re:I am chinese (Score:1, Insightful)

    by Anonymous Coward on Wednesday August 31, 2005 @09:25PM (#13450682)
    127.0.0.1
  • by shadowmas ( 697397 ) on Wednesday August 31, 2005 @09:37PM (#13450753)
    What he said was it's okay for an individual to decide who in what country would be allowed to email them. But no other person should decide it for them (ex. the ISP, Government, etc.).

    Consider some other person who you would like to email (maybe you wanted to talk to him about his very nice opensource product which you just found out about?) If that person has blocked you then there is little you can do since it was his choice. But what if his ISP has blocked you for some pigheaded reason?

    Blocking IP ranges of any kind should only be an option for the end user. Not for anyone else.
  • Re:I wish... (Score:5, Insightful)

    by patio11 ( 857072 ) on Wednesday August 31, 2005 @11:16PM (#13451300)
    How much do you trust your customers to adequately describe what their needs are? And how much do you trust that description to not change for the duration they are your customers?

    Let me tell you my experience sending email from Japan:

    1) I have been the silent party of a conference call between a professor at a major American university and the tech he was "#$%#&$ing out because said professor did not get the five-figure speaking fee we wanted to pay him because our repeated attempts to contact him went unanswered (the techs, to save themselves a little hassle, had blacklisted *.jp)

    2) I have been asked "Why don't you ever write?" by a favorite auntie, who is exactly the lady those tech support humor web sites make fun of. I do write, once a week like clockwork. Her ISP decided on her behalf that it needed to be /dev/null'ed.

    3) I have a 99 year old great grandmother who, bless her heart, has started to use the computer. She is doing exceptionally well for 99, but if you ask her four days out of five she'll tell you "No, of course not, don't know anybody living abroad. I haven't been back to Ireland since I came over in 1916 and all my family there is dead". Then if you go on to prod her about her great grandsons she'll take your ears off bragging about those fine young men who went off and got educated and are now living in Korea or China or somesuch place where the folks are very friendly and they drink excellent tea although of course not the sort that they made in County Cork.

    4) I get a copy of my local newspaper (for the neighborhood I grew up in) delivered to me once a month by my mother. A favorite teacher of mine from grade school just retired. One Google search later I had his school's office email address and sent them a letter of congratulation to forward on to him. I've gotten no response -- it probably got eaten. Asked yesterday whether he needed to speak to anyone abroad or not, this veteran of the Chicago Public Schools would have said "Nope, can't say that I do".

    5) Three companies have lost my business because they can't handle having a customer abroad (seeming inability to handle emails played a part in all three cancellations, not entirely sure it was the only issue though). One (my bank) has gained it for life because they went the extra mile, including having a $10 an hour telephone operator having a three-day long spat with their IT department before I could get whitelisted. (Oddly, the IT department had clearly spent a lot of development resources on making their web forms, etc international-aware... and then /dev/null'ed all email from the customers using the special forms)
