Blocking a Nation's IP Space 404
SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?
My ban list is extensive but I'm a home user only. (Score:4, Insightful)
Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.
Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?
I have an extensive ban list on my firewall including tons of
I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people. Don't like it? Oh well, I'm unconcerned. This particular Ask Slashdot might be pertaining to something else but the blurb wasn't really clear.
If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block
After moving off of Comcast for residential DSL through a respectable provider I find that I don't have worms constantly hitting my machine. I don't have as many attack attempts and I certainly am not blocking quite as much spam. I long for the day when I don't have to add another
Officially insane. (Score:5, Insightful)
What big company.... (Score:5, Insightful)
No. No. No. (Score:5, Insightful)
Ya... (Score:5, Insightful)
This seems a rather murky route to go down, that ultimately, will be in no one's best interests.
what would cut down spam (Score:5, Insightful)
would be if China blocked inbound USA connections seeing as 80% of the worlds spam originates from there [spamhaus.org], the numbers are no different for all the other scams either ie Phishing, Malware, Adware , Spyware [internetnews.com] etc etc
hmmm perhaps the rest-of-the-world should just cut off USA it would probably stop 80% of internet related crime overnight
Re:My ban list is extensive but I'm a home user on (Score:2, Insightful)
Re:My ban list is extensive but I'm a home user on (Score:3, Insightful)
It's fairly apparent where I'm from. I didn't feel the need to state it -- if you'd like more info my post history and personal URL are there.
As far as America being full of hackers. This is true. They don't typically fuck with me from American IPs though. The main problems I see from America are morons running unpatched shit on residential connections.
Anyone else from America that is tryin to exploit me is generally coming from a foreign IP (to try and mask their accountability). It's been going on like that for years. Get over yourself.
Isolationism is alive and well in the homes of America as well as the White House!
Off-topic, but, I wish we were practicing Isolationism in the White House. We wouldn't be fucking shit up in Iraq.
Baby with the bathwater? (Score:4, Insightful)
It would though depend on the size and usage of the network you would be blocking Chineses traffic from. If you're a small buisness with absolutely no connection to China whatsoever, you might be ok blocking the entire IP block to protect your network from spammers. But, even an average size network might have some sort of Chinese connection, either from the outside in or vis versa. Lots of companies and people inside China that try to access that network would effected, not just the spammers.
Re:what would cut down spam (Score:5, Insightful)
It's also a list of the people creating the spam, not the location of the machines that are sending it.
And note that North America includes the US, so a lot of that spam is by Americans, for Americans. Just relayed through China, Korea and Brazil.
treat your network like a sewer (Score:3, Insightful)
Do it if you can... (Score:3, Insightful)
"What is your opinion of this and what do you propose to help correct this?"
If you can get away with blocking out large IP spaces of an entire country, do it. If you can't, don't. I don't receive any legitimate mail from chinese IP addresses and never will. I don't block anything at the moment, but if it solved much of the scanning and spam I see I'd probbably consider it. Unless you have a global market, why not do it if it solves more problems than it creates?
I think when a US company starts targeting large ISPs in the US, or are an ISP yourself you're going to run into trouble though. I know an ISP that discards all mail coming from roadrunner addresses as spam. That's a terrible practice for the ISPs customers who aren't getting legitimate email.
Inappropriate & Heavy-Handed Response (Score:5, Insightful)
From a political science and ideological perspective, industrialized and democratic companies benefit little form blocking the access of citizens of 'pariah' nations to non-classified information. Any opportunity to make available memes that offer alternatives to the totalitarian state line further create the opportunity for the expansion of democracy and free access and speech in those countries. Blocking national IP ranges in this manner would also decrease this opportunity.
Block nothing (Score:2, Insightful)
Short answer? Clever design, application layer solutions (e.g. multi-level filters and signatures based protection for application traffic), which implies more resources, and some administrative headache to put up with, when things go wrong. Always need to keep the balance: if the costs of doing business (of which the human and technical solutions needed to avoid across-the-board denial are mandatorily included) become higher than the return/profit, we will rethink the options. Until then we are happy when others (preferably competitors of ours) apply the knee-jerk solution of blocking country-wide networks
Blunt force trauma (Score:3, Insightful)
Over the past 6 months I've identified and recorded all SSH dictionary attacks on my machine. I've recorded exactly 211 IP addresses so far.
People who advocate blocking
Dynamic Block (Score:3, Insightful)
However I'd suggest a dynamic blocking as the best means to do i.e. a machine generated list. Have a server outside the firewall examine incoming requests and block IP ranges where significant numbers of dubious requests are coming from. If the number of dubious requests falls below a certain rate then the IP range is unblocked.
This is a lot better than a permanent ban because you can't be accused of implementing a political agenda of your own and it rewards ISPs/Companies/Countries that eventually clean up their network space. Of course it does mean that you have to be able to define in terms a computer will understand what a "dodgy" request is.
Re:My ban list is extensive but I'm a home user on (Score:5, Insightful)
Blocking based on IP range and or country is pure and simple discrimination. A lot of people don't seem to grasp why discrimination is bad until they end up on the receiving end...
Having said that; if you want to block half the world, I believe that's your right. Just don't block it for me please, I'd like to make that decision myself.
Hypocritics (Score:2, Insightful)
If your going to do this at your company then don't whine about Chinese censorship any longer.
Re:My ban list is extensive but I'm a home user on (Score:3, Insightful)
I'd suggest just keeping your services secure. Automated attacks are aimed at the lowest common denominator, even basic security steps will stop them. My smb server gets connect attempts at a rate of around 2 per second, and has done for the last six months or so. So far none have got in. I only take action if I'm getting hammered by a single IP, and then I'm more likely to complain to his ISP than block him.
I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account
As well they should. The internet should be a community, not controlled by big corporations like other media.
and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).
Ooh, because an attacker is obviously so much less likely to use GMail than hotmail. After all, it's made by the holy Google who say "Do no evil", and everyone knows MS are always evil.
I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people.
If you want to be a part of the internet rather than a passive consumer of it, you should let everyone access what you're serving. Anything less is worse than nothing at all.
If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.
Why do you want to block entire countries? Assuming Brazilians are evil because one tried to hack you is pure prejudice and as bad as any other kind.
Re:My ban list is extensive but I'm a home user on (Score:3, Insightful)
Dude, seriously, what are you doing on slashdot? Didn't you know that hot babes from all over the world are trying to email us all day every day?
Honestly, for me, email is like the phone- the list of people that I want to have access to me isn't that long. Not because I am a hot commodity, but because I don't like being disturbed.
It is your computer- you can restrict access however you want. If you only want to accept email from people over 6 feet tall and white, it is up to you. It is your computer! What a concept!
Anyhow- good luck with the wedding. (Or as my mom told me, "you aren't planning for a wedding, you are planning for a marriage..." Big difference...)
Re:some ideas for networking (Score:5, Insightful)
Re:What is my opinion?! (Score:3, Insightful)
Censorship is wrong. Blocking spam isn't censorship. That's your error.
Please join the closest Amish Community ASAP! (Score:1, Insightful)
Of course, running water and electricity have to be forfeited, but your family will have the warm feeling of doing the right thing every time they take half an hour to get water for the weekly bath.
Then, if you want to keep some and be protected from the rest, join the closest Mormons, where you will have the possibility of marriying underage teens by the dozen, as long as you find some that are still available....And still be closer to god.
What you are proposing is the ability for microsoft to keep the internet market forever, without having any competitor, and no possibility for you (me) to escape the pigopolist...
"This set of protocols could allow trusted machines to receive properly licensed and authorized content but still filter out other less useful but more dangerous content/extentions like exe's, zips, tar.gz's, bz2, py, and iso's, and additionally any encrypted content, and the major webserver venders would have to outlaw application/octet mime types to regain control of the internet-turned-piracy haven that the thieves like warez groups and gnu have perverted, not to mention all the pornography and child molesting an open internet produces."
There was this sentence from Benjamin Franklin about freedom and what awaits people ready to sacrifice freedom for a little bit more security...look for it, it will be instructive to you....
your data, if really important, can be encrypted, backuped, mirrored, made unreachable to 99.9% of the internet population. you just have to exert some efforts and understanding to make it so...
Well, I'm answering to an anonymous troll, might as well piss in a violin !
Its time to make the slashdot safe again from you for our pleasure and entertainment...
Any chance of you leaving on your own ?
Hypocritical? (Score:3, Insightful)
Not at all (Score:5, Insightful)
much simpler solution to blocking chinese IP (Score:4, Insightful)
1. put some text about freedom of speech and/or human rights in china on your webserver
2. make sure google finds you
then the chinese government itself would see that chinese IP traffic can't reach you.
Re:Ya... (Score:5, Insightful)
Nope. Nothing strange about that.
For you or me to choose not to get email from Chinese addresses, or not to acknowledge packets from Chinese addresses, is to exercise our liberty. We have the right (among others) to ``freedom of association''. That means that we can choose who we associate with ... and who we don't.
This is radically different than a government trying to tell us that we cannot access certian websites (as the Chinese government has been doing with help from Cisco, MS and Google).
Let me try to re-phrase all that in simple terms: If we don't want to play with somebody, that's OK. If the bullies try to stop us from playing with someone, that's not OK.
OK?
Don't cut China off from our culture and values (Score:3, Insightful)
I have been to China, my wife is Chinese, and the region where I live (Vancouver) is about 25% ethnic Chinese. China is an important country, and its power is growing - look at recent purchases (and attempts) of major Canadian and American companies. China, its culture, and its policies will increasingly impact our lives. We will be exposed to their culture and values. We can't afford to be silent about ours.
YMMV (Score:1, Insightful)
If you're so worried about being hacked, invest in a good layer of defense and pro-active monitoring instead of blindly ignoring traffic. It's pretty amazing what a snort-guru can slap together for network IDS..
Opinion from a Sprint relay operator for the deaf. (Score:1, Insightful)
Re:What is my opinion?! (Score:2, Insightful)
You're free to spew whatever packets you like. I'm free to discard them for whatever reason I choose.
Let China do the work for you! (Score:2, Insightful)
Re:I am chinese (Score:1, Insightful)
Re:My ban list is extensive but I'm a home user on (Score:2, Insightful)
Consider someother person who you would like to email (maybe you wanted to talk to him about his very nice opensource product which you just found out about?) if that person has blocked you then there is little you can do since it was his choice. but what if his ISP has blocked you for some pigheaded reason?
blocking ip ranges of anykind should only be an option for the end user. not for anyone else.
Re:I wish... (Score:5, Insightful)
Let me tell you my experience sending email from Japan:
1) I have been the silent party of a conference call between a professor at a major American university and the tech he was "#$%#&$ing out because said professor did not get the five-figure speaking fee we wanted to pay him because our repeated attempts to contact him went unanswered (the techs, to save themselves a little hassle, had blacklisted *.jp)
2) I have been asked "Why don't you ever write?" by a favorite auntie, who is exactly the lady at those tech support humor web sites make fun of. I do write, once a week like clockwork. Her ISP decided on her behalf that it needed to be /dev/null'ed.
3) I have a 99 year old great grandmother who, bless her heart, has started to use the computer. She is doing exceptionally well for 99, but if you ask her four days out of five she'll tell you "No, of course not, don't know anybody living abroad. I haven't been back to Ireland since I came over in 1916 and all my family there is dead". Then if you go on to prod her about her great grandsons she'll take your ears off bragging about those fine young men who went off and got educated and are now living in Korea or China or somesuch place where the folks are very friendly and they drink excellent tea although of course not the sort that they made in County Cork.
4) I get a copy of my local newspaper (for the neighborhood I grew up in) delivered to me once a month by my mother. A favorite teacher of mine from grade school just retired. One Google search later I had his school's office email address and sent them a letter of congratulation to forward on to him. I've gotten no response -- it probably got eaten. Asked yesterday whether he needed to speak to anyone abroad or not, this veteran of the Chicago Public Schools would have said "Nope, can't say that I do".
5) Three companies have lost my business because they can't handle having a customer abroad (seeming inability to handle emails played a part in all three cancellations, not entirely sure it was the only issue though). One (my bank) has gained it for life because they went the extra mile, including having a $10 an hour telephone operator having a three-day long spat with their IT department before I could get whitelisted. (Oddly, the IT department had clearly spent a lot of development resources on making their web forms, etc international-aware... and then /dev/null'ed all email from the customers using the special forms)