Become a fan of Slashdot on Facebook


Forgot your password?
Security IT

Blocking a Nation's IP Space 404

SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?
This discussion has been archived. No new comments can be posted.

Blocking a Nation's IP Space

Comments Filter:
  • by garcia ( 6573 ) * on Wednesday August 31, 2005 @04:02PM (#13448396)
    What is your opinion of this and what do you propose to help correct this?

    Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.

    Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?

    I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

    I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people. Don't like it? Oh well, I'm unconcerned. This particular Ask Slashdot might be pertaining to something else but the blurb wasn't really clear.

    If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.

    After moving off of Comcast for residential DSL through a respectable provider I find that I don't have worms constantly hitting my machine. I don't have as many attack attempts and I certainly am not blocking quite as much spam. I long for the day when I don't have to add another .0/24 to the firewall list.
    • Some friends and I discussed this once. The original purpose of the internet was so that no one place could be brought down in case of attack. Hence if you block china's IP space that may prevent some minor inconveniences but they will still be able to bounce through other servers. The only way to block them out would be if everyone else blocked china.
      • by Ucklak ( 755284 ) on Wednesday August 31, 2005 @04:45PM (#13448762)
        That only works with BGP. Once your hunker down to the local level, taking out a single router can wipe out alot of customers.

        Many a discussion have been had when your business-class internet goes out, all the suits quote the same "I thought the internet meant that it doesn't go out".
        Sorry, if your firewall goes out, your office is out.
        If your ISP's router feeding your office is out, you're out.
        If your ISP's feed has a bad router, they're out and guess what, you're out too.
      • Purpose of blocking (Score:5, Interesting)

        by Anders Andersson ( 863 ) on Wednesday August 31, 2005 @05:02PM (#13448884) Homepage

        The point of refusing access from certain IP addresses is not to deny service to any particular individual (or nationality, in case of entire countries being affected), but to protect against likely abuse and encourage individuals to use some other IP address. As long as your boycott is aimed at their network infrastructure (for aiding abuse) rather than at the country itself (for political reasons), individual users routing their traffic via other networks is not a problem; it's what you want them to do. The idea is that the secondary network will sort out the abuse (by making sure they know who their customers are, or by other means). If they fail to do so, they will be blacklisted too.

        Therefore I see no point in specifically blacklisting any single country, if not for political reasons. Entire countries are blacklisted because they conveniently map to large portions of IP address space. Some Chinese universities probably received their IP blocks before the commercial operators did, and may therefore have addresses in completely separate ranges. If the universities are a bit better at managing their networks, and the bulk of the abuse therefore comes from the commercial blocks, there is no reason both should be listed merely for being assigned to the same country.

        Likewise, a single address block may contain several operators in different countries, causing them all to be blacklisted simply because telling them apart takes too much time. It's all about network abuse history, not about nationality. And, I wouldn't have to rely on everyone else blocking a single abused network either, unless they all were to forward that abuse to me.

        I have however considered blocking mail servers indiscriminately "bouncing" virus messages having our domain forged onto them, when they have received those messages from IP addresses (often Chinese ones) already included in public blacklists. They could avoid such action on my part by simply using said blacklists themselves, but exactly how they solve their problem is up to them. If they simply avoid "notifying" innocent people every time they receive junk mail or other abuse, I will not bother them.

    • Cool! As an independent/home user myself, I can definitely empathize - another individual's rights to express themselves end at my eyes/ears - personally, I'm considering publishing a list of the IPs I block, and my reasons for doing so: as others weigh in (agreeing or dissenting), it could become the ultimate democracy...
      • by pclminion ( 145572 ) on Wednesday August 31, 2005 @05:18PM (#13449053)
        I'm considering publishing a list of the IPs I block, and my reasons for doing so: as others weigh in (agreeing or dissenting), it could become the ultimate democracy...

        Yeah, the "ultimate democracy." Where despotic regimes harbor cyber miscreants who piss off the inhabitants of "civilized" countries, who block those despotic regimes, therefore denying the innocent inhabitants of those regimes the ability to communicate unfettered with the rest of the free world.

        "Hey, there seem to be all these hackers in China. Let's block the entire nation of China from the rest of the Internet. That will really help the Chinese Internet censorship situation."

        But I guess your own convenience is more important that giving those people a conduit to freedom.

        As somebody else pointed out, an individual has every right to block or receive whatever traffic they wish. But if you're a network administrator at an ISP or government who thinks he's doing some good by closing off these segments of the Internet, you're nothing but low life scum who cares more about his temporary comfort that other people's lives.

        • by RM6f9 ( 825298 ) <> on Wednesday August 31, 2005 @05:42PM (#13449236) Homepage Journal
          Alrighty, then, troll feeding time!

                    230 years ago, this nation I live in was under a (different) "despotic regime" - some people decided to take some action, and it changed. The assistances they received happened after they started, not because they whined.
                    As an individual internet user, I have not ever blocked an email from a political dissident due to its political content. As a website author, I have not blocked anyone from viewing my site.
                    As a businessman, I respect and obey the laws governing my use of advertising online, by email (I fully comply with CAN-SPAM) and other means as applicable.
                    The above said, anyone who cannot see fit to play by the same rules can go figure out a different game *elsewhere*, instead of trying to play some bait (political freedom of speech) and switch (illegal spam serving) game.
                    There is no "divine right" nor requirement to maintain a web presence, to maintain completely open networks, to provide a podium upon which some poor abused oppressed individual can spout their issues to everyone else, no matter how "justified" they might be.... This whole intarweb thing borders so closely to being completely fictional it isn't funny - please *do* seek to force your beliefs concerning how things *should* be onto the current way things are - only time will tell how successful you were.
                    Please *don't* consider the over-worked net administrators as enemies: The real enemies are those spam servers who bury any legitimate content coming out of dissenting China more effectively than any locally-applied blocks ever could.

    • For email, you can use the RBL. Just add the two-letter country code as a prefix. So if you wish to block China from sending email, the RBL server is
      • What I'd like to know is whether most of the Asian ISPs are doing like the ones here in the States. Every broadband connection I've had until recently had a dynamic IP. Even so, the shortest time I ever had an IP was 12 months. That's with Charter cable, Sprint DSL, and a regional telecom outfit Ntelos. If the Asian ISPs are setting super high TTLs on the IPs like they do in the States, then just block the individual problem IPs as needed. IMO that would be a much safer route to take than blocking entire co

      • Easy ban lists (Score:5, Informative)

        by tyler_larson ( 558763 ) on Wednesday August 31, 2005 @05:33PM (#13449166) Homepage
        Want to know all the subnets a given country (in APNIC) uses? How about 3 lines of perl:

        $ctry = shift || 'cn';
        $_ = `GET country=$ctry`;
        print join "\n", /([0-9\.]+\/[0-9]+)/g;

        My philosophy is that you should get to decide who you want to talk to. If you don't want to talk to anyone in China (or Australia, or whatever), then no one says you have to.

    • If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

      You are free to block any addresses you want. However, I must ask what makes you so important that people must use the mail service you dictate in order to contact you? I think that doing what you have done would cause more inconvenience to myself than anything else. If people couldnt get through t

    • Awesome, I like your style, and I find myself doing the same things, having to block out entire countries and portions of the world from getting to my stuff. I hope a lot of PC weenies try to argue with you, because they have no footing to stand on.

    • by ( 321932 ) on Wednesday August 31, 2005 @04:30PM (#13448624) Homepage Journal
      This is all fine and dandy. Until _you_ end up being blocked from a whole bunch of stuff because of some asshole in the same IP space.

      Blocking based on IP range and or country is pure and simple discrimination. A lot of people don't seem to grasp why discrimination is bad until they end up on the receiving end...

      Having said that; if you want to block half the world, I believe that's your right. Just don't block it for me please, I'd like to make that decision myself.
      • If you are trying to say that blocking an IP for a country is somehow comparable to say, South African apartied, or segregation in the U.S. South, or not letting women vote in Saudi Arabia, or any of the horrors we normally think about when someone mentions "discrimination", then you are crazy! Absolutly crazy!

        I just entered a contest online for Coca Cola. The contest is only open to residents of Canada. Are you calling than discrimination? Coca Cola Canada is running the contest, and they have decided to
    • Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.

      I'd suggest just keeping your services secure. Automated attacks are aimed at the lowest common denominator, even basic security steps will stop them. My smb server gets connect attempts at a rate of around 2 per second, and has done for the last six months or so. So far none have got in. I only take action if I'm getting hammered by a single IP, a

    • by Rooktoven ( 263454 ) on Wednesday August 31, 2005 @04:42PM (#13448735) Homepage
      Actually, there are a few pages that wil gelp you find blocks from rogue countries. But first on to the ethical questions--

      I'm the admin for a company with around 70 employees, we maintain our own website, and mail systems. We had been getting pounded with spam and a lot of ssh attempts.

      Before taking any action, we found that China (predominately) and Korea were the source of most of our break-in attempts and spam sources. Given that we do _some_ international business, but not there, that was an easy call. Other countries soon followed. Our criteria has been that if there is any chance that someone will travel to a particular country or if the country has useful information to be had via someone with email, we don't block. I know it sounds judgmental, but it has cut our spam/scams down by about 75%. I would prefer to block all cable access to mail, but that would potentially hurt our road warriors with SMTP-AUTH. The slippery slope comes in when you say "Screw anyone on Wannadoo or BTI or Time Warner, etc. running a mail server." I know I quit running a mail server at home just because my stuff was blocked. Our compromise is that spam sources are individually blocked (rather than by range) in places where we travel or may do business.

      Further if you have a good firewall scheme you don't have to block web access. You can block the ports that give you trouble and still allow http access if you need the Chinese comsumer market to see your site. I have found that an invaluable tool to use in conjuntion with iptables is IPSet [].
      It allows for very quick processing of ranges or hashes of individual addresses.

      If you want info on blocking countries (sorry if I offend anyone) look here: []

      and [] (when it's up...)

      Personally, I find blocking unwanted guests akin to allowing only people on your chat list to talk to you...
  • Officially insane. (Score:5, Insightful)

    by Dibblah ( 645750 ) on Wednesday August 31, 2005 @04:03PM (#13448402)
    They're a web hosting provider. And they're blocking entire netblocks from viewing *their customer's* content.
    • by hattig ( 47930 )
      I agree, it's wrong.

      Well, it is wrong because they haven't notified their customers and given them a choice about leaving or staying. It isn't a hard sell ('our servers will be more secure, you'll lose China and Korean readers - but if you want a specific IP we can assist you') but customers deserve to know the state of play.

      In fact, I think this should go as far as sending a daily email of blocked spam emails (from and subject lines only, of course).
    • by drgonzo59 ( 747139 ) on Wednesday August 31, 2005 @04:47PM (#13448780)
      What is so insane about it? It all depends on your target customer/audience base. If I sell scented candles and ship only to US, why would I want Chinese and Russians looking through my catalog. There is no way they can buy it but there is a high chance that they might hack my web site.

      This is just an example, but the idea goes for other kinds of sites too...

  • by millahtime ( 710421 ) on Wednesday August 31, 2005 @04:03PM (#13448403) Homepage Journal
    What big company is going to block China? That's where most of their workers are. Can't cut your communications lines to them.
    • by Zocalo ( 252965 )
      Plenty of big companies, even those with most of their workers outsourced to China, could do this quite easily if they were so inclined. The trick would be to whitelist the IP addresses that they actually need to do business out of the tens of millions of IP addresses assigned to China, and then block the rest. If you wanted to be really slick, then you could even route traffic from the questionable IP blocks through a dedicated firewall to avoid bogging down the rest of your traffic with a huge list of f
  • I agree. (Score:2, Funny)

    by Fishead ( 658061 )
    Chinee Ip Space should TOTALLY be blocked. Those Chinee, they are always up to no good.

    Who are the Chinee anyhow?
    • Who are the Chinee anyhow?

      Actually, it's who is the Chinee. Chinee is the singular of Chinese. Fortunately that means that not all that much is going to be blocked.

  • by SCHecklerX ( 229973 ) <> on Wednesday August 31, 2005 @04:04PM (#13448423) Homepage
    Maybe to get around the great firewall of china. Also, the company I work for is global. We have offices in china connected via IPSec. Not smart of us to block china telecom addresses...
  • For most businesses (at least those that operate globally), that isn't an option. However, for my home network and home mail server it drastically cut both spam and probes against my network.
  • No. No. No. (Score:5, Insightful)

    by Puls4r ( 724907 ) on Wednesday August 31, 2005 @04:05PM (#13448425)
    Simply blocking the IP doesn't fix the problem, and is on the same level as them blocking searches engines and sensoring US web sites. Bot engines etc etc, if you stop it one place it will simply spring up in another. Filtering ala google PRIOR to it hitting the consumer is the real key. That and corporate involvement - when it really begins to cost them money we'll see an improvement.
  • Ya... (Score:5, Insightful)

    by mr_tommy ( 619972 ) * <tgraham@gma[ ]com ['il.' in gap]> on Wednesday August 31, 2005 @04:05PM (#13448427) Journal
    Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations access to western sites because of rogue elements in their borders?

    This seems a rather murky route to go down, that ultimately, will be in no one's best interests.
    • If you don't do business in China, why not?

      The Chinese government does little or nothing to stop hackers who originate in their country, so I think it is justifiable to block the country, if you feel that you can afford to.

    • It's simply the difference between choosing to do something and having it forced on you.

      (Note: I don't personally block any country's IPs, but have no problem with others doing so on their own computers, just as long as they don't try to restrict what I can access on mine.)
    • Not at all (Score:5, Insightful)

      by Mustang Matt ( 133426 ) on Wednesday August 31, 2005 @04:49PM (#13448804)
      We want to censor ourselves, we don't want a government to censor us. If an individual or company decides to block traffic from a country more power to them. It's a choice they have the right to make. If the government wants to do it then that sucks because the people have lost that choice.
    • Re:Ya... (Score:5, Insightful)

      by RealAlaskan ( 576404 ) on Wednesday August 31, 2005 @05:28PM (#13449121) Homepage Journal
      Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations access to western sites because of rogue elements in their borders?

      Nope. Nothing strange about that.

      For you or me to choose not to get email from Chinese addresses, or not to acknowledge packets from Chinese addresses, is to exercise our liberty. We have the right (among others) to ``freedom of association''. That means that we can choose who we associate with ... and who we don't.

      This is radically different than a government trying to tell us that we cannot access certian websites (as the Chinese government has been doing with help from Cisco, MS and Google).

      Let me try to re-phrase all that in simple terms: If we don't want to play with somebody, that's OK. If the bullies try to stop us from playing with someone, that's not OK.


  • I've got a friend that blocks email from Nigeria, but I'd never do that. You never know when someone really does need help moving millions of dollars out of the country and will gladly give me a cut of the proceeds. For that reason alone I'd never block them.
  • I am chinese (Score:5, Interesting)

    by lappy512 ( 853357 ) on Wednesday August 31, 2005 @04:06PM (#13448440) Homepage
    As a chinese American, I feel that these tensions between the USA and China are unnecessary, many things about China are sometimes overstated. For example, last summer I visited China, expecting to see many US sites blocked by the Great firewall, but instead do not see things like that. I did not encounter any websites that seemed to be blocked. Also, many Chinese can read English, so I also feel it's unfair to block Chinese users from some websites.
  • by Anonymous Coward on Wednesday August 31, 2005 @04:07PM (#13448445)

    would be if China blocked inbound USA connections seeing as 80% of the worlds spam originates from there [], the numbers are no different for all the other scams either ie Phishing, Malware, Adware , Spyware [] etc etc

    hmmm perhaps the rest-of-the-world should just cut off USA it would probably stop 80% of internet related crime overnight

    • by Kelson ( 129150 ) * on Wednesday August 31, 2005 @04:14PM (#13448507) Homepage Journal
      Actually, that's 80% of North America's and Europe's spam. It doesn't provide any stats on how much of China's spam originates in the US.

      It's also a list of the people creating the spam, not the location of the machines that are sending it.

      And note that North America includes the US, so a lot of that spam is by Americans, for Americans. Just relayed through China, Korea and Brazil.
    • by DNS-and-BIND ( 461968 ) on Wednesday August 31, 2005 @04:25PM (#13448581) Homepage
      The USA has compelling content online (if you speak English). China has very little information available in English, and can be blocked off with little loss. Unless your idea of compelling content is reading poorly-translated flash-enabled manufacturing company websites, or government-approved news sources.

      There are scores of young men who sit around in internet cafes all day and do nothing but scan for vulnerabilities in badly-coded applications, mostly message boards. I know, I've seen them. Yes, it is most unusual for a Chinese fellow in an internet cafe to not be playing Counterstrike, but I assure you it does indeed happen. You can turn on the scanner and let it run in the background while you play Counterstrike, don't forget.

    • did you mean Romania by any chance :) ?
  • Sure - I block 'em (Score:4, Interesting)

    by ALecs ( 118703 ) on Wednesday August 31, 2005 @04:12PM (#13448483) Homepage
    I've got about 20 lines in my hosts.deny file - mostly /8 and /16 nets. This is on a server that hosts some services for showing off our products and it was seeing huge amounts of SSH dictionary attacks and web shell code, etc.

    Basically - if we know we want a prospect in China, Korea, etc. to use our site, we'll open something for them - otherwise they should just go the heck away.

    If enough people -j DROP China, etc., maybe somethign will get done about. (I know - wishful thinking).
  • by Bananatree3 ( 872975 ) * on Wednesday August 31, 2005 @04:13PM (#13448498)
    It would seem that blocking China's IP block might in some cases cause collateral damage when it comes to accessing certain sites. While it is true that blocking the entire China IP block would get rid of a LOT of spam that comes from Chinese bullet-proof ISPs, there is also a side effect. Ordinary people who try to connect to a network from inside China would also be blocked as well, and this cause a lot of collateral damage in terms of the average Chinese web browsing population.

    It would though depend on the size and usage of the network you would be blocking Chineses traffic from. If you're a small buisness with absolutely no connection to China whatsoever, you might be ok blocking the entire IP block to protect your network from spammers. But, even an average size network might have some sort of Chinese connection, either from the outside in or vis versa. Lots of companies and people inside China that try to access that network would effected, not just the spammers.

    • Exactly. We can't block China where I work (an ISP), because we have customers who are businesses, and there's a lot of economic activity between the US and China. We once had to make an exception for the SBL because someone was on a business trip to China and his only net access was via a spam-infested network that had gotten itself listed on Spamhaus.

      I wouldn't consider blocking mail based on geography alone unless I could get input from everyone the policy would affect. You can do that as a home user,
    • How many people in China actually connect to your legitimate services? Unless you're providing Chinese-language content in the simplified character set, I doubt that you have many users. And if you are providing content in the appropriate language, and you say something the Chinese government doesn't like, you will be blocked by the Great Firewall in short order.

      And the standard way around the Great Firewall is a proxy or VPN, both of which will make your traffic look like it's coming from somewhere els

  • What a coincidence (Score:2, Interesting)

    by Anonymous Coward
    I was doing my weekly spam analysis report today, and after collecting just 3 months worth of data I started toying with the idea of blocking whole IP ranges. Sure, the spammers were using botnets and the trend reports brought to light some interesting points of intersection, but one thing stood out clear and plain. Blocking email coming from China would cut out over 60% of spam at the 1st firewall, before it even reached the mail filter.

    I work for a UK company who deals with multi-nationals, but they all

  • by Indy1 ( 99447 ) <> on Wednesday August 31, 2005 @04:18PM (#13448536) Homepage
    and expect others to treat it like a sewer. Chinese (and other apnic networks) isps just dont give a damn how much abuse their users heap on the rest of the net. Between the spam, worms, and other crap they spew, they've gotten a hard earned spot in my firewall. Granted i am not a huge business or isp, but at the rate they're going, it wont be long before big isps and businesses DO firewall all of apnic as a pre-emptive measure.
  • by Vellmont ( 569020 ) on Wednesday August 31, 2005 @04:19PM (#13448543) Homepage

    "What is your opinion of this and what do you propose to help correct this?"

    If you can get away with blocking out large IP spaces of an entire country, do it. If you can't, don't. I don't receive any legitimate mail from chinese IP addresses and never will. I don't block anything at the moment, but if it solved much of the scanning and spam I see I'd probbably consider it. Unless you have a global market, why not do it if it solves more problems than it creates?

    I think when a US company starts targeting large ISPs in the US, or are an ISP yourself you're going to run into trouble though. I know an ISP that discards all mail coming from roadrunner addresses as spam. That's a terrible practice for the ISPs customers who aren't getting legitimate email.
  • by aldheorte ( 162967 ) on Wednesday August 31, 2005 @04:20PM (#13448549)
    Even if *you* block a range of IP addresses, someone operating a computer on one of those IP addresses could still connect with your server simply by going through a proxy not blocking them, but which you have not also blocked. Given that blocking a national range of IP addresses provides no real security from a marginally determined and capable attacker and that it promotes a balkanization of the Internet, decreasing the network affect and therefore overall utility of the network by blocking many potentially legitimate connections, this seems like a very inappropriate and heavy-handed technical response to unwanted requests from a particular country. It also saves no bandwidth since the filtering happens at the receiving server after the packets have travelled through the network.

    From a political science and ideological perspective, industrialized and democratic companies benefit little form blocking the access of citizens of 'pariah' nations to non-classified information. Any opportunity to make available memes that offer alternatives to the totalitarian state line further create the opportunity for the expansion of democracy and free access and speech in those countries. Blocking national IP ranges in this manner would also decrease this opportunity.
  • Block nothing (Score:2, Insightful)

    by papaia ( 652949 )
    I have a corporate network to run, and we are only expanding in China. There is no realistic way to resolve any issues at the IP or DNS/domain level, as same ISPs providing services to spammers and crackers, are also hosts of my customers.

    Short answer? Clever design, application layer solutions (e.g. multi-level filters and signatures based protection for application traffic), which implies more resources, and some administrative headache to put up with, when things go wrong. Always need to keep the balan
  • I hope that that's a typo and not a revisitation of an old derogatory term. (See, "The Heathen Chinee []" by Bret Harte. Opening stanza:

    Which I wish to remark,

    And my language is plain,
    That for ways that are dark
    And for tricks that are vain,
    The heathen Chinee is peculiar,
    Which the same I would rise to explain.

  • ... according to [] featured today in another ./ article the US is the biggest source of spam.
    This is a lot easier if you are outside the US.

    Greetings from a blue country.
  • They block your IP address space!
  • Firewalled people (Score:3, Interesting)

    by m50d ( 797211 ) on Wednesday August 31, 2005 @04:27PM (#13448592) Homepage Journal
    Firewalls of any sort are a menace. They're not part of the open internet. Every port of every publicly routable IP should either be open, because it's providing a service accessible from the open internet, or closed, in which case it should respond appropriately when it gets packets there and not just drop them. I don't actively block them, but I try to avoid enabling any options on my services that would help firewalled users.
  • At the end of the article, the author talks about how he thinks the Chinese government doesn't know about this activity.

    Actually, they probably condone it. The more web servers that are blocked from the Chinese people, the more likely they'll be isolated behind the Great Firewall of China.
  • Blunt force trauma (Score:3, Insightful)

    by groomed ( 202061 ) on Wednesday August 31, 2005 @04:28PM (#13448603)
    Blocking a /16 means blocking some ~65000 IP addresses. Blocking a /24 means blocking around 16 million IP addresses.

    Over the past 6 months I've identified and recorded all SSH dictionary attacks on my machine. I've recorded exactly 211 IP addresses so far.

    People who advocate blocking /16's and /24's should consider wrapping their CAT5 in tin foil.
  • Blacklists are temporary solutions. The larger the blacklist, the more temporary. It's like censorship in this regard.

    Blacklisting is a balancing act between the nature of the Internet and what you want out of it. It only "works" to a degree, but it never solves the problem. I'm not saying give up or stop blocking IP's, but people need to come to grips about the real world. The Internet is a two-way street, so let's start looking at it that way, eh? Blocking whole countries is extreme. Some people re
  • For my own use, to block spam email, I use procmail to filter foreign language encodings in languages that I can't read. Of course there are problems, many spammers don't properly tag their encodings, assuming the target audience has their mailreader set to that language as a default. And it won't filter UTF-8 foreign language encoded mail (you have to leave that one unblocked). And of course it doesn't filter non-email attacks against my domain.
    But it's a good start, and a totally benign one. Email in a la
  • Dynamic Block (Score:3, Insightful)

    by Roger W Moore ( 538166 ) on Wednesday August 31, 2005 @04:29PM (#13448614) Journal
    Reading the original article (always a bad move) it talked about blocking dodgy looking web requests which, I'm guessing, took up a significant fraction of the server's resources. In such a case I'd go ahead and block. You might loose some potential valid users but that is a lot less than loosing everyone if your server clogs up.

    However I'd suggest a dynamic blocking as the best means to do i.e. a machine generated list. Have a server outside the firewall examine incoming requests and block IP ranges where significant numbers of dubious requests are coming from. If the number of dubious requests falls below a certain rate then the IP range is unblocked.

    This is a lot better than a permanent ban because you can't be accused of implementing a political agenda of your own and it rewards ISPs/Companies/Countries that eventually clean up their network space. Of course it does mean that you have to be able to define in terms a computer will understand what a "dodgy" request is.
  • I was using for awhile to help construct my ACL's. Now that it's MIA, anyone got an alternative?
  • The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?

    At least the author didn't "beg the question."

    Because, someone would have to finally lose their editorial rights. But ScuttleMonkey can live to edit another day, as long as he can fix the grammar in that sentence.
  • Hypocritics (Score:2, Insightful)

    by marcantonio ( 895721 )
    On slashdot we always make a big deal out of censorship particular to the Chinese government. Why then, would it be ok for us to do the same thing to it's people. Many attacks do come from there, but that doesn't make it any less wrong.

    If your going to do this at your company then don't whine about Chinese censorship any longer.
  • by klubar ( 591384 ) on Wednesday August 31, 2005 @04:30PM (#13448631) Homepage
    At my company we block email based on country blacklists for countries that we don't do business with. It certainly cuts down on spam ... and has no false positives. If employees need to send/receive email from these countries for personal correspondence they can do it from home. It seems like a relatively no-brainer, not unlike having a receptionist screen calls or visitors.

    If our firewall could easily block IP addresses, I'd do that too.
    • At my company we block email based on country blacklists for countries that we don't do business with. It certainly cuts down on spam ... and has no false positives.

      Really? I do quite a bit of purchasing for my US based company. But I'm not originally from the US, so it happens frequently that I use my foreign email address because it's shorter/easier, and it's what I've used for many years.

      Sounds to me like a false positive is definitely possible. I'm not the only person that has moved to the US and someti
  • It's not just China (in fact, the bloke from SecurityFocus says this towards the end). I tend to see logs containing a lot of stuff from China, Taiwan and Korea, but also Argentina, Italy, France, Canada and the US. If you blacklisted every country which turned up unannounced in your logs you'd soon run out of countries to ban.

    However, the question should be asked - who, exactly, do you expect to legitimately want to access your server? If it's a group of friends accessing some common stuff on one machin
  • As someone who has suffered a tidal wave of spam and some other hack attempts the problem isn't particuarly with the average Chinese internaut but with US citizens hiding behind lax Chinese ISPs.

    Chinanet Henan Province and Chinatelecom are notorious homes to US based spammers. I've written a brief paper on the subject here []

    Ok I've moved a bit off the topic of hacking attemps - but hacking/spamming are two sides of the same coin. Personally I've refrained from ban
  • My company has been blocking foreign IP space for years. We are a retail outfit and we don't do business with China, Southeast Asia, South America, the Persian Gulf, Africa, or former Eastern Bloc nations. So, consequently, our mail servers block these guys. I use lists from the now-deceased site, plus other netblocks that I have culled on my own. Since is no longer operational, you can download my archive of these lists from me: []
  • Somehow my email address recently wound up on quite a number of spam lists. I have no idea what they were trying to sell since all of it was from japan and was written in japanese. As if ads for "v1&gra" weren't hard enough to read. Hell, at least three quarters of the characters weren't even in my unicode font and couldn't be displayed. After weeks of adding filters to block each new address, It finally occurred to me that I know no one from Japan and that chances are that I will never be in communi
  • by TheLittleJetson ( 669035 ) on Wednesday August 31, 2005 @04:37PM (#13448684)
    ...just put a bunch of stuff on your website advocating a free and democratic China. They'll block it for you.
  • When I changed some setting to apache to let people from our company access the web via our proxy, I made an error and I also opened the proxy to the outside.

    The next days everything was slow and the log showed that I had a lot of request from outside ip address to other outside ip address. The majority of those address came from China.

    I change the setting in apache but I still had request by the hundred. I finally called my ISP and we have blocked a lot of range from China and right after the traffic
  • I don't care if this is yhe USA censoring China or vice versa []. Censorship is always wrong no matter what. Always. Our grandmothers and grandfathers have literally died for our freedom of speech and they are spinning in their graves right now.
    • So you read every single spam? From beginning to end? If you don't, you are censoring those spammers! You, personally, are grinding those hard-working, ethikul bidnezmen under the bootheels of oppression!

      Censorship is wrong. Blocking spam isn't censorship. That's your error.
  • The author mentions that his friends in question here are running a hosting service, and they didn't tell their customers about the blocking.

    That's what I see as the biggest issue. Personally, I'm appalled by the idea of blocking an entire country. It feels like some sort of jingoism or racism on a gut level, and on a practical level it interfers with potential business or academic interests who have lots of reasons for reading all kinds of thigns. The internet is one of the coolest tools we have for mo
  • I block several countries at my business: Korea, China, Brazil, Russia and Japan.

    However, I do have an automated response that tells the sender they've been blocked by my blacklisting service and that they should contact me (by phone) to resolve the issue. My company has no reason to be in contact with those countries so it is a relatively safe practice. I also use I have only had 2 or 3 incidents in the 8 months of usage.

    After blocking those countries and using Spamhaus, my spam went down
  • Hypocritical? (Score:3, Insightful)

    by Rie Beam ( 632299 ) on Wednesday August 31, 2005 @04:46PM (#13448777) Journal
    So wait a minute - weren't we just getting all up-in-arms over the Chinese blocking their people from viewing unsolicited western sites? And now we should go ahead and block the entire country because of the rogue elements? I agree Chinese cr/hackers (take your pick) are a problem, but at the same time, so are any other skilled cr/hackers - just because this one has malicious intent doesn't mean we're doing any good by blocking such a large audience simply because of the possibility. Cracking will still occur, as with worms and trojans. Those who really want to will find alternate means of access (perhaps through countries a bit more generous than the United States). What is there to gain by this?
  • My Little Part. . . (Score:5, Informative)

    by MikeDawg ( 721537 ) on Wednesday August 31, 2005 @04:48PM (#13448788) Homepage Journal

    I like to think that I'm doing my little part by blocking all incoming connections from China, Taiwan, and some of Japan. I throw a big ass list of IPs to block into iptables (and give it time to parse all the IPs and such), and call it good. There are some good lists to block some of those Asian countries that do a reasonably good job: Some IP addresses [].

    But in all seriousness, the reason I do this, is because of the numerous attempts to brute force sshd, or to send email via my SMTP server, the vast majority of IP addresses come from China, Hong Kong, Taiwan, and Japan.

    • by bani ( 467531 )
      japan used to be bad. they got widely blocked and eventually realized there was a problem -- so they largely cleaned up. mainly due to the efforts of gaijin network operators living there who managed to convince japanese operators that they needed to get their shit together.

      china, korea, etc. are totally rogue. they become more widely blocked each day. both china and korea are hellbent on becoming LANs. which they will be until they realize there's a problem and start dealing with all their criminal operato
  • Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space

    Ok, if the `problem' is that you see wierd entries in your logs, that obviously somebody is trying to crack into box, and they're not using up a signifigant portion of your bandwidth, filling up your disk with logs or actually getting into your box, there is no problem. The sooner you realize this, the sooner you can get on with your life.

    So what do you do? You keep your machine secure. You ke

  • would be:

    1. put some text about freedom of speech and/or human rights in china on your webserver
    2. make sure google finds you

    then the chinese government itself would see that chinese IP traffic can't reach you.
  • by slappyjack ( 196918 ) <> on Wednesday August 31, 2005 @05:28PM (#13449118) Homepage Journal
    We were a small company that sold sex toys. Kiddies from eastern europe and southeast asia LOVED to test credit cards against our store.

    This was when we were first getting up and running with minimal staff. One day we looked and saw "JESUS CHRIST! Someone Just bought $678 worth of fake cock! Yeah!"

    We then realized these folks were just testing to see if the credit card numbers they stole were still active, and cancelled the order.

    I wrote all sorts of checking routines and so on to make it harder to submit that kind of shit, but in the end it was just easier to not even let placecs like Hungary and Pakistan in, becuase really, it was more trouble to week out the fakes than the odd valid order a year from those areas is worth.

  • I wish... (Score:5, Interesting)

    by archaic0 ( 412379 ) on Wednesday August 31, 2005 @05:28PM (#13449124) Homepage
    I worked for an ISP for about 5 years... started doing tech support and moved up and on to the NOC and web design. While in the NOC were were fighting spam for our users pretty much non-stop with various black lists / filters. My job was basically to come in each day and clean out the garbage disposal as it were.

    Until the glorious day we segragated our mail users. We set up a new beta mail server and split our users into two groups. Those needing international mail, and those not needing it. Over the course of 3 months, we informed users of the change and provided an easy opt-in one-click process to make sure they could send/recieve international mail.

    After that grace period, we simply shut off international mail on our main server by blocking any IP space outside the US.

    The load on our mail servers (4 dual CPU machines) went from averaging around 50% down to 5% and stayed there.

    In our polling of our own customers, we found that 90% or more of them never had any intention or desire to send/recieve international mail. Our spam load went from several thousand spam messages a minute to less than a thousand per day.

    The people that needed international mail were put on the new server and left open to all mail.

    For the next few months, the staff at our office didn't have to buy lunch or snacks because that corny AOL commercial actually happened. We had customers in all the time taking us out to lunch and dropping off brownies, cupcakes, etc... our satifaction rate was never higher and I would venture to guess that we would not have been that loved had we sent everyone $50 cash.

    Why isn't this a more popular choice? Is there really that much of a NEED in the general internet population for international mail? There wasn't at our company.

    I think we could make international mail a feature add-on much like web hosts make CGI, PHP, or mySQL a feature add-on. Sure, to me those are just staples, but not everyone needs all that.

    Sure, there's still in-country spam sources... but NOTHING like what comes from outside.
    • Re:I wish... (Score:5, Insightful)

      by patio11 ( 857072 ) on Wednesday August 31, 2005 @11:16PM (#13451300)
      How much do you trust your customers to adequately describe what their needs are? And how much do you trust that description to not change for the duration they are your customers?

      Let me tell you my experience sending email from Japan:

      1) I have been the silent party of a conference call between a professor at a major American university and the tech he was "#$%#&$ing out because said professor did not get the five-figure speaking fee we wanted to pay him because our repeated attempts to contact him went unanswered (the techs, to save themselves a little hassle, had blacklisted *.jp)

      2) I have been asked "Why don't you ever write?" by a favorite auntie, who is exactly the lady at those tech support humor web sites make fun of. I do write, once a week like clockwork. Her ISP decided on her behalf that it needed to be /dev/null'ed.

      3) I have a 99 year old great grandmother who, bless her heart, has started to use the computer. She is doing exceptionally well for 99, but if you ask her four days out of five she'll tell you "No, of course not, don't know anybody living abroad. I haven't been back to Ireland since I came over in 1916 and all my family there is dead". Then if you go on to prod her about her great grandsons she'll take your ears off bragging about those fine young men who went off and got educated and are now living in Korea or China or somesuch place where the folks are very friendly and they drink excellent tea although of course not the sort that they made in County Cork.

      4) I get a copy of my local newspaper (for the neighborhood I grew up in) delivered to me once a month by my mother. A favorite teacher of mine from grade school just retired. One Google search later I had his school's office email address and sent them a letter of congratulation to forward on to him. I've gotten no response -- it probably got eaten. Asked yesterday whether he needed to speak to anyone abroad or not, this veteran of the Chicago Public Schools would have said "Nope, can't say that I do".

      5) Three companies have lost my business because they can't handle having a customer abroad (seeming inability to handle emails played a part in all three cancellations, not entirely sure it was the only issue though). One (my bank) has gained it for life because they went the extra mile, including having a $10 an hour telephone operator having a three-day long spat with their IT department before I could get whitelisted. (Oddly, the IT department had clearly spent a lot of development resources on making their web forms, etc international-aware... and then /dev/null'ed all email from the customers using the special forms)

Q: How many IBM CPU's does it take to execute a job? A: Four; three to hold it down, and one to rip its head off.