Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Blocking a Nation's IP Space

ScuttleMonkey posted more than 9 years ago | from the haul-out-the-civil-disobedience dept.

Security 404

SComps writes "The Register has a good commentary about blocking Chinese IP space and some of the pros and cons surrounding that action. The question I post to Slashdot: "What is your opinion of this and what do you propose to help correct this?" Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?" The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?

Sorry! There are no comments related to the filter you selected.

My ban list is extensive but I'm a home user only. (4, Insightful)

garcia (6573) | more than 9 years ago | (#13448396)

What is your opinion of this and what do you propose to help correct this?

Correct what? The fact that other countries are full of hackers that constantly attack you and you have little recourse to stop it? I suggest blocking them. Duh.

Additionally, what sort of actions do other Slashdot users take to protect themselves from rogue IP space, be it national borders or even retail broadband/dialup providers such as wannadoo or comcast, roadrunner, etc?

I have an extensive ban list on my firewall including tons of /8 and /16's but mostly /24's. If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

I am an individual. I don't run a corporate network and I am not required to put up w/a bunch of shit from other people. Don't like it? Oh well, I'm unconcerned. This particular Ask Slashdot might be pertaining to something else but the blurb wasn't really clear.

If it were up to me, I would want entire countries in their own easy to block IP address space. Want to block .br? Here's the single block that does it. Want to block .kr, .cn, and .nz? Go for it. Right now it's entirely too difficult and it requires some real work to do what you need to do.

After moving off of Comcast for residential DSL through a respectable provider I find that I don't have worms constantly hitting my machine. I don't have as many attack attempts and I certainly am not blocking quite as much spam. I long for the day when I don't have to add another .0/24 to the firewall list.

Re:My ban list is extensive but I'm a home user on (-1, Flamebait)

mike.newton (67123) | more than 9 years ago | (#13448453)

other countries are full of hackers

Since we're generalizing here, you wouldn't by any chance be American, would you? Isolationism is alive and well in the homes of America as well as the White House!

Re:My ban list is extensive but I'm a home user on (2, Insightful)

garcia (6573) | more than 9 years ago | (#13448482)

Since we're generalizing here, you wouldn't by any chance be American, would you?

It's fairly apparent where I'm from. I didn't feel the need to state it -- if you'd like more info my post history and personal URL are there.

As far as America being full of hackers. This is true. They don't typically fuck with me from American IPs though. The main problems I see from America are morons running unpatched shit on residential connections.

Anyone else from America that is tryin to exploit me is generally coming from a foreign IP (to try and mask their accountability). It's been going on like that for years. Get over yourself.

Isolationism is alive and well in the homes of America as well as the White House!

Off-topic, but, I wish we were practicing Isolationism in the White House. We wouldn't be fucking shit up in Iraq.

some ideas for networking (-1)

Anonymous Coward | more than 9 years ago | (#13448526)

I've said this many times but I'll repeat once again, this general purpose net connection stack tcp/ip has to go. In its place a large defined set of protocols can allow broadcast style networking for the internet savvy consumer, and if Microsoft had the lead in engineering this, you can be sure that most computers would be compatible, and Microsoft could also sell "Microsoft Gateway" products to let Apple participate.

This set of protocols could allow trusted machines to receive properly licensed and authorized content but still filter out other less useful but more dangerous content/extentions like exe's, zips, tar.gz's, bz2, py, and iso's, and additionally any encrypted content, and the major webserver venders would have to outlaw application/octet mime types to regain control of the internet-turned-piracy haven that the thieves like warez groups and gnu have perverted, not to mention all the pornography and child molesting an open internet produces.

Its time to make the net safe again for our families and businesses.

Re:My ban list is extensive but I'm a home user on (2, Insightful)

turbothumbz (907352) | more than 9 years ago | (#13448458)

Some friends and I discussed this once. The original purpose of the internet was so that no one place could be brought down in case of attack. Hence if you block china's IP space that may prevent some minor inconveniences but they will still be able to bounce through other servers. The only way to block them out would be if everyone else blocked china.

Re:My ban list is extensive but I'm a home user on (2, Interesting)

RM6f9 (825298) | more than 9 years ago | (#13448467)

Cool! As an independent/home user myself, I can definitely empathize - another individual's rights to express themselves end at my eyes/ears - personally, I'm considering publishing a list of the IPs I block, and my reasons for doing so: as others weigh in (agreeing or dissenting), it could become the ultimate democracy...

Re:My ban list is extensive but I'm a home user on (5, Informative)

nacturation (646836) | more than 9 years ago | (#13448469)

For email, you can use the countries.nerd.dk RBL. Just add the two-letter country code as a prefix. So if you wish to block China from sending email, the RBL server is cn.countries.nerd.dk.
 

Re:My ban list is extensive but I'm a home user on (1)

Sir_Eptishous (873977) | more than 9 years ago | (#13448485)

Yea, I'm more and more blocking entire nets. It seems like besides comcast, most of the annoyance probes are coming from any ip's in APNIC.

Re:My ban list is extensive but I'm a home user on (2, Interesting)

MetalliQaZ (539913) | more than 9 years ago | (#13448508)

If someone cannot e-mail me it's because they are likely using a residential cable/DSL account and I suggest to them to either use AIM or a viable webmail service like GMail (hotmail and yahoo are banned).

You are free to block any addresses you want. However, I must ask what makes you so important that people must use the mail service you dictate in order to contact you? I think that doing what you have done would cause more inconvenience to myself than anything else. If people couldnt get through to me, they wouldn't switch providers, they would just stop emailing my pompous ass. The point is to block the bad, while letting the good stuff through. False positives only cause problems for ME, nobody else.

-d

Re:My ban list is extensive but I'm a home user on (0)

Anonymous Coward | more than 9 years ago | (#13448588)

what is your point?

he made a decision that those people will not be dealt with, why do you care.

go about doing what you want.

Re:My ban list is extensive but I'm a home user on (0, Flamebait)

garcia (6573) | more than 9 years ago | (#13448595)

You are free to block any addresses you want. However, I must ask what makes you so important that people must use the mail service you dictate in order to contact you? I think that doing what you have done would cause more inconvenience to myself than anything else. If people couldnt get through to me, they wouldn't switch providers, they would just stop emailing my pompous ass. The point is to block the bad, while letting the good stuff through.

Pompous? No, I'm just not concerned w/mail getting through. NOTHING is important enough for me to deal with spam, viruses, trojan, and spyware.

It's like anything else. If you want to contact me you do it my way, otherwise, I don't care. Believe me... The three people it might affect every year isn't a big deal. If anything, I did them, and everyone else, a favor.

Re:My ban list is extensive but I'm a home user on (0, Troll)

aklix (801048) | more than 9 years ago | (#13448532)

Well I hated to do it, but after my website was replaced with this:

  (anyone know what it means? I'm still trying to figure it out, hence why it's saved in a text file on my computer)

I blocked china and haven't gotten hacked since.

Re:My ban list is extensive but I'm a home user on (1)

Enigma_Man (756516) | more than 9 years ago | (#13448587)

Awesome, I like your style, and I find myself doing the same things, having to block out entire countries and portions of the world from getting to my stuff. I hope a lot of PC weenies try to argue with you, because they have no footing to stand on.

-Jesse

Re:My ban list is extensive but I'm a home user on (0)

Anonymous Coward | more than 9 years ago | (#13448606)

Blocking ip blocks is silly and stupid. You will end up blocking
the whole world eventually. What you need is signature based
detection at your firewall level. This way you can construct
rulesets to effectively mitigate probes and attacks.

--skyhigh

Re:My ban list is extensive but I'm a home user on (4, Insightful)

slashdot.org (321932) | more than 9 years ago | (#13448624)

This is all fine and dandy. Until _you_ end up being blocked from a whole bunch of stuff because of some asshole in the same IP space.

Blocking based on IP range and or country is pure and simple discrimination. A lot of people don't seem to grasp why discrimination is bad until they end up on the receiving end...

Having said that; if you want to block half the world, I believe that's your right. Just don't block it for me please, I'd like to make that decision myself.

Hmm. (-1, Offtopic)

yurivish (902527) | more than 9 years ago | (#13448398)

Nothing for you to see here. Please move along.

Officially insane. (5, Insightful)

Dibblah (645750) | more than 9 years ago | (#13448402)

They're a web hosting provider. And they're blocking entire netblocks from viewing *their customer's* content.

Re:Officially insane. (1)

GigsVT (208848) | more than 9 years ago | (#13448451)

Yeah, that's almost as bad as an ISP using something like SPEWS. If I ever got an ISP that used SPEWS, they'd get a nice lawsuit.

Re:Officially insane. (1)

MisterMurphy (899535) | more than 9 years ago | (#13448534)

A lawsuit on what grounds, exactly? I ask only for knowledge.

Re:Officially insane. (1)

ShieldW0lf (601553) | more than 9 years ago | (#13448598)

False advertising and breach of contract perhaps?

What big company.... (5, Insightful)

millahtime (710421) | more than 9 years ago | (#13448403)

What big company is going to block China? That's where most of their workers are. Can't cut your communications lines to them.

Re:What big company.... (1)

pablomarx (860587) | more than 9 years ago | (#13448538)

What big company is going to block China? That's where most of their workers are. Can't cut your communications lines to them.

Allow your office(s) in China to talk to your office(s) elsewhere in the world, and block all Chinese IP-blocks that don't belong to your company. Or, block all of China from everything except your VPN server, and let them VPN in. etc.

Re:What big company.... (2, Interesting)

Zocalo (252965) | more than 9 years ago | (#13448626)

Plenty of big companies, even those with most of their workers outsourced to China, could do this quite easily if they were so inclined. The trick would be to whitelist the IP addresses that they actually need to do business out of the tens of millions of IP addresses assigned to China, and then block the rest. If you wanted to be really slick, then you could even route traffic from the questionable IP blocks through a dedicated firewall to avoid bogging down the rest of your traffic with a huge list of firewall rulesets.

Sure, this approach isn't going to be practical in businesses that deal with large numbers of companies or agencies in China, but if you are just dealing with a handful of companies then you are fine. Plus, the chances are that even if your company is heavily involved with China, then it might not be for some of the other rowdy IP blocks on the Internet and could apply the blocks there instead. Or just concentrate on the large blocks of IPs assigned to home users; with the prevalance of BotNets at the moment, that's where the vast majority of the hostile traffic seems to be coming from anyway.

I agree. (2, Funny)

Fishead (658061) | more than 9 years ago | (#13448404)

Chinee Ip Space should TOTALLY be blocked. Those Chinee, they are always up to no good.

Who are the Chinee anyhow?

Re:I agree. (1, Funny)

Anonymous Coward | more than 9 years ago | (#13448463)

Whoever marked this as Offtopic is trolling.

Do I need to read idiotic "opinion" from morons who don't even bother to spell the subject he is discussing clearly?

Mod the partent up

chinee foo (0)

Anonymous Coward | more than 9 years ago | (#13448579)

You order chinee foo?

hmmm (0)

Anonymous Coward | more than 9 years ago | (#13448617)

I think it is slang for Chin-less (as in no chin) Native Apache Indians (Chinee). There was one on the Phil Donahue show a number of years ago I think ;)

T. Herman Zweibel is back? (-1, Offtopic)

themightythor (673485) | more than 9 years ago | (#13448405)

Since when do we call denizens of China "Chinee"?

Re:T. Herman Zweibel is back? (0)

Anonymous Coward | more than 9 years ago | (#13448433)

Them damn commies don't deserve the letter "S". That's for us capitalists. Along with the number 4.

Re:T. Herman Zweibel is back? (0)

Anonymous Coward | more than 9 years ago | (#13448434)

Isn't that "heathen chinee"?

Dust off (-1)

Anonymous Coward | more than 9 years ago | (#13448407)

I say we dust off . . . . .

Depends (1)

ebsf1 (689864) | more than 9 years ago | (#13448409)

Depends...do you want to do business or communicate with China or not?

Re:Depends (1)

rovingeyes (575063) | more than 9 years ago | (#13448618)

Actually the way I see it, the Chinese govt. will be more than happy with this actually happening. They don't have to put up all kinds of firewalls to stop their citizens. Most of these sites and networks that the Chinese visit are in America any way. As I see it, the more countries ban Chinese IP, the more happier their govt. is.

GNAA (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13448411)

GNAA pwns you!

Exagerated (1)

Beuno (740018) | more than 9 years ago | (#13448421)

I think blocking an entire country is a bit much, and a bit to mucho discrimination for the globalized world that we live in right now...

Looking for open proxies (2, Interesting)

SCHecklerX (229973) | more than 9 years ago | (#13448423)

Maybe to get around the great firewall of china. Also, the company I work for is global. We have offices in china connected via IPSec. Not smart of us to block china telecom addresses...

For home use, I blackhole much of Asia... (1)

Ritz_Just_Ritz (883997) | more than 9 years ago | (#13448424)

For most businesses (at least those that operate globally), that isn't an option. However, for my home network and home mail server it drastically cut both spam and probes against my network.

No. No. No. (4, Insightful)

Puls4r (724907) | more than 9 years ago | (#13448425)

Simply blocking the IP doesn't fix the problem, and is on the same level as them blocking searches engines and sensoring US web sites. Bot engines etc etc, if you stop it one place it will simply spring up in another. Filtering ala google PRIOR to it hitting the consumer is the real key. That and corporate involvement - when it really begins to cost them money we'll see an improvement.

Ya... (5, Insightful)

mr_tommy (619972) | more than 9 years ago | (#13448427)

Does it not seem somewhat strange that we are more than happy to rally against measures by certain governments to restrict our internet liberties, yet there is no problem with us blocking whole nations access to western sites because of rogue elements in their borders?

This seems a rather murky route to go down, that ultimately, will be in no one's best interests.

Hypocrisy is the greatest luxury (0)

Anonymous Coward | more than 9 years ago | (#13448510)

Hypocrisy is the greatest luxury.

Re:Ya... (1)

duffbeer703 (177751) | more than 9 years ago | (#13448586)

If you don't do business in China, why not?

The Chinese government does little or nothing to stop hackers who originate in their country, so I think it is justifiable to block the country, if you feel that you can afford to.

I don't want to miss out on any opportunities! (4, Funny)

yorgasor (109984) | more than 9 years ago | (#13448432)

I've got a friend that blocks email from Nigeria, but I'd never do that. You never know when someone really does need help moving millions of dollars out of the country and will gladly give me a cut of the proceeds. For that reason alone I'd never block them.

Re:I don't want to miss out on any opportunities! (1)

cmdrTacyo (899875) | more than 9 years ago | (#13448489)

Boy yo frenz a racist
His views are baseless discriminatin peeps based on dey faces
I'll take off my shoes choke you with my laces
Crush ya skills with a few full beer cases
I'm the blackest white boy on this site
I'm the slashdot version of Suge Knight
You don't post unless I get a cut of the karma
Or else I'll eat you up like a beef Swharma

I am chinese (5, Interesting)

lappy512 (853357) | more than 9 years ago | (#13448440)

As a chinese American, I feel that these tensions between the USA and China are unnecessary, many things about China are sometimes overstated. For example, last summer I visited China, expecting to see many US sites blocked by the Great firewall, but instead do not see things like that. I did not encounter any websites that seemed to be blocked. Also, many Chinese can read English, so I also feel it's unfair to block Chinese users from some websites.

SSHBlock and DAVblock (onehit wonder) (1)

aphaenogaster (884935) | more than 9 years ago | (#13448443)

Why even bother. I just use these to block people from all access (not just the port they were pissing me off on). Very effective, yet only knocks out those up to no good.

Course I dont run windows on my servers.

what would cut down spam (5, Insightful)

Anonymous Coward | more than 9 years ago | (#13448445)


would be if China blocked inbound USA connections seeing as 80% of the worlds spam originates from there [spamhaus.org] , the numbers are no different for all the other scams either ie Phishing, Malware, Adware , Spyware [internetnews.com] etc etc

hmmm perhaps the rest-of-the-world should just cut off USA it would probably stop 80% of internet related crime overnight

Re:what would cut down spam (5, Insightful)

Kelson (129150) | more than 9 years ago | (#13448507)

Actually, that's 80% of North America's and Europe's spam. It doesn't provide any stats on how much of China's spam originates in the US.

It's also a list of the people creating the spam, not the location of the machines that are sending it.

And note that North America includes the US, so a lot of that spam is by Americans, for Americans. Just relayed through China, Korea and Brazil.

Re:what would cut down spam (0)

Anonymous Coward | more than 9 years ago | (#13448520)

We've blocked China from our mail servers for nearly 2 years now. The results have been nothing but positive.

Re:what would cut down spam (1, Funny)

Anonymous Coward | more than 9 years ago | (#13448563)

we blocked any mail that contains a dollar ($) sign and it cut down our spam by 90+ percent (we dont have any customers or correspondance or business with any country that uses dollars as currency) and so far the results have been very successful with minimal false positives

So in a sense we have cut off USA from our business operations and its amazing how useful email has become again

Re:what would cut down spam (3, Informative)

DNS-and-BIND (461968) | more than 9 years ago | (#13448581)

The USA has compelling content online (if you speak English). China has very little information available in English, and can be blocked off with little loss. Unless your idea of compelling content is reading poorly-translated flash-enabled manufacturing company websites, or government-approved news sources.

There are scores of young men who sit around in internet cafes all day and do nothing but scan for vulnerabilities in badly-coded applications, mostly message boards. I know, I've seen them. Yes, it is most unusual for a Chinese fellow in an internet cafe to not be playing Counterstrike, but I assure you it does indeed happen. You can turn on the scanner and let it run in the background while you play Counterstrike, don't forget.

CITY ISP how may i be of Service (0)

Anonymous Coward | more than 9 years ago | (#13448447)

OH NO MONGORIAN break down Great Wall of China

Stop the inflammatory editorializing (0, Offtopic)

Gothmolly (148874) | more than 9 years ago | (#13448459)

Scuttlemonkey & Co. Please edit, don't opine.

I will determine an article's relevance to me, whether or not the article is any good, what questions it poses, and whether the answer to those is either yea or nay.

Adding a trollish question to the end is NOT "discussion inspiring", its more like Roland Piquipaille's "give me money for more info" taglines.

What is this Chinee you speak of? (-1, Offtopic)

WillAffleckUW (858324) | more than 9 years ago | (#13448468)

do you perhaps mean China?

Re:What is this Chinee you speak of? (0)

Anonymous Coward | more than 9 years ago | (#13448486)

Ahh... This must be the "chinee foo" some guy keeps trying to deliver to my door!

Re:What is this Chinee you speak of? (1)

WillAffleckUW (858324) | more than 9 years ago | (#13448544)

well, I can't see the scientific world doing wholesale blocking of China, for example, in that many of the recent papers I've been reading in Biochemistry are from that country, including ones in the areas I've been working on - malaria.

But for the local newspaper in Tukwila, WA - this might not be a bad idea.

Mind you, when I travel - so far to France, Italy, the Caribbean, Canada, Mexico, Australia, New Zealand but not yet China or Japan - I do like to read the local newspaper back home online, so I can see this not being a good solution especially on the West Coast.

blocking rouge IPs (0)

Anonymous Coward | more than 9 years ago | (#13448480)

Why block the IPs when you can blackhole them via BGP? Just kill their peering at all the major NAP's and route their IP's to null0, problem solved. They definately don't have enough bandwith to get around it. It's just alike a USENET Death Sentence, only we'll call it the BGP Death Sentence. In case many of you /.ers don't remember or weren't aware of it, Finland suffered a similiar fate many years ago because of the hacking problems. CapVideo is my GOD.

Sure - I block 'em (3, Interesting)

ALecs (118703) | more than 9 years ago | (#13448483)

I've got about 20 lines in my hosts.deny file - mostly /8 and /16 nets. This is on a server that hosts some services for showing off our products and it was seeing huge amounts of SSH dictionary attacks and web shell code, etc.

Basically - if we know we want a prospect in China, Korea, etc. to use our site, we'll open something for them - otherwise they should just go the heck away.

If enough people -j DROP China, etc., maybe somethign will get done about. (I know - wishful thinking).

Re:Sure - I block 'em (1)

Thrymm (662097) | more than 9 years ago | (#13448542)

Would you be willing to post your deny file? Im interested in adding one myself and dont know where to begin!

Spam them? (1)

t_allardyce (48447) | more than 9 years ago | (#13448490)

I think we should spam China with lots of politically sensitive things - basically give their firewall a run for its money and shake things up a bit. But not in a nasty way, make sure all the spam is interesting at least.

Chinee? I hope that's just a typo (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13448493)

Things from China are Chinese, not Chinee.

I block only one class A (0)

Anonymous Coward | more than 9 years ago | (#13448497)

10.0.0.0 /8 is blocked and I'm sure that all the bad guys are behind that one.
In fact, I don't even need to keep my XP firewall on anymore now that I've blocked that subnet at my router

Baby with the bathwater? (3, Insightful)

Bananatree3 (872975) | more than 9 years ago | (#13448498)

It would seem that blocking China's IP block might in some cases cause collateral damage when it comes to accessing certain sites. While it is true that blocking the entire China IP block would get rid of a LOT of spam that comes from Chinese bullet-proof ISPs, there is also a side effect. Ordinary people who try to connect to a network from inside China would also be blocked as well, and this cause a lot of collateral damage in terms of the average Chinese web browsing population.

It would though depend on the size and usage of the network you would be blocking Chineses traffic from. If you're a small buisness with absolutely no connection to China whatsoever, you might be ok blocking the entire IP block to protect your network from spammers. But, even an average size network might have some sort of Chinese connection, either from the outside in or vis versa. Lots of companies and people inside China that try to access that network would effected, not just the spammers.

Re:Baby with the bathwater? (2, Interesting)

Kelson (129150) | more than 9 years ago | (#13448564)

Exactly. We can't block China where I work (an ISP), because we have customers who are businesses, and there's a lot of economic activity between the US and China. We once had to make an exception for the SBL because someone was on a business trip to China and his only net access was via a spam-infested network that had gotten itself listed on Spamhaus.

I wouldn't consider blocking mail based on geography alone unless I could get input from everyone the policy would affect. You can do that as a home user, and you can do that as a business, but IMO it's not an option for an ISP.

Re:Baby with the bathwater? (1)

DNS-and-BIND (461968) | more than 9 years ago | (#13448625)

How many people in China actually connect to your legitimate services? Unless you're providing Chinese-language content in the simplified character set, I doubt that you have many users. And if you are providing content in the appropriate language, and you say something the Chinese government doesn't like, you will be blocked by the Great Firewall in short order.

And the standard way around the Great Firewall is a proxy or VPN, both of which will make your traffic look like it's coming from somewhere else.

What a coincidence (2, Interesting)

Anonymous Coward | more than 9 years ago | (#13448500)

I was doing my weekly spam analysis report today, and after collecting just 3 months worth of data I started toying with the idea of blocking whole IP ranges. Sure, the spammers were using botnets and the trend reports brought to light some interesting points of intersection, but one thing stood out clear and plain. Blocking email coming from China would cut out over 60% of spam at the 1st firewall, before it even reached the mail filter.

I work for a UK company who deals with multi-nationals, but they all have European channels. I can't see such a block having anything but a positive effect.

Just surprising that the very day I have this thought there is a story on Slashdot.

blocking mail (0)

Anonymous Coward | more than 9 years ago | (#13448503)

access-list 1000 deny tcp 218.0.0.0 0.31.255.255 any eq 25 log

We got tired of the many, many attempts to relay and break mail. Maybe time to add port 80?

Darn tootin (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13448506)

Take that Chineeman.

Re:Darn tootin (1)

fanfriggintastic (751454) | more than 9 years ago | (#13448547)

This Chineeman is not the issue! I'm talking about drawing a line in the sand, Dude. Across this line you do not, uh--and also, Dude, Chineeman is not the preferred, uh... Asian-American. Please.

Topic (0)

Anonymous Coward | more than 9 years ago | (#13448519)

I'm curious on why this wouldn't be filed under "Your Rights Online". It seems to me, that this is a huge concern and if this was happening to anyone else the article would be filed as such.

Loonie! (0, Offtopic)

CrazyWingman (683127) | more than 9 years ago | (#13448522)

blocking Chinee IP space

Speaking Lunar [amazon.com] now, I see.

Tell you what... (0)

Anonymous Coward | more than 9 years ago | (#13448523)

instead of blocking China for being a rouge IP space, why dont they ban America for being a clueless IP space. You would remove 90% of the easy targets on the internet.

what do you propose to help correct this? (1)

xlr82xs (5383) | more than 9 years ago | (#13448525)

What is your opinion of this and what do you propose to help correct this?"

well, if these are people blocking large ip ranges from accessing their home/residential machines: sure whatever..go ahead guys do what you want..try blocking EVERY ip and just whitelisting countries you like if thats what floats your boat

if these are serveradmins blocking large ip ranges from accessing either their own buisness or their clients buisness website: enjoy being fired and/or your company loosing out on large blocks of contracts for hosting when knowledge of your practice of doing this becomes available to customers.

Depends on service (1, Interesting)

Anonymous Coward | more than 9 years ago | (#13448535)

But yes, I long since blocked access to most services for most of Asia, and large parts of Brazil and Mexico. Started with this very useful list of Chinese and Korean ip-blocks: http://www.okean.com/thegoods.html [okean.com] and grew from there (mostly to include Taiwan). (Note: I've found the list to be 99% accurate, but some small /24 or smaller blocks in Australia got included erroneously. Use with caution)

treat your network like a sewer (2, Insightful)

Indy1 (99447) | more than 9 years ago | (#13448536)

and expect others to treat it like a sewer. Chinese (and other apnic networks) isps just dont give a damn how much abuse their users heap on the rest of the net. Between the spam, worms, and other crap they spew, they've gotten a hard earned spot in my firewall. Granted i am not a huge business or isp, but at the rate they're going, it wont be long before big isps and businesses DO firewall all of apnic as a pre-emptive measure.

I've done it (1)

prpghandi (770424) | more than 9 years ago | (#13448539)

I worked for an ISP and we did alot of IP blocking, whole countries, entire classes of addresses. Whatever it took to stop the onslaught of spam to our mail servers and our users. It dosen't make sense to add more mail servers, just to combat spam, when you can block a set of addresses and cut the load on the servers in half.

Do it if you can... (2, Insightful)

Vellmont (569020) | more than 9 years ago | (#13448543)


"What is your opinion of this and what do you propose to help correct this?"

If you can get away with blocking out large IP spaces of an entire country, do it. If you can't, don't. I don't receive any legitimate mail from chinese IP addresses and never will. I don't block anything at the moment, but if it solved much of the scanning and spam I see I'd probbably consider it. Unless you have a global market, why not do it if it solves more problems than it creates?

I think when a US company starts targeting large ISPs in the US, or are an ISP yourself you're going to run into trouble though. I know an ISP that discards all mail coming from roadrunner addresses as spam. That's a terrible practice for the ISPs customers who aren't getting legitimate email.

Inappropriate & Heavy-Handed Response (5, Insightful)

aldheorte (162967) | more than 9 years ago | (#13448549)

Even if *you* block a range of IP addresses, someone operating a computer on one of those IP addresses could still connect with your server simply by going through a proxy not blocking them, but which you have not also blocked. Given that blocking a national range of IP addresses provides no real security from a marginally determined and capable attacker and that it promotes a balkanization of the Internet, decreasing the network affect and therefore overall utility of the network by blocking many potentially legitimate connections, this seems like a very inappropriate and heavy-handed technical response to unwanted requests from a particular country. It also saves no bandwidth since the filtering happens at the receiving server after the packets have travelled through the network.

From a political science and ideological perspective, industrialized and democratic companies benefit little form blocking the access of citizens of 'pariah' nations to non-classified information. Any opportunity to make available memes that offer alternatives to the totalitarian state line further create the opportunity for the expansion of democracy and free access and speech in those countries. Blocking national IP ranges in this manner would also decrease this opportunity.

Block nothing (2, Insightful)

papaia (652949) | more than 9 years ago | (#13448551)

I have a corporate network to run, and we are only expanding in China. There is no realistic way to resolve any issues at the IP or DNS/domain level, as same ISPs providing services to spammers and crackers, are also hosts of my customers.

Short answer? Clever design, application layer solutions (e.g. multi-level filters and signatures based protection for application traffic), which implies more resources, and some administrative headache to put up with, when things go wrong. Always need to keep the balance: if the costs of doing business (of which the human and technical solutions needed to avoid across-the-board denial are mandatorily included) become higher than the return/profit, we will rethink the options. Until then we are happy when others (preferably competitors of ours) apply the knee-jerk solution of blocking country-wide networks ;)

Re:Block nothing [at the country network level] (1)

papaia (652949) | more than 9 years ago | (#13448611)

Following up on my own post - title is misleading by omission: what I meant to say was "Block nothing at the original posts' suggested level" (i.e. country-wide network(s))

"Chinee"? (1)

John Jorsett (171560) | more than 9 years ago | (#13448558)

I hope that that's a typo and not a revisitation of an old derogatory term. (See, "The Heathen Chinee [virginia.edu] " by Bret Harte. Opening stanza:
Which I wish to remark,

        And my language is plain,
That for ways that are dark
        And for tricks that are vain,
The heathen Chinee is peculiar,
        Which the same I would rise to explain.

I used to block (1, Interesting)

Anonymous Coward | more than 9 years ago | (#13448560)

.. all of .il with an iptables script a mile long.

Got the info from http://www.completewhois.com/statistics/data/ips-b ycountry/rirstats/ [completewhois.com] and with a little bash magic, I had a bunch of
iptables -A INPUT -s x.x.x.x/x -j DROP
in one big script.

Why? I used to serve large files in an IRC channel with a fat EDU connection, but a handful of tools from .il ruined it for everyone else over there by hammering too much.

I'm sure (hoping?) it was accidental... (0, Offtopic)

cswiii (11061) | more than 9 years ago | (#13448565)

But " Chinee [philaprintshop.com] "?

Makes me think of the Wild West, railroads and laundry service more than modern-day questions of internet protocols and global politik.

Block the IP space of the USA first... (2, Informative)

Mugros (811343) | more than 9 years ago | (#13448569)

... according to http://www.trustedsource.org/ [trustedsource.org] featured today in another ./ article the US is the biggest source of spam.
This is a lot easier if you are outside the US.

Greetings from a blue country.

This was eventual (1)

GWBasic (900357) | more than 9 years ago | (#13448577)

This was eventual, no surprise here.

in china! (1)

SQLz (564901) | more than 9 years ago | (#13448585)

They block your IP address space!

iptables -A -p tcp -s ALLOFASIA -j DROP (0)

Anonymous Coward | more than 9 years ago | (#13448589)

DROP the bastards

Firewalled people (2, Interesting)

m50d (797211) | more than 9 years ago | (#13448592)

Firewalls of any sort are a menace. They're not part of the open internet. Every port of every publicly routable IP should either be open, because it's providing a service accessible from the open internet, or closed, in which case it should respond appropriately when it gets packets there and not just drop them. I don't actively block them, but I try to avoid enabling any options on my services that would help firewalled users.

Chinese gov't would like IP blocking (1)

nysus (162232) | more than 9 years ago | (#13448601)

At the end of the article, the author talks about how he thinks the Chinese government doesn't know about this activity.

Actually, they probably condone it. The more web servers that are blocked from the Chinese people, the more likely they'll be isolated behind the Great Firewall of China.

Blunt force trauma (2, Insightful)

groomed (202061) | more than 9 years ago | (#13448603)

Blocking a /16 means blocking some ~65000 IP addresses. Blocking a /24 means blocking around 16 million IP addresses.

Over the past 6 months I've identified and recorded all SSH dictionary attacks on my machine. I've recorded exactly 211 IP addresses so far.

People who advocate blocking /16's and /24's should consider wrapping their CAT5 in tin foil.

Extensive Ban List, but more Russian than anything (2, Funny)

ilselu1 (877032) | more than 9 years ago | (#13448607)

I've banned 80% more IPs from RU than everywhere else combined. Noone wants Hot Russian Blonde Escorts when you can have Hot Asian Escorts.. :P

This is what a public network is... (1)

globalar (669767) | more than 9 years ago | (#13448610)

Blacklists are temporary solutions. The larger the blacklist, the more temporary. It's like censorship in this regard.

Blacklisting is a balancing act between the nature of the Internet and what you want out of it. It only "works" to a degree, but it never solves the problem. I'm not saying give up or stop blocking IP's, but people need to come to grips about the real world. The Internet is a two-way street, so let's start looking at it that way, eh? Blocking whole countries is extreme. Some people really seem to like being extreme though.

Besides, some smart rulesets and decent filtering can drop the vast majority of troublesome content.

Users don't understand when their email is blocked (1)

notdanielp (244035) | more than 9 years ago | (#13448612)

The problem with blocking IP space, especially in the case of email, is that most valid email traffic is not between sysadmins. When you have Joe user from FizzCo sending a business document from home to Jane User at BangCo, neither of them is going to understand any rejection notices they get, nor will they understand it if a message just disappears.

I've seen small businesses that contracted out their IT help have serious trouble when their ISP suddenly changed their spam filter rules without telling them. Suddenly your lawyer's emails aren't getting through and no one knows why. In this particular instance it fell on me to diagnose the problem and get it fixed simply because I was the only person at either of the two organizations who had any clue how mail servers worked.

Filter mail by text encodings (1)

sakusha (441986) | more than 9 years ago | (#13448613)

For my own use, to block spam email, I use procmail to filter foreign language encodings in languages that I can't read. Of course there are problems, many spammers don't properly tag their encodings, assuming the target audience has their mailreader set to that language as a default. And it won't filter UTF-8 foreign language encoded mail (you have to leave that one unblocked). And of course it doesn't filter non-email attacks against my domain.
But it's a good start, and a totally benign one. Email in a language I can't read is always spam.

Dynamic Block (2, Insightful)

Roger W Moore (538166) | more than 9 years ago | (#13448614)

Reading the original article (always a bad move) it talked about blocking dodgy looking web requests which, I'm guessing, took up a significant fraction of the server's resources. In such a case I'd go ahead and block. You might loose some potential valid users but that is a lot less than loosing everyone if your server clogs up.

However I'd suggest a dynamic blocking as the best means to do i.e. a machine generated list. Have a server outside the firewall examine incoming requests and block IP ranges where significant numbers of dubious requests are coming from. If the number of dubious requests falls below a certain rate then the IP range is unblocked.

This is a lot better than a permanent ban because you can't be accused of implementing a political agenda of your own and it rewards ISPs/Companies/Countries that eventually clean up their network space. Of course it does mean that you have to be able to define in terms a computer will understand what a "dodgy" request is.

wake up and smell the coffee ! (0)

Anonymous Coward | more than 9 years ago | (#13448615)

Its about time people realize that the internet is a worldwide network and there are issues that come with that !
Why are Chinese IP addresses more dangerous than other IP addresses is what I don't understand ! Unless of course you watch a lot of Lou Dobbs and are fond of calling China "Communist China".
Chinese computers are infected with hacker tools and worms because of American companies like M$ that produce crap shit OSes ! Not because "Communist China" is producing crap shit OSes !!
I say you should block machines running windows if that's your concern whether they are in China or on the moon...

Blackhole lists (1)

Scutter (18425) | more than 9 years ago | (#13448620)

I was using www.blackholes.us for awhile to help construct my ACL's. Now that it's MIA, anyone got an alternative?

Thank the various gods! (1)

ScentCone (795499) | more than 9 years ago | (#13448623)

The author of the article raises an interesting point, will this 'slippery slope' prove too difficult to walk?

At least the author didn't "beg the question."

Because, someone would have to finally lose their editorial rights. But ScuttleMonkey can live to edit another day, as long as he can fix the grammar in that sentence.

Hypocritics (2, Insightful)

marcantonio (895721) | more than 9 years ago | (#13448627)

On slashdot we always make a big deal out of censorship particular to the Chinese government. Why then, would it be ok for us to do the same thing to it's people. Many attacks do come from there, but that doesn't make it any less wrong.

If your going to do this at your company then don't whine about Chinese censorship any longer.

For corporate emial I don't see the issue (2, Interesting)

klubar (591384) | more than 9 years ago | (#13448631)

At my company we block email based on country blacklists for countries that we don't do business with. It certainly cuts down on spam ... and has no false positives. If employees need to send/receive email from these countries for personal correspondence they can do it from home. It seems like a relatively no-brainer, not unlike having a receptionist screen calls or visitors.

If our firewall could easily block IP addresses, I'd do that too.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?