[Off Topic]: IP Listings based on Country?
I have talked with engineers in the past that like to block all IP addresses from countries such as China, for example, in an effort to quell spam and other malicious activities. Where can these listings be found? I would like to block entire networks at our border router for countries we don't do any business with or have a need for them contacting us. We have been seeing an increase of malicious activity lately and about 90% of it comes directly from China and the other 10% likely originates there as well. Most of it has been low-level script-kiddy stuff, probing for open relays, trying default user accounts, and other amateur stuff, but can't be too cautious. thx, rhugga
Sun, 23 Jan 2005, by rhugga@yahoo.com:
I have talked with engineers in the past that like to block all IP addresses from countries such as China for example in an effort to quall spam and other malicious activities. Where can these listings be found? I would like to block entire networks at our border router for countries we don't do any business with or have a need for them contacting us.
Your network, your rules, but how do you know that none of your regular customers has some sort of network connectivity in one of the countries you'd like to block, a webhost, DNS or whatever? If everyone chooses to follow Verizon's example then I think it's safe to predict the return of Telex and telegram services for enterprises pretty soon.
We have been seeing an increase of malicious activity lately and about 90% of it comes directly from China and the other 10% likely originates there as well. Most of it has been low-level script-kiddy stuff, probing for open relays, trying default user accounts, and other amateur stuff but can't be to cautious.
You do know that 75% of break-ins and "hacks" come from the inside, don't you? Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 9.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.8 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +
--- "Theo v. Werkhoven" <twe-suse.e@ferrets4me.xs4all.nl> wrote:
You do know that 75% of break-ins and "hacks" come from the inside do you?
What are you basing this on? In my 15 years of doing this I have not seen a single instance originating from inside, but loads originating external.
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
Mon, 24 Jan 2005, by rhugga@yahoo.com:
--- "Theo v. Werkhoven" <twe-suse.e@ferrets4me.xs4all.nl> wrote:
You do know that 75% of break-ins and "hacks" come from the inside do you?
What are you basing this on? In my 15 years of doing this I have not seen a single instance originating from inside, but loads originating external.
It's an average figure I picked up from books on firewalls and other stuff on network security I read. It doesn't necessarily mean that /every/ network has 75% of the problems coming from the inside. Although, if you count in the problems arising from leaky Windows boxes inside an average network, I wouldn't be surprised if that figure was even bigger. Theo
The Tuesday 2005-01-25 at 00:11 +0100, Theo v. Werkhoven wrote:
It's an average figure I picked up from books on firewalls and other stuff on network security I read. It doesn't necessarily mean that /every/ network has 75% of the problems coming from the inside.
Although, if you count in the problems arising from leaky Windows boxes inside an average network, I wouldn't be surprised if that figure was even bigger.
I was told an anecdote yesterday. Imagine a call center for a telephone and internet provider (name censored). The chaps answering the phone (usually underpaid) are given a post with a Windows NT machine of some kind, quite limited, with security in mind. But nights are long and boring... so, one of them gets a password retriever program. Hey, presto, he gets the admin passwords of his machine, and as a bonus, of the main servers - I don't know the details of how he did it. Of course, being an honest chap, he only used it to give himself a few more privileges, like using Messenger or something :-p One day, the administrator was boasting of the security of his setup over a coffee. You can imagine the face he made when the chap on the next seat, a lowly clerk, tells him what _his_ administrator password was on the room's main server :-p Needless to say, they just covered it up silently. Nobody was interested in it being known ;-) -- Cheers, Carlos Robinson
Theo wrote regarding 'Re: [SLE] [Off Topic]: IP Listings based on Country?' on Sun, Jan 23 at 09:47:
Sun, 23 Jan 2005, by rhugga@yahoo.com:
I have talked with engineers in the past that like to block all IP addresses from countries such as China, for example, in an effort to quell spam and other malicious activities. Where can these listings be found? I would like to block entire networks at our border router for countries we don't do any business with or have a need for them contacting us.
Your network, your rules, but how do you know that none of your regular customers has some sort of network connectivity in one of the countries you'd like to block, a webhost, dns or whatever?
Ask them. If you don't ask, they'll eventually let you know. In either case, you then make an exception, if needed. Any blacklist policy should allow for explicit exceptions. I've blocked Korea for years, and no one here has noticed anything but less spam - including our employees in Japan. --Danny, hoping he's educated most of the users well enough to avoid most "social engineering" hacks
Hi Rhugga,
On Sun, 23 Jan 2005 07:30:37 -0800 (PST) UTC (1/23/2005, 9:30 AM -0600 UTC my time), Rhugga wrote:
R> I have talked with engineers in the past that like to block all IP addresses from countries such as China, for example, in an effort to quell spam and other malicious activities. Where can these listings be found? I would like to block entire networks at our border router for countries we don't do any business with or have a need for them contacting us.
I use http://blackholes.us/ as it lists all countries individually with complete IP blocks... each one of these is in itself an RBL list, e.g. I use korea.blackholes.us from this website as a complete RBL... it works very well. 99.8% of my spam is blocked at SMTP via this method.
-- Gary
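An added example, not from any of the posts above, that puts together what Danny and Gary describe: a per-country range list used as a deny list at the border, explicit exceptions that take precedence over it (Danny's "any blacklist policy should allow for explicit exceptions"), and the query name a mail server builds to consult a DNS-based blocklist zone such as the korea.blackholes.us one Gary uses. The network ranges are RFC 5737 documentation prefixes standing in for a real country list, and the permit/deny output is a constructed vendor-neutral format, not any particular router's syntax.

```python
import ipaddress

# Constructed sample country list in CIDR form, the shape a border-router ACL
# or a DNSBL zone is generated from. These are RFC 5737 documentation
# prefixes, NOT real allocations. Real per-country lists are derived from
# registry (RIR) allocation data, so "in KR's range" means allocated to a
# Korean network, not that the packet was actually sent from Korea.
BLOCKED_COUNTRY_NETS = {
    "KR": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/25"],
    "CN": ["203.0.113.0/24"],
}

# Explicit exceptions for customers with hosting or DNS inside a blocked
# range (constructed); the allow list is checked first, so an exception
# always wins over the country list.
ALLOW_EXCEPTIONS = ["203.0.113.42/32", "198.51.100.64/26"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def compile_policy(blocked=BLOCKED_COUNTRY_NETS, allow=ALLOW_EXCEPTIONS):
    """Return (blocked_by_country, allow_nets). Blocked prefixes are merged
    so adjacent halves such as 192.0.2.0/25 + 192.0.2.128/25 become one /24,
    keeping the router ACL as short as possible."""
    blocked_by_country = {
        cc: list(ipaddress.collapse_addresses(_nets(cidrs)))
        for cc, cidrs in blocked.items()
    }
    return blocked_by_country, _nets(allow)


def decide(ip, policy):
    """Classify a source address: ('allow', reason) or ('block', country)."""
    addr = ipaddress.ip_address(ip)
    blocked_by_country, allow_nets = policy
    for net in allow_nets:            # exceptions are evaluated first
        if addr in net:
            return ("allow", "exception %s" % net)
    for cc, nets in blocked_by_country.items():
        if any(addr in net for net in nets):
            return ("block", cc)
    return ("allow", "not listed")


def dnsbl_query_name(ip, zone):
    """Name an MTA looks up in a DNS-based blocklist: the IPv4 octets in
    reverse order, then the zone. Any A record in the answer means listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only the IPv4 DNSBL form is shown here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def router_acl_lines(policy):
    """Render the policy as permit/deny lines in a constructed, vendor-neutral
    format: exceptions first, then the country denies, then permit any."""
    blocked_by_country, allow_nets = policy
    lines = ["permit %s" % n.with_netmask for n in allow_nets]
    for cc, nets in blocked_by_country.items():
        lines += ["deny %s  ! %s" % (n.with_netmask, cc) for n in nets]
    lines.append("permit any")
    return lines


if __name__ == "__main__":
    pol = compile_policy()
    for src in ("192.0.2.7", "198.51.100.70", "203.0.113.42", "203.0.113.9", "8.8.8.8"):
        print(src, decide(src, pol))
    print(dnsbl_query_name("192.0.2.7", "korea.blackholes.us"))
    print("\n".join(router_acl_lines(pol)))
```

Ordering is the whole point: 198.51.100.70 sits inside a blocked KR prefix but is allowed because the exception is matched before the country list, which is the shape any rule set built from such a list should have. The same caveat scsijon raises applies here: the country tag comes from the registry's allocation record for the prefix, so a hit says where the address is allocated, not where the connection was made from.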
Yea, exactly what I was looking for, I totally forgot about that site. Much thanks. CC --- Gary <not-valid@mygirlfriday.info> wrote:
At 02:30 AM 24/01/2005, Rhugga wrote:
I have talked with engineers in the past that like to block all IP addresses from countries such as China for example in an effort to quall spam and other malicious activities. Where can these listings be found? I would like to block entire networks at our border router for countries we don't do any business with or have a need for them contacting us.
Sorry, but there is no such thing. How did you prove they were coming from China? Neither the .countryid nor the .ip in reality relates to a country; they're just convenient tags for the internet to use.
We have been seeing an increase of malicious activity lately and about 90% of it comes directly from China and the other 10% likely originates there as well. Most of it has been low-level script-kiddy stuff, probing for open relays, trying default user accounts, and other amateur stuff but can't be to cautious.
I don't know about your country, but in Australia we have a China trade mission / embassy; they have a person/group who will try to trace any China spam down, but haven't had much success with the internet side as most are using China's codes as "a convenience name" and are apparently coming from elsewhere. You may check if your country has similar, but you also need the anti-spam / malicious-activity laws so they are required to follow it up. scsijon
Yea, tracing the source down is a waste of time. My buddy runs a spam filtering service and they gave up trying political approaches to this (and now employ much shadier methods). The only solution is to block China and the others completely. Always report the IPs to SpamCop though; they seem to be the most successful in the battle against spam/malicious activities. -cc
participants (6): Carlos E. R., Danny Sauer, Gary, Rhugga, scsijon, Theo v. Werkhoven