How the Chicom got my IP address???

How the Chicom got my IP address??? Lito Lipad 06-05-2008
Posted by on June 11, 2008, 2:18 pm

> reader@newsguy.com writes:
>>> Go to the source, www.iana.org.
>
>>Thanks... I guess you've seen some sort of chart like I described
>>there somewhere....
>
> http://www.iana.org/assignments/ipv4-address-space
>
>
>>> But, why stop at just blocking foreign countries to wherever you are?
>>> (I'm assuming the US).
>>>
>>> Percentage of hacked botnetwork machines ranks the US as #2 or #3 in
>>> the world for hack attempts.
>>>
>>> Don't let any connection in that you aren't ready to vet for yourself.
>
>>Can you run this by me again. This phraseology went right over my
>>head.
>
>>What are you saying there?
>
> If you are blocking IP addresses that are in other countries as
> hackers, you are only blocking a small part of the problem. Out of #
> of hack attempts recorded, US based IP addresses account #2 or #3 for
> all attacks on measured honeynets.
>
> If you don't want any hack attempts, block all IPs besides your own.


Doug, if this is a suggestion about white-listing... my little pea
brain was not able to process it.

Sorry about the rude remarks in reply to your post.

A fellow poster named Harrie has clued me in and I'm taking this
opportunity to apologize for wasting your time (and the group's).

Posted by Chris Mattern on June 27, 2008, 3:11 pm
>
>> reader@newsguy.com writes:
>>>ibuprofin@painkiller.example.tld (Moe Trin) writes:
>>
>>>> If you don't want people from country $FOO attempting to connect to your
>>>> system, WHY ARE YOU ALLOWING CONNECTIONS FROM THAT BLOCK OF ADDRESSES?
>>>> Do you someday plan on visiting Jilin province (the Chinese "state"
>>>> just North of Korea), and will need to connect to your system from
>>>> there? Until you do, block 222.168.0.0/15. . . . . . .
>>
>>>[...]
>>
>>>Sorry to butt in here...
>>
>>>Moes' advice is good and I've been meaning to do something like that
>>>but I wondered if anyone in this thread has a URL for a site that
>>>shows what address blocks go to what country.
>>
>>
>> Go to the source, www.iana.org.
>
> Thanks... I guess you've seen some sort of chart like I described
> there somewhere....
>
> After digging around there (admittedly somewhat blindly) I'm not
> finding such a chart.
>
>> But, why stop at just blocking foreign countries to wherever you are?
>> (I'm assuming the US).
>>
>> Percentage of hacked botnetwork machines ranks the US as #2 or #3 in
>> the world for hack attempts.
>>
>> Don't let any connection in that you aren't ready to vet for yourself.
>
> Can you run this by me again. This phraseology went right over my
> head.
>
> What are you saying there?

He's saying, don't just block the IPs you know (or suspect) are bad. Block
*all* IPs except for the ones you know are *good*.


--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities

Posted by Moe Trin on June 16, 2008, 11:05 pm
On Sun, 08 Jun 2008, in the Usenet newsgroup comp.security.misc, in article

>ibuprofin@painkiller.example.tld (Moe Trin) writes:

>> If you don't want people from country $FOO attempting to connect to your
>> system, WHY ARE YOU ALLOWING CONNECTIONS FROM THAT BLOCK OF ADDRESSES?
>> Do you someday plan on visiting Jilin province (the Chinese "state"
>> just North of Korea), and will need to connect to your system from
>> there? Until you do, block 222.168.0.0/15. . . . . . .

>Sorry to butt in here...

That's OK - this is Usenet! And I was on vacation anyway.

>Moes' advice is good and I've been meaning to do something like that
>but I wondered if anyone in this thread has a URL for a site that
>shows what address blocks go to what country.

Oh, Fsck! What you are asking for is enormous. What I'm using
is the delegated blocks from the five Regional Internet Registries
(AFRINIC, APNIC, ARIN, LACNIC, RIPE), and the data source is quite large.
This month, there were 86818 IPv4 allocations/assignments from /29s (8
hosts) to /8s (16777216 hosts) totalling 2,660,804,976 addresses (never
mind the 2552 IPv6 allocations/assignments totalling some mind-boggling
number like ~5.73e33 addresses). Let's see what's in the logs...

-rw-r--r-- 1 ftp1 ftp1 85679 Jun 15 06:00 delegated-afrinic-20080615
-rw-r--r-- 1 ftp1 ftp1 894326 Jun 15 11:17 delegated-apnic-20080615
-rw-r--r-- 1 ftp1 ftp1 2640786 Jun 15 04:01 delegated-arin-20080615
-rw-r--r-- 1 ftp1 ftp1 165528 Jun 16 03:30 delegated-lacnic-20080615
-rw-r--r-- 1 ftp1 ftp1 2244084 Jun 15 11:00 delegated-ripencc-20080615

(I grab these files ~04:00 UTC on the 16th of each month, which is
plenty often enough.) What's that, 6030403 bytes? 'wc' says that's a
total of 128062 lines of text. Each file (this is the delegated-afrinic
file) has a four line summary, then ASN lines in the form

afrinic|ZA|asn|1228|1|19910301|allocated

which is probably meaningless to you (which is OK - it's beyond most
people), then the IPv4 and IPv6 blocks in the form

afrinic|ZA|ipv4|41.0.0.0|2097152|20071126|allocated

and

afrinic|ZA|ipv6|2001:4200::|32|20051021|allocated

where the first field is the RIR, the second is the ISO-3166 country code
and the third is the type of record. For IPv4, the fourth field is the
_starting_ IP address, the fifth field is the number of addresses in the
block, the sixth is the date of the record, and the last field is either
'allocated' (assigned to an entity that will sub-assign the addresses) or
'assigned' (assigned to an entity that is an end user). The IPv6 data is
nearly identical, except that the fifth field is the width of the network
mask (here a /32 meaning 'ffff:ffff:0000:0000:0000:0000:0000:0000' which
allows for 79,228,162,514,264,337,593,543,950,336 hosts).

Very truthfully, unless you are experienced or knowledgeable in this type
of information, it's _very_ difficult to use. I've got a roughly 320 line
shell script that converts these files into something I can use, but it's
not very likely to be useful to others. I did see something recently, at
http://ibiblio.org/pub/linux/apps/www/misc/ip_to_country-0.2.tgz but as
you note this is a single IP lookup tool, and isn't much more useful (and
is less accurate) than a simple whois query.

[compton ~]$ whatis whois
whois (1) - client for the whois directory service
[compton ~]$

>Googling with things like:
>
> ip address by country chart -lookup
>
>Even nixing `lookup' I still get dozens of hits that are really
>nothing more than single IP lookup tools.

Yeah, that's reasonable. And the results are less than perfect. As
an example, my 'work' address is registered in New York state, but if
you were able to traceroute to it, the last address you'd see before
hitting the black hole of the firewall would be a backbone stub a few
miles South of San Francisco - yet I'm really located near Phoenix
Arizona, and the adjacent subnets are in France and Japan (we're a
large company) - but the toy tools for users might report anything.
Visual Traceroute (and several others) say all of these addresses are
in the Boston metro area for some reason. Most network geo-location
programs are absolute bull-droppings, and are totally useless.

>I know I've seen large charts showing large blocks of IP addresses
>assigned to various countries somewhere on line.

If you did, it would be horribly inaccurate, or nearly useless. Let's
look at something like China - people are always complaining about
them. China has 1448 allocations/assignments in IPv4-land and 32 more
in IPv6. I'm purposely ignoring the autonomous districts of Hong Kong
and Macau, and what many consider a separate country (Taiwan). Now just
looking at the first octet of the address, let's see where China is:

[compton ~]$ zgrep CN APNIC.gz | cut -d' ' -f2 | cut -d'.' -f1 | sort -n | uniq -c | column
43 58 36 118 40 125 1 168 41 211
34 59 70 119 1 134 1 169 64 218
38 60 27 120 1 159 4 192 41 219
86 61 43 121 1 161 1 198 16 220
18 114 25 122 1 162 321 202 63 221
49 116 44 123 1 166 95 203 64 222
34 117 68 124 1 167 75 210
[compton ~]$ zgrep CN APNIC.gz | cut -d' ' -f3 | sort | uniq -c | column
4 255.192.0.0 208 255.254.0.0 168 255.255.240.0
4 255.224.0.0 241 255.255.0.0 98 255.255.248.0
14 255.240.0.0 144 255.255.128.0 34 255.255.252.0
56 255.248.0.0 126 255.255.192.0 20 255.255.254.0
129 255.252.0.0 159 255.255.224.0 43 255.255.255.0
[compton ~]$

So, China has address ranges all over the lot, from 58.14.0.0 to
222.249.255.255, and 1446 other blocks, ranging in size from /24s up to
4 /11s and 4 /10s. But before you get out your shotgun and start
blazing away at /8s, let's look at that first /8 (58.x.x.x) and see who
else is there:

[compton ~]$ zgrep ' 58\.' APNIC.gz | cut -d' ' -f1 | sort | uniq -c | column
1 AF 4 HK 15 KR 5 PK 1 VN
24 AU 3 ID 4 MY 6 SG
5 BD 3 IN 2 NZ 8 TH
43 CN 30 JP 2 PH 4 TW
[compton ~]$

Do you know your ISO-3166 country codes? ;-) There are 124 /8s with
multiple countries - anywhere from 2 countries (currently 11 /8s) to
over 60 countries (5 /8s mainly serving Europe). There are only 50 /8s
allocated or assigned to single countries, and few of those are all
physically located in that given country.

Going to try to block hosts where the domain name is (for example) .cn?
Several problems there - first, there are 23 non-ISO-3166 domains, such
as .com, or .net and so on, and these may be registered/used in ANY
country (so all hosts in .cn may not have a .cn hostname). There are
several two-letter codes that are _not_ ISO-3166 country codes - such as
.ap (Asia-Pacific region) and .eu (European Union region). Second, as
noted above, this merely indicates where the domain is registered. It
says absolutely nothing about where it is physically. Third, all your
systems know about is the IP address, and you need to do a DNS lookup to
find the hostname. It may be of no surprise to learn that the network
administrators at many domains are too freakin' st00pid to know how to
set up the IP to hostname tables (even though it is required by various
RFCs). This is especially true in domains where a lot of abuse comes
from. A simple spam blocking technique used by mail servers is to
simply not accept mail from any host without an IP to hostname record in
the DNS.

Block _ALL_ addresses that you don't want connecting, not just those
from AD (Andorra) to ZW (Zimbabwe). You do this by 'white-listing'
approved addresses or address ranges. As I said, I allow connections
from just three ranges totalling 1530 addresses. It's a heck of a lot
less work maintaining those firewall rules.

Old guy
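To make the delegated-* record layout Moe describes concrete, here is a small parser added as an illustration (it is not Moe's 320-line script, and the sample records are constructed in that format, not an extract from the real RIR files). It turns each ipv4 record's start address and host count into CIDR blocks, splitting counts that are not a power of two, and reads ipv6 records as prefix lengths, so the result can feed an allow-list the way the thread recommends.

```python
import ipaddress

# Constructed sample in the RIR "delegated" format: a header line, the
# per-type summary lines, one asn record, then ipv4/ipv6 records.
# These are made-up records for the example, not real allocations.
SAMPLE = """\
2|afrinic|20080615|3|19910301|20080615|00:00
afrinic|*|asn|*|1|summary
afrinic|*|ipv4|*|1|summary
afrinic|*|ipv6|*|1|summary
afrinic|ZA|asn|1228|1|19910301|allocated
afrinic|ZA|ipv4|41.0.0.0|2097152|20071126|allocated
afrinic|ZA|ipv6|2001:4200::|32|20051021|allocated
apnic|CN|ipv4|222.168.0.0|131072|20040401|allocated
apnic|JP|ipv4|58.0.0.0|24576|20040101|allocated
apnic|HK|ipv4|58.64.0.0|65536|20040601|allocated
"""


def parse(text):
    """Yield (registry, country, type, network) for ipv4/ipv6 records.

    Header, summary and asn lines are skipped. For ipv4 the fifth field
    is a host count, so a count that is not a power of two yields more
    than one CIDR block; for ipv6 the fifth field is already a prefix length.
    """
    for raw in text.splitlines():
        fields = raw.strip().split("|")
        if len(fields) < 7 or fields[1] == "*" or fields[2] not in ("ipv4", "ipv6"):
            continue
        registry, cc, kind, start, value = fields[0], fields[1], fields[2], fields[3], int(fields[4])
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (value - 1)  # inclusive end of the delegated range
            for net in ipaddress.summarize_address_range(first, last):
                yield registry, cc, kind, net
        else:
            yield registry, cc, kind, ipaddress.IPv6Network(f"{start}/{value}")


def blocks_for_country(text, cc):
    """All CIDR blocks delegated to the given ISO-3166 code, as strings."""
    return [str(net) for _, country, _, net in parse(text) if country == cc]


def country_of(text, ip):
    """Country code of the delegation containing ip, or None if not delegated."""
    addr = ipaddress.ip_address(ip)
    for _, cc, _, net in parse(text):
        if addr.version == net.version and addr in net:
            return cc
    return None
```

Run against the real monthly files from the five RIRs the same functions give the per-country block lists; the 24576-host JP record shows why a count must be split (58.0.0.0/18 plus 58.0.64.0/19) rather than treated as one prefix.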

Posted by on June 22, 2008, 10:43 am
ibuprofin@painkiller.example.tld (Moe Trin) writes:

>
> Oh, Fsck! What you are asking for is enormous. What I'm using

Egad... all I can think to say is `UNCLE'.

Thanks for the detailed information.
It appears I'm in way over my head.

Posted by Moe Trin on June 22, 2008, 4:09 pm
On Sun, 22 Jun 2008, in the Usenet newsgroup comp.security.misc, in article

>ibuprofin@painkiller.example.tld (Moe Trin) writes:
>
>> Oh, Fsck! What you are asking for is enormous. What I'm using
>
>Egad... all I can think to say is `UNCLE'.

;-) The problem is that IP address assignments were never laid out in
a convenient way for filtering. If you look at the top of the IPv4 pile
(http://www.iana.org/assignments/ipv4-address-space), the range from
58.0.0.0 to 126.255.255.255 has a faint hint of some kind of order on
a regional basis, and if you look much harder you can even see traces of
a hint of some order in the 193.0.0.0 - 222.255.255.255 area, but that's
about it. RFC2050 "Internet Registry IP Allocation Guidelines" really
doesn't touch on the matter. Initially, address ranges were handed out
like it was going out of style, with little thought or planning - hence
the use of entire /8s for trivial use (your loopback interface accepts
127.0.0.0 through 127.255.255.255 as all meaning "me"). Now, it's
finally dawning on people that we're running out of IPv4 addresses
(as of last week, 71.79% of available addresses are allocated or
assigned), and new chunks are being handed out in much smaller sizes.
But it's still being handed out - between May 16th and June 15th,
China picked up 12 blocks, and overall the number of addresses used
went from 71.44% to 71.79% (up from 69.25% on 1/1/2008, and 60.6% only
three years ago).

>Thanks for the detailed information.
>It appears I'm in way over my head.

Nah, come on in - the water's fine. Just be aware that there is a lot
of it, and keep watching for those dorsal fins ;-)

Glad to be able to help!

Old guy
