I've used Tim's block sets for a while in my own FOAD rule, but I ended up 
having to adjust the policy because of the toolsets I provide to the folks that 
are trying to do a good day's work in those same locations.

Yes; there are plenty of good folks, computers and networks in China and other 
countries, but the sad fact is these countries also represent the 
network-sources (even if, as has been stated, not the "true" source) of the 
majority of attacks. My own firewall logs validate this.

How you use the lists Tim provides is a matter of personal choice according to 
your capabilities and priorities. If your firewall is smart enough to ignore 
anyone trying to bash your network or play silly buggers in the upper layers, 
then you may feel that an IP-based block set is overkill.  If, like so many, 
your firewall operates primarily at L4 and below, this data may prove very 
valuable.

Frankly, I like that someone has taken the time to do the numbers and produce 
the data; even if I can't use it the way I'd prefer.

Jim

-----Original Message-----
From: Thor (Hammer of God) [mailto:t...@hammerofgod.com] 
Sent: Friday, January 15, 2010 10:05 AM
To: Gadi Evron
Cc: bugtraq@securityfocus.com
Subject: RE: All China, All The Time

Inline:


> Subject: Re: All China, All The Time
> The solution of blocking China, however, is one which harms both people
> outside of China, as well as those inside of China. Therefore, it
> translates into an attack on them.
> 
> Looking at this operationally:
> 
> 1. Functionality
> 
>       Do you have clients who need to interconnect with China's
>       networks, or expect people to connect to you from China?
> 
>       If so, the cost of security by blocking may be unjustifiable.

Absolutely - If possible, please read the article at:
http://www.securityfocus.com/infocus/1900/1

It's dated, but the concepts hold true.  The entire implementation is based on 
research and analysis, and of course, business applicability.  To be sure, I 
receive significant US-based attack traffic, but I can't block that for 
business reasons.  Unfortunately, many people see "block China" and immediately 
say "oh, that's unrealistic and ineffective."  This is not an Internet based 
suggestion - it is simply a toolset one may use to implement 
country-by-country, protocol-by-protocol based access policy.  It's the same 
thing we do now from a protocol standpoint, but this simply allows one to 
aggregate data by geographic location.  I have no business need for traffic 
to/from China and many other countries (which I also block) so even in the 
absence of hard attack traffic, "least privilege" dictates that it is valid to 
disallow traffic from sources that are not needed. 


> 
> 2. Urgency
> 
>       If a lot of IP sources attack you from China RIGHT NOW, and you
>       need immediate mitigation, blocking China short-term may work,
>       but obviously not as a permanent solution.

Of course.  You can apply the sets without blocking.  In fact, I recommend that 
FIRST in the article.  That way you can report on and analyze traffic from 
sources to make your own decisions on an ongoing basis.  When the time comes, 
you can change your policy as needed.  I currently block traffic from Russia, 
but I might start allowing in SMTP since this Anastasia chick I get emails from 
on my other address seems pretty hot.  :)


> 
> As to "getting rid" or "refusing to connect with" networks with
> extremely bad reputation, that may be quite acceptable on an individual
> basis, but not on the Internet-scale, as things stand right now.

Totally agreed.  Sorry if I said something that inferred any scale above 
individual/corporate. 

> 
> When I facilitated making Atrivo (and others) no longer welcome on the
> Internet, it was a brand new move, and it helped change the social
> belief of "don't be the Internet's firewall" to "some bad actors
> shouldn't be here, but generally don't be the Internet's firewall."
> 
> Such social change to encourage new technological and operational
> solutions happens every 2-5 years or so, and I don't expect anything
> large enough such as an AS-based reputation system to happen anytime
> soon.

And, of course, there's nothing to say this will have any effect on attacks 
from "evil" people in the countries I block when they can easily source the 
attacks from networks I allow.  It just provides security-in-depth.


> 
> Also, you should consider that such actions also have direct political
> and diplomatic ramifications neither of us understands.
>
> 
> So, for now, I'd say that each of us should make such decisions by our
> own risk analysis with the trade-off between costs and benefits in
> mind,
> and only for our own networks.

You and I seem perfectly aligned on that, as I state in the article. I would 
hope that other people would read it first without jumping to the conclusion 
that I'm making sweeping blocking suggestions (not saying you are). 

> 
> Aside to that, I know some people in China who work very hard on
> security, and do a better job than we do at it. But that does not mean
> the situation as it stands now is acceptable.

Agreed, and noted above. 

T




> 
> > IOW, I really don't think the tag had that much to do with it now...
> 
> People are just picking on you because they can. I can only share how I
> see such Internet discussions.
> 
> Cost of doing business, just consider your responses on a level of
> (time == money) && what your response would gain for you or the community. If
> the answer is nothing, then examine whether you still believe it is
> worth it. If yes, just do it. If not, move along.
> 
> That is my basic guideline after years of trial by fire.
> 
> Also, you will always be misunderstood, be careful in your language,
> but not so much that tl;dr. State your case with the obvious exceptions,
> and discuss misunderstandings later. As trying to anticipate everything as
> an opposite example to just saying what you think would mean people
> will just nitpick on one lower-hanging fruit item, or ignore.
> 
>       Gadi.
> 
> >
> > T
> >
> >
> >
> >> -----Original Message-----
> >> From: Gadi Evron [mailto:g...@linuxbox.org]
> >> Sent: Thursday, January 14, 2010 6:27 PM
> >> To: Thor (Hammer of God)
> >> Cc: bugtraq@securityfocus.com
> >> Subject: Re: All China, All The Time
> >>
> >> On 1/14/10 8:09 AM, Thor (Hammer of God) wrote:
> >>> So, apparently my "witty" tag via Google Translate means something I
> >>> didn't quite mean.  Surprise, surprise.  Luckily it wasn't something
> >>> vulgar, (that's what I get for trusting Google Translate and trying to
> >>> be funny) but what I meant it to say was "If you can read this, don't
> >>> bother replying because my servers won't get it."  However, it seems to
> >>> mean something like "don't reply because you are not welcome here" or
> >>> similar.  That wasn't my intention, as it seems to infer I actually
> >>> have something against the Chinese people and not their networks, which
> >>> I take issue with.
> >>>
> >>> Sorry for the poorly translated reference.
> >>
> >> People always try and send me Hebrew using Google Translate... it's
> >> usually word for word which means it breaks sentence structure. Then it
> >> misses context, translating words with different meanings. Then it
> >> completely mistranslates by using the root of the word, or similar,
> >> anything it doesn't know.
> >>
> >> All in all, while it can't be confused with real Hebrew, it is quite
> >> clear.
> >>
> >> Chinese seems a bit (understatement) more complicated, though. Hebrew,
> >> while hard to learn at first, is a very easy language when considering
> >> most parameters.
> >>
> >>    Gadi.
> >>
> >>
> >> --
> >> Gadi Evron,
> >> g...@linuxbox.org.
> >>
> >> Blog: http://gevron.livejournal.com/
> >
> 
> 
> --
> Gadi Evron,
> g...@linuxbox.org.
> 
> Blog: http://gevron.livejournal.com/
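The log-first, country-by-country, protocol-by-protocol access policy that Thor describes (apply the sets in report-only mode, analyze traffic per source, then tighten to enforcement, with per-protocol exceptions such as allowing SMTP from a country that is otherwise blocked), as an added example that is not part of this thread, the referenced article, or Thor's block sets. The CIDR ranges, the policy table and the log lines are constructed placeholders for illustration and do not correspond to real country allocations; a deployment would load published per-country sets instead. The iptables rendering at the end is illustrative of the rule shape, not a drop-in ruleset.

```python
"""Country-by-country, protocol-by-protocol policy evaluated over firewall logs.

Added example, not code from the thread or the article. CIDR sets, policy and
log lines below are constructed placeholders, not real country allocations.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed country sets (placeholders, not real allocations).
COUNTRY_SETS = {
    "CN": [ip_network("203.0.113.0/24")],
    "RU": [ip_network("198.51.100.0/24")],
    "US": [ip_network("192.0.2.0/24")],
}

# Per-country allow list of (proto, dport). A country absent from the table has
# no business need, so least privilege means nothing from it is accepted.
POLICY = {
    "US": {("tcp", 25), ("tcp", 80), ("tcp", 443)},  # full business need
    "RU": {("tcp", 25)},                             # SMTP only, nothing else
}

# Constructed iptables-style log lines (not captured from a real firewall).
SAMPLE_LOG = [
    "IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22",
    "IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22",
    "IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25",
    "IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=445",
    "IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443",
    "IN=eth0 SRC=10.9.8.7 DST=192.0.2.10 PROTO=UDP SPT=40006 DPT=53",
]


def country_of(ip):
    """Map a source address to a country code via the CIDR sets, else UNKNOWN."""
    addr = ip_address(ip)
    for cc, nets in COUNTRY_SETS.items():
        if any(addr in net for net in nets):
            return cc
    return "UNKNOWN"


def parse_line(line):
    """Extract (src, proto, dport) from a KEY=VALUE style firewall log line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["SRC"], fields["PROTO"].lower(), int(fields.get("DPT", 0))


def decide(cc, proto, dport, mode="monitor"):
    """Policy verdict: ACCEPT if allowed; otherwise LOG (monitor) or DROP (enforce)."""
    if (proto, dport) in POLICY.get(cc, set()):
        return "ACCEPT"
    return "LOG" if mode == "monitor" else "DROP"


def evaluate(lines, mode="monitor"):
    """Return a per-(country, proto, port) report and the per-line decisions."""
    report = Counter()
    decisions = []
    for line in lines:
        src, proto, dport = parse_line(line)
        cc = country_of(src)
        report[(cc, proto, dport)] += 1
        decisions.append((src, cc, decide(cc, proto, dport, mode)))
    return report, decisions


def country_totals(report):
    """Collapse the detailed report to hits per country, for the 'analyze' step."""
    totals = Counter()
    for (cc, _proto, _port), n in report.items():
        totals[cc] += n
    return totals


def render_rules(mode="monitor"):
    """Render the policy as illustrative iptables-style rules: explicit per-port
    accepts first, then a catch-all LOG (monitor) or DROP (enforce) per set."""
    rules = []
    for cc, nets in COUNTRY_SETS.items():
        for net in nets:
            for proto, port in sorted(POLICY.get(cc, set())):
                rules.append(f"iptables -A INPUT -s {net} -p {proto} --dport {port} -j ACCEPT")
            tail = f'-j LOG --log-prefix "GEO-{cc} "' if mode == "monitor" else "-j DROP"
            rules.append(f"iptables -A INPUT -s {net} {tail}")
    return rules


if __name__ == "__main__":
    report, decisions = evaluate(SAMPLE_LOG, mode="monitor")
    for key, n in sorted(report.items()):
        print(key, n)
    print(country_totals(report))
    for rule in render_rules(mode="enforce"):
        print(rule)
```

Running it in monitor mode first gives the per-country, per-port counts on which a blocking decision can be based; switching `mode` to `enforce` changes only the catch-all rule per set, so the per-protocol exceptions (here, SMTP from RU) keep working while everything else from that set is dropped.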
