PSA: Blocking China


Garcia Bronco
10-17-2012, 02:55 PM
For years, when a company hires me for IT consulting, the first thing I do is block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

Rabb
10-17-2012, 02:57 PM
1. Get David Bruton on it
2. ???
3. profit

gyldenlove
10-17-2012, 03:01 PM
For years, when a company hires me for IT consulting, the first thing I do is block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

If they are dangerous enough to worry about they will know how to run everything through a proxy in a non-threatening country.

Garcia Bronco
10-17-2012, 03:01 PM
1. Get David Bruton on it
2. ???
3. profit

David Bruton collects underwear?

Block it at your firewall.

Bronco Yoda
10-17-2012, 03:05 PM
Sounds like good advice. This just isn't idiot proof enough for me. Maybe my 11 year old can help me out. She did set my last phone up for me. LOL

Rohirrim
10-17-2012, 03:06 PM
I thought Garcia was starting a thread about setting the table.

Garcia Bronco
10-17-2012, 03:14 PM
If they are dangerous enough to worry about they will know how to run everything through a proxy in a non-threatening country.

True. All true. But it clears out the suckers in the least.

cutthemdown
10-17-2012, 03:55 PM
True. All true. But it clears out the suckers in the least.

In a country of billions I'm sure not all of them are sophisticated enough to use proxy servers. Good advice.

Rascal
10-17-2012, 04:41 PM
how do you do that?

extralife
10-17-2012, 04:58 PM
In a country of billions I'm sure not all of them are sophisticated enough to use proxy servers. Good advice.

all of the billion chinese are out to get your computer

Garcia Bronco
10-17-2012, 04:59 PM
how do you do that?

You would block them at your firewall. You can do that on your PC if it has one, or you can at your wireless router depending upon its configuration options.

I can't tell every home user how to do this due to all the different configuration options.

But a simple design from the outside-in would be

---->Internet Connection ----->router/firewall------->internal home network. You would block them from an IP address perspective at the router/firewall. The router/firewall can be two separate devices. Shop around. Ask questions at your local store. Do some google searches. Then tell people you're a security guru.

Garcia Bronco
10-17-2012, 05:01 PM
In a country of billions I'm sure not all of them are sophisticated enough to use proxy servers. Good advice.

Well no...you can't just proxy a non-routed network. Their government could, but some dude living up the street most likely cannot. IPv6 opens up a different can of worms, but still block-able.

cmhargrove
10-17-2012, 05:23 PM
Well, where the hell do you want me to buy my fake jerseys from? Sheesh.

DenverBroncosJM
10-17-2012, 05:46 PM
Today is a great day for me..

I just won the Nigerian lottery, a BMW and a superhot Model from Russia is wery interstdn metting ne.

Bad news? I apparently need viagra and cialis...a lot of it too by the amount of emails.

Ahh I love checking my AOL

ShutDownPoster
10-17-2012, 05:58 PM
http://www.youtube.com/embed/3ema7lfEAMk

Broncos4tw
10-17-2012, 06:43 PM
Meh, not really worth it imo. It's time better spent to simply properly protect your computer / servers / website / whatever you are doing. If properly protected, those IP ranges really won't matter.

v2micca
10-17-2012, 08:59 PM
Meh, not really worth it imo. It's time better spent to simply properly protect your computer / servers / website / whatever you are doing. If properly protected, those IP ranges really won't matter.


And part of properly protecting your network is limiting IP ranges. At my job, I can't legally block countries out of hand. But you can be damn sure the only traffic I'm allowing from them is port 80 and 443.
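Added example (not code from any poster in this thread): one way to turn a downloaded range list into the two policies discussed above, a full block at the firewall or "only ports 80 and 443" from the listed ranges, as an nftables ruleset covering IPv4 and IPv6. It assumes a Linux host or router running nftables; the table and set names are hypothetical, and the ranges are documentation prefixes standing in for a real per-country list.

```python
import ipaddress

# Constructed sample input: RFC 5737 / RFC 3849 documentation ranges standing in
# for a downloaded per-country list (real lists have thousands of entries).
SAMPLE_RANGES = """
# comment lines and blanks are ignored
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
2001:db8::/32
"""

def parse_ranges(text):
    """Return (v4, v6) networks, merged: interval sets must not hold overlaps."""
    nets = [ipaddress.ip_network(line.split("#")[0].strip(), strict=False)
            for line in text.splitlines() if line.split("#")[0].strip()]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6

def is_blocked(addr, v4, v6):
    """True if addr falls inside any listed range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in (v4 if ip.version == 4 else v6))

def build_ruleset(v4, v6, allow_ports=()):
    """Emit an nftables ruleset; allow_ports stay reachable from listed ranges."""
    def nft_set(name, kind, nets):
        elems = ", ".join(str(n) for n in nets)
        body = f"        elements = {{ {elems} }}\n" if nets else ""
        return (f"    set {name} {{\n        type {kind}\n"
                f"        flags interval\n{body}    }}\n")
    rules = ["ct state established,related accept"]  # replies to our own outbound
    for fam, name in (("ip", "geo_v4"), ("ip6", "geo_v6")):
        if allow_ports:
            ports = ", ".join(str(p) for p in allow_ports)
            rules.append(f"{fam} saddr @{name} tcp dport {{ {ports} }} accept")
        rules.append(f"{fam} saddr @{name} drop")
    chain = "".join(f"        {r}\n" for r in rules)
    return ("table inet geo_filter {\n"
            + nft_set("geo_v4", "ipv4_addr", v4)
            + nft_set("geo_v6", "ipv6_addr", v6)
            + "    chain input {\n"
            "        type filter hook input priority 0; policy accept;\n"
            + chain + "    }\n}\n")

if __name__ == "__main__":
    v4, v6 = parse_ranges(SAMPLE_RANGES)
    print(build_ruleset(v4, v6, allow_ports=(80, 443)))
```

The rules filter inbound connections only; the established/related rule keeps replies to connections started from inside working, and a router protecting other machines would need the same rules in a forward-hook chain.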

HAT
10-17-2012, 09:11 PM
Or.....

:garcia:

Broncos4tw
10-17-2012, 10:44 PM
Except that the chance of a direct attack from one of those countries is just about nil, unless you nab yourself a trojan or click on a phishing link. Blocking these ranges does what for you? It won't stop emails from these countries. You need different software for that. Almost all attacks hit hundreds of thousands or millions of IP addresses, and take advantage of those machines that are not protected.

The truth of the matter is you have more to worry about from your own government than some random phishing scheme courtesy of CZ or some other European country. Most of the attacks I see are not from Russia, China, or Nigeria. They are typically from Czechoslovakia, Germany, etc. Or.. from somewhere in the good ol' U.S. And any attack worth a damn is not going to be hosted via those countries, as you must know. So again, blocking them does you nothing.

If you are THAT concerned about your privacy, I imagine you use Tor? No? Have you turned off Javascript in Adobe, as well as not allowing non-PDF files attachments to open?

I've been doing computer related work for over 25 years - the only times I've had any direct attacks they were always within the U.S. (perhaps originating in another country). When I do security checks on computers, the # of poor practices, lack of updates, lack of browser security, etc. are much MUCH more pressing concerns.

Just saying.. I think blocking IP ranges does almost nothing at all. And it's funny someone might be wasting their time doing that, while happily downloading from torrentz sites, and not securing the many holes in their basic computer security. Btw.. if you must download, don't use torrentz.. use irc.

Garcia Bronco
10-17-2012, 10:49 PM
And part of properly protecting your network is limiting IP ranges. At my job, I can't legally block countries out of hand. But you can be damn sure the only traffic I'm allowing from them is port 80 and 443.

If you have to do business with people in those countries then you really have no choice.

Garcia Bronco
10-17-2012, 10:54 PM
Except that the chance of a direct attack from one of those countries is just about nil, unless you nab yourself a trojan or click on a phishing link. Blocking these ranges does what for you? It won't stop emails from these countries. You need different software for that. Almost all attacks hit hundreds of thousands or millions of IP addresses, and take advantage of those machines that are not protected.

The truth of the matter is you have more to worry about from your own government than some random phishing scheme courtesy of CZ or some other European country. Most of the attacks I see are not from Russia, China, or Nigeria. They are typically from Czechoslovakia, Germany, etc. Or.. from somewhere in the good ol' U.S. And any attack worth a damn is not going to be hosted via those countries, as you must know. So again, blocking them does you nothing.

If you are THAT concerned about your privacy, I imagine you use Tor? No? Have you turned off Javascript in Adobe, as well as not allowing non-PDF files attachments to open?

I've been doing computer related work for over 25 years - the only times I've had any direct attacks they were always within the U.S. (perhaps originating in another country). When I do security checks on computers, the # of poor practices, lack of updates, lack of browser security, etc. are much MUCH more pressing concerns.

Just saying.. I think blocking IP ranges does almost nothing at all. And it's funny someone might be wasting their time doing that, while happily downloading from torrentz sites, and not securing the many holes in their basic computer security. Btw.. if you must download, don't use torrentz.. use irc.

My current company gets poked by China alone a million times a week. We block it all sorts of ways. Regardless of whether it's your business or your home, decent security needs a multipath approach. Not only do you have to protect your network by limiting IP ranges, but you should AV protect your machines. You should also educate your household on social engineering. Including emails, phone calls, and visitors to the house.

Broncos4tw
10-17-2012, 11:03 PM
Well, I don't know why any business would block a country, that's nuts. The last two companies I've worked for did quite a bit of business with China (one had an office there). Sort of difficult if you block them.

I agree about businesses and AV - but you need multiple products to actually protect. I am building a new SSEP server at the moment, but we have two other AV packages as well in our infrastructure, along with our Sonicwall and our spam blockers of course. At home, one is fine.. if that. I haven't had an AV live protection product in probably 10 years on my home PC. Most live protection is of little use to be honest. Some is pathetic (Forefront, etc.) I do a ton of stuff on the Internet, I've never been hit or infected. Because it's other protection that's more important.

Consider the points of entry onto your computer, be it ports, programs, javascript, activex, email attachments, browsers, etc. - if you have proper protection on those points, then it doesn't matter what IPs you block.

You do NOT "have" to limit IP ranges. That's ludicrous.

chadta
10-18-2012, 04:08 AM
I still maintain that 99% of all computer problems are between the keyboard and the chair. Teach people to be semi smart about how they use them and you should be ok. My kids are now 9 and 11, they have had their own computers since they were 2 or 3, nothing more than MSE and common sense, they have yet to do any real damage. Don't open or click anything you didn't ask for goes a long way.

v2micca
10-18-2012, 05:04 AM
Well, I don't know why any business would block a country, that's nuts. The last two companies I've worked for did quite a bit of business with China (one had an office there). Sort of difficult if you block them.


You block a country because of lack of international regulation and extradition treaty. The hackers know which countries are going to let them get away with crap. So, those are the countries where they set up their remote proxies and servers. Certain ranges are just notorious and it's not worth the risk to allow them.

HILife
10-18-2012, 05:14 AM
My current company gets poked by China alone a million times a week. We block it all sorts of ways. Regardless of whether it's your business or your home, decent security needs a multipath approach. Not only do you have to protect your network by limiting IP ranges, but you should AV protect your machines. You should also educate your household on social engineering. Including emails, phone calls, and visitors to the house.

Defense-in-depth. Also switch from windows to Linux or Mac. I use both Windows and Linux laptops. Linux is my daily driver and Windows is for the things I can't do with Linux.

Drek
10-18-2012, 05:48 AM
For years, when a company hires me for IT consulting, the first thing I do is block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

Valid warning.

I've reported three different IPs myself to the FBI from China, trying to hack my home PC (all failed attempts).

The average person needs to have Peerblock installed with a nice selection of I-Blocklist IP lists to refuse. It will save you a TON of hassle down the road and is the ultimate screening tool to prevent contact with the shadier elements of the internet.

maher_tyler
10-18-2012, 06:11 AM
1. How does a person go about blocking these IP addresses? I've never heard of doing this or how to do it.

2. How do you know if someone is trying to access your computer? Aren't Spy sweepers and Anti-Virus enough?

Chris
10-18-2012, 08:36 AM
For years, when a company hires me for IT consulting, the first thing I do is block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

Seeing as I grew up in HK and my dad lives in China, this will be tough. Generally speaking I'd agree though.

Garcia Bronco
10-18-2012, 12:14 PM
Seeing as I grew up in HK and my dad lives in China, this will be tough. Generally speaking I'd agree though.

Yeah...it's not going to fit everyone's needs, but .....

Chris
10-18-2012, 02:23 PM
Yeah...it's not going to fit everyone's needs, but .....

Also is there a way i can still connect to russianbrides.ru while still blocking out this guy?

http://24.media.tumblr.com/tumblr_lgddrkQmPC1qzw1e8o1_500.gif

LongDongJohnson
10-18-2012, 02:53 PM
Internet Porn is all I care about.

Screw China. As long as they don't fill my PC with poop porn I'm good.

Willynowei
10-18-2012, 03:43 PM
A country of 1.6 billion whose people are routinely shut off from full access of the world wide web; whose youth almost unanimously hates this and have installed socks proxies on every device including their freaking IPAD to play videogames that are banned in the country....

yeah, you're doing a lot by blocking out requests from that country.

Good luck.

In other news, today, I installed a 3 feet high wooden fence around my backyard to prevent my child from being kidnapped.

Garcia Bronco
10-19-2012, 09:04 AM
A country of 1.6 billion whose people are routinely shut off from full access of the world wide web; whose youth almost unanimously hates this and have installed socks proxies on every device including their freaking IPAD to play videogames that are banned in the country....

yeah, you're doing a lot by blocking out requests from that country.

Good luck.

In other news, today, I installed a 3 feet high wooden fence around my backyard to prevent my child from being kidnapped.

They can't proxy an IP that's not a route on their country's network the same way someone in my network can't just use any IP to do anything.