The Orange Mane -  a Denver Broncos Fan Community

The Orange Mane - a Denver Broncos Fan Community (http://www.orangemane.com/BB/index.php)
-   Orange Mane Central Discussion (http://www.orangemane.com/BB/forumdisplay.php?f=6)
-   -   PSA: Blocking China (http://www.orangemane.com/BB/showthread.php?t=108075)

Garcia Bronco 10-17-2012 02:55 PM

PSA: Blocking China
 
For years, when a company hires me for IT consulting, the first thing I do it block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

Rabb 10-17-2012 02:57 PM

1. Get David Bruton on it
2. ???
3. profit

gyldenlove 10-17-2012 03:01 PM

Quote:

Originally Posted by Garcia Bronco (Post 3701018)
For years, when a company hires me for IT consulting, the first thing I do it block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

If they are dangerous enough to worry about they will know how to run everything through a proxy in a non-threatening country.

Garcia Bronco 10-17-2012 03:01 PM

Quote:

Originally Posted by Rabb (Post 3701020)
1. Get David Bruton on it
2. ???
3. profit

David Bruton collects underwear?

Block it at your firewall.

Bronco Yoda 10-17-2012 03:05 PM

Sounds like good advice. This just isn't idiot proof enough for me. Maybe my 11 year old can help me out. She did set my last phone up for me. LOL

Rohirrim 10-17-2012 03:06 PM

I thought Garcia was starting a thread about setting the table.

Garcia Bronco 10-17-2012 03:14 PM

Quote:

Originally Posted by gyldenlove (Post 3701026)
If they are dangerous enough to worry about they will know how to run everything through a proxy in a non-threatening country.

True. All true. But it clears out the suckers in the least.

cutthemdown 10-17-2012 03:55 PM

Quote:

Originally Posted by Garcia Bronco (Post 3701044)
True. All true. But it clears out the suckers in the least.

In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.

Rascal 10-17-2012 04:41 PM

how do you do that?

extralife 10-17-2012 04:58 PM

Quote:

Originally Posted by cutthemdown (Post 3701083)
In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.

all of the billion chinese are out to get your computer

Garcia Bronco 10-17-2012 04:59 PM

Quote:

Originally Posted by Rascal (Post 3701119)
how do you do that?

You would block them at your firewall. You can do that on your PC if it has one, or you can at your wireless router depending upon it's configuration-options.

I can't tell every home user how to do this due to the all the different configuration options

But a simple design from the outside-in would be

---->Internet Connection ----->router/firewall------->internal home network. You would block them from an IP address perspective at the router/firewall. The router/firewall can be two separate devices. Shop around. Ask questions at your local store. Do some google searches. Then tell people you're a security guru.

Garcia Bronco 10-17-2012 05:01 PM

Quote:

Originally Posted by cutthemdown (Post 3701083)
In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.

Well no...you can't just proxy a non-routed network. their Government could, but some dude living up the street most likely cannot. IPv6 opens-up a different can of worms, but still block-able.

cmhargrove 10-17-2012 05:23 PM

Well, where the hell do you want me to buy my fake jerseys from? Sheesh.

DenverBroncosJM 10-17-2012 05:46 PM

Today is a great day for me..

I just won the Nigerian lottery, a BMW and a superhot Model from Russia is wery interstdn metting ne.

Bad news? I apparently need viagra and cialis...a lot of it too by the amount of emails.

Ahh I love checking my AOL

ShutDownPoster 10-17-2012 05:58 PM

<iframe width="560" height="315" src="http://www.youtube.com/embed/3ema7lfEAMk" frameborder="0" allowfullscreen></iframe>

Broncos4tw 10-17-2012 06:43 PM

Meh, not really worth it imo. It's time better spent to simply properly protect your computer / servers / website / whatever you are doing. If properly protected, those IP ranges really won't matter.

v2micca 10-17-2012 08:59 PM

Quote:

Originally Posted by Broncos4tw (Post 3701213)
Meh, not really worth it imo. It's time better spent to simply properly protect your computer / servers / website / whatever you are doing. If properly protected, those IP ranges really won't matter.


And part of properly protecting your network is limiting IP ranges. At my job, I can't legally block countries out of hand. But you can be damn sure the only traffic I'm allowing from them is port 80 and 443.

HAT 10-17-2012 09:11 PM

Or.....

:garcia:

Broncos4tw 10-17-2012 10:44 PM

Except that the chance of a direct attack from one of those countries is just about nil, unless you nab yourself a trojan or click on a phishing link. Blocking these ranges does what for you? It won't stop emails from these countries. You need different software for that. Almost all attacks hit hundreds of thousands or millions of IP addresses, and takes advantage of those machines that are not protected.

The truth of the matter is you have more to worry about from your own government than some random phishing scheme curtsey of CZ or some other European country. Most of the attacks I see are not from Russia, China, or Nigeria. They are typically from Czechoslovakia, Germany, etc. Or.. from somewhere in the good ol' U.S. And any attack worth a damn is going to not going to be hosted via those countries, as you must know. So again, blocking them does you nothing.

If you are THAT concerned about your privacy, I imagine you use Tor? No? Have you turned off Javascript in Adobe, as well as not allowing non-PDF files attachments to open?

I've been doing computer related work for over 25 years - the only times I've had any direct attacks they were always within the U.S. (perhaps originating in another country). When I do security checks on computers, the # of poor practices, lack of updates, lack of browser security, etc. are much MUCH more pressing concerns.

Just saying.. I think blocking IP ranges does almost nothing at all. And it's funny someone might be wasting their time doing that, while happily downloading from torrentz sites, and not securing the many holes in their basic computer security. Btw.. if you must download, don't use torrentz.. use irc.

Garcia Bronco 10-17-2012 10:49 PM

Quote:

Originally Posted by v2micca (Post 3701278)
And part of properly protecting your network is limiting IP ranges. At my job, I can't legally block countries out of hand. But you can be damn sure the only traffic I'm allowing from them is port 80 and 443.

If you have to do business with people in those countries then you really have no choice.

Garcia Bronco 10-17-2012 10:54 PM

Quote:

Originally Posted by Broncos4tw (Post 3701319)
Except that the chance of a direct attack from one of those countries is just about nil, unless you nab yourself a trojan or click on a phishing link. Blocking these ranges does what for you? It won't stop emails from these countries. You need different software for that. Almost all attacks hit hundreds of thousands or millions of IP addresses, and takes advantage of those machines that are not protected.

The truth of the matter is you have more to worry about from your own government than some random phishing scheme curtsey of CZ or some other European country. Most of the attacks I see are not from Russia, China, or Nigeria. They are typically from Czechoslovakia, Germany, etc. Or.. from somewhere in the good ol' U.S. And any attack worth a damn is going to not going to be hosted via those countries, as you must know. So again, blocking them does you nothing.

If you are THAT concerned about your privacy, I imagine you use Tor? No? Have you turned off Javascript in Adobe, as well as not allowing non-PDF files attachments to open?

I've been doing computer related work for over 25 years - the only times I've had any direct attacks they were always within the U.S. (perhaps originating in another country). When I do security checks on computers, the # of poor practices, lack of updates, lack of browser security, etc. are much MUCH more pressing concerns.

Just saying.. I think blocking IP ranges does almost nothing at all. And it's funny someone might be wasting their time doing that, while happily downloading from torrentz sites, and not securing the many holes in their basic computer security. Btw.. if you must download, don't use torrentz.. use irc.

My current company gets poked by China alone a million times a week. We block it all sorts of ways. Regardless of whether its your business or your home, decent security needs a multipath approach. Not only do you have to protect your network by limiting IP ranges, but you should AV protect your machines. You should also educate your household on social engineering. Including emails, phone calls, and visitors to the house.

Broncos4tw 10-17-2012 11:03 PM

Well, I don't know why any business would block a country, that's nuts. The last two companies I've worked for did quite a bit of business with China (one had an office there). Sort of difficult if you block them.

I agree about businesses and AV - but you need multiple products to actually protect. I am building a new SSEP server at the moment, but we have two other AV packages as well in our infrastructure, along with our Sonicwall and our spam blockers of course. At home, one is fine.. if that. I haven't had an AV live protection product in probably 10 years on my home PC. Most live protection is of little use to be honest. Some is pathetic (Forefront, etc.) I do a ton of stuff on the Internet, I've never been hit or infected. Because it's other protection that's more important.

Consider the points of entry onto your computer, be it ports, programs, javascript, activex, email attachments, browsers, etc. - if you have proper protection on those points, then it doesn't matter what IPs you block.

You do NOT "have" to limit IP ranges. That's ludicrous.

chadta 10-18-2012 04:08 AM

I still maintain that 99% of all computer problems are between the keyboard and the chair. Teach people to be semi smart about how they use them and you should be ok. My kids are now 9 and 11, they have had their own computers since they were 2 or 3, nothing more than MSE and common sense, they have yet to do any real damage. Dont open or click anything you didnt ask for goes along way.

v2micca 10-18-2012 05:04 AM

Quote:

Originally Posted by Broncos4tw (Post 3701327)
Well, I don't know why any business would block a country, that's nuts. The last two companies I've worked for did quite a bit of business with China (one had an office there). Sort of difficult if you block them.

You block a country because of lack of international regulation and extradition treaty. The hackers know which countries are going to let them get away with crap. So, those are the countries where they set up their remote proxies and servers. Certain ranges are just notorious and its not worth the risk to allow them.

HILife 10-18-2012 05:14 AM

Quote:

Originally Posted by Garcia Bronco (Post 3701325)
My current company gets poked by China alone a million times a week. We block it all sorts of ways. Regardless of whether its your business or your home, decent security needs a multipath approach. Not only do you have to protect your network by limiting IP ranges, but you should AV protect your machines. You should also educate your household on social engineering. Including emails, phone calls, and visitors to the house.

Defense-in-depth. Also switch from windows to Linux or Mac. I use both Windows and Linux laptops. Linux is my daily driver and Windows is for the things I can't do with Linux.


All times are GMT -7. The time now is 01:59 PM.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.