PSA: Blocking China

[Garcia Bronco]

For years, when a company hires me for IT consulting, the first thing I do it block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

[Rabb]

1. Get David Bruton on it
2.
3. profit

[Garcia Bronco]

Quote:

Originally Posted by Rabb

1. Get David Bruton on it
2.
3. profit

David Bruton collects underwear?

Block it at your firewall.

[gyldenlove]

Quote:

Originally Posted by Garcia Bronco

For years, when a company hires me for IT consulting, the first thing I do it block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

If they are dangerous enough to worry about they will know how to run everything through a proxy in a non-threatening country.

[Garcia Bronco]

Quote:

Originally Posted by gyldenlove

If they are dangerous enough to worry about they will know how to run everything through a proxy in a non-threatening country.

True. All true. But it clears out the suckers in the least.

[cutthemdown]

Quote:

Originally Posted by Garcia Bronco

True. All true. But it clears out the suckers in the least.

In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.

[extralife]

Quote:

Originally Posted by cutthemdown

In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.

all of the billion chinese are out to get your computer

[Garcia Bronco]

Quote:

Originally Posted by cutthemdown

In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.

Well no...you can't just proxy a non-routed network. their Government could, but some dude living up the street most likely cannot. IPv6 opens-up a different can of worms, but still block-able.

[cmhargrove]

Well, where the hell do you want me to buy my fake jerseys from? Sheesh.

[Bronco Yoda]

Sounds like good advice. This just isn't idiot proof enough for me. Maybe my 11 year old can help me out. She did set my last phone up for me.

[Rohirrim]

I thought Garcia was starting a thread about setting the table.

[Rascal]

how do you do that?

[Garcia Bronco]

Quote:

Originally Posted by Rascal

how do you do that?

You would block them at your firewall. You can do that on your PC if it has one, or you can at your wireless router depending upon it's configuration-options.

I can't tell every home user how to do this due to the all the different configuration options

But a simple design from the outside-in would be

---->Internet Connection ----->router/firewall------->internal home network. You would block them from an IP address perspective at the router/firewall. The router/firewall can be two separate devices. Shop around. Ask questions at your local store. Do some google searches. Then tell people you're a security guru.

[DenverBroncosJM]

Today is a great day for me..

I just won the Nigerian lottery, a BMW and a superhot Model from Russia is wery interstdn metting ne.

Bad news? I apparently need viagra and cialis...a lot of it too by the amount of emails.

Ahh I love checking my AOL

[ShutDownPoster]

[Broncos4tw]

Meh, not really worth it imo. It's time better spent to simply properly protect your computer / servers / website / whatever you are doing. If properly protected, those IP ranges really won't matter.

[v2micca]

Quote:

Originally Posted by Broncos4tw

Meh, not really worth it imo. It's time better spent to simply properly protect your computer / servers / website / whatever you are doing. If properly protected, those IP ranges really won't matter.

And part of properly protecting your network is limiting IP ranges. At my job, I can't legally block countries out of hand. But you can be damn sure the only traffic I'm allowing from them is port 80 and 443.

[HAT]

Or.....

[Broncos4tw]

Except that the chance of a direct attack from one of those countries is just about nil, unless you nab yourself a trojan or click on a phishing link. Blocking these ranges does what for you? It won't stop emails from these countries. You need different software for that. Almost all attacks hit hundreds of thousands or millions of IP addresses, and takes advantage of those machines that are not protected.

The truth of the matter is you have more to worry about from your own government than some random phishing scheme curtsey of CZ or some other European country. Most of the attacks I see are not from Russia, China, or Nigeria. They are typically from Czechoslovakia, Germany, etc. Or.. from somewhere in the good ol' U.S. And any attack worth a damn is going to not going to be hosted via those countries, as you must know. So again, blocking them does you nothing.

If you are THAT concerned about your privacy, I imagine you use Tor? No? Have you turned off Javascript in Adobe, as well as not allowing non-PDF files attachments to open?

I've been doing computer related work for over 25 years - the only times I've had any direct attacks they were always within the U.S. (perhaps originating in another country). When I do security checks on computers, the # of poor practices, lack of updates, lack of browser security, etc. are much MUCH more pressing concerns.

Just saying.. I think blocking IP ranges does almost nothing at all. And it's funny someone might be wasting their time doing that, while happily downloading from torrentz sites, and not securing the many holes in their basic computer security. Btw.. if you must download, don't use torrentz.. use irc.

[Garcia Bronco]

Quote:

Originally Posted by Broncos4tw

Except that the chance of a direct attack from one of those countries is just about nil, unless you nab yourself a trojan or click on a phishing link. Blocking these ranges does what for you? It won't stop emails from these countries. You need different software for that. Almost all attacks hit hundreds of thousands or millions of IP addresses, and takes advantage of those machines that are not protected.

The truth of the matter is you have more to worry about from your own government than some random phishing scheme curtsey of CZ or some other European country. Most of the attacks I see are not from Russia, China, or Nigeria. They are typically from Czechoslovakia, Germany, etc. Or.. from somewhere in the good ol' U.S. And any attack worth a damn is going to not going to be hosted via those countries, as you must know. So again, blocking them does you nothing.

If you are THAT concerned about your privacy, I imagine you use Tor? No? Have you turned off Javascript in Adobe, as well as not allowing non-PDF files attachments to open?

I've been doing computer related work for over 25 years - the only times I've had any direct attacks they were always within the U.S. (perhaps originating in another country). When I do security checks on computers, the # of poor practices, lack of updates, lack of browser security, etc. are much MUCH more pressing concerns.

Just saying.. I think blocking IP ranges does almost nothing at all. And it's funny someone might be wasting their time doing that, while happily downloading from torrentz sites, and not securing the many holes in their basic computer security. Btw.. if you must download, don't use torrentz.. use irc.

My current company gets poked by China alone a million times a week. We block it all sorts of ways. Regardless of whether its your business or your home, decent security needs a multipath approach. Not only do you have to protect your network by limiting IP ranges, but you should AV protect your machines. You should also educate your household on social engineering. Including emails, phone calls, and visitors to the house.

[Garcia Bronco]

Quote:

Originally Posted by v2micca

And part of properly protecting your network is limiting IP ranges. At my job, I can't legally block countries out of hand. But you can be damn sure the only traffic I'm allowing from them is port 80 and 443.

If you have to do business with people in those countries then you really have no choice.

[Broncos4tw]

Well, I don't know why any business would block a country, that's nuts. The last two companies I've worked for did quite a bit of business with China (one had an office there). Sort of difficult if you block them.

I agree about businesses and AV - but you need multiple products to actually protect. I am building a new SSEP server at the moment, but we have two other AV packages as well in our infrastructure, along with our Sonicwall and our spam blockers of course. At home, one is fine.. if that. I haven't had an AV live protection product in probably 10 years on my home PC. Most live protection is of little use to be honest. Some is pathetic (Forefront, etc.) I do a ton of stuff on the Internet, I've never been hit or infected. Because it's other protection that's more important.

Consider the points of entry onto your computer, be it ports, programs, javascript, activex, email attachments, browsers, etc. - if you have proper protection on those points, then it doesn't matter what IPs you block.

You do NOT "have" to limit IP ranges. That's ludicrous.

[v2micca]

Quote:

Originally Posted by Broncos4tw

Well, I don't know why any business would block a country, that's nuts. The last two companies I've worked for did quite a bit of business with China (one had an office there). Sort of difficult if you block them.

You block a country because of lack of international regulation and extradition treaty. The hackers know which countries are going to let them get away with crap. So, those are the countries where they set up their remote proxies and servers. Certain ranges are just notorious and its not worth the risk to allow them.

[chadta]

I still maintain that 99% of all computer problems are between the keyboard and the chair. Teach people to be semi smart about how they use them and you should be ok. My kids are now 9 and 11, they have had their own computers since they were 2 or 3, nothing more than MSE and common sense, they have yet to do any real damage. Dont open or click anything you didnt ask for goes along way.

[Drek]

Quote:

Originally Posted by Garcia Bronco

For years, when a company hires me for IT consulting, the first thing I do it block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off

Valid warning.

I've reported three different IPs myself to the FBI from China, trying to hack my home PC (all failed attempts).

The average person needs to have Peerblock installed with a nice selection of I-Blocklist IP lists to refuse. It will save you a TON of hassle down the road and is the ultimate screening tool to prevent contact with the shadier elements of the internet.