The Orange Mane -  a Denver Broncos Fan Community  

Go Back   The Orange Mane - a Denver Broncos Fan Community > Orange Mane Discussion > Orange Mane Central Discussion
Register FAQ Members List Calendar Chat Room Mark Forums Read



Reply
 
Thread Tools Display Modes
Old 10-17-2012, 02:55 PM   #1
Garcia Bronco
Hokie since 1993
 

Join Date: Apr 2001
Location: Denver, CO
Posts: 46,919

Adopt-a-Bronco:
Tom Jackson
Default PSA: Blocking China

For years, when a company hires me for IT consulting, the first thing I do it block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off
Garcia Bronco is offline   Reply With Quote
Sponsored Links
Old 10-17-2012, 02:57 PM   #2
Rabb
No Luca, No!
 
Rabb's Avatar
 

Join Date: May 2005
Posts: 7,542

Adopt-a-Bronco:
Dynamite Monkey
Default

1. Get David Bruton on it
2.
3. profit
Rabb is offline   Reply With Quote
Old 10-17-2012, 03:01 PM   #3
gyldenlove
Ring of Famer
 
gyldenlove's Avatar
 

Join Date: Mar 2006
Location: Nęstved, DK
Posts: 11,086

Adopt-a-Bronco:
Spencer Larsen
Default

Quote:
Originally Posted by Garcia Bronco View Post
For years, when a company hires me for IT consulting, the first thing I do it block China, India, Nigeria, and Russia's IP ranges. These countries have a number of people that either are crooks or paid government employees trying to rob you of information and anything. It's not something people think about, but you should block them at your home. You can easily Google their IP ranges and do it.

Anywho....enjoy the week off
If they are dangerous enough to worry about they will know how to run everything through a proxy in a non-threatening country.
gyldenlove is offline   Reply With Quote
Old 10-17-2012, 03:01 PM   #4
Garcia Bronco
Hokie since 1993
 

Join Date: Apr 2001
Location: Denver, CO
Posts: 46,919

Adopt-a-Bronco:
Tom Jackson
Default

Quote:
Originally Posted by Rabb View Post
1. Get David Bruton on it
2.
3. profit
David Bruton collects underwear?

Block it at your firewall.
Garcia Bronco is offline   Reply With Quote
Old 10-17-2012, 03:05 PM   #5
Bronco Yoda
.
 
Bronco Yoda's Avatar
 

Join Date: Aug 2001
Posts: 8,845
Default

Sounds like good advice. This just isn't idiot proof enough for me. Maybe my 11 year old can help me out. She did set my last phone up for me.
Bronco Yoda is offline   Reply With Quote
Old 10-17-2012, 03:06 PM   #6
Rohirrim
Partisan
 
Rohirrim's Avatar
 
All hail Hercules!

Join Date: Jan 2003
Location: Twixt Hell & Highwater
Posts: 54,945

Adopt-a-Bronco:
Malik Jackson
Default

I thought Garcia was starting a thread about setting the table.
Rohirrim is offline   Reply With Quote
Old 10-17-2012, 03:14 PM   #7
Garcia Bronco
Hokie since 1993
 

Join Date: Apr 2001
Location: Denver, CO
Posts: 46,919

Adopt-a-Bronco:
Tom Jackson
Default

Quote:
Originally Posted by gyldenlove View Post
If they are dangerous enough to worry about they will know how to run everything through a proxy in a non-threatening country.
True. All true. But it clears out the suckers in the least.
Garcia Bronco is offline   Reply With Quote
Old 10-17-2012, 03:55 PM   #8
cutthemdown
A verbis ad verbera
 
cutthemdown's Avatar
 
Zimm to HOF

Join Date: Mar 2006
Location: Long Beach
Posts: 36,841
Default

Quote:
Originally Posted by Garcia Bronco View Post
True. All true. But it clears out the suckers in the least.
In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.
cutthemdown is offline   Reply With Quote
Old 10-17-2012, 04:41 PM   #9
Rascal
RIP
 

Join Date: Mar 2004
Posts: 17,150

Adopt-a-Bronco:
Turf
Default

how do you do that?
Rascal is offline   Reply With Quote
Old 10-17-2012, 04:58 PM   #10
extralife
Ring of Famer
 

Join Date: Mar 2006
Posts: 5,016
Default

Quote:
Originally Posted by cutthemdown View Post
In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.
all of the billion chinese are out to get your computer
extralife is offline   Reply With Quote
Old 10-17-2012, 04:59 PM   #11
Garcia Bronco
Hokie since 1993
 

Join Date: Apr 2001
Location: Denver, CO
Posts: 46,919

Adopt-a-Bronco:
Tom Jackson
Default

Quote:
Originally Posted by Rascal View Post
how do you do that?
You would block them at your firewall. You can do that on your PC if it has one, or you can at your wireless router depending upon it's configuration-options.

I can't tell every home user how to do this due to the all the different configuration options

But a simple design from the outside-in would be

---->Internet Connection ----->router/firewall------->internal home network. You would block them from an IP address perspective at the router/firewall. The router/firewall can be two separate devices. Shop around. Ask questions at your local store. Do some google searches. Then tell people you're a security guru.
Garcia Bronco is offline   Reply With Quote
Old 10-17-2012, 05:01 PM   #12
Garcia Bronco
Hokie since 1993
 

Join Date: Apr 2001
Location: Denver, CO
Posts: 46,919

Adopt-a-Bronco:
Tom Jackson
Default

Quote:
Originally Posted by cutthemdown View Post
In a country of billions Im sure not all of them sophisticated enough to use proxy servers. Good advice.
Well no...you can't just proxy a non-routed network. their Government could, but some dude living up the street most likely cannot. IPv6 opens-up a different can of worms, but still block-able.
Garcia Bronco is offline   Reply With Quote
Old 10-17-2012, 05:23 PM   #13
cmhargrove
Is this thing on???
 
cmhargrove's Avatar
 
Travis Henry's love child...

Join Date: Aug 2006
Location: Tulsa, OK
Posts: 6,723

Adopt-a-Bronco:
Peyton Hillis
Default

Well, where the hell do you want me to buy my fake jerseys from? Sheesh.
cmhargrove is offline   Reply With Quote
Old 10-17-2012, 05:46 PM   #14
DenverBroncosJM
Post here Vine
 

Join Date: Jan 2006
Location: California
Posts: 1,126
Default

Today is a great day for me..

I just won the Nigerian lottery, a BMW and a superhot Model from Russia is wery interstdn metting ne.

Bad news? I apparently need viagra and cialis...a lot of it too by the amount of emails.

Ahh I love checking my AOL
DenverBroncosJM is offline   Reply With Quote
Old 10-17-2012, 05:58 PM   #15
ShutDownPoster
raging lurker
 
ShutDownPoster's Avatar
 
JUSTICE is served!!

Join Date: Apr 2004
Posts: 833
Default

ShutDownPoster is offline   Reply With Quote
Old 10-17-2012, 06:43 PM   #16
Broncos4tw
Ring of Famer
 

Join Date: Sep 2005
Posts: 1,445
Default

Meh, not really worth it imo. It's time better spent to simply properly protect your computer / servers / website / whatever you are doing. If properly protected, those IP ranges really won't matter.
Broncos4tw is offline   Reply With Quote
Old 10-17-2012, 08:59 PM   #17
v2micca
Ring of Famer
 
v2micca's Avatar
 

Join Date: Sep 2004
Location: Austin, TX
Posts: 1,054
Default

Quote:
Originally Posted by Broncos4tw View Post
Meh, not really worth it imo. It's time better spent to simply properly protect your computer / servers / website / whatever you are doing. If properly protected, those IP ranges really won't matter.

And part of properly protecting your network is limiting IP ranges. At my job, I can't legally block countries out of hand. But you can be damn sure the only traffic I'm allowing from them is port 80 and 443.
v2micca is offline   Reply With Quote
Old 10-17-2012, 09:11 PM   #18
HAT
I think, therefore I ham.
 
HAT's Avatar
 

Join Date: Dec 2002
Posts: 5,782

Adopt-a-Bronco:
Adam Weber
Default

Or.....

HAT is offline   Reply With Quote
Old 10-17-2012, 10:44 PM   #19
Broncos4tw
Ring of Famer
 

Join Date: Sep 2005
Posts: 1,445
Default

Except that the chance of a direct attack from one of those countries is just about nil, unless you nab yourself a trojan or click on a phishing link. Blocking these ranges does what for you? It won't stop emails from these countries. You need different software for that. Almost all attacks hit hundreds of thousands or millions of IP addresses, and takes advantage of those machines that are not protected.

The truth of the matter is you have more to worry about from your own government than some random phishing scheme curtsey of CZ or some other European country. Most of the attacks I see are not from Russia, China, or Nigeria. They are typically from Czechoslovakia, Germany, etc. Or.. from somewhere in the good ol' U.S. And any attack worth a damn is going to not going to be hosted via those countries, as you must know. So again, blocking them does you nothing.

If you are THAT concerned about your privacy, I imagine you use Tor? No? Have you turned off Javascript in Adobe, as well as not allowing non-PDF files attachments to open?

I've been doing computer related work for over 25 years - the only times I've had any direct attacks they were always within the U.S. (perhaps originating in another country). When I do security checks on computers, the # of poor practices, lack of updates, lack of browser security, etc. are much MUCH more pressing concerns.

Just saying.. I think blocking IP ranges does almost nothing at all. And it's funny someone might be wasting their time doing that, while happily downloading from torrentz sites, and not securing the many holes in their basic computer security. Btw.. if you must download, don't use torrentz.. use irc.
Broncos4tw is offline   Reply With Quote
Old 10-17-2012, 10:49 PM   #20
Garcia Bronco
Hokie since 1993
 

Join Date: Apr 2001
Location: Denver, CO
Posts: 46,919

Adopt-a-Bronco:
Tom Jackson
Default

Quote:
Originally Posted by v2micca View Post
And part of properly protecting your network is limiting IP ranges. At my job, I can't legally block countries out of hand. But you can be damn sure the only traffic I'm allowing from them is port 80 and 443.
If you have to do business with people in those countries then you really have no choice.
Garcia Bronco is offline   Reply With Quote
Old 10-17-2012, 10:54 PM   #21
Garcia Bronco
Hokie since 1993
 

Join Date: Apr 2001
Location: Denver, CO
Posts: 46,919

Adopt-a-Bronco:
Tom Jackson
Default

Quote:
Originally Posted by Broncos4tw View Post
Except that the chance of a direct attack from one of those countries is just about nil, unless you nab yourself a trojan or click on a phishing link. Blocking these ranges does what for you? It won't stop emails from these countries. You need different software for that. Almost all attacks hit hundreds of thousands or millions of IP addresses, and takes advantage of those machines that are not protected.

The truth of the matter is you have more to worry about from your own government than some random phishing scheme curtsey of CZ or some other European country. Most of the attacks I see are not from Russia, China, or Nigeria. They are typically from Czechoslovakia, Germany, etc. Or.. from somewhere in the good ol' U.S. And any attack worth a damn is going to not going to be hosted via those countries, as you must know. So again, blocking them does you nothing.

If you are THAT concerned about your privacy, I imagine you use Tor? No? Have you turned off Javascript in Adobe, as well as not allowing non-PDF files attachments to open?

I've been doing computer related work for over 25 years - the only times I've had any direct attacks they were always within the U.S. (perhaps originating in another country). When I do security checks on computers, the # of poor practices, lack of updates, lack of browser security, etc. are much MUCH more pressing concerns.

Just saying.. I think blocking IP ranges does almost nothing at all. And it's funny someone might be wasting their time doing that, while happily downloading from torrentz sites, and not securing the many holes in their basic computer security. Btw.. if you must download, don't use torrentz.. use irc.
My current company gets poked by China alone a million times a week. We block it all sorts of ways. Regardless of whether its your business or your home, decent security needs a multipath approach. Not only do you have to protect your network by limiting IP ranges, but you should AV protect your machines. You should also educate your household on social engineering. Including emails, phone calls, and visitors to the house.
Garcia Bronco is offline   Reply With Quote
Old 10-17-2012, 11:03 PM   #22
Broncos4tw
Ring of Famer
 

Join Date: Sep 2005
Posts: 1,445
Default

Well, I don't know why any business would block a country, that's nuts. The last two companies I've worked for did quite a bit of business with China (one had an office there). Sort of difficult if you block them.

I agree about businesses and AV - but you need multiple products to actually protect. I am building a new SSEP server at the moment, but we have two other AV packages as well in our infrastructure, along with our Sonicwall and our spam blockers of course. At home, one is fine.. if that. I haven't had an AV live protection product in probably 10 years on my home PC. Most live protection is of little use to be honest. Some is pathetic (Forefront, etc.) I do a ton of stuff on the Internet, I've never been hit or infected. Because it's other protection that's more important.

Consider the points of entry onto your computer, be it ports, programs, javascript, activex, email attachments, browsers, etc. - if you have proper protection on those points, then it doesn't matter what IPs you block.

You do NOT "have" to limit IP ranges. That's ludicrous.
Broncos4tw is offline   Reply With Quote
Old 10-18-2012, 04:08 AM   #23
chadta
Atomic Meatball Keeper
 
chadta's Avatar
 

Join Date: Aug 2004
Location: Hamilton, Ontario
Posts: 2,935

Adopt-a-Bronco:
The Mc Rib
Default

I still maintain that 99% of all computer problems are between the keyboard and the chair. Teach people to be semi smart about how they use them and you should be ok. My kids are now 9 and 11, they have had their own computers since they were 2 or 3, nothing more than MSE and common sense, they have yet to do any real damage. Dont open or click anything you didnt ask for goes along way.
chadta is offline   Reply With Quote
Old 10-18-2012, 05:04 AM   #24
v2micca
Ring of Famer
 
v2micca's Avatar
 

Join Date: Sep 2004
Location: Austin, TX
Posts: 1,054
Default

Quote:
Originally Posted by Broncos4tw View Post
Well, I don't know why any business would block a country, that's nuts. The last two companies I've worked for did quite a bit of business with China (one had an office there). Sort of difficult if you block them.
You block a country because of lack of international regulation and extradition treaty. The hackers know which countries are going to let them get away with crap. So, those are the countries where they set up their remote proxies and servers. Certain ranges are just notorious and its not worth the risk to allow them.
v2micca is offline   Reply With Quote
Old 10-18-2012, 05:14 AM   #25
HILife
Ring of Famer
 
HILife's Avatar
 
Mrs. Alicia Hilife

Join Date: Jun 2006
Location: DC - NOVA - DMV - VA - Take your pick
Posts: 4,509
Default

Quote:
Originally Posted by Garcia Bronco View Post
My current company gets poked by China alone a million times a week. We block it all sorts of ways. Regardless of whether its your business or your home, decent security needs a multipath approach. Not only do you have to protect your network by limiting IP ranges, but you should AV protect your machines. You should also educate your household on social engineering. Including emails, phone calls, and visitors to the house.
Defense-in-depth. Also switch from windows to Linux or Mac. I use both Windows and Linux laptops. Linux is my daily driver and Windows is for the things I can't do with Linux.
HILife is offline   Reply With Quote
Reply

Thread Tools
Display Modes



Forum Jump


All times are GMT -7. The time now is 01:42 PM.


Denver Broncos