
Blocking China IP Address Blocks - mergy
http://mergy.org/2013/02/blocking-china-ip-address-blocks/
======
Negitivefrags
We were very seriously considering if we should block China from our game
servers recently. The reason is massive account compromises of our users.

There are 300,000 IPs from China that are just trying public leaked email /
password databases against our servers. With so many IPs, any kind of normal
per IP limiting just doesn't work. Each IP is only trying 10 or so accounts
per day.

Blocking China was potentially a very real solution because I just don't think
that they would have access to other bot nets of that sheer size outside of
China.

The trouble is that the users don't understand that they are pre-compromised
before they even arrive.

Anyway, we have now implemented a system whereby accounts get locked if
someone attempts to log in from a different country than last time and they
have to type in a verification code sent to their email.

All the "My account got hacked" support requests have been replaced by an
equivalent number of "Why does my account keep getting locked" support
requests. But there you go.
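As an added example (not code from the post or from the game's own systems), the following Python models the two points above: why a per-IP limit sees nothing when each of many sources tries only a handful of accounts, and the lock-on-country-change rule with an emailed verification code. The log lines, the thresholds and the `issue_code` placeholder are constructed for the example; a real deployment mails a random one-time code.

```python
import csv
import hmac
import io
from collections import Counter

# Constructed sample auth log (not real traffic).  It models the situation in the
# post: many source addresses, each failing against only a few accounts, plus a
# couple of legitimate users.  Columns: ts,account,src_ip,country,result
SAMPLE_LOG = "\n".join(
    ["ts,account,src_ip,country,result",
     "100,alice,198.51.100.7,US,ok",
     "110,bob,203.0.113.5,DE,ok"]
    # 40 addresses in 192.0.2.0/24, each trying 3 accounts: far below any
    # sensible per-IP limit, yet 120 failures against 40 accounts in total
    + [f"{200 + 3 * i + j},user{(i + j) % 40},192.0.2.{i},CN,fail"
       for i in range(1, 41) for j in range(3)]
    # alice's real (leaked, reused) password tried from a different country
    + ["400,alice,192.0.2.9,CN,ok"]
)

PER_IP_LIMIT = 10     # the kind of per-IP rule the attack in the post stays under
MIN_IPS = 25          # distributed pattern: this many failing sources ...
MIN_ACCOUNTS = 25     # ... spread over this many distinct accounts


def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = int(r["ts"])
    return rows


def per_ip_offenders(events, limit=PER_IP_LIMIT):
    """Classic per-IP rule: sources with more than `limit` failed logins."""
    fails = Counter(e["src_ip"] for e in events if e["result"] == "fail")
    return sorted(ip for ip, n in fails.items() if n > limit)


def distributed_stuffing(events, min_ips=MIN_IPS, min_accounts=MIN_ACCOUNTS):
    """Aggregate view that catches low-and-slow stuffing: many sources, each
    under the per-IP limit, together failing against many accounts."""
    fails = [e for e in events if e["result"] == "fail"]
    per_ip = Counter(e["src_ip"] for e in fails)
    accounts = {e["account"] for e in fails}
    return {
        "distinct_ips": len(per_ip),
        "distinct_accounts": len(accounts),
        "max_fails_per_ip": max(per_ip.values(), default=0),
        "flagged": len(per_ip) >= min_ips and len(accounts) >= min_accounts,
    }


class CountryChangeGuard:
    """The lock described in the post: a successful login from a different
    country than the account's previous login locks the account until the
    owner enters a code sent to their email address."""

    def __init__(self):
        self.last_country = {}
        self.pending_codes = {}   # account -> code mailed to the owner

    def process(self, event, issue_code):
        acct = event["account"]
        if event["result"] != "ok":
            return "denied"                  # wrong password: nothing to update
        if acct in self.pending_codes:
            return "locked"                  # still locked; only the code unlocks
        prev = self.last_country.get(acct)
        if prev is not None and prev != event["country"]:
            self.pending_codes[acct] = issue_code(acct)
            return "locked:verify-by-email"
        self.last_country[acct] = event["country"]
        return "ok"

    def verify_code(self, acct, code, country):
        stored = self.pending_codes.get(acct)
        if stored is None or not hmac.compare_digest(stored, code):
            return False
        del self.pending_codes[acct]
        self.last_country[acct] = country    # the new country becomes "last time"
        return True


def run_guard(events):
    """Replay the log through the guard; the code issuer is a placeholder."""
    guard = CountryChangeGuard()
    decisions = [guard.process(e, issue_code=lambda a: f"code-for-{a}")
                 for e in events]
    return guard, decisions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP offenders:", per_ip_offenders(evs))
    print("distributed view:", distributed_stuffing(evs))
    print("last decision:", run_guard(evs)[1][-1])
```

Run as-is it prints an empty per-IP offender list, a flagged aggregate view (40 sources, 40 accounts, at most 3 failures per source) and `locked:verify-by-email` for the final login, which is the point of the post: the signal only exists once failures are counted across sources and accounts, and the lock has to fire on a *successful* login.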

~~~
mrb
You should implement automatic unlocking of the account if the auth attempt is
successful and comes from the "usual" country (or from the same "usual" IP).

~~~
Negitivefrags
We talked about this for a while and decided that, at least at first, we want
to lock out the original owner.

The reasoning behind this was that their actual password _is_ compromised. We
want to make sure that the user understands this fact and changes their
password. Not only on our service, but on all the others that they may be
using the same password for as well.

The email does say that someone else has your password, but if you can just
ignore the email then most will not actually get it or assume it's some kind
of phishing email.

------
mrb
If you resort to blocking IP ranges to prevent attacks, you are missing the
point of how to properly respond to an attack. Blocking ranges might be an
extra layer of security (philosophy of defense in depth), but in addition to
that you should analyze how this email user account was compromised.

Weak password was bruteforced? Start enforcing strong passwords.

Email server vulnerability exploited? Patch your server.

Etc.

~~~
eksith
Password length and complexity aren't all that critical if it's salted and
hashed. Locking out a user after a number of incorrect attempts and then
requiring a different password during the reset than the one already used is a
better alternative.

Reusing passwords on different sites is a much bigger problem IMO since a lot
of places still don't store passwords correctly or don't lock out users after
failed attempts.

~~~
cantankerous
_Password length and complexity aren't all that critical if it's salted and
hashed._

Unless your users' passwords are something like "password" or their user
names. Password length and complexity are important, if overplayed.

~~~
eksith
Ah yes, well... if they're using 'password' for the password, they've got
bigger problems ;)

Passwords that can be guessed in 1-3 tries should be excluded, naturally:
password, 12345, 11111 etc... But mixed case, special character stuff is a bit
redundant.

~~~
mergy
Pretty sure the issue I had to deal with was related to the Java OSX exploit.
That being said, it is a total trade-off vs. security or ease of use for the
end-users.

------
cleverjake
For my personal servers, that only host private information, I have no reason
for them to be accessed from China - though login attempts were extremely
common.

I created this iptables script and update it when I notice any new patterns of
abuse

<https://gist.github.com/anonymous/1b6f1b08273b92cca890>

------
djengineerllc
I'm using fail2ban on one of our Linux servers. I have a bunch of fail2ban
reports that I can run that list all IPs being blocked, how they were
blocked, etc. A lot of times if we get multiple IPs being blocked from China
(and elsewhere) on the same subnet, I'll just block the entire subnet.

~~~
ams6110
Yeah I think an approach like fail2ban is generally better than wholesale
banning of IP blocks by country. Block the people who show bad behavior, not
everyone.

Of course if you KNOW you have no users in e.g. China, no harm in blocking
them, but any skilled attacker in China is not going to _appear_ to be in
China, from your vantage point.

------
16s
Many of us have users (actual valid users) who live in and visit China and
other countries in the world. So we don't block an IP because we _think_ it is
in China.

Use rate limiting and block bad IPs that are brute-forcing services (don't
lock accounts) then you'll be able to serve your users while keeping the bad
guys out.

~~~
mergy
Absolutely. Gladly, that is not an issue in my case.

------
fencepost
The ability to do this (and not just for China) is one of the primary reasons
I'm looking at new VPN router possibilities to replace the venerable-but-
stable RV042s that we've been using for years at clients.

I just haven't found anything yet with a good combination of price,
capabilities and hardware VPN support - doubling the price we're currently
paying would be feasible, quadrupling it when replacing functioning equipment
is harder to justify to non-technical users.

A worthwhile resource for folks with Windows (and with some useful links for
others):
<http://www.sans.org/windows-security/2011/10/25/windows-firewall-script-block-addresses-network-ranges>

~~~
semenko
I was also looking to switch out some RV042 (tried the newer RV180 series --
terrible mistake). Finally settled on RouterBoard / MikroTik RB2011L-IN.

The feature base is incredible: <http://routerboard.com/RB2011L-IN>

------
grandpa
Perhaps this will one day be so widely implemented that the great firewall of
China will become obsolete, and the censors' dream will be realized.

------
Udo
The Chinese can use a foreign botnet just like anyone else. The fact that so
many attacks originate (traceably) from China is probably just down to
laziness but that doesn't mean you'll be protected if you block the country
outright. Ultimately, individual IP addresses should be blocked for a certain
time after your service recognizes anomalies in client behavior (such as
multiple login fishing attempts).

That said, it's pretty easy to block countries from accessing web apps at
least if you use Cloudflare. The CF proxy passes a special field down to your
server containing the country of origin. Works quite well actually.

------
ChuckMcM
Interesting, most of the cranky search stuff seems to come from the Ukraine or
Russia. I've seen some Chinese activity but perhaps because we're a search
engine [1] the Chinese government blocks us for their citizens.

It's probably not sustainable to just block the entire country long term
though. You have to figure out a different way of figuring out folks who are
real from folks who aren't, otherwise you end up with really irritated users.

[1] blekko.com

------
qschneier
There was a massive password leak that happened at the end of 2011 and early
2012. Probably more than 100 million passwords from more than ten popular
websites, including some popular social network websites, were made available
on the internet (BT or eDonkey). The size of the password files added up to
10GB after compression. A significant amount of the passwords were in plain
text when obtained, so that with such a huge dictionary a rainbow table can be
used to decrypt a large portion of the rest.

So the reality is really nasty. Many of the netizens in China are somehow
running naked: you can simply query the password after you get the email.

------
joshuagross
This would backfire. The goal, I suppose, is that the Chinese government go
after hackers in China more; but even if this happened on a mass scale, the
Chinese government would /love/ for more services to be run domestically. They
don't need Google or Facebook, what makes you think they won't survive well
without any of our sites?

~~~
mergy
True. I am a total "small fish" and China could give a damn, but I think I am
just sick of even dishing any bandwidth to known bad address blocks.

------
sounds
I looked at the links in the article and its comments, but this one seemed
much more "immediately useful" for me: (and not China-specific either, you can
pick any ISO country code to add to your iptables)

<http://www.cyberciti.biz/faq/block-entier-country-using-iptables/>

If you have a linux-based router, this can be a 5 minute job.

In fact, I'll save you some time. I modified the script slightly to better
suit my needs. Enjoy:

    #!/bin/bash
    # License: any/both of the following: public domain or MIT
    #
    ### Block all traffic from AFGHANISTAN (af) - ISO code ###
    #
    # you will need to do the following setup steps manually:
    #
    # iptables -N drop-by-country
    #
    # for a in INPUT FORWARD OUTPUT
    # do iptables -I $a 1 -j drop-by-country
    # done
    #
    # needs GNU awk (gawk): the script relies on gensub() and the ** operator

    ISO="af"

    IPT=iptables
    WGET=wget

    SPAMLIST="drop-by-country"
    DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

    # fetch each country's zone file (one CIDR block per line) unless it is
    # already cached locally; delete the cached copy to force a refresh
    for c in $ISO; do
    	tDB=$c.zone
    	#rm -f $tDB
    	[ -f $tDB ] || $WGET -O $tDB $DLROOT/$c.zone || exit 1
    done

    # convert IP and mask to decimal IP (32-bit value) (and leave mask unchanged)
    # blank lines and "#" comments in the zone file are skipped
    BADIPS="`for c in $ISO; do cat $c.zone; done | awk 'BEGIN{FS="."}
    	{
    		if ($0 == "" || $0 ~ /^#/) next;
    		mask=gensub("^[0-9]*/", "", "", $4)
    		n=gensub("/[0-9]*$", "", "", $4)
    		n=(($1*256 + $2)*256 + $3)*256 + n
    		print n " " mask
    	}' | sort -n`"

    # merge adjacent IP ranges until nothing changes: two neighbouring blocks
    # with the same mask are joined into one block with mask-1 when the lower
    # one is aligned to that larger block; each pass merges at most one level,
    # so repeat until the list is stable (or the pass limit is reached)
    N=""
    limit=20
    while [ "$N" != "$BADIPS" ]; do
    	echo "simplifying `echo \"$BADIPS\" | wc -l` rules"
    	N="$BADIPS"
    	BADIPS="`echo \"$N\" | awk 'BEGIN{p1="";p2=""}
    		{
    			n1=\$1
    			n2=\$2
    			if (p1 != "") {
    				e=2 ** (32-p2)
    				if (n2 == p2 && int(p1 / e) % 2 == 0 && int(n1 / e) - int(p1 / e) == 1) {
    					n1=p1
    					n2--
    				} else {
    					print p1 " " p2
    				}
    			}
    			p1=n1
    			p2=n2
    		}
    		END{ if (p1 != "") print p1 " " p2 }'`"
    	limit=$(( $limit - 1 ))
    	[ $limit -eq 0 ] && break
    done

    # convert back to IP format and add one DROP rule per merged block
    # (the exit inside the piped loop stops rule loading; nothing follows it)
    echo "$BADIPS" | awk '{
    		o4=$1
    		o1=o4 % 256
    		o4=int(o4 / 256)
    		o2=o4 % 256
    		o4=int(o4 / 256)
    		o3=o4 % 256
    		o4=int(o4 / 256)
    		print o4 "." o3 "." o2 "." o1 "/" $2
    	}' | while read a; do
    		echo "$IPT -A $SPAMLIST -s $a -j DROP"
    		$IPT -A $SPAMLIST -s $a -j DROP || exit 1
    	done


# let me end by just saying that blocking an entire country is the WRONG
solution, though it might be considered part of a "layered defense" strategy.
On the other hand, if you want to apply this to your home router and play with
it, that's a different story.
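As an added example (not code from the comment above, from the cyberciti article or from ipdeny), here is the same pipeline in Python: parse an ipdeny-style zone file, merge adjacent aligned blocks, check that the merged list covers exactly the same addresses as the original, and render one `iptables` rule per block for the `drop-by-country` chain. The zone file below is constructed from documentation prefixes, not a real country list; the merge uses the standard library's `ipaddress.collapse_addresses`, which converges to the same result as the script's repeated-pass loop.

```python
import ipaddress

# Constructed zone file in the one-CIDR-per-line layout the bash script downloads.
# Documentation/test prefixes only; not a real country allocation.
SAMPLE_ZONE = """\
# sample zone file (constructed for this example)
10.0.0.0/24
10.0.1.0/24
10.0.2.0/24

192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
"""


def parse_zone(text):
    """Parse a zone file, skipping blank lines and '#' comments.
    strict=True rejects entries whose host bits are set (a malformed list
    would otherwise turn into a wider block than intended)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def merge_blocks(nets):
    """Aggregate adjacent, aligned blocks (10.0.0.0/24 + 10.0.1.0/24 -> /23).
    10.0.2.0/24 stays on its own: its pair, 10.0.3.0/24, is not in the list."""
    return list(ipaddress.collapse_addresses(nets))


def same_coverage(original, merged):
    """Sanity check before loading rules: merging must neither drop nor add
    a single host address."""
    orig_count = sum(n.num_addresses for n in original)
    merged_count = sum(n.num_addresses for n in merged)
    covered = all(any(n.subnet_of(m) for m in merged) for n in original)
    return orig_count == merged_count and covered


def iptables_rules(nets, chain="drop-by-country", ipt="iptables"):
    """One DROP rule per block, in the form the bash script emits."""
    return [f"{ipt} -A {chain} -s {n.with_prefixlen} -j DROP" for n in nets]


def build_rules(zone_text):
    nets = parse_zone(zone_text)
    merged = merge_blocks(nets)
    if not same_coverage(nets, merged):
        raise ValueError("merged block list does not match the original set")
    return iptables_rules(merged)


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_ZONE):
        print(rule)
```

Running it prints four rules instead of six (the two `/25`s become `192.0.2.0/24`, the first two `/24`s become `10.0.0.0/23`). The coverage check is the part worth keeping in any version of this: a merge step that silently widens a block is how a legitimate neighbouring range ends up dropped. Note also that the bash script reuses a cached `$c.zone` forever once it exists, so the stale-list problem raised further down the thread applies until the file is deleted or refreshed.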

~~~
mergy
You're right. Outright blocking is not a solution. I understand that. But,
there comes a time when you just don't want to tell people to stop knocking on
your door. You know?

~~~
sounds
Sure! In fact, I was thinking about the pros/cons of doing it about the time
Mandiant posted their APT1 writeup, and I decided to spend some time
implementing it.

It's important to me to preserve the open nature of the internet. So I hope
the karma bonus of posting some code offsets the karma loss from the code
being "racist" ;-)

Great article, thanks!

------
ck2
We cut our blog and forum spam massively by blocking China. I'd estimate like
80% or more.

Also consider, if you cannot restrict your ssh and ftp access to very tiny
blocks, you can just allow US (or your country) addresses into those ports.

Of course proxies defeat all this but it slows down the generic script use.

Configserver firewall is amazingly powerful and easy (and free) in this regard

<http://www.configserver.com/cp/csf.html>

CSF is also good at noticing distributed attacks across ip ranges.

ps. please consider donating to Chirpy for CSF, I'd hate to see it die someday

------
dragonfax
Blocking china doesn't help anyone, and just hurts people that didn't do
anything wrong.

The script kiddies (fake hackers) can't really get into your systems if you
apply simple security policies and sanity checks.

The real hackers that can get in aren't blocked by any of your IP filters.
They just go through proxies.

------
nwh
Be extremely careful using public IP lists, they're not always up to date. My
iPhone was reassigned an IP in the 1.43.0.0 block last year, which used to be
issued by a Chinese supplier. Caused havoc with geoIP and locked me out of a
number of websites for suddenly changing country.

------
lmz
Rather than putting multiple deny rules in a chain, why not use xt_geoip?
<http://xtables-addons.sourceforge.net/geoip.php>

------
jmspring
I'm waiting for Dalton to complain about the use of the Svbtle theme...It
seems to happen to _every_ post that links to somewhere not svbtle that uses
it.

~~~
knowaveragejoe
<https://github.com/gravityonmars/wp-svbtle>

~~~
mergy
wp-svbtle does comments and some other stuff above and beyond svbtle. I like
it. Works for me for now.

------
zobzu
Blocking an entire country sounds very stupid from the technological and moral
point of view (and yes, it may make sense from the financial/time pov).

1) that doesn't make your shitty (let's be rough here) passwords & web apps
secure. You didn't care for security yesterday, it's not going to come to you
by blocking "china".

2) that doesn't stop anyone from proxying elsewhere

3) the more doing it, the more segmented the internet, the less it actually IS
the internet. basically, you're breaking the fucking point of the internet
(that justify the swearing.)

~~~
mergy
You're right on all accounts. But, the internet "works" on a common
understanding that the various entities involved act with some form of
responsibility. That is NOT the case right now with China. I can beef up
security all I want, but perhaps people will get to a point when even
interacting and rejecting bad connections is a waste?

------
antihero
This is essentially racist (well, xenophobic), and doesn't actually solve the
problems.

------
_account
you can do this on your SOHO router at home with DDWRT and Optware's
asiablock.

<http://www.dd-wrt.com/wiki/index.php/Optware%2C_the_Right_Way>

I've had this setup for years. It's simple and effective. I block China and
Russia entirely.

