Blocking China IP Address Blocks (mergy.org)
46 points by mergy 1695 days ago | 43 comments

We were very seriously considering if we should block China from our game servers recently. The reason is massive account compromises of our users.

There are 300,000 IPs from China that are just trying public leaked email / password databases against our servers. With so many IPs, any kind of normal per IP limiting just doesn't work. Each IP is only trying 10 or so accounts per day.

Blocking China was potentially a very real solution because I just don't think that they would have access to other bot nets of that sheer size outside of China.

The trouble is that the users don't understand that they are pre-compromised before they even arrive.

Anyway, we have now implemented a system whereby accounts get locked if someone attempts to log in from a different country than last time and they have to type in a verification code sent to their email.

All the "My account got hacked" support requests have been replaced by an equivalent number of "Why does my account keep getting locked" support requests. But there you go.

I was about to link this story back to Path of Exile folks given what's happened there. When I saw your post, I looked at your profile - nice that you're here!

For what it's worth, you should consider locking not on attempt to log in, but on successful login from abroad. This was an old problem in some Windows networks: accounts would be locked with 5 failed logins. People discovered they could lock out friends' accounts (or ahem the president's) by failing a login 5 times.

(P.S. If anyone's looking for a great way to waste more time than they should, Path of Exile is a pretty great game.)

You should implement automatic unlocking of the account if the auth attempt is successful and comes from the "usual" country (or from the same "usual" IP).

We talked about this for a while and decided that, at least at first, we want to lock out the original owner.

The reasoning behind this was that their actual password is compromised. We want to make sure that the user understands this fact and changes their password. Not only on our service, but on all the others that they may be using the same password for as well.

The email does say that someone else has your password, but if you can just ignore the email then most will not actually get it or assume it's some kind of phishing email.
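A sketch of the lock policy discussed in the comments above, added here as an example (not code from the thread or from the game's servers): failed logins change nothing, a correct password from a different country locks the account, and the lock clears only with the e-mailed code plus a changed password. `Account`, `login`, `unlock`, the PBKDF2 parameters and the country codes used with it are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_pw(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; the iteration count is an assumed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    last_country: str          # country of the last accepted login
    locked: bool = False
    unlock_code: str = ""      # e-mailed to the owner, never shown to the client


def login(acct: Account, password: str, country: str) -> str:
    """Return 'denied', 'locked' or 'ok'."""
    if not hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
        # Wrong password: no state change, so nobody can lock out a victim
        # just by failing logins against their account.
        return "denied"
    if not acct.locked and country != acct.last_country:
        # Correct password from a new country: someone else knows the
        # password (or the owner travelled). Lock and e-mail a code.
        acct.locked = True
        acct.unlock_code = secrets.token_hex(4)
    return "locked" if acct.locked else "ok"


def unlock(acct: Account, code: str, new_password: str, country: str) -> bool:
    """Clear the lock only with the e-mailed code and a changed password."""
    if not acct.locked or not hmac.compare_digest(code.encode(), acct.unlock_code.encode()):
        return False
    if hmac.compare_digest(hash_pw(new_password, acct.salt), acct.pw_hash):
        return False           # the old password is compromised; reject reuse
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_pw(new_password, acct.salt)
    acct.last_country = country
    acct.locked, acct.unlock_code = False, ""
    return True
```

A real deployment also needs an expiry and an attempt limit on the e-mailed code.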

I suppose it doesn't matter for your service, but that would tend to automatically block people who use the Tor network.

It's tough. Security vs. ease of use for the end-user.

If you resort to blocking IP ranges to prevent attacks, you are missing the point of how to properly respond to an attack. Blocking ranges might be an extra layer of security (philosophy of defense in depth), but in addition to that you should analyze how this email user account was compromised.

Weak password was bruteforced? Start enforcing strong passwords.

Email server vulnerability exploited? Patch your server.


Requiring strong passwords doesn't help if users enter the same strong password on every site, and one of those sites is compromised in a way that exposes plain text passwords. This has happened many times in the last few years. Personally I use separate passwords for every site that matters, but there's no way to force users to do this.

Password length and complexity aren't all that critical if it's salted and hashed. Locking out a user after a number of incorrect attempts and then requiring a different password during the reset than the one already used is a better alternative.

Reusing passwords on different sites is a much bigger problem IMO since a lot of places still don't store passwords correctly or don't lock out users after failed attempts.

> Password length and complexity aren't all that critical if it's salted and hashed.

Unless your users' passwords are something like "password" or their user names. Password length and complexity are important, if overplayed.

Ah yes, well... if they're using 'password' for the password, they've got bigger problems ;)

Passwords that can be guessed in 1-3 tries should be excluded, naturally: password, 12345, 11111 etc... But mixed case, special character stuff is a bit redundant.

Pretty sure the issue I had to deal with was related to the Java OSX exploit. That being said, it is a total trade-off vs. security or ease of use for the end-users.

I haven't talked with the user involved besides trying to stop the bleeding, but it seems it was around the OSX java exploit on a BYOD mac laptop. You are totally correct though, I could do more to restrict this. But, if I can nuke the ip block because I will never get legit traffic from it anyway why not?

For my personal servers, that only host private information, I have no reason for them to be accessed from China - though login attempts were extremely common.

I created this iptables script and update it when I notice any new patterns of abuse


I'm using fail2ban on one of our linux servers. I have a bunch of fail2ban reports that I can run that lists all ips being blocked, how they were blocked, etc. A lot of times if we get multiple ips being blocked from china (and elsewhere) on the same subnet, I'll just block the entire subnet.

Yeah I think an approach like fail2ban is generally better than wholesale banning of IP blocks by country. Block the people who show bad behavior, not everyone.

Of course if you KNOW you have no users in e.g. China, no harm in blocking them, but any skilled attacker in China is not going to appear to be in China, from your vantage point.

Many of us have users (actual valid users) who live in and visit China and other countries in the world. So we don't block an IP because we think it is in China.

Use rate limiting and block bad IPs that are brute-forcing services (don't lock accounts) then you'll be able to serve your users while keeping the bad guys out.

Absolutely. Gladly, that is not an issue in my case.

The ability to do this (and not just for China) is one of the primary reasons I'm looking at new VPN router possibilities to replace the venerable-but-stable RV042s that we've been using for years at clients.

I just haven't found anything yet with a good combination of price, capabilities and hardware VPN support - doubling the price we're currently paying would be feasible, quadrupling it when replacing functioning equipment is harder to justify to non-technical users.

A worthwhile resource for folks with Windows (and with some useful links for others): http://www.sans.org/windows-security/2011/10/25/windows-fire...

I was also looking to switch out some RV042 (tried the newer RV180 series -- terrible mistake). Finally settled on RouterBoard / MikroTik RB2011L-IN.

The feature base is incredible: http://routerboard.com/RB2011L-IN

Perhaps this will one day be so widely implemented that the great firewall of China will become obsolete, and the censors' dream will be realized.

The Chinese can use a foreign botnet just like anyone else. The fact that so many attacks originate (traceably) from China is probably just down to laziness but that doesn't mean you'll be protected if you block the country outright. Ultimately, individual IP addresses should be blocked for a certain time after your service recognizes anomalies in client behavior (such as multiple login fishing attempts).

That said, it's pretty easy to block countries from accessing web apps at least if you use Cloudflare. The CF proxy passes a special field down to your server containing the country of origin. Works quite well actually.

Interesting, most of the cranky search stuff seems to come from the Ukraine or Russia. I've seen some Chinese activity but perhaps because we're a search engine [1] the Chinese government blocks us for their citizens.

It's probably not sustainable to just block the entire country long term though. You have to figure out a different way of figuring out folks who are real from folks who aren't, otherwise you end up with really irritated users.

[1] blekko.com

There was a massive password leak at the end of 2011 and in early 2012. Probably more than 100 million passwords from more than ten popular websites, including some popular social network websites, were made available on the internet (BT or eDonkey). The size of the password files added up to 10GB after compression. A significant number of the passwords were in plain text when obtained, so that with such a huge dictionary a rainbow table can be used to decrypt a large portion of the rest.

So the reality is really nasty. Many of the netizens in China are somehow running naked: you can simply query the password after you get the email.

This would backfire. The goal, I suppose, is that the Chinese government go after hackers in China more; but even if this happened on a mass scale, the Chinese government would /love/ for more services to be run domestically. They don't need Google or Facebook, what makes you think they won't survive well without any of our sites?

True. I am a total "small fish" and China could give a damn, but I think I am just sick of even dishing any bandwidth to known bad address blocks.

I looked at the links in the article and its comments, but this one seemed much more "immediately useful" for me: (and not China-specific either, you can pick any ISO country code to add to your iptables)


If you have a linux-based router, this can be a 5 minute job.

In fact, I'll save you some time. I modified the script slightly to better suit my needs. Enjoy:


  #!/bin/sh
  # License: any/both of the following: public domain or MIT
  ### Block all traffic from AFGHANISTAN (af) - ISO code ###
  # you will need to do the following setup steps manually:
  # iptables -N drop-by-country
  # for a in <chains>; do iptables -I $a 1 -j drop-by-country
  # done

  # Placeholder values: the variable definitions are not shown on this page.
  ISO="af"                        # space-separated ISO country codes
  IPT=iptables
  WGET="wget -q"
  SPAMLIST="drop-by-country"      # chain created in the setup steps above
  DLROOT="<zone file base URL>"   # download location, not shown on this page
  limit=32                        # upper bound on merge passes (placeholder)

  # download each country's zone file unless it is already present
  for c in $ISO; do
  	tDB="$c.zone"
  	#rm -f $tDB
  	[ -f "$tDB" ] || $WGET -O "$tDB" "$DLROOT/$c.zone" || exit 1
  done

  # convert IP and mask to decimal IP (32-bit value) (and leave mask unchanged)
  # (gensub requires GNU awk)
  BADIPS="$(for c in $ISO; do cat "$c.zone"; done | awk 'BEGIN{FS="."}
  	{
  		# skip blank lines and comments
  		if ($0 == "" || $0 ~ /^#/) next;
  		mask=gensub("^[0-9]*/", "", "", $4)
  		n=gensub("/[0-9]*$", "", "", $4)
  		n=(($1*256 + $2)*256 + $3)*256 + n
  		print n " " mask
  	}' | sort -n)"

  # merge adjacent IP ranges until nothing changes
  N=""
  while [ "$N" != "$BADIPS" ]; do
  	echo "simplifying $(echo "$BADIPS" | wc -l) rules"
  	N="$BADIPS"
  	BADIPS="$(echo "$N" | awk 'BEGIN{p1="";p2=""}
  		{
  			n1=$1; n2=$2
  			if (p1 != "") {
  				e=2 ** (32-p2)
  				if (n2 == p2 && int(p1 / e) % 2 == 0 && int(n1 / e) - int(p1 / e) == 1) {
  					# two aligned, adjacent blocks of equal size:
  					# emit one block with a mask one bit shorter
  					print p1 " " (p2 - 1)
  					p1=""; p2=""
  					next
  				} else {
  					print p1 " " p2
  				}
  			}
  			p1=n1; p2=n2
  		}
  		END{ if (p1 != "") print p1 " " p2 }')"
  	limit=$(( $limit - 1 ))
  	[ $limit -eq 0 ] && break
  done

  # convert back to IP format and add one DROP rule per range
  echo "$BADIPS" | awk 'NF == 2 {
  		o4=$1
  		o1=o4 % 256
  		o4=int(o4 / 256)
  		o2=o4 % 256
  		o4=int(o4 / 256)
  		o3=o4 % 256
  		o4=int(o4 / 256)
  		print o4 "." o3 "." o2 "." o1 "/" $2
  	}' | while read a; do
  		echo "$IPT -A $SPAMLIST -s $a -j DROP"
  		$IPT -A $SPAMLIST -s $a -j DROP || exit 1
  	done

# let me end by just saying that blocking an entire country is the WRONG solution, though it might be considered part of a "layered defense" strategy. On the other hand, if you want to apply this to your home router and play with it, that's a different story.

You're right. Outright blocking is not a solution. I understand that. But, there comes a time when you just don't want to tell people to stop knocking on your door. You know?

Sure! In fact, I was thinking about the pros/cons of doing it about the time Mandiant posted their APT1 writeup, and I decided to spend some time implementing it.

It's important to me to preserve the open nature of the internet. So I hope the karma bonus of posting some code offsets the karma loss from the code being "racist" ;-)

Great article, thanks!

Just wanted to say; thanks for that awesome link.

We cut our blog and forum spam massively by blocking China. I'd estimate like 80% or more.

Also consider if you can not restrict your ssh and ftp access to very tiny blocks, you can just allow US (or your country) addresses into those ports.

Of course proxies defeat all this but it slows down the generic script use.

Configserver firewall is amazingly powerful and easy (and free) in this regard


CSF is also good at noticing distributed attacks across ip ranges.

ps. please consider donating to Chirpy for CSF, I'd hate to see it die someday

Blocking China doesn't help anyone, and just hurts people that didn't do anything wrong.

The script kiddies (fake hackers) can't really get into your systems if you apply simple security policies and sanity checks.

The real hackers that can get in aren't blocked by any of your IP filters. They just go through proxies.

Be extremely careful using public IP lists, they're not always up to date. My iPhone was reassigned an IP in the block last year, which used to be issued by a Chinese supplier. Caused havoc with geoIP and locked me out of a number of websites for suddenly changing country.

Rather than putting multiple deny rules in a chain, why not use xt_geoip? http://xtables-addons.sourceforge.net/geoip.php

I'm waiting for Dalton to complain about the use of the Svbtle theme...It seems to happen to every post that links to somewhere not svbtle that uses it.

wp-svbtle does comments and some other stuff above and beyond svbtle. I like it. Works for me for now.

Really Dalton Caldwell? Dalton is pretty cool. I don't think he cares. Dennis might not be too happy though, but I haven't heard anything from him.

I meant Dustin (begin with D, end with N, a T in the 4th spot...) Too tired at the time of posting, and a tad cranky with some code in a new language. :)

Dalton's app.net is one of the things I was playing with last night.

Blocking an entire country sounds very stupid from the technological and moral point of view (and yes, it may make sense from the financial/time pov).

1) that doesn't make your shitty (let's be rough here) passwords & web apps secure. You didn't care for security yesterday, it's not going to come to you by blocking "china".

2) that doesn't stop anyone from proxying elsewhere

3) the more doing it, the more segmented the internet, the less it actually IS the internet. basically, you're breaking the fucking point of the internet (that justifies the swearing.)

You're right on all accounts. But, the internet "works" on a common understanding that the various entities involved act with some form of responsibility. That is NOT the case right now with China. I can beef-up security all I want, but perhaps people will get to a point when even interacting and rejecting bad connections is a waste?

This is essentially racist (well, xenophobic), and doesn't actually solve the problems.

you can do this on your SOHO router at home with DDWRT and Optware's asiablock.


I've had this setup for years. It's simple and effective. I block China and Russia entirely.
