Bugtraq mailing list archives
RE: All China, All The Time
From: Jim Harrison <Jim () isatools org>
Date: Sat, 16 Jan 2010 14:17:18 +0000
I've used Tim's block sets for a while in my own FOAD rule, but I ended up having to adjust the policy because of the toolsets I provide to the folks that are trying to do a good day's work in those same locations. Yes, there are plenty of good folks, computers and networks in China and other countries, but the sad fact is these countries also represent the network-sources (even if, as has been stated, not the "true" source) of the majority of attacks. My own firewall logs validate this.

How you use the lists Tim provides is a matter of personal choice according to your capabilities and priorities. If your firewall is smart enough to ignore anyone trying to bash your network or play silly buggers in the upper layers, then you may feel that an IP-based block set is overkill. If, like so many, your firewall operates primarily at L4 and below, this data may prove very valuable. Frankly, I like that someone has taken the time to do the numbers and produce the data, even if I can't use it the way I'd prefer.

Jim

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor () hammerofgod com]
Sent: Friday, January 15, 2010 10:05 AM
To: Gadi Evron
Cc: bugtraq () securityfocus com
Subject: RE: All China, All The Time

Inline:
> Subject: Re: All China, All The Time
>
> The solution of blocking China, however, is one which harms both people outside of China, as well as those inside of China. Therefore, it translates into an attack on them. Looking at this operationally:
>
> 1. Functionality
> Do you have clients who need to interconnect with China's networks, or expect people to connect to you from China? If so, the cost of security by blocking may be unjustifiable.

Absolutely - If possible, please read the article at: http://www.securityfocus.com/infocus/1900/1 It's dated, but the concepts hold true. The entire implementation is based on research and analysis, and of course, business applicability. To be sure, I receive significant US-based attack traffic, but I can't block that for business reasons. Unfortunately, many people see "block China" and immediately say "oh, that's unrealistic and ineffective." This is not an Internet based suggestion - it is simply a toolset one may use to implement country-by-country, protocol-by-protocol based access policy. It's the same thing we do now from a protocol standpoint, but this simply allows one to aggregate data by geographic location. I have no business need for traffic to/from China and many other countries (which I also block) so even in the absence of hard attack traffic, "least privilege" dictates that it is valid to disallow traffic from sources that are not needed.

> 2. Urgency
> If a lot of IP sources attack you from China RIGHT NOW, and you need immediate mitigation, blocking China short-term may work, but obviously not as a permanent solution.

Of course. You can apply the sets without blocking. In fact, I recommend that FIRST in the article. That way you can report on and analyze traffic from sources to make your own decisions on an ongoing basis. When the time comes, you can change your policy as needed. I currently block traffic from Russia, but I might start allowing in SMTP since this Anastasia chick I get emails from on my other address seems pretty hot. :)

> As to "getting rid" or "refusing to connect with" networks with extremely bad reputation, that may be quite acceptable on an individual basis, but not on the Internet-scale, as things stand right now.

Totally agreed. Sorry if I said something that inferred any scale above individual/corporate.

> When I facilitated making Atrivo (and others) no longer welcome on the Internet, it was a brand new move, and it helped change the social belief of "don't be the Internet's firewall" to "some bad actors shouldn't be here, but generally don't be the Internet's firewall." Such social change to encourage new technological and operational solutions happens every 2-5 years or so, and I don't expect anything large enough such as an AS-based reputation system to happen anytime soon.

And, of course, there's nothing to say this will have any effect on attacks from "evil" people in the countries I block when they can easily source the attacks from networks I allow. It just provides security-in-depth.

> Also, you should consider that such actions also have direct political and diplomatic ramifications neither of us understands. So, for now, I'd say that each of us should make such decisions by our own risk analysis with the trade-off between costs and benefits in mind, and only for our own networks.

You and I seem perfectly aligned on that, as I state in the article. I would hope that other people would read it first without jumping to the conclusion that I'm making sweeping blocking suggestions (not saying you are).

> Aside to that, I know some people in China who work very hard on security, and do a better job than we do at it. But that does not mean the situation as it stands now is acceptable.

Agreed, and noted above.

T

> IOW, I really don't think the tag had that much to do with it now... People are just picking on you because they can. I can only share how I see such Internet discussions. Cost of doing business, just consider your responses on a level of (time == money) && what your response would gain for you or the community. If the answer is nothing, then examine whether you still believe it is worth it. If yes, just do it. If not, move along. That is my basic guideline after years of trial by fire. Also, you will always be misunderstood, be careful in your language, but not so much that tl;dr. State your case with the obvious exceptions, and discuss misunderstandings later. As trying to anticipate everything as an opposite example to just saying what you think would mean people will just nitpick on one lower-hanging fruit item, or ignore.
>
> Gadi.

T

-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org]
Sent: Thursday, January 14, 2010 6:27 PM
To: Thor (Hammer of God)
Cc: bugtraq () securityfocus com
Subject: Re: All China, All The Time

On 1/14/10 8:09 AM, Thor (Hammer of God) wrote:
> So, apparently my "witty" tag via Google Translate means something I didn't quite mean. Surprise, surprise. Luckily it wasn't something vulgar, (that's what I get for trusting Google Translate and trying to be funny) but what I meant it to say was "If you can read this, don't bother replying because my servers won't get it." However, it seems to mean something like "don't reply because you are not welcome here" or similar. That wasn't my intention, as it seems to infer I actually have something against the Chinese people and not their networks, which I take issue with.
>
> Sorry for the poorly translated reference.

People always try and send me Hebrew using Google Translate... it's usually word for word which means it breaks sentence structure. Then it misses context, translating words with different meanings. Then it completely mistranslates by using the root of the word, or similar, anything it doesn't know. All in all, while it can't be confused with real Hebrew, it is quite clear. Chinese seems a bit (understatement) more complicated, though. Hebrew, while hard to learn at first, is a very easy language when considering most parameters.

Gadi.

--
Gadi Evron, ge () linuxbox org. Blog: http://gevron.livejournal.com/
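The two points Thor makes in the quoted exchange above (a country-by-country, protocol-by-protocol access policy, and applying the sets without blocking first so the traffic can be reported on before anything is enforced) in working form. This is an added example for the archive reader; it is not code from the thread, from Thor's article or from Tim's block sets. The country ranges (RFC 5737 documentation prefixes), the policy table, the log format and the log lines are all constructed for the example; real country sets are thousands of prefixes built from registry allocation data.

```python
"""Country-by-country, protocol-by-protocol access policy, monitor-first.

Added example; not code from the thread or the toolset it discusses.
Country sets, policy table and log lines are constructed.
"""
import ipaddress
from collections import Counter

# Constructed per-country network sets (documentation prefixes standing in
# for national allocations).
COUNTRY_NETS = {
    "CN": [ipaddress.ip_network("203.0.113.0/24")],
    "RU": [ipaddress.ip_network("198.51.100.0/24")],
    "US": [ipaddress.ip_network("192.0.2.0/24")],
}

# Policy: country -> {protocol -> action}. "*" is the default protocol
# inside a country, and the "*" country covers sources in no known set.
# Actions: "allow" (pass), "block" (deny), "monitor" (pass but record).
# A per-protocol entry overrides the country default (here: Russian SMTP).
POLICY = {
    "CN": {"*": "block"},
    "RU": {"*": "block", "smtp": "allow"},
    "*": {"*": "allow"},
}


def country_of(ip_text):
    """Return the code of the constructed set containing ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for code, nets in COUNTRY_NETS.items():
        if any(ip in net for net in nets):
            return code
    return None


def decide(src_ip, proto, monitor_only=False):
    """Return (country, action) for one inbound connection attempt.

    With monitor_only=True the sets are applied without blocking: every
    "block" becomes "monitor", so the policy can be reported on and
    analysed before it is enforced.
    """
    country = country_of(src_ip)
    rules = POLICY.get(country, POLICY["*"])
    action = rules.get(proto, rules["*"])
    if monitor_only and action == "block":
        action = "monitor"
    return country or "??", action


# Constructed firewall log lines in a simple key=value format.
LOG_LINES = [
    "2010-01-15T10:05:01Z src=203.0.113.5 proto=ssh dport=22",
    "2010-01-15T10:05:02Z src=203.0.113.9 proto=http dport=80",
    "2010-01-15T10:05:03Z src=198.51.100.7 proto=smtp dport=25",
    "2010-01-15T10:05:04Z src=198.51.100.8 proto=ssh dport=22",
    "2010-01-15T10:05:05Z src=192.0.2.44 proto=http dport=80",
    "2010-01-15T10:05:06Z src=10.0.0.3 proto=ssh dport=22",
]


def parse_line(line):
    """Extract (src, proto) from one key=value log line."""
    fields = dict(f.split("=", 1) for f in line.split()[1:])
    return fields["src"], fields["proto"]


def process_log(lines, monitor_only=False):
    """Classify every line; return counts keyed by (country, proto, action)."""
    counts = Counter()
    for line in lines:
        src, proto = parse_line(line)
        country, action = decide(src, proto, monitor_only)
        counts[(country, proto, action)] += 1
    return counts


def by_country(counts):
    """Aggregate the classified traffic per source country for reporting."""
    totals = Counter()
    for (country, _proto, _action), n in counts.items():
        totals[country] += n
    return dict(totals)


if __name__ == "__main__":
    # Step one: apply the sets without blocking and report on the traffic.
    report = process_log(LOG_LINES, monitor_only=True)
    for key, n in sorted(report.items()):
        print(key, n)
    print("per country:", by_country(report))
    # Step two, once the numbers justify it: enforce the same policy.
    enforced = process_log(LOG_LINES)
    print("blocked when enforced:",
          sum(n for (_, _, a), n in enforced.items() if a == "block"))
```

Running it in monitor mode shows what the policy would have denied without denying anything; flipping monitor_only off enforces the identical table, so the decision to block is made on the reported numbers rather than on the rule set changing underneath you.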
Current thread:
- RE: All China, All The Time Thor (Hammer of God) (Jan 14)
- Message not available
- Message not available
- Re: All China, All The Time Gadi Evron (Jan 15)
- RE: All China, All The Time Thor (Hammer of God) (Jan 15)
- RE: All China, All The Time Jim Harrison (Jan 18)
- Message not available
- Re: All China, All The Time Steven J. Koch (Jan 18)
- Message not available
- Re: All China, All The Time Marcello Magnifico (Jan 18)
- RE: All China, All The Time Jim Harrison (Jan 21)
- Message not available
- <Possible follow-ups>
- All China, All The Time Thor (Hammer of God) (Jan 14)
- Re: All China, All The Time Neil Dickey (Jan 19)
- Re: All China, All The Time Lawrence Pingree (Jan 20)
- RE: All China, All The Time Tim Mullen (Jan 20)