Bugtraq mailing list archives

RE: All China, All The Time


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Fri, 15 Jan 2010 10:04:43 -0800

Inline:


Subject: Re: All China, All The Time
The solution of blocking China, however, is one which harms both people
outside of China, as well as those inside of China. Therefore, it
translates into an attack on them.

Looking at this operationally:

1. Functionality

      Do you have clients who need to interconnect with China's
      networks, or expect people to connect to you from China?

      If so, the cost of security by blocking may be unjustifiable.

Absolutely - If possible, please read the article at:
http://www.securityfocus.com/infocus/1900/1

It's dated, but the concepts hold true.  The entire implementation is based on research and analysis, and of course, 
business applicability.  To be sure, I receive significant US-based attack traffic, but I can't block that for business 
reasons.  Unfortunately, many people see "block China" and immediately say "oh, that's unrealistic and ineffective."  
This is not an Internet-based suggestion - it is simply a toolset one may use to implement country-by-country, 
protocol-by-protocol based access policy.  It's the same thing we do now from a protocol standpoint, but this simply 
allows one to aggregate data by geographic location.  I have no business need for traffic to/from China and many other 
countries (which I also block) so even in the absence of hard attack traffic, "least privilege" dictates that it is 
valid to disallow traffic from sources that are not needed. 



2. Urgency

      If a lot of IP sources attack you from China RIGHT NOW, and you
      need immediate mitigation, blocking China short-term may work,
      but obviously not as a permanent solution.

Of course.  You can apply the sets without blocking.  In fact, I recommend that FIRST in the article.  That way you can 
report on and analyze traffic from sources to make your own decisions on an ongoing basis.  When the time comes, you 
can change your policy as needed.  I currently block traffic from Russia, but I might start allowing in SMTP since this 
Anastasia chick I get emails from on my other address seems pretty hot.  :)



As to "getting rid" or "refusing to connect with" networks with
extremely bad reputation, that may be quite acceptable on an individual
basis, but not on the Internet-scale, as things stand right now.

Totally agreed.  Sorry if I said something that inferred any scale above individual/corporate. 


When I facilitated making Atrivo (and others) no longer welcome on the
Internet, it was a brand new move, and it helped change the social
belief of "don't be the Internet's firewall" to "some bad actors
shouldn't be here, but generally don't be the Internet's firewall."

Such social change to encourage new technological and operational
solutions happens every 2-5 years or so, and I don't expect anything
large enough such as an AS-based reputation system to happen anytime
soon.

And, of course, there's nothing to say this will have any effect on attacks from "evil" people in the countries I block 
when they can easily source the attacks from networks I allow.  It just provides security-in-depth.



Also, you should consider that such actions also have direct political
and diplomatic ramifications neither of us understands.


So, for now, I'd say that each of us should make such decisions by our
own risk analysis with the trade-off between costs and benefits in
mind,
and only for our own networks.

You and I seem perfectly aligned on that, as I state in the article. I would hope that other people would read it first 
without jumping to the conclusion that I'm making sweeping blocking suggestions (not saying you are). 


Aside to that, I know some people in China who work very hard on
security, and do a better job than we do at it. But that does not mean
the situation as it stands now is acceptable.

Agreed, and noted above. 

T





IOW, I really don't think the tag had that much to do with it now...

People are just picking on you because they can. I can only share how I
see such Internet discussions.

Cost of doing business, just consider your responses on a level of
(time == money) && what your response would gain for you or the community. If
the answer is nothing, then examine whether you still believe it is
worth it. If yes, just do it. If not, move along.

That is my basic guideline after years of trial by fire.

Also, you will always be misunderstood, be careful in your language,
but not so much that tl;dr. State your case with the obvious exceptions,
and discuss misunderstandings later. As trying to anticipate everything as
an opposite example to just saying what you think would mean people
will just nitpick on one lower-hanging fruit item, or ignore.

      Gadi.


T



-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org]
Sent: Thursday, January 14, 2010 6:27 PM
To: Thor (Hammer of God)
Cc: bugtraq () securityfocus com
Subject: Re: All China, All The Time

On 1/14/10 8:09 AM, Thor (Hammer of God) wrote:
So, apparently my "witty" tag via Google Translate means something
I didn't quite mean.  Surprise, surprise.  Luckily it wasn't something
vulgar, (that's what I get for trusting Google Translate and trying
to be funny) but what I meant it to say was "If you can read this,
don't bother replying because my servers won't get it."  However, it seems
to mean something like "don't reply because you are not welcome here"
or similar.  That wasn't my intention, as it seems to infer I actually
have something against the Chinese people and not their networks,
which I take issue with.

Sorry for the poorly translated reference.

People always try and send me Hebrew using Google Translate... it's
usually word for word which means it breaks sentence structure. Then
it misses context, translating words with different meanings. Then it
completely mistranslates by using the root of the word, or similar,
anything it doesn't know.

All in all, while it can't be confused with real Hebrew, it is quite
clear.

Chinese seems a bit (understatement) more complicated, though.
Hebrew, while hard to learn at first, is a very easy language when
considering most parameters.

   Gadi.


--
Gadi Evron,
ge () linuxbox org.

Blog: http://gevron.livejournal.com/



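The country-by-country, protocol-by-protocol access policy Thor describes, including his "apply the sets without blocking first" step, as an added illustration that is not code from either poster. The address blocks, the country labels attached to them and the flow records are all constructed for the example (documentation and benchmarking ranges, not real per-country allocations); a real deployment would load country sets from a registry or GeoIP feed and the flows from firewall logs. The policy is evaluated twice with the same rules: once in report-only mode, which classifies traffic and counts what would have been dropped, and once in enforce mode.

```python
"""Country-by-country, protocol-by-protocol access policy with a report-only mode.

Added illustration for this thread, not code from the original posts.  The
address blocks and flow records below are constructed for the example and are
NOT real per-country allocations; a deployment would load country sets from a
registry/GeoIP feed and flows from firewall logs.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Constructed (hypothetical) country -> network sets.  These are documentation
# and benchmarking ranges, chosen so the example never touches real addresses.
COUNTRY_SETS = {
    "CN": [ipaddress.ip_network("203.0.113.0/24")],
    "RU": [ipaddress.ip_network("198.51.100.0/25")],
    "US": [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("198.51.100.128/25")],
}


def lookup_country(ip: str) -> str:
    """Map a source address to the first country set containing it."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in COUNTRY_SETS.items():
        if any(addr in net for net in nets):
            return cc
    return "UNKNOWN"


@dataclass
class GeoPolicy:
    # country -> services ("proto/port") still allowed from it; an empty set
    # means everything from that country is denied (least privilege).
    rules: dict[str, set[str]] = field(default_factory=dict)
    default_allow: bool = True   # verdict for countries not named in rules
    enforce: bool = False        # False: classify and report only, block nothing

    def decide(self, ip: str, service: str) -> tuple[str, str]:
        cc = lookup_country(ip)
        allowed = service in self.rules[cc] if cc in self.rules else self.default_allow
        if allowed:
            return cc, "allow"
        return cc, ("drop" if self.enforce else "would-drop")


def parse_flow(line: str) -> tuple[str, str]:
    """'src_ip proto dport' -> (src_ip, 'proto/dport')."""
    src, proto, dport = line.split()
    return src, f"{proto}/{dport}"


def evaluate(policy: GeoPolicy, flows) -> Counter:
    """Run every flow through the policy; count (country, service, verdict)."""
    counts: Counter = Counter()
    for line in flows:
        src, service = parse_flow(line)
        cc, verdict = policy.decide(src, service)
        counts[(cc, service, verdict)] += 1
    return counts


def summarize(counts: Counter) -> dict[str, dict[str, int]]:
    """Per-country totals by verdict: the view used to justify a later block."""
    out: dict[str, dict[str, int]] = {}
    for (cc, _service, verdict), n in counts.items():
        out.setdefault(cc, {})
        out[cc][verdict] = out[cc].get(verdict, 0) + n
    return out


# Constructed flow records, "src_ip proto dport".
FLOWS = [
    "203.0.113.10 tcp 22",
    "203.0.113.11 tcp 80",
    "198.51.100.5 tcp 25",
    "198.51.100.6 tcp 22",
    "192.0.2.7 tcp 443",
    "198.51.100.200 tcp 22",
    "198.18.0.1 udp 53",
]

# Same rules, two stages: report first, enforce once the data justifies it.
RULES = {"CN": set(), "RU": {"tcp/25"}}     # RU keeps SMTP, CN gets nothing
REPORT_POLICY = GeoPolicy(rules=RULES, enforce=False)
ENFORCE_POLICY = GeoPolicy(rules=RULES, enforce=True)

if __name__ == "__main__":
    for label, pol in (("report-only", REPORT_POLICY), ("enforce", ENFORCE_POLICY)):
        print(f"== {label} ==")
        for cc, verdicts in sorted(summarize(evaluate(pol, FLOWS)).items()):
            print(f"{cc:8s} {verdicts}")
```

The report-only pass is what makes the later decision defensible: the per-country counts of `would-drop` versus `allow` show how much traffic a block would cost before any packet is refused, and flipping `enforce` changes only the verdict, not the classification.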

