[Dshield] Cutoff China

Johannes B. Ullrich jullrich at euclidian.com
Sun Jun 26 15:03:39 GMT 2005


> I've also received a few nasty comments for blocking various countries. 
> There has been many discussions in the field of my hobby. It has always 
> been my opinion that it is your personal choice whether to block a 
> country, 

Correct. Nobody can force you to "talk to them". It's very much up to you
to figure out which crowd to hang out with.

Any kind of block list should come down to a business decision. For
example, if my company does not do any business with China, we may as
well block all traffic from them.

What countries/networks to block doesn't depend just on the number of
"bad traffic" you get, but also on the ratio of "good vs. bad" and the
nature of the bad traffic.

A couple of specific examples:

- You see a lot of malicious traffic from China. Sure, it's run-of-the-mill
worms you are not vulnerable to, but on the other hand, you never
visit any Chinese websites, don't speak Chinese and don't have any
friends in China. By all means block them!

- Your company is a consumer website for a US website. You do see many
attacks from US cable/DSL modem users infected with worms/bots. In this
case, you may want to think twice before blocking them, if this is where
your orders come from.

- One of your big suppliers, which is linked to you via a VPN, is all of a
sudden attacking you with a set of sophisticated exploits. Probably give
them a call first (maybe the outside penetration tester they hired
figured you are part of their network), but if you don't get a good
explanation you call your boss and check if you should cut them off.

In short: collect the data and base your conclusion on it.

My personal policy:

I try to keep my blocklist filters very "tight", in many cases limiting
it to single IPs. Given the worldwide audience, country filters do not
work for me. I am not concerned about the run-of-the-mill worm/bot
exploits, but more about the higher level sophisticated exploits. And
they will find an IP to launch in my neighborhood.
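As an added illustration of the decision rule in this thread (not code from the original post or from DShield), the following Python script scores constructed sample events by good-vs-bad ratio and by the nature of the bad traffic; the country labels, event kinds and the single-good-event threshold are assumptions:

```python
"""Added example: decide how "tight" a blocklist filter should be per
country/network from the good-vs-bad ratio and the kind of bad traffic."""
from collections import defaultdict

# Constructed sample events: (source IP, country or network label, event kind)
EVENTS = [
    ("203.0.113.5", "CN", "worm_probe"),
    ("203.0.113.9", "CN", "worm_probe"),
    ("203.0.113.77", "CN", "worm_probe"),
    ("198.51.100.10", "US", "order"),
    ("198.51.100.11", "US", "order"),
    ("198.51.100.12", "US", "bot_probe"),
    ("198.51.100.13", "US", "order"),
    ("10.20.0.4", "VPN-partner", "targeted_exploit"),
    ("10.20.0.5", "VPN-partner", "order"),
]

GOOD = {"order"}                      # traffic the business depends on
SOPHISTICATED = {"targeted_exploit"}  # not run-of-the-mill worm/bot noise


def assess(events, good_needed=1):
    """Return {group: (decision, bad_ratio, offending_ips)}.
    investigate   - sophisticated attack over a trusted link: call them first
    block_network - nothing but bad traffic, so a wide filter costs nothing
    block_hosts   - good traffic mixed in: filter only the single bad IPs"""
    by_group = defaultdict(list)
    for ip, group, kind in events:
        by_group[group].append((ip, kind))
    verdict = {}
    for group, rows in by_group.items():
        bad = [(ip, k) for ip, k in rows if k not in GOOD]
        good_count = len(rows) - len(bad)
        ratio = round(len(bad) / len(rows), 2)  # assumed scoring metric
        offenders = sorted({ip for ip, _ in bad})
        if any(k in SOPHISTICATED for _, k in bad):
            verdict[group] = ("investigate", ratio, offenders)
        elif good_count < good_needed:
            verdict[group] = ("block_network", ratio, offenders)
        else:
            verdict[group] = ("block_hosts", ratio, offenders)
    return verdict


if __name__ == "__main__":
    for group, (decision, ratio, ips) in assess(EVENTS).items():
        print(f"{group:12} {decision:14} bad_ratio={ratio} ips={ips}")
```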
