[Dshield] Blocking Offending Countries

Mike Simkins mike at g7obs.net
Tue Jun 28 07:54:12 GMT 2005


Blocking by country/continent/whatever is not the answer. 

A block by a specific threat, possibly. I have (almost daily) someone trying an 
SSH attack on various hosts of mine, and I have a script that blocks the 
offending IP (only) and sends an auto-abuse e-mail if there is either an 
abuse, technical, or admin e-mail address listed for that IP or block.

If I get a reply from the admin saying it's fixed (as I have done in about 5% 
of the cases), then the block is removed.

Mike.

On Tuesday 28 June 2005 08:41, Cefiar wrote:
> On Tuesday 28 June 2005 12:54, Mike Wydra wrote:
> > More to come - but for now, would someone please explain to me "how blocking
> > China IP's would also block Canada?" I truly don't understand the following
> > piece of a post:
> > > Hmm, if we applied that logic, traffic from the US would be cut off
> > > from entering Canada. The two countries who target Canadian IPs
> > > on a regular basis are China and the US.
> >
> From a brief look at the discussion, it seems this was made in response to
> the idea of blocking the biggest countries that produce unwanted traffic. It's
> also made from the point of view of Canada. Hence blocking the biggest
> offenders against Canada would mean blocking not just China, but the US as
> well.
>
> Blocking solely based on the biggest offenders without understanding of any
> other relationships can lead to collateral damage. The above was apparently
> an example in point. There were a number of replies, some specifically from
> "the other side" (eg: people in the US) about the fact that they are
> already dropping traffic from Canada. This is despite the fact that Canada
> is a land-connected neighbour and quite possibly could legitimately have
> reasons for contacting them (IMO).
>
> One of the biggest downsides of dropping traffic from anywhere however
> would be companies that run some part of their infrastructure out of a
> specific country (be it Taiwan, the US, China, Canada, the UK, Australia,
> or whatever). A number of companies that I deal regularly
> with in Australia run their entire mail infrastructure out of some of the
> above countries, and blocking legitimate traffic from those destinations
> would therefore be a no-no. Of course, there is no reason to let them get
> to a VPN end-point, so dropping such traffic makes perfect sense. As they
> say, horses for courses.
>
> IMO, dropping traffic from other corners of the world without reason is
> simply a band-aid solution that will not solve the problem, and may
> actually make the problem worse. It's also a bit hard to complain about a
> lack of traffic when your complaints get dropped on the floor along with
> everything else.
>
> Looking forward to the plan details when you get the time. Till then, stay
> well.
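As an added example (not Mike's script, and not code from the list), here is the per-IP response Mike describes: count failed SSH logins per source address, block only that address, then look for an abuse, technical or admin contact for its netblock and draft the report. The sshd log lines, the whois records, the addresses and the threshold are all constructed for illustration; in real use the whois text would come from running `whois <ip>` and the rule would be handed to iptables.

```python
"""Per-IP response to SSH password guessing: block only the offending address,
find an abuse/technical/admin contact for its netblock, draft the report.
Added example, not Mike's script. Log lines, whois records, addresses and the
threshold are constructed; real use would call `whois <ip>` and iptables."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sshd log excerpt (RFC 5737 documentation addresses, not a real host).
SAMPLE_AUTH_LOG = """\
Jun 28 07:41:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 28 07:41:05 host sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
Jun 28 07:41:09 host sshd[2205]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jun 28 07:41:12 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 40115 ssh2
Jun 28 07:41:15 host sshd[2209]: Failed password for invalid user guest from 203.0.113.7 port 40116 ssh2
Jun 28 07:42:30 host sshd[2211]: Failed password for mike from 198.51.100.4 port 50222 ssh2
Jun 28 07:42:41 host sshd[2213]: Accepted publickey for mike from 198.51.100.4 port 50222 ssh2
"""

# Constructed whois replies keyed by IP. Field names follow the RIPE and ARIN
# conventions (abuse-mailbox:, OrgAbuseEmail:, OrgTechEmail:, e-mail:), but the
# records themselves are made up for this example.
SAMPLE_WHOIS = {
    "203.0.113.7": (
        "inetnum:        203.0.113.0 - 203.0.113.255\n"
        "netname:        EXAMPLE-NET\n"
        "abuse-mailbox:  abuse@isp.example\n"
        "e-mail:         admin@isp.example\n"
    ),
    "198.51.100.4": (
        "NetRange:       198.51.100.0 - 198.51.100.255\n"
        "OrgTechEmail:   tech@provider.example\n"
    ),
}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Contact fields in Mike's order of preference: abuse, then technical, then admin.
CONTACT_FIELDS = (
    ("abuse", re.compile(r"^(?:abuse-mailbox|OrgAbuseEmail):\s*(\S+@\S+)", re.I | re.M)),
    ("technical", re.compile(r"^OrgTechEmail:\s*(\S+@\S+)", re.I | re.M)),
    ("admin", re.compile(r"^e-mail:\s*(\S+@\S+)", re.I | re.M)),
)


def failed_logins(log_text):
    """Map source IP -> list of its failed-password log lines (the evidence)."""
    lines = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            lines[m.group(2)].append(line)
    return lines


def offenders(log_text, threshold=5):
    """IPs at or above the threshold. Each address is judged on its own; no
    country- or netblock-wide rule is ever produced."""
    return sorted(ip for ip, ev in failed_logins(log_text).items() if len(ev) >= threshold)


def block_rule(ip):
    """iptables rule dropping SSH from exactly one address. ip_address() rejects
    prefixes such as 203.0.113.0/24, so a bug upstream cannot widen the block."""
    ip_address(ip)
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


def unblock_rule(ip):
    """Counterpart to block_rule, for when the admin replies that it is fixed."""
    ip_address(ip)
    return f"iptables -D INPUT -s {ip} -p tcp --dport 22 -j DROP"


def find_contact(whois_text):
    """Return (role, address) for the most appropriate listed contact, or None."""
    for role, pattern in CONTACT_FIELDS:
        m = pattern.search(whois_text)
        if m:
            return role, m.group(1)
    return None


def abuse_report(ip, evidence, contact):
    """Draft the auto-abuse e-mail as a dict; sending is left to the caller."""
    role, address = contact
    body = (f"Host {ip} made {len(evidence)} failed SSH password attempts against our "
            f"system. It has been blocked from TCP/22 only; reply when fixed and the "
            f"block will be removed.\n\nLog excerpt:\n" + "\n".join(evidence) + "\n")
    return {"to": address, "contact_role": role,
            "subject": f"SSH brute-force from {ip}", "body": body}


def respond(log_text, whois_lookup, threshold=5):
    """One action per offender: the block rule, plus a report when a contact exists.
    whois_lookup maps an IP to whois text (a dict here; wrap `whois` for real use)."""
    evidence = failed_logins(log_text)
    actions = []
    for ip in offenders(log_text, threshold):
        contact = find_contact(whois_lookup(ip) or "")
        actions.append({"ip": ip, "rule": block_rule(ip),
                        "report": abuse_report(ip, evidence[ip], contact) if contact else None})
    return actions


if __name__ == "__main__":
    for action in respond(SAMPLE_AUTH_LOG, SAMPLE_WHOIS.get):
        print(action["rule"])
        if action["report"]:
            print("report ->", action["report"]["to"], "|", action["report"]["subject"])
```

Two design points worth noting. The block is keyed on a single literal address and `block_rule` refuses anything else, which is what keeps this approach from drifting into the netblock- or country-wide collateral damage the thread warns about. And the second sample record has no abuse mailbox, so the lookup falls through to the technical contact rather than giving up, matching the abuse-then-technical-then-admin order in Mike's description.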
