[Dshield] Blocking Country Access

Tomas L. Byrnes tomb at byrneit.net
Wed Feb 21 16:17:32 GMT 2007

The issue with deny all whitelist is configuration management. The
theory is great, but even for sites that don't need access from the
public Internet, road warriors, or people on vacations in exotic places,
managing and propagating the whitelist(s) becomes a serious O&M

It's easy on one or maybe two firewalls to do IP based Closed User
Groups, but you run into two major issues as you scale:

1: How do you make sure all your access control systems have the same

2: What about users coming from dynamic IPs?

Disclaimer: This is a somewhat shameless plug for what I've been working
on for the last 9 months, but the work is derivative from DShield, and
has been based on the needs and requests of the users of this list.

threatSTOP, the service for propagating the DShield (and other) block
lists that I've built based on my collaboration with Marc and Johannes,
and based on discussions on this list and last year's DShield user
survey, actually includes user whitelisting, so you can do IP CUGs. We
don't handle DynDNS yet.

The service is currently in early alpha, and we will be contacting
DShield survey respondents who indicated they'd like to do dynamic
firewall updates, and that we could contact them, to get testers with a
variety of firewalls.

If anyone who hasn't responded to the DShield survey wants to know more,
please complete the DShield user survey:


Be sure to tell us we can contact you, give us your e-mail, and we will
be in touch as we ramp up.

End shameless plug.

Tom Byrnes

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of 
> Valdis.Kletnieks at vt.edu
> Sent: Tuesday, February 20, 2007 10:44 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Blocking Country Access
> On Tue, 20 Feb 2007 08:54:14 PST, Dave Hatz said:
> > I am trying to find information on how to block countries 
> from our networks.
> > I remember seeing lists that contain the IP addresses for 
> the countries.
> > Can someone please point me in the right direction on where I can 
> > obtain a list of the country IP address so we can block them.
> Depending on your exact business and traffic patterns, it may 
> make a lot more sense to block *the entire world*, and then 
> only punch holes for places you expect traffic from.
> Just a thought - seems people seem to be reminded of Marcus 
> Ranum's thoughts on "default allow and trying to enumerate 
> badness". ;)

More information about the list mailing list