RE: All China, All The Time
I've used Tim's block sets for a while in my own FOAD rule, but I ended up having to adjust the policy because of the toolsets I provide to the folks that are trying to do a good day's work in those same locations.

Yes; there are plenty of good folks, computers and networks in China and other countries, but the sad fact is these countries also represent the network sources (even if, as has been stated, not the "true" source) of the majority of attacks. My own firewall logs validate this.

How you use the lists Tim provides is a matter of personal choice according to your capabilities and priorities. If your firewall is smart enough to ignore anyone trying to bash your network or play silly buggers in the upper layers, then you may feel that an IP-based block set is overkill. If, like so many, your firewall operates primarily at L4 and below, this data may prove very valuable.

Frankly, I like that someone has taken the time to do the numbers and produce the data, even if I can't use it the way I'd prefer.
Jim
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
Sent: Friday, January 15, 2010 10:05 AM
To: Gadi Evron
Cc: bugtraq@securityfocus.com
Subject: RE: All China, All The Time
Inline:
> Subject: Re: All China, All The Time
> The solution of blocking China, however, is one which harms both people
> outside of China, as well as those inside of China. Therefore, it
> translates into an attack on them.
>
> Looking at this operationally:
>
> 1. Functionality
>
> Do you have clients who need to interconnect with China's
> networks, or expect people to connect to you from China?
>
> If so, the cost of security by blocking may be unjustifiable.
Absolutely - If possible, please read the article at:
http://www.securityfocus.com/infocus/1900/1

It's dated, but the concepts hold true. The entire implementation is based on research and analysis, and of course, business applicability. To be sure, I receive significant US-based attack traffic, but I can't block that for business reasons. Unfortunately, many people see "block China" and immediately say "oh, that's unrealistic and ineffective." This is not an Internet-based suggestion - it is simply a toolset one may use to implement country-by-country, protocol-by-protocol based access policy. It's the same thing we do now from a protocol standpoint, but this simply allows one to aggregate data by geographic location. I have no business need for traffic to/from China and many other countries (which I also block) so even in the absence of hard attack traffic, "least privilege" dictates that it is valid to disallow traffic from sources that are not needed.
>
> 2. Urgency
>
> If a lot of IP sources attack you from China RIGHT NOW, and you
> need immediate mitigation, blocking China short-term may work,
> but obviously not as a permanent solution.
Of course. You can apply the sets without blocking. In fact, I recommend that FIRST in the article. That way you can report on and analyze traffic from sources to make your own decisions on an ongoing basis. When the time comes, you can change your policy as needed. I currently block traffic from Russia, but I might start allowing in SMTP since this Anastasia chick I get emails from on my other address seems pretty hot. :)
>
> As to "getting rid" or "refusing to connect with" networks with
> extremely bad reputation, that may be quite acceptable on an individual
> bases, but not on the Internet-scale, as things stand right now.

Totally agreed. Sorry if I said something that inferred any scale above individual/corporate.
>
> When I facilitated making Atrivo (and others) no longer welcome on the
> Internet, it was a brand new move, and it helped change the social
> belief of "don't be the Internet's firewall" to "some bad actors
> shouldn't be here, but generally don't be the Internet's firewall."
>
> Such social change to encourage new technological and operational
> solutions happens every 2-5 years or so, and I don't expect anything
> large enough such as an AS-based reputation system to happen anytime
> soon.
And, of course, there's nothing to say this will have any effect on attacks from "evil" people in the countries I block when they can easily source the attacks from networks I allow. It just provides security-in-depth.
>
> Also, you should consider that such actions also have direct political
> and diplomatic ramifications neither of us understands.
>
> So, for now, I'd say that each of us should make such decisions by our
> own risk analysis with the trade-off between costs and benefits in
> mind, and only for our own networks.
You and I seem perfectly aligned on that, as I state in the article. I would hope that other people would read it first without jumping to the conclusion that I'm making sweeping blocking suggestions (not saying you are).
>
> Aside to that, I know some people in China who work very hard on
> security, and do a better job than we do at it. But that does not mean
> the situation as it stands now is acceptable.

Agreed, and noted above.
T
>
> > IOW, I really don't think the tag had that much to do with it now...
>
> People are just picking on you because they can. I can only share how I
> see such Internet discussions.
>
> Cost of doing business, just consider your responses on a level of
> (time == money) && what your response would gain for you or the
> community. If the answer is nothing, then examine whether you still
> believe it is worth it. If yes, just do it. If not, move along.
>
> That is my basic guideline after years of trial by fire.
>
> Also, you will always be misunderstood, be careful in your language,
> but not so much that tl;dr. State your case with the obvious
> exceptions, and discuss misunderstandings later. As trying to
> anticipate everything as an opposite example to just saying what you
> think would mean people will just nitpick on one lower-hanging fruit
> item, or ignore.
>
> Gadi.
>
> >
> > T
> >
> >> -----Original Message-----
> >> From: Gadi Evron [mailto:ge@linuxbox.org]
> >> Sent: Thursday, January 14, 2010 6:27 PM
> >> To: Thor (Hammer of God)
> >> Cc: bugtraq@securityfocus.com
> >> Subject: Re: All China, All The Time
> >>
> >> On 1/14/10 8:09 AM, Thor (Hammer of God) wrote:
> >>> So, apparently my "witty" tag via Google Translate means something I
> >>> didn't quite mean. Surprise, surprise. Luckily it wasn't something
> >>> vulgar, (that's what I get for trusting Google Translate and trying to
> >>> be funny) but what I meant it to say was "If you can read this, don't
> >>> bother replying because my servers won't get it." However, it seems to
> >>> mean something like "don't reply because you are not welcome here" or
> >>> similar. That wasn't my intention, as it seems to infer I actually
> >>> have something against the Chinese people and not their networks, which
> >>> I take issue with.
> >>>
> >>> Sorry for the poorly translated reference.
> >>
> >> People always try and send me Hebrew using Google Translate... it's
> >> usually word for word which means it breaks sentence structure. Then it
> >> misses context, translating words with different meanings. Then it
> >> completely mistranslates by using the root of the word, or similar,
> >> anything it doesn't know.
> >>
> >> All in all, while it can't be confused with real Hebrew, it is quite
> >> clear.
> >>
> >> Chinese seems a bit (understatement) more complicated, though. Hebrew,
> >> while hard to learn at first, is a very easy language when considering
> >> most parameters.
> >>
> >> Gadi.
> >>
> >> --
> >> Gadi Evron,
> >> ge@linuxbox.org.
> >>
> >> Blog: http://gevron.livejournal.com/
> >
>
> --
> Gadi Evron,
> ge@linuxbox.org.
>
> Blog: http://gevron.livejournal.com/
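The country-by-country, protocol-by-protocol policy Thor describes above, applied in report-only mode first and only then enforced, as an added example (not code from the thread or from the linked article; the country sets, the allow list and the log format are constructed placeholders):

```python
import ipaddress
from collections import Counter

# Constructed placeholder country sets (documentation prefixes, not real
# allocations); a real deployment would load the published block sets here.
COUNTRY_SETS = {
    "CN": [ipaddress.ip_network("203.0.113.0/24")],
    "RU": [ipaddress.ip_network("198.51.100.0/24")],
    "US": [ipaddress.ip_network("192.0.2.0/24")],
}

# Country-by-country, protocol-by-protocol policy: the services each country
# set has a business need to reach. Anything not listed is denied (least privilege).
ALLOW = {
    "US": {"tcp/25", "tcp/80", "tcp/443"},
    "RU": {"tcp/25"},  # SMTP let back in while everything else stays blocked
}
# Constructed firewall log lines: "<src_ip> <proto> <dst_port>"
SAMPLE_LOG = [
    "203.0.113.7 tcp 22",
    "203.0.113.9 tcp 443",
    "198.51.100.4 tcp 25",
    "198.51.100.5 tcp 22",
    "192.0.2.10 tcp 443",
    "192.0.2.11 tcp 22",
]

def country_of(ip):
    """Map a source address to the first country set containing it."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in COUNTRY_SETS.items():
        if any(addr in n for n in nets):
            return cc
    return "UNKNOWN"

def evaluate(lines, enforce=False):
    """Return (verdicts, report). With enforce=False every flow still passes and
    the policy is only tallied, so the report can drive the decision to block."""
    report, verdicts = Counter(), []
    for line in lines:
        src, proto, port = line.split()
        cc, service = country_of(src), f"{proto}/{port}"
        verdict = "allow" if service in ALLOW.get(cc, set()) else "deny"
        report[(cc, service, verdict)] += 1
        verdicts.append(verdict if enforce else "allow")
    return verdicts, report

if __name__ == "__main__":
    for (cc, service, verdict), n in sorted(evaluate(SAMPLE_LOG)[1].items()):
        print(f"{cc:8} {service:8} {verdict:5} {n}")  # report-only pass first
```

Running the report-only pass over real logs for a while is what tells you which (country, service) pairs actually carry business traffic before you flip `enforce` on.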