Blocking China IP Address Blocks

After having a user email account compromised and our mail server used to dish out spam for a few hours, I am going ahead and starting to block outright the China IP addresses that are attacking us. This doesn’t solve the issue, but I am done negotiating with and rejecting attack traffic at our servers when it originates from China. Blocking the ranges that attack us is an intermediate step for me. I don’t want to block China outright just yet; at this point I know that wouldn’t solve the issue either, but it also really couldn’t hurt. This is not what the internet is supposed to be about, but sadly, it has come to this. I am blocking them inbound at my network level.

If you are going down this road as well, IP2CIDR is a helpful site for converting the ranges you get from whois into CIDR blocks. When you take the next step and start blocking countries entirely, CIPB is the resource for you. Here are my first few entries from China.
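As an added example (not code from the original post or from the IP2CIDR site), here is the whois-range-to-CIDR conversion that step does by hand, the count of addresses a block list covers, and the inbound iptables lines it yields; it handles IPv6 ranges too. The range used below is a constructed RFC 5737 documentation range, not any real allocation.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def range_to_cidrs(first: str, last: str) -> List[Network]:
    """Split an inclusive address range, as whois reports it, into the
    minimal list of CIDR blocks (the same job IP2CIDR does online)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("range endpoints must be the same IP version")
    if lo > hi:
        raise ValueError("range start is after range end")
    bits = lo.max_prefixlen                      # 32 for IPv4, 128 for IPv6
    cls = ipaddress.IPv4Network if bits == 32 else ipaddress.IPv6Network
    start, end = int(lo), int(hi)
    blocks: List[Network] = []
    while start <= end:
        # Grow the block while it stays aligned at `start` and inside the range.
        size = 1
        while (size < 2 ** bits and start % (size * 2) == 0
               and start + size * 2 - 1 <= end):
            size *= 2
        prefix = bits - (size.bit_length() - 1)  # size is a power of two
        blocks.append(cls((start, prefix)))
        start += size
    return blocks


def addresses_covered(blocks: List[Network]) -> int:
    """How many addresses a block list drops: the collateral number worth
    knowing before a rule goes in (one routed IP may front many users)."""
    return sum(n.num_addresses for n in blocks)


def iptables_rules(blocks: List[Network], chain: str = "INPUT") -> List[str]:
    """Inbound DROP rules, one per block, for the chain the traffic enters on."""
    tool = "iptables" if blocks and blocks[0].version == 4 else "ip6tables"
    return [f"{tool} -A {chain} -s {n.with_prefixlen} -j DROP" for n in blocks]


if __name__ == "__main__":
    # Constructed placeholder range (RFC 5737 documentation space), not a real one.
    cidrs = range_to_cidrs("198.51.100.3", "198.51.100.10")
    print(addresses_covered(cidrs), "addresses in", [str(n) for n in cidrs])
    print("\n".join(iptables_rules(cidrs)))
```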







  • I do the same, and a few other countries as well. To me it should be the default setting. If you want to turn on China, go ahead. Sure it won’t stop attacks but makes various hacks 1 step harder.

  • Thing is, China doesn’t have a great deal of ipv4 addresses; their country operates mostly on NAT and ipv6.

    They rolled out v6 in 2008 for the Olympics, so chances are if you have v6 on your services most of the unique traffic will be there. You are also blocking potentially millions of users. One globally routed ip could be serving an entire city of people!

  • In my opinion, blocking any country’s IP addresses based on the fact that they are either known for generating bad traffic, or because “it really couldn’t hurt, either” is almost always a bad idea.

    I realize this might be a band-aid to protect your network from attackers, but chances are these people weren’t necessarily targeting you; it just so happened that one of your users’ mailboxes got compromised. Most spammers using hacked accounts that you see connecting from China are just using ChinaNetcom/ChinaUnicom/ChinaMobile servers due to their ignorance toward abuse complaints.

    With that being said, it’s almost always better to set up rulesets and dual-factor authentication to prevent attacks; this way you are actually protected, versus security by obscurity, which isn’t true security at all.

    • Yeah, most will use proxies including Tor anyway; you could be merely blocking a proxy. In any case, if they were connecting direct, they’ll work out that they can no longer reach you and consequently begin using proxies, although a large amount will likely move to another target. And don’t forget some of the worst vulnerabilities are things like Java targeting users… Don’t lull yourself into a false sense of security.

  • Blocking China might help at first, but my experience over the last few weeks has been that once they smell blood they start trying a lot harder.

    After we had one or two users (out of 1000+) fall for phishing mails they became a lot more targeted. We have blocked every country except Canada and the US (where our users are) and the spammers are simply using VPN and proxy services. It’s a bit of an arms race.

    We are working on educating (and threatening :P) users but it’s a slow process.

  • I’m getting a lot of spam from US-based servers. Usually owned by people who have no clue about security. Maybe I should just block email traffic from the US entirely.

    • European, is 100% of your US-based traffic spam? We get at least 500 probes a day, every day, for open ports from China with not a single bit that is legitimate traffic (we have one port open for a service used by 50 people, all within a 15 mile radius). We get about 500 A YEAR from every other country on earth COMBINED. This is not a matter of “feelings are hurt, must block China!” like your petulant little tantrum. If I had an infestation of rats, why would I install bear traps? If I have a rash of break-ins to my house, should I purchase flood insurance? If I have 1000 times as many attacks from one place with not even one legitimate visitor, why WOULDN’T I block them outright? Oh, right, we might upset European’s finely honed sense of self-righteousness.

      • I understand both of you guys.
        But as things are going China is going to have IPs blocked from everywhere else. Even Google accounts without cell phone security are being attacked.
        This is not how we idealized the Internet, but among the phishing, brute-force hacks, and the copyright claims it’s a matter of time before the Internet too becomes fragmented. In a sense aren’t we already?

        What do you propose then?
        You detect static IPs that keep making hack attempts to seize control of your accounts while their ISP doesn’t give a shit about your complaints, nor does the Chinese government. You wait with crossed arms for them to succeed?

        This block by no means makes us safe, but if they start using proxies for their bidding the same will at some point extend to those flagged proxies unless they take measures (unlike the Chinese parties).