#1

Hi.

I'm not trying to be like George Bush, but I got the idea from this issue.

I'm having a website where Nigerian people can't find anything else than addresses for spam. And, I've seen that they are registering to get access to members lists etc.

Since I feel that I can live without Nigerian IP's on my website, I would love to know how I could lock out Nigerian IP's!

I know the terms in .htaccess Deny from xxx.xxx.xxx.

Else? Just to lock out that country?

-Reffo

Reffo

#2

On Tue, 4 Jan 2005 03:17:42 +0100, "Reffo" <> wrote:
>Hi.
>
>I'm not trying to be like George Bush, but I got the idea from this issue.
>
>I'm having a website where Nigerian people can't find anything else
>than addresses for spam. And, I've seen that they are registering to get
>access to members lists etc.
>
>Since I feel that I can live without Nigerian IP's on my website, I would
>love to know how I could lock out Nigerian IP's!
>
>I know the terms in .htaccess Deny from xxx.xxx.xxx.
>
>Else? Just to lock out that country?
>
>-Reffo
>
################################
I don't know about writing rule sets to block entire countries, but you can start to gather some info at:
http://www.jidaw.com/isp.html

donnie

donnie

#3

Reffo wrote on 1/3/2005 9:17 PM:
> Hi.
>
> I'm not trying to be like George Bush, but I got the idea from this issue.
>
> I'm having a website where Nigerian people can't find anything else
> than addresses for spam. And, I've seen that they are registering to get
> access to members lists etc.
>
> Since I feel that I can live without Nigerian IP's on my website, I would
> love to know how I could lock out Nigerian IP's!
>
> I know the terms in .htaccess Deny from xxx.xxx.xxx.
>
> Else? Just to lock out that country?
>
> -Reffo

What's with the cheap W shot? Moron. Spain would be a much better example. If only we would back down, they wouldn't bomb us any more... Wait....

Jim

Jim

#4

In article <R2nCd.79549$>, Reffo wrote:
>Since I feel that I can live without Nigerian IP's on my website, I would
>love to know how I could lock out Nigerian IP's!

Fix your firewall.

    [compton ~/incoming]$ grep Nigeria domains
    NG Nigeria
    [compton ~/incoming]$ zgrep NG IP.ADDR/stats/[ALR]*
    IP.ADDR/stats/RIPE.gz:NG 62.173.32.0 255.255.224.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 62.193.160.0 255.255.224.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 80.248.0.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 80.250.32.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 81.18.32.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 81.24.0.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 82.128.0.0 255.255.128.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 195.166.224.0 255.255.224.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 196.200.0.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 196.200.112.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 196.200.64.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 196.202.160.0 255.255.224.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 196.202.224.0 255.255.248.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 212.100.64.0 255.255.224.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 213.166.160.0 255.255.224.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 213.181.64.0 255.255.224.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 217.117.0.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 217.14.80.0 255.255.240.0 allocated
    IP.ADDR/stats/RIPE.gz:NG 217.78.64.0 255.255.240.0 allocated
    [compton ~/incoming]$

Now, should they try to connect using a proxy server...

Old guy

Moe Trin
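
An added example (not part of Moe Trin's post): turning zone-file lines in the format shown above into the `.htaccess` `Deny from` rules the original question asked about. The function names are made up for the illustration, and the sample lines are copied from the zgrep output above.

```python
import ipaddress

# Lines copied from the zgrep output in the post above
# (zgrep "file:" prefix, country code, network, netmask, status).
ZONE_LINES = """\
IP.ADDR/stats/RIPE.gz:NG 62.173.32.0 255.255.224.0 allocated
IP.ADDR/stats/RIPE.gz:NG 82.128.0.0 255.255.128.0 allocated
IP.ADDR/stats/RIPE.gz:NG 196.200.0.0 255.255.240.0 allocated
IP.ADDR/stats/RIPE.gz:NG 196.202.224.0 255.255.248.0 allocated
IP.ADDR/stats/RIPE.gz:NG 217.14.80.0 255.255.240.0 allocated
"""


def parse_zone_lines(text, country):
    """Return the blocks listed for `country` as IPv4Network objects."""
    nets = []
    for raw in text.splitlines():
        fields = raw.rpartition(":")[2].split()  # drop the "file:" prefix
        if len(fields) != 4 or fields[0] != country:
            continue
        _, network, netmask, _status = fields
        # Raises ValueError if the address is not on the mask's boundary,
        # so a mistyped entry never becomes a rule silently.
        nets.append(ipaddress.IPv4Network(f"{network}/{netmask}"))
    return nets


def htaccess_block(nets):
    """Build an Apache 2.2-style fragment that denies the given networks."""
    # Order Allow,Deny: Allow is evaluated first, a matching Deny then wins.
    lines = ["Order Allow,Deny", "Allow from all"]
    # collapse_addresses sorts, de-duplicates and merges adjacent blocks.
    lines += [f"Deny from {n}" for n in ipaddress.collapse_addresses(nets)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(htaccess_block(parse_zone_lines(ZONE_LINES, "NG")), end="")
```

On Apache 2.4 these directives need mod_access_compat; the native form there is `Require not ip` inside a `<RequireAll>` block.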

#5

In article <R2nCd.79549$>, nospam@ja-takk.com says...

> Hi.
>
> I'm not trying to be like George Bush, but I got the idea from this issue.
>
> I'm having a website where Nigerian people can't find anything else
> then addresses for spam. And, I've seen that they are registering to get
> access to members lists etc.
>
> Since I feel that I can live without Nigerian IP's on my website, I would
> love to know how I could lock out Nigerian IP's!
>
> I know the terms in .htaccess Deny from xxx.xxx.xxx.
>
> Else? Just to lockout that country?

There is no clear way to just block a country as some IP get intermixed in locations, but, using a program called VisualRoute I've managed to block most of the Nasty places.

I'm in the USA and only have a couple countries that I work with outside the US, here's my block list:

--
--
(Remove 999 to reply to me)

Leythos

#6

On Tue, 04 Jan 2005 20:00:21 -0500, Jim <> wrote:
>What's with the cheap W shot? Moron. Spain would be a much better
>example. If only we would back down, they wouldn't bomb us any more...
>Wait....
>
>Jim
###########################
Are you saying that he should block Spain instead?

donnie

donnie

#7

In article <>, Leythos wrote:

>There is no clear way to just block a country as some IP get intermixed
>in locations, but, using a program called VisualRoute I've managed to
>block most of the Nasty places.

Other than knowing which servers to ask, what does 'VisualRoute' tell you that 'whois' doesn't? (I really don't care about intermediate hops that can't be blocked, and I know what a map looks like.) And is the information any more reliable?

>I'm in the USA and only have a couple countries that I work with outside
>the US, here's my block list:

You seem to be using classless notation only for /16s and /24s... no, I see a single /17. That might help avoid typos:

>218.67.128.0-218.29.255.255

I suspect that should be

    218.67.128.0 - 218.69.255.255 Tianjing province network CHINANET-TJ

but APNIC says

    CN 218.56.0.0 255.252.0.0 allocated
    CN 218.62.0.0 255.255.128.0 allocated
    CN 218.62.128.0 255.255.128.0 allocated
    CN 218.63.0.0 255.255.0.0 allocated
    CN 218.64.0.0 255.254.0.0 allocated
    CN 218.66.0.0 255.255.0.0 allocated
    CN 218.67.0.0 255.255.128.0 allocated
    CN 218.67.128.0 255.255.128.0 allocated
    CN 218.68.0.0 255.254.0.0 allocated
    CN 218.70.0.0 255.254.0.0 allocated
    CN 218.72.0.0 255.248.0.0 allocated
    CN 218.80.0.0 255.240.0.0 allocated
    CN 218.96.0.0 255.252.0.0 allocated

218.56.0.0/13 218.64.0.0/11 218.96.0.0/14 does it in three, or 218.56.0.0-218.99.255.255 does it in one. Of course, if you are trying to block China...

    [compton ~]$ zgrep -c '^CN' IP.ADDR/stats/[ALR]* | grep -v ':0'
    IP.ADDR/stats/APNIC.gz:775
    IP.ADDR/stats/ARIN.gz:3
    [compton ~]$ zgrep -h '^CN' IP.ADDR/stats/[ALR]* | cut -d'.' -f1 | sort | uniq -c | sort -n +2 | column
     21 CN 59      1 CN 161     7 CN 192    33 CN 211    56 CN 222
     30 CN 60      1 CN 162     1 CN 198    46 CN 218
     67 CN 61      1 CN 166   289 CN 202    27 CN 219
      1 CN 134     1 CN 167    59 CN 203    10 CN 220
      1 CN 159     1 CN 168    69 CN 210    56 CN 221
    [compton ~]$

That's just the first octet (based on RIR zone files grabbed Sunday).

Old guy

Moe Trin

#8

In article <>, says...

> In article <>,
> Leythos wrote:
>
> >There is no clear way to just block a country as some IP get intermixed
> >in locations, but, using a program called VisualRoute I've managed to
> >block most of the Nasty places.
>
> Other than knowing which servers to ask, what does 'VisualRoute' tell you
> that 'whois' doesn't? (I really don't care about intermediate hops that
> can't be blocked, and I know what a map looks like.) And is the information
> any more reliable?

Visual Route provides a very nice spreadsheet that lets me see every % Loss, IP Address, Node Name, Location, TimeZone, ms time, a time graph, and the Network owner.

I like the ability to click on the network owner name and get a full list of IP's they own.

> >I'm in the USA and only have a couple countries that I work with outside
> >the US, here's my block list:
>
> You seem to be using classless notation only for /16s and /24s... no, I see
> a single /17. That might help avoid typos:

When I started I used to just enter single IP's and then ranges, and now I've just moved to blocking the /xx when I have time to calculate it.

I have not gone back and calculated the addresses and I've not gone back to see if any should be removed.

> >218.67.128.0-218.29.255.255
>
> I suspect that should be
>
> 218.67.128.0 - 218.69.255.255 Tianjing province network CHINANET-TJ

Nice catch, I missed that. I will have to update it so I don't block more than intended.

The thing I like most about VR is that I can see the entire hop count and have a clickable item for every column/row that expands into more information than having to do several lookups. When I get a probe from country X, I can see the full path to them (every network) and with just a few simple clicks I can see every network that the hop owns and block it.

--
--
(Remove 999 to reply to me)

Leythos

#9

In article <>, Leythos wrote:

>In article <>,
> says...

>> Other than knowing which servers to ask, what does 'VisualRoute' tell you
>> that 'whois' doesn't? (I really don't care about intermediate hops that
>> can't be blocked, and I know what a map looks like.)

>Visual Route provides a very nice spreadsheet that lets me see every %
>Loss, IP Address, Node Name, Location, TimeZone, ms time, a time graph,
>and the Network owner.

And this helps you exactly how? I don't know how your network is set, but every upstream I've worked with in the past eight years has been ignoring Source Routing, and that's the only control you have on where your packets go when routing from "here" to "there". You have no control at all at how packets are routed from "there" to "here". The IPs of the intermediate hops only become known when using a network diagnostic like traceroute (or clones). There is nothing in a packet that comes from $THERE that tells where it's been, so what do you do with the information you gain?

I'm assuming the program uses ICMP echos with incremental TTL values like the Microsoft "tracert" (or the *nix "mtr" application from bitwizard). Given that some routers/firewalls are dropping pings, have you compared results using the original Unix version of traceroute (defaults to UDP) or the Linux TCP version??

>I like the ability to click on the network owner name and get a full
>list of IP's they own.

And you can't get this from 'whois'?

>When I started I used to just enter single IP's and then ranges, and now
>I've just moved to blocking the /xx when I have time to calculate it.

    1878 Variable Length Subnet Table For IPv4. T. Pummill, B. Manning.
         December 1995. (Format: TXT=19414 bytes) (Obsoletes RFC1860)
         (Status: INFORMATIONAL)

Grab a copy of RFC1878 from your favorite mirror.

>I have not gone back and calculated the addresses and I've not gone back
>to see if any should be removed.

Generally speaking, CIDR notation is faster than writing out the bit mask (and equally useful), and takes less CPU cycles to evaluate than a from/to list. The from/to list is _usually_ easier to visualize. Of course, the zone reports from the RIRs use yet another system (number of IPs in a block) which is even more useless. Part of the script I use that processes these zone files converts the counts to CIDR when easy, though I'm still able to comprehend 3840 hosts as the equivalent of 15 x 256. Above an assignment of a /24, the RIRs nearly always are allocating some multiple of 256 - though I have seen a couple I swear have to be typos on someone's part.

>> >218.67.128.0-218.29.255.255
>>
>> I suspect that should be
>>
>> 218.67.128.0 - 218.69.255.255 Tianjing province network CHINANET-TJ
>
>Nice catch, I missed that. I will have to update it so I don't block
>more than intended.

I've no idea how a firewall would interpret the higher to lower number. One hopes they have a sanity check, and don't try 218.67.128.0 through 255.255.255.255, then wrap 0.0.0.0 to 218.29.255.255.

>The thing I like most about VR is that I can see the entire hop count
>and have a clickable item for every column/row that expands into more
>information than having to do several lookups. When I get a probe from
>country X, I can see the full path to them (every network) and with just
>a few simple clicks I can see every network that the hop owns and block
>it.

I'm assuming you mean the end points. For me, many routes to the Far East pass through Los Angeles, San Francisco, Portland OR, Seattle, Salt Lake City or Denver, but blocking the IP ranges of those routers does absolutely nothing other than break traceroute at those hops, because their IPs never appear in the packets from APNIC, nor can I cause my packets to go elsewhere. Sending complaints to (for example) AT&T Long Lines that they shouldn't be carrying packets from/to $COUNTRY does no good, because I'm not a customer of theirs anyway.

Old guy

Moe Trin

#10

In article <>, says...

> In article <>,
> Leythos wrote:
>
> >In article <>,
> > says...
>
> >> Other than knowing which servers to ask, what does 'VisualRoute' tell you
> >> that 'whois' doesn't? (I really don't care about intermediate hops that
> >> can't be blocked, and I know what a map looks like.)
>
> >Visual Route provides a very nice spreadsheet that lets me see every %
> >Loss, IP Address, Node Name, Location, TimeZone, ms time, a time graph,
> >and the Network owner.
>
> And this helps you exactly how? I don't know how your network is set,
> but every upstream I've worked with in the past eight years has been
> ignoring Source Routing, and that's the only control you have on where
> your packets go when routing from "here" to "there". You have no control
> at all at how packets are routed from "there" to "here". The IPs of the
> intermediate hops only become known when using a network diagnostic
> like traceroute (or clones). There is nothing in a packet that comes
> from $THERE that tells where it's been, so what do you do with the
> information you gain?
>
> I'm assuming the program uses ICMP echos with incremental TTL values like
> the Microsoft "tracert" (or the *nix "mtr" application from bitwizard).
> Given that some routers/firewalls are dropping pings, have you compared
> results using the original Unix version of traceroute (defaults to UDP)
> or the Linux TCP version??

When I do a VR I get the NOC info for every hop, that's the nice part for me - full owner info and block. It means that I can quickly get the info from one source while viewing everything. Sure, I know it can be done after a tracert by doing individual looks, but that would require more work - since I use and love VR it's just a simple click to see what path takes me to the probing IP - the info along the path is what I'm looking for.

> >I like the ability to click on the network owner name and get a full
> >list of IP's they own.
>
> And you can't get this from 'whois'?

Sure, as can anyone, but, as I said, it's a very nice, all inclusive, type interface. Why would I want to take the extra steps when it's a single click on the GUI to see it all?

[snip]

> >> >218.67.128.0-218.29.255.255
> >>
> >> I suspect that should be
> >>
> >> 218.67.128.0 - 218.69.255.255 Tianjing province network CHINANET-TJ
> >
> >Nice catch, I missed that. I will have to update it so I don't block
> >more than intended.
>
> I've no idea how a firewall would interpret the higher to lower number.
> One hopes they have a sanity check, and don't try 218.67.128.0 through
> 255.255.255.255, then wrap 0.0.0.0 to 218.29.255.255.

Yea, I think it ignored the range. I've since corrected it.

> >The thing I like most about VR is that I can see the entire hop count
> >and have a clickable item for every column/row that expands into more
> >information than having to do several lookups. When I get a probe from
> >country X, I can see the full path to them (every network) and with just
> >a few simple clicks I can see every network that the hop owns and block
> >it.
>
> I'm assuming you mean the end points. For me, many routes to the Far East
> pass through Los Angeles, San Francisco, Portland OR, Seattle, Salt Lake
> City or Denver, but blocking the IP ranges of those routers does absolutely
> nothing other than break traceroute at those hops, because their IPs never
> appear in the packets from APNIC, nor can I cause my packets to go
> elsewhere. Sending complaints to (for example) AT&T Long Lines that they
> shouldn't be carrying packets from/to $COUNTRY does no good, because I'm
> not a customer of theirs anyway.

The block list appears to block anything from the ranges I specify - since the probe comes from a foreign host and since I can see all the other hops and that they are foreign, it allows me to block their ranges too.

While I may not have got a probe from hop 15, if I can see that hop 15 is some place in Korea and its network block assignment, I can block it before I get probed. It's nice to see the list (I don't use the map function, only the spreadsheet mode).

I added 220.72.0.0/12 tonight along with 211.54.40.0/25

I don't even bother complaining to anyone outside the US, it almost never does any good. It's easier to block their network and just not have to deal with them. If there is no reason for anyone in country XYZ to hit our servers I don't see any reason I should expose the network to them.

Here's a link to their site http://www.visualiptrace.com/index.html

--
--
(Remove 999 to reply to me)

Leythos
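
An added example, not written by any poster in this thread: a block-list normalizer that applies the sanity check discussed in posts #9 and #10 (refusing a range that runs backwards), converts from/to ranges and RIR-style address counts to CIDR, and rejects a prefix that does not sit on its own boundary. The function names and the 10.0.0.0 start address are made up for the illustration; the other entries are quoted from the thread.

```python
import ipaddress


def entry_to_cidrs(entry):
    """Turn one block-list entry (IP, CIDR or from-to range) into CIDR networks."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            # Refuse a backwards range instead of guessing or wrapping around.
            raise ValueError(f"{entry}: range end is below range start")
        return list(ipaddress.summarize_address_range(lo, hi))
    # Strict parsing rejects a prefix whose address has host bits set.
    return [ipaddress.IPv4Network(entry, strict=True)]


def count_to_cidrs(first, count):
    """Turn an RIR-style (first address, number of addresses) pair into CIDRs."""
    if count < 1:
        raise ValueError("count must be at least 1")
    lo = ipaddress.IPv4Address(first)
    return list(ipaddress.summarize_address_range(lo, lo + (count - 1)))


def normalize_blocklist(entries):
    """Return (merged networks as strings, {rejected entry: reason})."""
    nets, rejected = [], {}
    for entry in entries:
        try:
            nets.extend(entry_to_cidrs(entry))
        except ValueError as exc:
            rejected[entry] = str(exc)
    merged = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return merged, rejected


# Entries quoted in the thread; 10.0.0.0 below is a constructed start address.
THREAD_ENTRIES = [
    "218.67.128.0-218.29.255.255",    # the typo: end below start
    "218.67.128.0 - 218.69.255.255",  # the suggested correction
    "218.56.0.0-218.99.255.255",      # the one-range form from post #7
    "220.72.0.0/12",                  # not on a /12 boundary (220.64.0.0/12 is)
    "211.54.40.0/25",
]

if __name__ == "__main__":
    merged, rejected = normalize_blocklist(THREAD_ENTRIES)
    print("\n".join(merged))
    for reason in rejected.values():
        print("REJECTED:", reason)
    print(count_to_cidrs("10.0.0.0", 3840))  # 3840 = 15 x 256 addresses
```

Products differ in what they do with a prefix such as 220.72.0.0/12: some mask it down to the enclosing 220.64.0.0/12 and so block more than was typed, others reject the rule, which is why the strict parse hands it back for a decision.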