Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

CHINANET

89 views
Skip to first unread message

riserman

unread,
Jul 2, 2012, 2:30:20 PM7/2/12
to
ESET firewall has been reporting daily port scans from 58.218.199.147,
58.218.199.250 and at least two other IP's all related to CHINANET,
Beijing, for a month or so.

What is going on here? Is this happening to anyone else in
comp.security.firewalls, and is this an exploit I should be concerned about?

Thanks,

riserman

Sr Peabody

unread,
Jul 3, 2012, 9:31:50 AM7/3/12
to
"riserman" <rise...@RemoveThis.optonline.net> escribió en el mensaje de
noticias:4ff1e8bc$0$11512$607e...@cv.net...
If you search in Google you´ll find many posts in forums complaining about
intrusion attemps from that IP, since 2010 until now.

Saludos,

--
Sr Peabody

riserman

unread,
Jul 3, 2012, 2:32:44 PM7/3/12
to
Thanks Sr Peabody, but I'm aware of all the complaints. What I really
want to know is who is conducting the port scanning and what is their
*ultimate* purpose? What do they do after finding an open port?

riserman

Sr Peabody

unread,
Jul 4, 2012, 6:43:48 AM7/4/12
to
"riserman" <rise...@RemoveThis.optonline.net> escribió en el mensaje de
noticias:4ff33acb$0$1208$607e...@cv.net...
Why port scanning? uh... one of the most popular reconnaissance techniques
attackers use to discover services they can break into, and all that hackers
stuff.

Who is conducting it? who knows, possibly a script kiddie, or even the PLA
(People's Liberation Army) cyberwarfare division :)

You´re not alone, i.e. take a look on posts of this page:
http://cort.as/2BGx

Just be sure you have shields up with a good and updated firewall and, if
possible, use the firewall blocking options to block traffic coming from
that IPs.

Saludos,

--
Sr Peabody

Moe Trin

unread,
Jul 4, 2012, 2:43:41 PM7/4/12
to
On Wed, 4 Jul 2012, in the Usenet newsgroup comp.security.firewalls, in article
<jt16nl$bq9$1...@dont-email.me>, Sr Peabody wrote:

>"riserman" <rise...@RemoveThis.optonline.net> escribió:

>>Sr Peabody wrote:

>>> "riserman" <rise...@RemoveThis.optonline.net> escribió

>>>> ESET firewall has been reporting daily port scans

>>>> What is going on here? Is this happening to anyone else in
>>>> comp.security.firewalls, and is this an exploit I should be
>>>> concerned about?

If you have an out-dated O/S, or have crap open to the world - perhaps.
Otherwise, why care. They aren't getting in to your computer, so why
are you wasting time worrying about it?

>>> If you search in Google you'll find many posts in forums
>>> complaining about intrusion attemps from that IP, since 2010
>>> until now.

If you search in Google, you'll find millions of posts about port
scans since the 1990s. What's new?

>> Thanks Sr Peabody, but I'm aware of all the complaints. What I
>> really want to know is who is conducting the port scanning and
>> what is their *ultimate* purpose? What do they do after finding
>> an open port?

Depends - some are looking for open proxy servers, while some are
looking for systems to convert into zombies that they can use to
conduct port scans or run spam or virus/trojan servers.

>Who is conducting it? who knows, possibly a script kiddie, or even the
>PLA (People's Liberation Army) cyberwarfare division :)

or the schools where they are training them. So? What are you going
to do if you find out who they are - call the police? Wag your finger
at them and say "BAD Boy" or "BAD Girl"? Oh, that will make them stop.

>Just be sure you have shields up with a good and updated firewall

Fix your toy computer so that it's not running unneeded services. For
a home user, that usually means NO network services. Your computer has
a tool to show what services are open/running. Use it, and find out
what is running. If nothing is open, no one is getting in - a firewall
isn't needed when there is no door to open.

>and, if possible, use the firewall blocking options to block traffic
>coming from that IPs.

If you're worried about blocking systems in China, you've got your
work cut out for you. As of two weeks ago, China had 3879 networks
containing 330342508 IPv4 addresses, ranging from 1.0.1.1 to
223.255.253.254 - and that's ignoring Taiwan, Hong Kong, and Macau.
But then, there are 3114348564 _other_ IP addresses in 113381 _other_
networks in 230 _other_ countries in the world - shouldn't you be
blocking them as well? Hmmm, maybe a better idea is to allow those
you want to, and ignore/block those not allowed.

Old guy

riserman

unread,
Jul 6, 2012, 7:07:23 PM7/6/12
to
<SNIP>
>
> If you're worried about blocking systems in China, you've got your
> work cut out for you. As of two weeks ago, China had 3879 networks
> containing 330342508 IPv4 addresses, ranging from 1.0.1.1 to
> 223.255.253.254 - and that's ignoring Taiwan, Hong Kong, and Macau.
> But then, there are 3114348564 _other_ IP addresses in 113381 _other_
> networks in 230 _other_ countries in the world - shouldn't you be
> blocking them as well? Hmmm, maybe a better idea is to allow those
> you want to, and ignore/block those not allowed.
>
> Old guy
>
Where did these numbers come from?

riserman


Moe Trin

unread,
Jul 7, 2012, 12:23:05 PM7/7/12
to
On Fri, 06 Jul 2012, in the Usenet newsgroup comp.security.firewalls, in article
<4ff76fa8$0$11513$607e...@cv.net>, riserman wrote:

>> As of two weeks ago, China had 3879 networks containing 330342508
>> IPv4 addresses, ranging from 1.0.1.1 to 223.255.253.254 - and
>> that's ignoring Taiwan, Hong Kong, and Macau. But then, there
>> are 3114348564 _other_ IP addresses in 113381 _other_ networks in
>> 230 _other_ countries in the world - shouldn't you be blocking them
>> as well?

>Where did these numbers come from?

Which? Numbers of Chinese networks and hosts? APNIC, ARIN and RIPE
statistics files, published nightly. I only bother grabbing a copy
monthly on the 15th. Other countries? There is AfriNIC and LACNIC as
well as the first three. If you need them, you'd be looking for "RIR
Statistics" files where RIR means Regional Internet Registry. I
haven't seen the data offered by the RIRs as a web page, but they're on
the five RIR FTP servers. Examples of the source filenames would be

delegated-afrinic-20120615
delegated-apnic-20120615
delegated-arin-20120615
delegated-lacnic-20120615
delegated-ripencc-20120615

but they're rather boring and useless if you're not in the trade.

apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|AU|ipv4|1.0.4.0|1024|20110412|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated

First field in name of RIR, second field is country (know your ISO3166
country codes?), third field is data type (here, IPv4), fourth is the
network address, fifth is size, sixth is date assigned/allocated, and
last field is whether the block is assigned to a "final user" or
allocated for further sub-assignment or sub-allocation, often by a
national or local internet registry. The IPv6 data is even more
useless because the smallest data block refers to a /64 which is 2^64
or 18446744073709551616 addresses. IPv6 lines look like

apnic|JP|ipv6|2001:200::|35|19990813|allocated
apnic|JP|ipv6|2001:200:2000::|35|20030423|allocated

fields as above except the size field is the mask width - the "35" means
a mask of ffff:ffff:e000:0000:0000:0000:0000:0000 and that means a total
of 9903520314283042199192993792 addresses in the block. Takes a little
data manipulation to get these files into something usable, as there's
around 182000 lines of text to parse in the five files. Oh, and the big
bugaboo - the country code is where the netblock is _registered_ in, not
where the individual hosts are physically located. Company I work for
has corporate offices in New York state, but I'm in Arizona, and the
company being multi-national has facilities in 40+ countries on seven
continents. So, are we all to be considered New Yorkers? The RIRs
would seem to say yes.

Old guy

Davis

unread,
Nov 3, 2012, 7:03:43 AM11/3/12
to
# China IP blocks:
# List of ip blocks allocated and assigned directly by RIRs to ISPs
# and other large companies in the country of China
# This file is based on data collected on Thu Jan 31 07:03:40 PST
2008

other countries:
http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/

58.14.0.0/15
58.16.0.0/13
58.24.0.0/15
58.30.0.0/15
58.32.0.0/11
58.66.0.0/15
58.68.128.0/17
58.82.0.0/15
58.87.64.0/18
58.99.128.0/17
58.100.0.0/15
58.116.0.0/14
58.128.0.0/13
58.144.0.0/16
58.154.0.0/15
58.192.0.0/11
58.240.0.0/12
59.32.0.0/11
59.64.0.0/12
59.80.0.0/14
59.107.0.0/16
59.108.0.0/14
59.151.0.0/17
59.155.0.0/16
59.172.0.0/14
59.191.0.0/17
59.191.240.0/20
59.192.0.0/10
60.0.0.0/11
60.55.0.0/16
60.63.0.0/16
60.160.0.0/11
60.194.0.0/15
60.200.0.0/13
60.208.0.0/12
60.232.0.0/15
60.235.0.0/16
60.245.128.0/17
60.247.0.0/16
60.252.0.0/16
60.253.128.0/17
60.255.0.0/16
61.4.80.0/20
61.4.176.0/20
61.8.160.0/20
61.28.0.0/17
61.29.128.0/17
61.45.128.0/18
61.47.128.0/18
61.48.0.0/13
61.87.192.0/18
61.128.0.0/10
61.232.0.0/14
61.236.0.0/15
61.240.0.0/14
110.232.32.0/20
116.1.0.0/16
116.2.0.0/15
116.4.0.0/14
116.8.0.0/14
116.13.0.0/16
116.16.0.0/12
116.52.0.0/14
116.56.0.0/15
116.58.128.0/20
116.58.208.0/20
116.60.0.0/14
116.66.0.0/17
116.69.0.0/16
116.70.0.0/17
116.76.0.0/14
116.89.144.0/20
116.90.184.0/21
116.95.0.0/16
116.112.0.0/14
116.116.0.0/15
116.128.0.0/10
116.192.0.0/16
116.193.16.0/20
116.193.32.0/19
116.194.0.0/15
116.196.0.0/16
116.198.0.0/16
116.199.0.0/17
116.199.128.0/19
116.204.0.0/15
116.207.0.0/16
116.208.0.0/14
116.212.160.0/20
116.213.64.0/18
116.213.128.0/17
116.214.32.0/19
116.214.64.0/20
116.214.128.0/17
116.215.0.0/16
116.216.0.0/14
116.224.0.0/12
116.242.0.0/15
116.244.0.0/14
116.248.0.0/15
116.252.0.0/15
116.254.128.0/17
116.255.128.0/17
117.8.0.0/13
117.21.0.0/16
117.22.0.0/15
117.24.0.0/13
117.32.0.0/13
117.40.0.0/14
117.44.0.0/15
117.48.0.0/14
117.53.48.0/20
117.53.176.0/20
117.57.0.0/16
117.58.0.0/17
117.59.0.0/16
117.60.0.0/14
117.64.0.0/13
117.72.0.0/15
117.74.64.0/20
117.74.128.0/17
117.75.0.0/16
117.76.0.0/14
117.80.0.0/12
117.100.0.0/15
117.103.16.0/20
117.103.128.0/20
117.106.0.0/15
117.112.0.0/13
117.120.64.0/18
117.120.128.0/17
117.121.0.0/17
117.121.128.0/18
117.121.192.0/21
117.122.128.0/17
117.124.0.0/14
117.128.0.0/10
118.24.0.0/13
118.64.0.0/15
118.66.0.0/16
118.67.112.0/20
118.72.0.0/13
118.80.0.0/15
118.84.0.0/15
118.88.32.0/19
118.88.64.0/18
118.88.128.0/17
118.89.0.0/16
118.91.240.0/20
118.102.16.0/20
118.112.0.0/13
118.120.0.0/14
118.124.0.0/15
118.126.0.0/16
118.132.0.0/14
118.144.0.0/14
118.178.0.0/16
118.180.0.0/14
118.184.0.0/13
118.192.0.0/12
118.212.0.0/15
118.224.0.0/14
118.228.0.0/15
118.230.0.0/16
118.239.0.0/16
118.242.0.0/16
118.244.0.0/14
118.248.0.0/13
119.0.0.0/15
119.2.0.0/19
119.2.128.0/17
119.3.0.0/16
119.4.0.0/14
119.8.0.0/15
119.10.0.0/17
119.15.136.0/21
119.16.0.0/16
119.18.192.0/20
119.18.208.0/21
119.18.224.0/19
119.19.0.0/16
119.20.0.0/14
119.27.64.0/18
119.27.160.0/19
119.27.192.0/18
119.28.0.0/15
119.30.48.0/20
119.31.192.0/19
119.32.0.0/13
119.40.0.0/18
119.40.64.0/20
119.40.128.0/17
119.41.0.0/16
119.42.0.0/19
119.42.136.0/21
119.42.224.0/19
119.44.0.0/15
119.48.0.0/13
119.57.0.0/16
119.58.0.0/16
119.59.128.0/17
119.60.0.0/15
119.62.0.0/16
119.63.32.0/19
119.75.208.0/20
119.78.0.0/15
119.80.0.0/15
119.84.0.0/14
119.88.0.0/14
121.0.16.0/20
121.4.0.0/15
121.8.0.0/13
121.16.0.0/12
121.32.0.0/13
121.40.0.0/14
121.46.0.0/15
121.48.0.0/15
121.51.0.0/16
121.52.160.0/19
121.52.208.0/20
121.52.224.0/19
121.55.0.0/18
121.56.0.0/15
121.58.0.0/17
121.58.144.0/20
121.59.0.0/16
121.60.0.0/14
121.68.0.0/14
121.76.0.0/15
121.79.128.0/18
121.89.0.0/16
121.100.128.0/17
121.101.208.0/20
121.192.0.0/13
121.201.0.0/16
121.204.0.0/14
121.224.0.0/12
121.248.0.0/14
121.255.0.0/16
122.0.64.0/18
122.0.128.0/17
122.4.0.0/14
122.8.0.0/13
122.48.0.0/16
122.49.0.0/18
122.51.0.0/16
122.64.0.0/11
122.96.0.0/15
122.102.0.0/20
122.102.64.0/19
122.112.0.0/14
122.119.0.0/16
122.136.0.0/13
122.144.128.0/17
122.152.192.0/18
122.156.0.0/14
122.192.0.0/14
122.198.0.0/16
122.200.64.0/18
122.204.0.0/14
122.224.0.0/12
122.240.0.0/13
122.248.48.0/20
123.0.128.0/18
123.4.0.0/14
123.8.0.0/13
123.49.128.0/17
123.52.0.0/14
123.56.0.0/13
123.64.0.0/11
123.96.0.0/15
123.98.0.0/17
123.99.128.0/17
123.100.0.0/19
123.101.0.0/16
123.103.0.0/17
123.108.128.0/20
123.108.208.0/20
123.112.0.0/12
123.128.0.0/13
123.136.80.0/20
123.137.0.0/16
123.138.0.0/15
123.144.0.0/12
123.160.0.0/12
123.176.80.0/20
123.177.0.0/16
123.178.0.0/15
123.180.0.0/14
123.184.0.0/13
123.196.0.0/15
123.199.128.0/17
123.206.0.0/15
123.232.0.0/14
123.242.0.0/17
123.244.0.0/14
123.249.0.0/16
123.253.0.0/16
124.6.64.0/18
124.14.0.0/15
124.16.0.0/15
124.20.0.0/14
124.28.192.0/18
124.29.0.0/17
124.31.0.0/16
124.40.112.0/20
124.40.128.0/18
124.42.0.0/16
124.47.0.0/18
124.64.0.0/15
124.66.0.0/17
124.67.0.0/16
124.68.0.0/14
124.72.0.0/13
124.88.0.0/13
124.108.8.0/21
124.108.40.0/21
124.112.0.0/13
124.126.0.0/15
124.128.0.0/13
124.147.128.0/17
124.156.0.0/16
124.160.0.0/13
124.172.0.0/14
124.192.0.0/15
124.196.0.0/16
124.200.0.0/13
124.220.0.0/14
124.224.0.0/12
124.240.0.0/17
124.240.128.0/18
124.242.0.0/16
124.243.192.0/18
124.248.0.0/17
124.249.0.0/16
124.250.0.0/15
124.254.0.0/18
125.31.192.0/18
125.32.0.0/12
125.58.128.0/17
125.61.128.0/17
125.62.0.0/18
125.64.0.0/11
125.96.0.0/15
125.98.0.0/16
125.104.0.0/13
125.112.0.0/12
125.169.0.0/16
125.171.0.0/16
125.208.0.0/18
125.210.0.0/15
125.213.0.0/17
125.214.96.0/19
125.215.0.0/18
125.216.0.0/13
125.254.128.0/17
134.196.0.0/16
159.226.0.0/16
161.207.0.0/16
162.105.0.0/16
166.111.0.0/16
167.139.0.0/16
168.160.0.0/16
192.83.122.0/24
192.83.169.0/24
192.124.154.0/24
192.188.170.0/24
198.17.7.0/24
202.0.110.0/24
202.0.176.0/22
202.4.128.0/19
202.4.252.0/22
202.8.128.0/19
202.10.64.0/20
202.14.88.0/24
202.14.235.0/24
202.14.236.0/23
202.14.238.0/24
202.20.120.0/24
202.22.248.0/21
202.38.0.0/20
202.38.64.0/18
202.38.128.0/21
202.38.136.0/23
202.38.138.0/24
202.38.140.0/22
202.38.146.0/23
202.38.149.0/24
202.38.150.0/23
202.38.152.0/22
202.38.156.0/24
202.38.158.0/23
202.38.160.0/23
202.38.164.0/22
202.38.168.0/21
202.38.176.0/23
202.38.184.0/21
202.38.192.0/18
202.41.152.0/21
202.41.240.0/20
202.43.144.0/20
202.46.32.0/19
202.46.224.0/20
202.60.112.0/20
202.63.248.0/22
202.69.4.0/22
202.69.16.0/20
202.70.0.0/19
202.74.8.0/21
202.75.208.0/20
202.85.208.0/20
202.90.0.0/22
202.90.224.0/20
202.90.252.0/22
202.91.0.0/22
202.91.128.0/22
202.91.176.0/20
202.91.224.0/19
202.92.0.0/22
202.92.252.0/22
202.93.0.0/22
202.93.252.0/22
202.95.0.0/19
202.95.252.0/22
202.96.0.0/12
202.112.0.0/13
202.120.0.0/15
202.122.0.0/21
202.122.32.0/21
202.122.64.0/19
202.122.112.0/21
202.122.128.0/24
202.123.96.0/20
202.124.24.0/22
202.125.176.0/20
202.127.0.0/21
202.127.12.0/22
202.127.16.0/20
202.127.40.0/21
202.127.48.0/20
202.127.112.0/20
202.127.128.0/19
202.127.160.0/21
202.127.192.0/20
202.127.208.0/23
202.127.212.0/22
202.127.216.0/21
202.127.224.0/19
202.130.0.0/19
202.130.224.0/19
202.131.16.0/21
202.131.48.0/20
202.131.208.0/20
202.136.48.0/20
202.136.208.0/20
202.136.224.0/20
202.141.160.0/19
202.142.16.0/20
202.143.16.0/20
202.148.96.0/19
202.149.160.0/19
202.149.224.0/19
202.150.16.0/20
202.152.176.0/20
202.153.48.0/20
202.158.160.0/19
202.160.176.0/20
202.164.0.0/20
202.164.25.0/24
202.165.96.0/20
202.165.176.0/20
202.165.208.0/20
202.168.160.0/19
202.170.128.0/19
202.170.216.0/21
202.173.8.0/21
202.173.224.0/19
202.179.240.0/20
202.180.128.0/19
202.181.112.0/20
202.189.80.0/20
202.192.0.0/12
203.18.50.0/24
203.79.0.0/20
203.80.144.0/20
203.81.16.0/20
203.83.56.0/21
203.86.0.0/18
203.86.64.0/19
203.88.32.0/19
203.88.192.0/19
203.89.0.0/22
203.90.0.0/22
203.90.128.0/18
203.90.192.0/19
203.91.32.0/19
203.91.96.0/20
203.91.120.0/21
203.92.0.0/22
203.92.160.0/19
203.93.0.0/16
203.94.0.0/19
203.95.0.0/21
203.95.96.0/19
203.99.16.0/20
203.99.80.0/20
203.100.32.0/20
203.100.80.0/20
203.100.96.0/19
203.100.192.0/20
203.110.160.0/19
203.118.192.0/19
203.119.24.0/21
203.119.32.0/22
203.128.32.0/19
203.128.96.0/19
203.130.32.0/19
203.132.32.0/19
203.134.240.0/21
203.135.96.0/19
203.135.160.0/20
203.148.0.0/18
203.152.64.0/19
203.156.192.0/18
203.158.16.0/21
203.161.192.0/19
203.166.160.0/19
203.171.224.0/20
203.174.7.0/24
203.174.96.0/19
203.175.128.0/19
203.175.192.0/18
203.176.168.0/21
203.184.80.0/20
203.187.160.0/19
203.190.96.0/20
203.191.16.0/20
203.191.64.0/18
203.191.144.0/20
203.192.0.0/19
203.196.0.0/21
203.207.64.0/18
203.207.128.0/17
203.208.0.0/20
203.208.16.0/22
203.208.32.0/19
203.209.224.0/19
203.212.0.0/20
203.212.80.0/20
203.222.192.0/20
203.223.0.0/20
210.2.0.0/19
210.5.0.0/19
210.5.144.0/20
210.12.0.0/15
210.14.64.0/19
210.14.112.0/20
210.14.128.0/17
210.15.0.0/17
210.15.128.0/18
210.16.128.0/18
210.21.0.0/16
210.22.0.0/16
210.23.32.0/19
210.25.0.0/16
210.26.0.0/15
210.28.0.0/14
210.32.0.0/12
210.51.0.0/16
210.52.0.0/15
210.56.192.0/19
210.72.0.0/14
210.76.0.0/15
210.78.0.0/16
210.79.64.0/18
210.79.224.0/19
210.82.0.0/15
210.87.128.0/18
210.185.192.0/18
210.192.96.0/19
211.64.0.0/13
211.80.0.0/12
211.96.0.0/13
211.136.0.0/13
211.144.0.0/12
211.160.0.0/13
218.0.0.0/11
218.56.0.0/13
218.64.0.0/11
218.96.0.0/14
218.104.0.0/14
218.108.0.0/15
218.185.192.0/19
218.192.0.0/12
218.240.0.0/13
218.249.0.0/16
219.72.0.0/16
219.82.0.0/16
219.128.0.0/11
219.216.0.0/13
219.224.0.0/12
219.242.0.0/15
219.244.0.0/14
220.101.192.0/18
220.112.0.0/14
220.152.128.0/17
220.154.0.0/15
220.160.0.0/11
220.192.0.0/12
220.231.0.0/18
220.231.128.0/17
220.232.64.0/18
220.234.0.0/16
220.242.0.0/15
220.248.0.0/14
220.252.0.0/16
221.0.0.0/13
221.8.0.0/14
221.12.0.0/17
221.12.128.0/18
221.13.0.0/16
221.14.0.0/15
221.122.0.0/15
221.129.0.0/16
221.130.0.0/15
221.133.224.0/19
221.136.0.0/15
221.172.0.0/14
221.176.0.0/13
221.192.0.0/14
221.196.0.0/15
221.198.0.0/16
221.199.0.0/17
221.199.128.0/18
221.199.192.0/20
221.199.224.0/19
221.200.0.0/13
221.208.0.0/12
221.224.0.0/12
222.16.0.0/12
222.32.0.0/11
222.64.0.0/11
222.125.0.0/16
222.126.128.0/17
222.128.0.0/12
222.160.0.0/14
222.168.0.0/13
222.176.0.0/12
222.192.0.0/11
222.240.0.0/13
222.248.0.0/15

Moe Trin

unread,
Nov 3, 2012, 10:57:02 PM11/3/12
to
On 03 Nov 2012, in the Usenet newsgroup comp.security.firewalls, in article
<5094fa0f$0$14766$426a...@news.free.fr>, Davis wrote:

Please _RE-READ_ what I posted:

]] As of two weeks ago,

which was from 03 July, 2012 (meaning data from 15 June, 2012)

]] China had 3879 networks containing 330342508
]] IPv4 addresses, ranging from 1.0.1.1 to 223.255.253.254 - and
]] that's ignoring Taiwan, Hong Kong, and Macau.

># China IP blocks:
># List of ip blocks allocated and assigned directly by RIRs to ISPs
># and other large companies in the country of China
># This file is based on data collected on Thu Jan 31 07:03:40 PST
>2008

That's over FOUR YEARS NINE MONTHS OUT OF DATE. On January 31, 2008,
there were 84451 allocations and assignments world-wide, totaling
2575807388 (2.58e9) IPv4 addresses. On December 31, 2011, those
numbers had increased to 113278 allocations/assignments and 3402331040
(3.40e9) IPv4 addresses. On October 15, 2012 it was up to 120276
and 3471537408 (3.47e9). Things can change rather significantly in
time, and data nearly five years old is not very useful.

You list 650 address ranges out of 3527 ranges they had allocated or
assigned on October 15, 2012. Notice that's a different number from
what they had 15 June.

[fermi ~]$ zgrep CN RIPE.gz
CN 91.196.232.0 255.255.252.0 assigned 20070704 ri
CN 91.234.36.0 255.255.255.0 assigned 20111222 ri
[fermi ~]$ zgrep CN ARIN.gz
CN 199.59.240.0 255.255.252.0 allocated 20101209 ar
[fermi ~]$ zgrep CN APNIC.gz | cut -d' ' -f2 | cut -d'.' -f1 | sort
-n | uniq -c | column
59 1 152 103 29 120 7 157 17 183
17 14 23 106 49 121 1 159 2 192
32 27 42 110 37 122 1 161 556 202
25 36 34 111 50 123 1 162 968 203
10 39 21 112 72 124 6 163 78 210
90 42 44 113 40 125 1 166 45 211
17 49 30 114 1 134 1 167 73 218
45 58 28 115 16 139 1 168 42 219
34 59 56 116 13 140 12 171 17 220
38 60 38 117 6 144 20 175 64 221
89 61 47 118 7 150 36 180 64 222
75 101 77 119 7 153 29 182 32 223
[fermi ~]$

That shows the number of blocks in each /8 from APNIC - 59 in 1.x.x.x,
17 in 14.x.x.x and so on. Note, 45 in 58.x.x.x (you list 17), 34 in
59.x.x.x (you list 11), and 968 in 203.x.x.x (you list 69).

Old guy

meagain

unread,
Dec 1, 2012, 7:50:18 AM12/1/12
to
Could you summarize this into a shorter list? In other words what
ranges exactly should one block?

Moe Trin

unread,
Dec 1, 2012, 3:45:12 PM12/1/12
to
On Sat, 01 Dec 2012, in the Usenet newsgroup comp.security.firewalls, in article
<k9cue8$8vi$1...@dont-email.me>, meagain wrote:

>Moe Trin wrote:

>> [fermi ~]$ zgrep CN RIPE.gz
>> CN 91.196.232.0 255.255.252.0 assigned 20070704 ri
>> CN 91.234.36.0 255.255.255.0 assigned 20111222 ri
>> [fermi ~]$ zgrep CN ARIN.gz
>> CN 199.59.240.0 255.255.252.0 allocated 20101209 ar
>> [fermi ~]$ zgrep CN APNIC.gz | cut -d' ' -f2 | cut -d'.' -f1 | sort
>> -n | uniq -c | column
>> 59 1 152 103 29 120 7 157 17 183
>> 17 14 23 106 49 121 1 159 2 192
>> 32 27 42 110 37 122 1 161 556 202
>> 25 36 34 111 50 123 1 162 968 203
>> 10 39 21 112 72 124 6 163 78 210
>> 90 42 44 113 40 125 1 166 45 211
>> 17 49 30 114 1 134 1 167 73 218
>> 45 58 28 115 16 139 1 168 42 219
>> 34 59 56 116 13 140 12 171 17 220
>> 38 60 38 117 6 144 20 175 64 221
>> 89 61 47 118 7 150 36 180 64 222
>> 75 101 77 119 7 153 29 182 32 223
>> [fermi ~]$
>>
>> That shows the number of blocks in each /8 from APNIC - 59 in
>> 1.x.x.x, 17 in 14.x.x.x and so on.

>Could you summarize this into a shorter list? In other words what
>ranges exactly should one block?

Same range you were told to block back in early 2007 when you asked.

Block 0.0.0.0/0
Allow 127.0.0.1

If you've got IPv6 (most home users don't), you also want to

Block 0::/0
Allow 0::1

Quite simple, actually. Just two rules to block all 3530 IPv4 nets
in China, and the 220 IPv6 ones too (never mind the 1030 nets in Hong
Kong, 27 in Macau and 575 in Taiwan)! You might want to "Allow" a
few other addresses, but that can be risky.

Old guy

meagain

unread,
Dec 2, 2012, 9:59:54 AM12/2/12
to
Moe Trin wrote:
...
>
>> Could you summarize this into a shorter list? In other words what
>> ranges exactly should one block?
>
> Same range you were told to block back in early 2007 when you asked.

I guess it is nice to be remembered, even by another old guy.

>
> Block 0.0.0.0/0
> Allow 127.0.0.1
>
> If you've got IPv6 (most home users don't), you also want to
>
> Block 0::/0
> Allow 0::1

mmmm, that feels like it would block everything - I'm not THAT curmudgeony.

Moe Trin

unread,
Dec 2, 2012, 2:32:43 PM12/2/12
to
On Sun, 02 Dec 2012, in the Usenet newsgroup comp.security.firewalls, in article
<k9fqda$a7b$1...@dont-email.me>, meagain wrote:

>Moe Trin wrote:

>>> Could you summarize this into a shorter list? In other words what
>>> ranges exactly should one block?

>> Same range you were told to block back in early 2007 when you asked.

>I guess it is nice to be remembered, even by another old guy.

the computer rarely forgets

>> Block 0.0.0.0/0
>> Allow 127.0.0.1

>> If you've got IPv6 (most home users don't), you also want to

>> Block 0::/0
>> Allow 0::1

>mmmm, that feels like it would block everything - I'm not THAT
>curmudgeony.

So you've removed the locks on your house to allow anyone in at any
time? Do you also tape your car keys to the driver's window so
anyone can use the car at any time you're not using it?

>> Quite simple, actually. Just two rules to block all 3530 IPv4 nets
>> in China, and the 220 IPv6 ones too (never mind the 1030 nets in
>> Hong Kong, 27 in Macau and 575 in Taiwan)! You might want to
>> "Allow" a few other addresses, but that can be risky.

Most people don't intentionally offer services to everyone in the
world. I limit access to my systems to a /22 and two /24s "outside"
(a total of 1530 addresses) because I can't see any reason to allow
connections from you or anyone else that I haven't approved in
advance, and I really don't expect authorized users to be connecting
from Kazakhstan, Kenya, Kiribati, Korea, Kuwait or Kyrgyzstan and a
lot of other places either. Lest someone from those countries object,
I also don't allow access from nearly all ISPs in the rest of the
world Not expected == not allowed.

Blocking access FROM the world does not mean blocking your access TO
the world - subtle difference, no?

Most people ignore the existence of the Linux Documentation Project,
must less the 453 "HOWTO" documents and 46 guides, because they have
words in them, and you have to _read_ those words to gain knowledge.
Consequently, the documents aren't being updated as they once were.
But see if you can find a copy of

85507 Aug 20 2001 Firewall-HOWTO
42743 Nov 24 2001 Firewall-Piercing
203891 Sep 29 2004 NET3-4-HOWTO
155096 Jan 23 2004 Security-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO

The last one is particularly useful. The commands have changed in
7-10 years, but not the concepts.

Old guy

meagain

unread,
Dec 4, 2012, 6:55:42 PM12/4/12
to
And I asked for "short". I manage a SonicWall firewall with 5 static
IP hiding two video servers, two video mixers, and a half dozen
video editing and scheduling computers. Only the servers are Linux.
Yet we have remote access so I can control the servers from anywhere.
So I don't want to block the world.

Moe Trin

unread,
Dec 5, 2012, 3:01:23 PM12/5/12
to
On Tue, 04 Dec 2012, in the Usenet newsgroup comp.security.firewalls, in article
<k9m2i0$ug5$1...@dont-email.me>, meagain wrote:

>Moe Trin wrote:

>> Blocking access FROM the world does not mean blocking your access TO
>> the world - subtle difference, no?

>And I asked for "short".

The short answer is "you can't do so". There are a couple of problems
with IP filtering to _block_ access by country.

1. ARIN, and there-after the four other Regional Internet Registrars
did not assign blocks in a "convenient" manner. Address ranges were
assigned from a range such as 202.x.x.x in an arbitrary manner - more
or less "first come, first assigned". There was no en-mass assignment
of a large block to this country or that. While blocks are being
divided to better administer them,

[fermi ~]$ zgrep CN APNIC.gz | cut -d' ' -f3 | sort | uniq -c | column
10 255.192.0.0 163 255.255.192.0
19 255.224.0.0 258 255.255.224.0
51 255.240.0.0 253 255.255.240.0
106 255.248.0.0 234 255.255.248.0
226 255.252.0.0 326 255.255.252.0
317 255.254.0.0 256 255.255.254.0
382 255.255.0.0 737 255.255.255.0
194 255.255.128.0
[fermi ~]$

the adjacent block is assigned to one of 36 other countries. That
output shows how many networks of each size exist in China - ten /10s
(36.128.0.0 - 36.191.255.255, 39.128.0.0 - 39.191.255.255, 59.192.0.0,
111.0.0.0, 112.0.0.0, 116.128.0.0, 117.128.0.0, 120.192.0.0, 183.0.0.0
and 183.192.0.0) nineteen /11s, fifty-one /12s, and so on down to 737
/24s, and as initially mentioned, they are scattered over the IPv4
address space from 1.0.1.0 to 223.255.253.255. Got a shotgun?

2. The country reported in the registration data is that of the main
office of the registrant, and has no guarantee that the computers are
located in that country. The company I work for is registered in New
York but if you traceroute to our address range, the last IP you see
before hitting the firewall is near San Francisco - yet I'm in the
Phoenix metro area (about 360 miles/600 KM East of Los Angeles), and
systems in our address range are located in 27 other countries around
the world. So are we in New York, the USA, North America or what?

3. You can not count on the DNS name to show country information. In
the first place, there are a lot of network administrators who haven't
figured out how to run a DNS server or think the data to be secret, and
looking up an address will often return a "NXDOMAIN" reply - meaning
"no answer could be found". And contrary to common wisdom, not all
domains in China (or any other country) have a .cn (or similar
ISO-3166) country code as the top level domain - many in fact fit the
common misconception that Internet hostnames all end with ".com".

So, if you want to block China ALONE, you have about 2500 address
ranges to block. If you don't want to use that many, you can use wider
blocks, such as a /8 - China is only in 60 of those 222 blocks. You're
going to have co-lateral damage, by blocking others at the same time,
such as 1.x.x.x/8 which blocks AU, CN, HK, IN, JP, KR, MY, PH, TH,
TW and VN. Some other /8s have more countries, some less.

>I manage a SonicWall firewall with 5 static IP hiding two video
>servers, two video mixers, and a half dozen video editing and
>scheduling computers.

If customers have to access things, get a separate firewall. If access
is limited to employees only, use better access controls. Are you
trying to combat skript kiddiez who attempt to log in to your servers
by trying "root" and a hundred thousand different passwords one after
another? Use one of the "shoot yourself in the a$$" anti-intrusion
programs, like 'BlockHosts', 'DenyHosts', 'fail2ban', 'sshguard' or
similar but set the block times to ten minutes or less - that's enough
to deter the skript kiddiez, and only blocks legitimate users for that
long if they repeatedly screw up. A much better solution is strong
encryption and authentication. Creating "outside" accounts that are
isolated from internal (email) account names is desirable. Teaching
your users to create/use "good" passwords (non-dictionary, mixed
characters/case) helps, and you can use a brute-force password cracker
like 'John-the-ripper' to detect lapses. If worried about one IP
address, or a small range of addresses, use a 'whois' client/tool

[fermi ~]$ whatis whois
whois (1) - client for the whois service
[fermi ~]$

to identify the assigned network, and block that, BUT be aware of
possible co-lateral damage, and performance degradation.

>Yet we have remote access so I can control the servers from anywhere.

Do you travel the world WITHOUT advance notice? I normally have at
least two days to prepare - more than that if I need to get a visa.
Your best bet would be dynamic usernames and passwords - they are used
just once then become invalid to prevent the bad guys from gaining
access through packet sniffing or shoulder surfing. At one time, it
was thought good practice to move the server port to a non-standard
value, but many systems have _OUTBOUND_ filters to block access to all
but a few well-known (standard) ports to avoid nasty things, and that
can block your access from those sites. Best to depend on one-time
authentication, and strong encryption.

>So I don't want to block the world.

Then you have to live with it.

Old guy

Sr Peabody

unread,
Dec 11, 2012, 5:55:49 AM12/11/12
to
"meagain" <rick0....@gmail.com> escribi� en el mensaje de
noticias:k9m2i0$ug5$1...@dont-email.me...
[snip]
> And I asked for "short". I manage a SonicWall firewall with 5 static
> IP hiding two video servers, two video mixers, and a half dozen
> video editing and scheduling computers. Only the servers are Linux.
> Yet we have remote access so I can control the servers from anywhere.
> So I don't want to block the world.

Errr, Sonicwall has a Geo-IP filtering service in 5.8.1.0 firmware release
and newers. Maybe it can help.

http://www.firewalls.com/blog/blocking-ip-sonicwall


Saludos,
--
Sr Peabody

0 new messages