News from PANUG
April 25, 2001

CHINA ATTACKS
by Ed Sawicki

The security-oriented news sources are reporting that Chinese and American hackers/attackers are waging a private war. They say: "The American cracker group PoizonBOx has defaced at least a hundred Chinese websites since April 4. Chinese hackers are now vowing to retaliate with a planned week-long all-out crack attack on American websites and networks which will start on May 1." For details: http://www.wired.com/news/business/0,1367,43134,00.html

I check my firewall logs every day, and I have noticed a small increase in denied packets coming from Asia. Most are just pinging my site. Some are probing port 139 (NetBIOS session service), looking for Windows machines to break into. Some are port 53 (DNS) related; clearly people looking to see whether they can exploit BIND problems.

If you attended the Mastering Firewalls class a few weeks ago, you saw how it is possible to block email traffic from certain geographic regions. You can use the same technique to block ALL IP packets as well. If you're concerned about Chinese attacks against your Internet site and you don't mind blocking all traffic from China, you can put in simple firewall rules to deny all packets whose source IP address is from China. Dozens of IP address ranges have been assigned to China.
To block all of China (and only China) you'd have to block these address ranges (the trailing zero octets have been stripped out in this list, so 61.128/11 means 61.128.0.0/11):

    61.128/11       202.0.110/24    202.0.160/20    202.0.176/22    202.4.128/19    202.4.252/22
    202.14.88/24    202.14.235/24   202.14.236/23   202.14.238/24   202.20.120/24   202.22.224/19
    202.38/16       202.90.0/18     202.90.224/19   202.91.0/18     202.91.128/18   202.92.0/18
    202.92.160/19   202.92.192/18   202.93.0/18     202.93.192/18   202.94/16       202.95.0/18
    202.95.64/19    202.95.224/19   202.96/12       202.112/13      202.120/15      202.122.0/18
    202.122.128/24  202.127/16      202.130.0/19    202.130.224/19  202.136.224/19  202.192/12
    203.87.224/19   203.88.0/18     203.89.0/18     203.90.0/18     203.91.0/18     203.92.0/18
    203.93/16       203.94.0/18     203.95.0/18     203.128.128/19  203.184.0/19    203.192.0/19
    203.196.0/17    203.204/14      203.208.0/18    203.223.0/20    210.12/15       210.14.128/17
    210.15.0/17     210.25/16       210.26/15       210.28/14       210.32/12       210.52/15
    210.72/13       211.64/13       211.80/12       211.96/13       211.136/13      211.144/12
    211.160/13

Address allocations change, so a list like this goes stale; check the current registry data before relying on it.

The reality is that these attacks will come from other countries as well. It would be relatively easy for a Chinese attacker to break into a machine in Thailand, for example, and conduct attacks against U.S. targets from there. If you want to block all of Asia, there would be far fewer rules. You'd only have to block these six /8 ranges, which are the blocks the Asia-Pacific registry (APNIC) was allocating from at the time, so they cover Japan, Korea, Australia and the rest of the region as well as China:

    61.0.0.0/8
    202.0.0.0/8
    203.0.0.0/8
    210.0.0.0/8
    211.0.0.0/8
    218.0.0.0/8

If you're using a Linux machine, you can do this easily with the following IP Chains rules (the -l flag logs each denied packet, so you can watch what the rules catch):

    ipchains -A input -s 61.0.0.0/8 -l -j DENY
    ipchains -A input -s 202.0.0.0/8 -l -j DENY
    ipchains -A input -s 203.0.0.0/8 -l -j DENY
    ipchains -A input -s 210.0.0.0/8 -l -j DENY
    ipchains -A input -s 211.0.0.0/8 -l -j DENY
    ipchains -A input -s 218.0.0.0/8 -l -j DENY

Two caveats. ipchains filters each packet on its own, with no notion of an established connection, so these input rules also drop the replies to any connection you open to those ranges: of course, you can't do any of this if you do business with people in China (or anywhere else in the blocked ranges). And ipchains rules live only in the running kernel; put them in a startup script or they are gone after the next reboot. Good luck.
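The abbreviated prefixes above are easy to mistype, and a prefix with stray host bits becomes a rule that blocks something other than what was intended. The following script is an added example, not part of the original PANUG article: it expands the article's abbreviated notation into full CIDR networks (rejecting any prefix whose host bits are not zero), emits ipchains rules in the same form the article uses, checks a few constructed source addresses against both lists the way a first-match chain would, and confirms that every China prefix falls inside one of the six Asia /8s. The sample addresses are made up for the example; the prefix lists are the article's own.

```python
"""Expand the newsletter's abbreviated prefixes, emit ipchains rules, and
check sample source addresses against the lists.  Added example; not part of
the original PANUG article."""
import ipaddress

# The China prefixes exactly as printed in the article, with the trailing
# zero octets stripped ("61.128/11" means 61.128.0.0/11).
CHINA_ABBREVIATED = """
61.128/11 202.0.110/24 202.0.160/20 202.0.176/22 202.4.128/19 202.4.252/22
202.14.88/24 202.14.235/24 202.14.236/23 202.14.238/24 202.20.120/24
202.22.224/19 202.38/16 202.90.0/18 202.90.224/19 202.91.0/18 202.91.128/18
202.92.0/18 202.92.160/19 202.92.192/18 202.93.0/18 202.93.192/18 202.94/16
202.95.0/18 202.95.64/19 202.95.224/19 202.96/12 202.112/13 202.120/15
202.122.0/18 202.122.128/24 202.127/16 202.130.0/19 202.130.224/19
202.136.224/19 202.192/12 203.87.224/19 203.88.0/18 203.89.0/18 203.90.0/18
203.91.0/18 203.92.0/18 203.93/16 203.94.0/18 203.95.0/18 203.128.128/19
203.184.0/19 203.192.0/19 203.196.0/17 203.204/14 203.208.0/18 203.223.0/20
210.12/15 210.14.128/17 210.15.0/17 210.25/16 210.26/15 210.28/14 210.32/12
210.52/15 210.72/13 211.64/13 211.80/12 211.96/13 211.136/13 211.144/12
211.160/13
"""

# The article's six /8 blocks for "all of Asia".
ASIA_ABBREVIATED = "61/8 202/8 203/8 210/8 211/8 218/8"


def expand_prefix(abbrev):
    """Turn '61.128/11' into IPv4Network('61.128.0.0/11').

    strict=True makes ipaddress reject a prefix whose host bits are not all
    zero, so a typo such as '202.96.1/12' raises ValueError here instead of
    becoming a rule that blocks something other than what was intended.
    """
    octets, length = abbrev.strip().split("/")
    parts = octets.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad prefix {abbrev!r}")
    parts += ["0"] * (4 - len(parts))          # restore the stripped zero octets
    return ipaddress.IPv4Network(f"{'.'.join(parts)}/{int(length)}", strict=True)


def parse_prefix_list(text):
    return [expand_prefix(tok) for tok in text.split()]


CHINA = parse_prefix_list(CHINA_ABBREVIATED)
ASIA = parse_prefix_list(ASIA_ABBREVIATED)


def ipchains_rules(nets, chain="input"):
    """One 'ipchains -A input -s NET -l -j DENY' line per network, the same
    form the article uses for its /8 rules."""
    return [f"ipchains -A {chain} -s {net.with_prefixlen} -l -j DENY" for net in nets]


def matching_network(addr, nets):
    """First network in nets that contains addr, or None.  First match wins,
    which is also how ipchains walks a chain."""
    ip = ipaddress.IPv4Address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


def covered_by(small, big):
    """True if every network in small lies inside some network in big."""
    return all(any(s.subnet_of(b) for b in big) for s in small)


def classify(addresses, china=CHINA, asia=ASIA):
    """Label each source address by how the two rule sets would treat it."""
    result = {}
    for addr in addresses:
        if matching_network(addr, china) is not None:
            result[addr] = "china"
        elif matching_network(addr, asia) is not None:
            result[addr] = "asia-only"
        else:
            result[addr] = "allowed"
    return result


# Constructed sample source addresses for the example (not from any real log).
SAMPLE_SOURCES = ["202.96.1.2", "61.150.3.4", "203.1.2.3", "210.30.5.6", "192.0.2.10"]

if __name__ == "__main__":
    for rule in ipchains_rules(ASIA):
        print(rule)
    for addr, verdict in classify(SAMPLE_SOURCES).items():
        print(f"{addr:<15} {verdict}")
    print("China list contained in Asia /8s:", covered_by(CHINA, ASIA))
```

Run it as a script to print the six /8 rules and the verdict for each sample address. Feeding the China list to `ipchains_rules` instead gives the 67-rule version; `covered_by(CHINA, ASIA)` shows that the short list is a strict superset of the long one, which is why the /8 rules also catch everything the China list would.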
It's lamentable that the Internet is being used as the battleground for world politics and that we have to cut our lines of communications with other people on the planet to protect ourselves.