Blocking Networks & IP Addresses by Country

Discussion in 'other security issues & news' started by Tech Manager, Jan 7, 2008.

Thread Status:
Not open for further replies.
  1. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    As an I.T. Manager and programmer one of my biggest concerns is security. One of the most common questions I receive from my clients is "Can I block entire Countries and the IP Ranges from within that country?"

    The answer to this question is "Yes, you can." First let's deal with getting the data. You can go out and do endless searches for the data, try to mine it from one of the five Regional Registries or take advantage of a program I wrote that does it for you.

    I wrote a PHP program (with a MySQL backend) that does all the data mining and processing of the data into Countries, networks, subnets, etc., and then outputs it into CIDR or Netmask format. It also creates on the fly .htaccess deny lists. The data is located at Country IP Blocks at a site called Country IP Blocks dot Net.

    The database is searchable by IP and will produce the Network, CIDR and Netmask for the network where the IP Address belongs and the country to which it is assigned.

    The database data can be customized to create Cisco ACLs, .htaccess files, hosts.deny/hosts.allow files, IP Tables, IP Chains, etc.

    The database is refreshed at least once a day so it contains the latest possible data for 239 countries. If you use the data all I ask is a link back to the site.

    Please do not use the IP Block data unless you have a good understanding of routing, networking, etc.

    What I'd like to know from you is whether you believe the IP/Network by Country data is valuable? While blocking entire countries or networks is not a good idea for everybody there are situations where you might want to use this type of data in your firewall ACL, etc.

    The only current limitation on the data is the amount of data it outputs for networks within the USA. As there are over 33,000 networks and approximately 2 billion IP addresses in the USA I am limiting the output to only 7,500 networks in the USA.

    As I am still developing this project I would appreciate any and all feedback. Incidentally, the Country IP Block data is free to use at this time.
     
  2. attila4000

    attila4000 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    51
    Location:
    Rahway, NJ, USA
    great site :)
     
  3. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    Thank you so much for the input. Did you find the data usable? Would you like the data in additional formats?
     
  4. attila4000

    attila4000 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    51
    Location:
    Rahway, NJ, USA
    I just quickly browsed the site. I might in the future add some of the deny list to my winxp client pc host file or maybe my dsl modem.
     
  5. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    Thanks for responding. If you are looking for additional data or would like to see other security formats, etc., please let me know.
     
  6. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    I personally don't like the idea of blocking certain ip ranges.
    While it might be effective, it's not a beautiful solution.

    I myself use a heavily modified version of 'fail2ban' .. two mistakes within 24 hours and all packets from that IP will get dropped immediately for the next 24 hours.
     
  7. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Sort of like shooting a butterfly with a cannon!
    It might work but in any case it's overkill... besides they can use IP spoofers and your whole "Mechanism" is instantly rendered useless.... or all they need is to access a local gateway and again useless...

    IP filters only work on static IPs and these are rarely used by SOBs...
     
  8. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    Just curious: How long have you been managing networks of any size?

    Anyone can use IP Spoofing? Perhaps. Just like anyone can use proxies. Perhaps we should throw away firewalls and locks on doors? After all, if someone can get the key to your office and find the passwords to your machine written on sticky notes attached to the front of your computer...they can get access to your system.

    After 25 years in I.T. & network management, as well as security consulting, I just have to disagree with your position. But I do appreciate your post.

    Network security is both an art and a science. It requires a whole lotta thought and a little bit of luck. There are few one stop solutions for preventing intrusions. But there are various techniques to improve your odds and to protect your data.

    A significant amount of testing went into studying the effect of Country IP Blocks used in various hardware and software firewalls. The results were compelling. Certain networks experienced decreases in SPAM by several hundred thousand to a few million each week. Hacking attempts dropped by 95% and more.

    While I appreciate your response I think it would behoove you and your clients to be aware of some of the bigger issues involved in network security. You don't throw away your security provisions simply because someone might use another technique to attempt to bypass your security.

    There are also other issues as well. Using Country IP Blocks (meaning contiguous IP Address space by country, not blocking a country) can help provide better stats and diagnostics. Country IP Blocks can lessen server traffic by eliminating worthless traffic (though there will be increased load on your firewall due to ruleset processing).

    Don't throw the baby out with the bath water.
     
    Last edited: Jan 25, 2008
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I started my career as a network engineer in the early 90s. Now I'm more or less a technical janitor... :rolleyes:

    ok.. Then here's another one: What about the IP database being inaccurate as some IP blocks "class C or even larger groups" are often moved across zones on a lease basis to compensate for address shortage in some zones...

    As for IP spoofing you can download the software for free on the internet my friend.. and it is used extensively by all those doing Peer to Peer to bypass prosecution from moving illicit content as well as those who rummage around illegal porn sites. Besides most nasty stuff is performed via bots which are controlled locally via out calls/client response to IRC servers and bouncing around via a bunch of relays... filtering IP has some value but it is limited in scope given the sophistication of today's online systems...
     
    Last edited: Jan 25, 2008
  10. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    I am glad to see you have some experience.

    It is possible for the IP Database to be inaccurate. It will be just as accurate as the data provided by the Regional Registries. There are specific rules the RIRs use to output the allocated network assignments. There are situations when certain address blocks will be further leased to other entities. There are IP blocks in the USA that have portions leased to your beloved country of Canada. These things can and do happen. This is why most applications related to Country IP Blocks should only be performed by network professionals.

    IP Spoofing does exist. Yes, there is software freely available to mask addresses. I deal with these little social miscreants every single day. And that's why I use a multi-tiered approach to network and system security.
     
  11. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Keep in mind my comment about using a cannon to kill a butterfly relates to filtering based on Country... Even if it could work to block "the Bad" elements it would also prove effective against the "Desirable" elements as well...

    It was not intended as a criticism of your development work.
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hermescomputers: surely if I know that I don't need country A or B, blocking them is of some use. It won't block everything from said countries, but it should eliminate plenty of noise no?
     
  13. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I don't know but personally I think wholesale discrimination is overkill...
    You should know what you are filtering before you actually engage in filtering it.

    You may filter an entire class C or a /25 or whatever block contains the "Undesirable" IPs but the whole country? Isn't that throwing the baby out with the bath water?
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You're right.
    It's like a minefield. You now know they won't come through there anytime soon, but you won't either :)
     
  15. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    In the end it depends what you are managing.. your pc, LAN or manage a corporate infrastructure... On a PC it's all about preference...

    Also most of these country databases are used to build up demographic statistics as in web servers or to be used in market analysis. I don't see them used much otherwise from a security perspective... Perhaps I'm wrong?

    I know in my own Web server the country IP database seems to be skewed most of the time... Not accurate enough to make reliable business decisions. But good enough to give a general idea of source traffic.
     
    Last edited: Jan 25, 2008
  16. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    Most of the country databases in web servers are entirely unreliable and based on older data. The data I rely upon is updated from the RIRs daily. It is nearly as close as you can come to 100% accuracy, though still imperfect.
     
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?

    I have never used RIRs. I think I'm due for another "refresher" research run...
    These days I don't manage networks as I'm mostly dealing with small Biz & SOHO... Too busy mopping up after the fact to be able to be of much use in "pro-active or pre-emptive security"... Aaaargh... "They" are turning me into a Technical Janitor!
     
    Last edited: Jan 25, 2008
  18. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    If you are seeking accurate data you must rely on the network allocation assignments related to the RIRs and ICANN/IANA. You can't rely on the very limited data available from most if not all the stats programs currently being used.
     
  19. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    Incidentally, while network assignments don't change dramatically during short time spans, they can over longer periods of time. For example, within the past 5 weeks I've noted approximately 2500 reassignments of network allocations to various countries.

    This is why you need to make certain you refresh your country IP blocks as often as possible. This includes changes to your .htaccess files. The network data at Country IP Blocks is updated daily.

    So, if you are blocking entire countries or networks or using .htaccess files to block countries like Russia, China, Korea or any of the other 244 countries in the Country IP Blocks database, make certain to check back weekly to update your .htaccess files (or other rulesets) with the latest versions.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    What about using these country ranges as a "white" list?
    For example, I block the whole world except 6 countries I need to allow?

    That way the other 200 countries can switch IPs all they want; I only have to maintain the 6 allowed countries.
     
  21. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    You can certainly do that. In a few weeks I'll be adding some additional tools to automatically create a wide variety of rulesets. Just let me know what you need.
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I need only 2 things:

    The starting ip and ending ip for the entire www.

    And second the starting ip and ending ips for each of the 220+ countries.

    I just tested PG 2 on this notion and it worked for Romania, which I have a block range for. I then entered an IP within that range and with my FW off PG 2 stopped me from going to that site. I then clicked on the block and chose allow and then that IP was allowed, and allow overrode the deny range entry.

    What this means then is using the www entire range blocked I could allow one by one each IP I deliberately try to access like my isp, bank, wilders etc etc.

    Can anybody see a flaw? Not the concept just a logic error, it is too simple so it must be wrong?
     
  23. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    Ok, here you go:

    The starting and ending IP addresses for the entire internet (IPv4 only) are:
    0.0.0.0 - 255.255.255.255.

    However, you aren't going to be able to get the starting and ending IP address for each country because the addresses are contiguous, not continuous.

    If you really wanted to limit access to such a narrow range create a ruleset with explicit allow for the IP ranges you want and then deny everything else.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, I'm working on a non FW based solution here. But if I read you right the various countries, Canada for example, don't have a starting and ending IP; if that is the point it must be represented somehow in your DB as a set of IPs or ranges of IPs. You must have those IPs for 220+ countries?

    If I wanted to do it in a FW rule set, I still need the ip sets or ranges for each to allow them as you suggest?:doubt:
     
  25. Tech Manager

    Tech Manager Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    61
    To be accurate you need to know the network ranges for any of the 244 countries you want to allow/deny (depending on how sophisticated you want to make your ruleset).

    Let's use Afghanistan as an example. As of February 13, 2008, Afghanistan has 13 Networks with 65,536 IP addresses allocated for use.

    Here are the 13 networks with CIDR ranges:

    58.147.128.0/19
    117.55.192.0/20
    117.104.224.0/21
    119.59.80.0/21
    121.58.160.0/21
    121.100.48.0/21
    121.127.32.0/19
    125.213.192.0/19
    202.56.176.0/20
    202.86.16.0/20
    203.215.32.0/20
    210.80.0.0/19
    210.80.32.0/19

    Here are the 13 networks with netmasks:

    58.147.128.0/255.255.224.0
    117.55.192.0/255.255.240.0
    117.104.224.0/255.255.248.0
    119.59.80.0/255.255.248.0
    121.58.160.0/255.255.248.0
    121.100.48.0/255.255.248.0
    121.127.32.0/255.255.224.0
    125.213.192.0/255.255.224.0
    202.56.176.0/255.255.240.0
    202.86.16.0/255.255.240.0
    203.215.32.0/255.255.240.0
    210.80.0.0/255.255.224.0
    210.80.32.0/255.255.224.0

    Looking at the first allocated network in Afghanistan, your Starting Network Address = 58.147.128.0 and your Ending Network Address = 58.147.159.255.

    If you understand CIDR/Netmask, you can figure out the entire address space from beginning to end.

    You could setup rulesets on your Cisco Firewall/Router to handle these addresses. You could use hosts.deny/hosts.allow, IP Tables, IP Chains, .htaccess files, or even build rulesets into a PHP or ASP application.

    In answer to your last question: The Country IP Blocks database has complete network allocation information on all 244 countries plus the European Union (EU) and the AFRICAN REGIONAL INTELLECTUAL PROPERTY ORGANIZATION (AP). There is also a separate database containing a complete list of Bogons, plus Private Networks, Loopbacks, Auto-configuration ranges and Multicast network space.

    Network assignments change often. To accommodate these changes the entire IPv4 database is updated at least daily. So, you should check back frequently to make sure you have the most recent data.
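    A small Python helper, added here as an example and not code from the Country IP Blocks site or from any poster, that works with the Afghanistan list above and the allow-list idea from the earlier replies: it converts between the CIDR and netmask notations, derives the first and last address the way the post does for 58.147.128.0/19, verifies the 65,536-address total, aggregates adjacent blocks so the firewall evaluates fewer rules, looks up an address, and emits .htaccess or iptables rulesets in either deny-list or allow-list form. The function names and the sample data table are assumptions of this example.

```python
import ipaddress

# Constructed sample: the 13 Afghanistan blocks quoted in the post above,
# copied as listed there (allocations change, so re-fetch before real use).
AF_NETWORKS = [
    "58.147.128.0/19", "117.55.192.0/20", "117.104.224.0/21", "119.59.80.0/21",
    "121.58.160.0/21", "121.100.48.0/21", "121.127.32.0/19", "125.213.192.0/19",
    "202.56.176.0/20", "202.86.16.0/20", "203.215.32.0/20", "210.80.0.0/19",
    "210.80.32.0/19",
]


def network_bounds(block):
    """First address, last address and dotted netmask of one block; accepts
    CIDR ('58.147.128.0/19') or netmask ('58.147.128.0/255.255.224.0') form."""
    net = ipaddress.ip_network(block, strict=True)  # reject host bits set
    return (str(net.network_address), str(net.broadcast_address), str(net.netmask))


def total_addresses(blocks):
    """Number of IPv4 addresses covered by a list of blocks."""
    return sum(ipaddress.ip_network(b).num_addresses for b in blocks)


def aggregate(blocks):
    """Merge adjacent or overlapping blocks into the fewest covering prefixes,
    which trims the ruleset the firewall has to walk for every packet."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def country_of(ip, table):
    """Country code whose block contains ip (table: code -> blocks), else None."""
    addr = ipaddress.ip_address(ip)
    for country, blocks in table.items():
        if any(addr in ipaddress.ip_network(b) for b in blocks):
            return country
    return None


def ruleset(blocks, fmt, mode="deny"):
    """mode='deny' drops the listed blocks and admits the rest; mode='allow' is
    the allow-list approach from the thread: admit only these, then deny all.
    .htaccess lines use the Apache 2.2 mod_access 'Order' syntax of the era."""
    if fmt == "htaccess":
        if mode == "deny":
            return ["Order Allow,Deny", "Allow from all"] + [
                "Deny from %s" % b for b in blocks]
        return ["Order Deny,Allow", "Deny from all"] + [
            "Allow from %s" % b for b in blocks]
    if fmt == "iptables":
        target = "DROP" if mode == "deny" else "ACCEPT"
        lines = ["iptables -A INPUT -s %s -j %s" % (b, target) for b in blocks]
        if mode == "allow":
            lines.append("iptables -A INPUT -j DROP")  # default deny comes last
        return lines
    raise ValueError("unknown format: %s" % fmt)
```

    Note that the two 210.80.x.0/19 blocks in the list collapse to a single 210.80.0.0/18 rule, so the aggregated output is 12 prefixes rather than 13.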
     