The great firewall of China
Scott Granneman, 2005-08-30

In the 1980s, I was unbeatable in Trivial Pursuit, and to this day, I still possess a love of trivia. Here are some neat facts about the Great Wall of China. Did you know...

The great firewall of China 2005-08-31
Trinidex (2 replies)
The answer is simple, block anything that appears suspicious, regardless of where it comes from. It is not my fault that your computer has some form of spyware/worm/other nasty, IT IS MY JOB to make sure you don't compromise my system.

I have traced suspicious requests including port scans back to...

Re: The great firewall of China 2005-09-09
Anonymous
Testify, brother. Is it unfair to the Chinese that they, as a society, are getting shut out? Probably. Should we care? No. The hard reality is the Chinese and the West will likely be hurling nuclear weapons at each other in a couple of decades (after the oil reserves are near exhausted) anyway....

Re: The great firewall of China 2005-09-22
Anonymous
OT and apropos of nothing re: sites detecting where you're from.

I just came back from a month in China. One of the minor irritations is that Google News kept defaulting to the Chinese version. The only way to make it show US news was to add ?ned=us to the end of the URL. Annoying. I'm only one...

Resources for practical deployment 2005-08-31
Alex Nordstrom
http://okean.com/asianspamblocks.html is a great resource for those wishing to take this approach.

I use http://www.okean.com/iptables/rc.firewall.sinokorea on which I run some regular expressions to remove the interface, protocol, and port specifics.
...

The great firewall of China 2005-08-31
Art Blummer

I have knowledge of a site that has been doing what you describe for 2 or more years. I am sure he will send you his IP block list if you identify yourself and ask nicely.

The web site is www.knobology.com

He has given talks about security several times to the local Houston User Group for Su...

The great firewall of China 2005-08-31
Erik Norgaard
I had a similar problem, not with web, but with mail. Thousands of incoming delivery attempts to addresses of the type <randomletters>@mydomain.com. It saturated my connection so I had to do something drastic to get legitimate connections through.

Doing the analysis, it turned out that in most ca...

The great firewall of China 2005-08-31
Roger Davies (1 reply)
I was just wondering whether all the China PCs are limited by their ISP to what content they are able to view, e.g. are they allowed to look up 'democracy' in Google, if not, as I suspect, then the few that know will be looking to use open proxies for their web browsing. I recently had a case for sh...

Re: The great firewall of China 2005-09-08
transplant
I am a network admin who moved from the States last year and now work in Beijing. Personally, the only sites I haven't been able to access are some State Dept sites, all of nsa.gov, and michaelsavage.com, and universities on the disputed island (Taiw*n). I am not sure which side of the ocean is bl...

The great firewall of China 2005-08-31
Xav
Thanks for the article, I admin my own small server and I have this kind of question in mind. This is not very easy to answer as who knows, the world is small and for a business trip I can be sent to Shanghai; it would be fun that I cannot reach my own webmail :-). That is one of the reasons I did not b...

The great firewall of China 2005-08-31
Anonymous
Well, I live in Romania. I am the sysadmin of the Romanian branch of an American company. I happen to have friends in USA (about 40% of my former colleagues in the University have left Romania). One of my friends is using Verizon as ISP. And guess what? I cannot send email to him: Verizon refuses t...

The great firewall of China 2005-08-31
Andy
I really don't think that the Chinese government cares, and worse still isn't likely to change its attitude any time soon. There has been wholesale blocking of Chinese IP space on mail servers for years, which is far more likely to impact on China's ability to do business with the rest of the world than ...

The great firewall of China 2005-08-31
Anonymous
To me there seem to be two main issues highlighted by this article.
1) Is the solution workable in the long term
2) Should the clients/users of the hosting service be informed.

Point 1 is a difficult question to answer, possibly only time will tell how effective this approach will be, but where...

The great firewall of China 2005-08-31
Mihai
Years ago, Romania was in a similar situation.

Hosting was cheaper and bandwidth was higher in the US, so a local company decided to outsource its web site to the US... but surprise: the administrator of that hosting server decided that Romania is on his black list. I was working for a local ISP...

The great firewall of China 2005-08-31
carpy
Dear Scott,
First off, props for being good at Trivial Pursuit. I wasn't then, but probably would find it easier now.

Secondly, your friends are obviously not in unique circumstances. I've often contemplated blocking country-wide netblocks, and we make money from our web site... Unfortunately...

The great firewall of China 2005-08-31
Anonymous
We block a number of IPs based in China and Korea and have been doing so for months. We actually leave port 80 open but block access to other services such as SSH, Email Services (including SMTP), and administrative sections. We found that by simply blocking port 25 the load on our servers due to ...

The great firewall of China 2005-08-31
Anonymous
Screw em, block the entire region until they can learn to play nice with the rest of the kiddies in the sandbox....

The great firewall of China 2005-08-31
Anonymous (1 reply)
Our organization has blocked all access from China. Why? Because we've been bombarded continuously by hack attempts, viruses, port-scanning, and everything else you can think of -- all from China. We aren't going to block every single country that we don't do business with -- just the ones that be...

Re: The great firewall of China 2005-09-10
Anonymous InfoSec Guy
While I appreciate your situation, and agree with most here that if any netblock from anywhere becomes a problem, it should be blocked entirely, I think you have some contributory issues that speak to the larger security problem most organizations face. How do "they" know how to target your domain ...

The great firewall of China 2005-08-31
Anonymous
Blocking an entire IP range or country does nothing to solve the underlying problem that ISPs and end users alike need to learn about securing their computers. I see more spam and hacking from att.net and Verizon DSL users, should I block them too?...

The great firewall of China 2005-08-31
Anonymous
Then the question from this article should read, if your business is restricted to a local following, do you block every IP in the world that is not from your local area? ...

The great firewall of China 2005-08-31
SFN
"What needs to come first: the needs of the web servers my friends run, or the needs of a guy sitting in Shanghai that wants to view the content of that web site?"

For me, the answer is the needs of the web servers. Remember the old "we reserve the right to refuse service" signs that you used to ...

The great firewall of China, fragmentation is coming. 2005-08-31
omer
To your friends: have all such IPs directed to a page explaining the ban and what they can do about it (of course running on a dumbed out basic/secured web server perhaps even hosted on another network).

About the greater question at hand: it is inevitable for things to grow to a size where it s...

The great firewall of China 2005-08-31
Anonymous
拥有=owned. Your friends should notify their clients of the issue and how they resolved it. I assume that since it was necessary, it won't be an issue. I myself have seen the same issues and taken the same course of action. The owner's needs and concerns for their property, be it physical...

The great firewall of China 2005-08-31
Anonymous
If there are no legal repercussions they should block the IP ranges of Chinese provinces, AND share the list, (which I'm sure somebody is already doing).
Brad...

That's just shocking 2005-08-31
Colin
The idea of blocking a country's entire IP space flies in the face of the idea of global economy. Professionals, academics, hobbyists, and people who are just bored shouldn't have to contend with over-zealous admins.

That, compounded with the idea that this isn't something the hosting service's cust...

The great firewall of China 2005-08-31
JustDisGuy
What should your friends do? Well, whether they continue to block the Chinese IP address ranges or not, I'll leave to them. They should absolutely be completely forthcoming about their activities to their client base, however. Follow the Microsoft model if you want, and call it a 'feature', but c...

The great firewall of China 2005-08-31
vonbrand
A simple way out is just to set up your firewall to throttle incoming connections. Say to 10/minute for an originating IP and target port. No, it doesn't stop the nonsense, but it cuts it down. And it should have a negligible impact on legitimate uses....

The great firewall of China 2005-09-01
Anonymous
When I was in China for a vacation about two months ago, I stopped into one of the internet cafes to check my email. The boxes were running Windows 98, and the subscription for the antivirus software had expired 4 years ago. I did a netstat and the list went on and on and on... I suspect that is...

The great firewall of China 2005-09-02
Anonymous
"Blocking Chinese IP address ranges is one thing, but going further and blocking every country except where your organization (or client's organization) does business becomes a slippery slope very fast."

Seems as if the author of the article is suggesting that there is a legal question of whether...

The great firewall of China 2005-09-03
Anonymous
Honestly, with my websites, well they are mine and I will block whomever I please. My customers pay me for my technical knowledge and guidance and they listen. If my clients want servers fully available to all Chinese addresses, so be it, I also make more money that way. ...

The great firewall of China 2005-09-05
cto74@hotmail.com
If you have Linux you can use "snort" + "guardian" and you have an IDS self defending against any kind of HTTP attacks (or another kind).... you will have a dynamic iptables database. Best solution ever!...

The great firewall of China 2005-09-19
Mike Gaynes
Scott has a terrific grasp of both the mechanics and the ethical issues of IP blocking. In the geolocation business, we at Quova deal with both all the time. We debate them on our blog site at http://the37thparallel.alwayson-network.com/....


Copyright 2009, SecurityFocus