IP mappings

In article <MeCdnRNztroY7IrfRVn-sA DeleteThis @comcast.com>, no_one DeleteThis @comcast.net
says...
 > Is there a resource i can view that will show me the network IP blocks used
 > in various countries? I've had so many hack attempts from certain specific
 > areas around the world that I want to just block all network traffic from
 > them. One example: a very large portion of the hack attempts i get come
 > from Korea & Taiwan, since i dont have any reason to want even legitimate
 > traffic from that part of the world, I'd just as soon use iptables to block
 > it all. (I have googled around but cant find anything)
 > Thanks
 > Eric
 >
 >
Check out blackholes.us<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

Eric wrote:
 > Is there a resource i can view that will show me the network IP
blocks used
 > in various countries? I've had so many hack attempts from certain
specific
 > areas around the world that I want to just block all network traffic
from
 > them. One example: a very large portion of the hack attempts i get
come
 > from Korea & Taiwan, since i dont have any reason to want even
legitimate
 > traffic from that part of the world, I'd just as soon use iptables to
block
 > it all. (I have googled around but cant find anything)
 > Thanks
 > Eric

<a style='text-decoration: underline;' href="http://www.blackholes.us" target="_blank">http://www.blackholes.us</a> . Use at your own risk.

Good luck,

A. Friend<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

On Sat, 19 Feb 2005 09:04:02 -0800, Eric <no_one DeleteThis @comcast.net> wrote:

 >Is there a resource i can view that will show me the network IP blocks used
 >in various countries? I've had so many hack attempts from certain specific
 >areas around the world that I want to just block all network traffic from
 >them. One example: a very large portion of the hack attempts i get come
 >from Korea & Taiwan, since i dont have any reason to want even legitimate
 >traffic from that part of the world, I'd just as soon use iptables to block
 >it all. (I have googled around but cant find anything)

<a style='text-decoration: underline;' href="http://ip.ludost.net/" target="_blank">http://ip.ludost.net/</a>

Although the traffic I'm seeing is such a small fraction of a percent
I don't know if it is worth the effort -- I rebooted firewall yesterday,
overnight iptables dropped 67kBytes garbage for 350MB transfer data.

I think about a method of adding nasty_ip/24 blocks to a firewall drop
list automagically. Dunno if it worth the effort.

Cheers,
Grant.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

In article <MeCdnRNztroY7IrfRVn-sA RemoveThis @comcast.com>, Eric wrote:

 >Is there a resource i can view that will show me the network IP blocks used
 >in various countries?

Quite a number. All are based on the zone files from the regional
registrars (APNIC, ARIN, LACNIC and RIPE).

 >I've had so many hack attempts from certain specific areas around the world
 >that I want to just block all network traffic from them.

That depends on the size of the shotgun you use, and how much collateral
damage you are willing to accept.

 >One example: a very large portion of the hack attempts i get come from
 >Korea & Taiwan, since i dont have any reason to want even legitimate
 >traffic from that part of the world, I'd just as soon use iptables to block
 >it all.

Let's take Korea as a starting point. These are the zone files from the
first of the month.

[compton ~]$ zgrep -c KR IP.ADDR/stats/[ALR]*gz
IP.ADDR/stats/APNIC.gz:313
IP.ADDR/stats/ARIN.gz:21
IP.ADDR/stats/LACNIC.gz:0
IP.ADDR/stats/RIPE.gz:0
[compton ~]$ zgrep KR IP.ADDR/stats/APNIC.gz | head -4
KR 59.0.0.0 255.224.0.0 allocated
KR 59.150.0.0 255.255.0.0 assigned
KR 59.186.0.0 255.254.0.0 allocated
KR 60.196.0.0 255.254.0.0 allocated
[compton ~]$ zgrep -h 'KR ' IP.ADDR/stats/[ALR]*gz | cut -d' ' -f2 | cut
-d'.' -f1 | sort | uniq -c | column
1 128 2 150 1 161 45 192 9 220
1 129 2 152 3 163 13 202 5 221
1 134 1 154 2 164 24 203 6 222
1 137 1 155 10 165 73 210 3 59
1 141 1 156 4 166 85 211 1 60
1 143 1 157 8 168 9 218 11 61
4 147 1 158 1 169 2 219
[compton ~]$

Korea has 334 assigned blocks from two RIRs. These blocks are scattered over
34 different "Class A" sized ranges. Your firewall scripts are going to be
rather lengthy, no? Also remember that not all Korean ISPs can figure out
how to configure a DNS server, and not all of the domains in Korean have a
TLD of ".kr".

The Peoples Republic of China, (.cn), the Republic of China (.tw), Hong Kong
(.hk) and so on are similarly scattered all over IPv4 address space without
rhyme or reason. Without worrying about collateral damage, some have
advocated blocking 58/7, 60/7, 200/6 (bonus - get Central/South America at
the same time, otherwise use 202/7), 210/7, 218/7 and 220/6 - what's that,
six rules? The downsides of this is (as shown above) this does not get
everything, and it also knocks out most everything from Afghanistan to
Pitcairn Island, from China to Antarctica. Pay your money, take your pick.

 >I have googled around but cant find anything

No idea what you are using as search terms. This has been asked (and
answered) countless times in newsgroups.

Old guy<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

Eric wrote:

 > Is there a resource i can view that will show me the network IP blocks
 > used in various countries? I've had so many hack attempts from certain
 > specific areas around the world that I want to just block all network
 > traffic from them. One example: a very large portion of the hack attempts
 > i get come from Korea & Taiwan, since i dont have any reason to want even
 > legitimate traffic from that part of the world, I'd just as soon use
 > iptables to block it all. (I have googled around but cant find anything)
 > Thanks
 > Eric
blackholes.us does the trick
and Moe, I'm thinking though what you wrote
Thanks
Eric

--
King County Washington: Voter Fraud Capitol of the US<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

On Sat, 19 Feb 2005 09:04:02 -0800, Eric <no_one.TakeThisOut@comcast.net> wrote:

 >Is there a resource i can view that will show me the network IP blocks used
 >in various countries? I've had so many hack attempts from certain specific
 >areas around the world that I want to just block all network traffic from
 >them. One example: a very large portion of the hack attempts i get come
 >from Korea & Taiwan, since i dont have any reason to want even legitimate
 >traffic from that part of the world, I'd just as soon use iptables to block
 >it all. (I have googled around but cant find anything)
 >Thanks

<a style='text-decoration: underline;' href="http://blackholes.us" target="_blank">http://blackholes.us</a>

-Buck

--
Caution: From: address is a trap.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

Moe Trin wrote:

 > In article <MeCdnRNztroY7IrfRVn-sA RemoveThis @comcast.com>, Eric wrote:
 >
  >>Is there a resource i can view that will show me the network IP blocks
  >>used in various countries?
 >
 > Quite a number. All are based on the zone files from the regional
 > registrars (APNIC, ARIN, LACNIC and RIPE).
 >
  >>I've had so many hack attempts from certain specific areas around the
  >>world that I want to just block all network traffic from them.
 >
 > That depends on the size of the shotgun you use, and how much collateral
 > damage you are willing to accept.
 >
  >>One example: a very large portion of the hack attempts i get come from
  >>Korea & Taiwan, since i dont have any reason to want even legitimate
  >>traffic from that part of the world, I'd just as soon use iptables to
  >>block it all.
 >
 > Let's take Korea as a starting point. These are the zone files from the
 > first of the month.
 >

How (or where) did you get the gz'd data ?
Thanks
Eric

 > [compton ~]$ zgrep -c KR IP.ADDR/stats/[ALR]*gz
 > IP.ADDR/stats/APNIC.gz:313
 > IP.ADDR/stats/ARIN.gz:21
 > IP.ADDR/stats/LACNIC.gz:0
 > IP.ADDR/stats/RIPE.gz:0
 > [compton ~]$ zgrep KR IP.ADDR/stats/APNIC.gz | head -4
 > KR 59.0.0.0 255.224.0.0 allocated
 > KR 59.150.0.0 255.255.0.0 assigned
 > KR 59.186.0.0 255.254.0.0 allocated
 > KR 60.196.0.0 255.254.0.0 allocated
 > [compton ~]$ zgrep -h 'KR ' IP.ADDR/stats/[ALR]*gz | cut -d' ' -f2 | cut
 > -d'.' -f1 | sort | uniq -c | column
 > 1 128 2 150 1 161 45 192 9
 > 220
 > 1 129 2 152 3 163 13 202 5
 > 221
 > 1 134 1 154 2 164 24 203 6
 > 222
 > 1 137 1 155 10 165 73 210 3 59
 > 1 141 1 156 4 166 85 211 1 60
 > 1 143 1 157 8 168 9 218 11 61
 > 4 147 1 158 1 169 2 219
 > [compton ~]$
 >
 > Korea has 334 assigned blocks from two RIRs. These blocks are scattered
 > over 34 different "Class A" sized ranges. Your firewall scripts are going
 > to be
 > rather lengthy, no? Also remember that not all Korean ISPs can figure
 > out how to configure a DNS server, and not all of the domains in Korean
 > have a TLD of ".kr".
 >
 > The Peoples Republic of China, (.cn), the Republic of China (.tw), Hong
 > Kong (.hk) and so on are similarly scattered all over IPv4 address space
 > without
 > rhyme or reason. Without worrying about collateral damage, some have
 > advocated blocking 58/7, 60/7, 200/6 (bonus - get Central/South America at
 > the same time, otherwise use 202/7), 210/7, 218/7 and 220/6 - what's that,
 > six rules? The downsides of this is (as shown above) this does not get
 > everything, and it also knocks out most everything from Afghanistan to
 > Pitcairn Island, from China to Antarctica. Pay your money, take your
 > pick.
 >
  >>I have googled around but cant find anything
 >
 > No idea what you are using as search terms. This has been asked (and
 > answered) countless times in newsgroups.
 >
 > Old guy

--
In the 2004 election King County found "missing ballots" 9 times
Each time, in response to vote counts they didnt like
Can you say FRAUD?<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

In article <T_2dnfkjJNX0coXfRVn-uQ.DeleteThis@comcast.com>, Eric wrote:

 >Moe Trin wrote:
 >
  >> Let's take Korea as a starting point. These are the zone files from the
  >> first of the month.
 >
 > How (or where) did you get the gz'd data ?

It's a distillation off the zone files from the RIRs. Try <a style='text-decoration: underline;' href="http://ftp.arin.net" target="_blank">ftp.arin.net</a> in
/pub/stats/*/ - the files you are looking at are fairly large (the four
files total about 4.5 Megs - be warned). The files will look something
like this:

[compton ~]$ head IP.ADDR/stats/lacnic.20030817
1|lacnic|20030817|1858|?|2003-08-17|?
lacnic|*|ipv4|*|1044|*|summary
lacnic|*|asn|*|814|*|summary
lacnic|CL|ipv4|24.152.0.0|32768|2000-04-11|allocated
lacnic|AR|ipv4|24.232.0.0|65536|1997-06-02|allocated
lacnic|TT|ipv4|64.28.128.0|4096|2000-01-11|assigned
lacnic|AR|ipv4|66.60.0.0|16384|2000-12-26|allocated
lacnic|CO|ipv4|66.128.32.0|4096|2001-06-04|allocated
lacnic|CO|ipv4|66.231.64.0|4096|1970-01-01|allocated
lacnic|VE|ipv4|129.90.0.0|65536|1987-09-05|assigned
[compton ~]$

(That's from an older posting - the filenames are in the form
"delegated-$RIR-datestring" where $RIR is 'apnic', 'arin' 'lacnic' and
'ripencc', and the datestring is similar [year month day] to as shown
above.) I pass these files through a rather lengthy shell script to
extract the country code, IP starting address, the field that follows
(above 32768, 65536, 4096, and so on, which is the decimal width of the
assignment) for those lines in the files that contain the string 'ipv4'
(the file also has IPv6 data and ASN numbers which are not needed here).
The script then converts those decimal values into normal masks IF POSSIBLE.
These are routing masks, and they don't have to be binary values - see
RFC1519. The result is the four files that contain about 66,000 block
assignments.

I've lost track of it, but there is a perl module you might find on CPAN
that may also be useful, as it has recent data digested into a more
readable format. Googling for 'perl' and 'IP list' should turn it up.
The zone files _could_ be updated several times a local workday for all
I know, but downloading monthly might be overkill, as the data doesn't
seem to change very often.

On Sun, 20 Feb 2005 08:41:37 -0800, you added:

 >blackholes.us does the trick
 >and Moe, I'm thinking though what you wrote

You really want to think about how much of an effect this form of blocklist
would have on your firewall. EVERY packet is going to have to traverse all
the rules until it either passes, fails or falls out the bottom. That can
be a few CPU cycles. While Korea has 334 assignments (Taiwan 314, Hong Kong
544, China 778, India 323, and so on), some may be consolidated into larger
listings...

[compton ~]$ zgrep -Ec 'KR 211\.(1[6-9]|2[0-5])[0-9]' IP.ADDR/stats/APNIC.gz
40
[compton ~]$

What that is saying is that there are 40 assignments in the block 211.160.x.x
to 211.255.x.x for Korea, but actually looking at the data reveals that
Korea CURRENTLY has all the space between 211.168.0.0 and 211.255.255.255,
and if you understand CIDR, you can convert that into a /21, and a /20 and
a /18 rule - or three rules instead of 40.

On the other hand, maybe it might be easier to whitelist certain address
ranges (for example, pass 202.173.128.0 - 202.173.191.255 which is a block
assigned to an ISP in OZ), and then block 200.0.0.0/6 to wipe off everyone
else. Remember, it takes time to look through all the firewall rules
before deciding to pass/reject a packet.

Old guy<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

"Eric" <no_one RemoveThis @comcast.net> wrote in message
news:MeCdnRNztroY7IrfRVn-sA@comcast.com...
 > Is there a resource i can view that will show me the network IP blocks
 > used
 > in various countries? I've had so many hack attempts from certain specific
 > areas around the world that I want to just block all network traffic from
 > them. One example: a very large portion of the hack attempts i get come
 > from Korea & Taiwan, since i dont have any reason to want even legitimate
 > traffic from that part of the world, I'd just as soon use iptables to
 > block
 > it all. (I have googled around but cant find anything)
 > Thanks
 > Eric

As the other messages have stated, there are many resources, and I had
considered the same type of blocking.
The question becomes, what do you really want to accomplish?
A year ago, I had hundreds of proxy & hack attempts per day, up to about
800,000 in a month including over 2000 from one source on one day. Perhaps
'they' have got the idea that this system is hardened, as I only have 9000
total so far this month.
There was a desire to shorten my log files, but I wrote a simple perl script
to sort out the proxy & hack attempts and only show the real activity.
I picked up an apache tool which does a reverse dns lookup from your log
files, but my experience was that this was only about 50% successful, so I
don't bother anymore.

Stuart<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

Eric wrote:
 > Is there a resource i can view that will show me the network IP blocks used
 > in various countries? I've had so many hack attempts from certain specific
 > areas around the world that I want to just block all network traffic from
 > them. One example: a very large portion of the hack attempts i get come
 > from Korea & Taiwan, since i dont have any reason to want even legitimate
 > traffic from that part of the world, I'd just as soon use iptables to block
 > it all. (I have googled around but cant find anything)
 > Thanks
 > Eric

<a style='text-decoration: underline;' href="http://countries.nerd.dk/" target="_blank">http://countries.nerd.dk/</a>
<a style='text-decoration: underline;' href="http://www.cluecentral.net/rbl/" target="_blank">http://www.cluecentral.net/rbl/</a>
<a style='text-decoration: underline;' href="http://www.blackholes.us/" target="_blank">http://www.blackholes.us/</a>


--
E-Mail Sent to this address <BlackList.TakeThisOut@Griffin-Technologies.net>
will be added to the BlackLists.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

Moe Trin wrote:

 > In article <T_2dnfkjJNX0coXfRVn-uQ.TakeThisOut@comcast.com>, Eric wrote:
 >
  >>Moe Trin wrote:
  >>
   >>> Let's take Korea as a starting point. These are the zone files from the
   >>> first of the month.
  >>
  >> How (or where) did you get the gz'd data ?
 >
 > It's a distillation off the zone files from the RIRs. Try <a style='text-decoration: underline;' href="http://ftp.arin.net" target="_blank">ftp.arin.net</a> in
 > /pub/stats/*/ - the files you are looking at are fairly large (the four
 > files total about 4.5 Megs - be warned). The files will look something
 > like this:
 >
 > [compton ~]$ head IP.ADDR/stats/lacnic.20030817
 > 1|lacnic|20030817|1858|?|2003-08-17|?
 > lacnic|*|ipv4|*|1044|*|summary
 > lacnic|*|asn|*|814|*|summary
 > lacnic|CL|ipv4|24.152.0.0|32768|2000-04-11|allocated
 > lacnic|AR|ipv4|24.232.0.0|65536|1997-06-02|allocated
 > lacnic|TT|ipv4|64.28.128.0|4096|2000-01-11|assigned
 > lacnic|AR|ipv4|66.60.0.0|16384|2000-12-26|allocated
 > lacnic|CO|ipv4|66.128.32.0|4096|2001-06-04|allocated
 > lacnic|CO|ipv4|66.231.64.0|4096|1970-01-01|allocated
 > lacnic|VE|ipv4|129.90.0.0|65536|1987-09-05|assigned
 > [compton ~]$
 >
 > (That's from an older posting - the filenames are in the form
 > "delegated-$RIR-datestring" where $RIR is 'apnic', 'arin' 'lacnic' and
 > 'ripencc', and the datestring is similar [year month day] to as shown
 > above.) I pass these files through a rather lengthy shell script to
 > extract the country code, IP starting address, the field that follows
 > (above 32768, 65536, 4096, and so on, which is the decimal width of the
 > assignment) for those lines in the files that contain the string 'ipv4'
 > (the file also has IPv6 data and ASN numbers which are not needed here).
 > The script then converts those decimal values into normal masks IF
 > POSSIBLE. These are routing masks, and they don't have to be binary values
 > - see RFC1519. The result is the four files that contain about 66,000
 > block assignments.
 >
 > I've lost track of it, but there is a perl module you might find on CPAN
 > that may also be useful, as it has recent data digested into a more
 > readable format. Googling for 'perl' and 'IP list' should turn it up.
 > The zone files _could_ be updated several times a local workday for all
 > I know, but downloading monthly might be overkill, as the data doesn't
 > seem to change very often.
 >
 > On Sun, 20 Feb 2005 08:41:37 -0800, you added:
 >
  >>blackholes.us does the trick
  >>and Moe, I'm thinking though what you wrote
 >
 > You really want to think about how much of an effect this form of
 > blocklist would have on your firewall. EVERY packet is going to have to
 > traverse all the rules until it either passes, fails or falls out the
 > bottom. That can be a few CPU cycles. While Korea has 334 assignments
 > (Taiwan 314, Hong Kong 544, China 778, India 323, and so on), some may be
 > consolidated into larger listings...
 >
 > [compton ~]$ zgrep -Ec 'KR 211\.(1[6-9]|2[0-5])[0-9]'
 > [IP.ADDR/stats/APNIC.gz
 > 40
 > [compton ~]$
 >
 > What that is saying is that there are 40 assignments in the block
 > 211.160.x.x to 211.255.x.x for Korea, but actually looking at the data
 > reveals that Korea CURRENTLY has all the space between 211.168.0.0 and
 > 211.255.255.255, and if you understand CIDR, you can convert that into a
 > /21, and a /20 and a /18 rule - or three rules instead of 40.
 >
 > On the other hand, maybe it might be easier to whitelist certain address
 > ranges (for example, pass 202.173.128.0 - 202.173.191.255 which is a block
 > assigned to an ISP in OZ), and then block 200.0.0.0/6 to wipe off
 > everyone
 > else. Remember, it takes time to look through all the firewall rules
 > before deciding to pass/reject a packet.
 >
 > Old guy
Yes, you are right, once the number of rules gets large performance drops
like a stone. What we need is some kind of a program to scan all the IP
blocks in a file and distill them down to as few "all encompassing" blocks
as possible, like what you said about the 3 rules for korea. I understand
the basics of CDIR but I dont understand how you took a range like
211.168.0.0 - 211.255.255.255 and made 3 rules out of it
I would have come up with: 211.168.0.0/9
Thanks
Eric<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

On 2005-02-19, Eric <no_one DeleteThis @comcast.net> wrote:
 > Is there a resource i can view that will show me the network IP blocks used
 > in various countries? I've had so many hack attempts from certain specific
 > areas around the world that I want to just block all network traffic from
 > them. One example: a very large portion of the hack attempts i get come
 > from Korea & Taiwan, since i dont have any reason to want even legitimate
 > traffic from that part of the world, I'd just as soon use iptables to block
 > it all. (I have googled around but cant find anything)
 >
Do not wet yourself with joy, which I did when I found it but:

<a style='text-decoration: underline;' href="http://ip.ludost.net/" target="_blank">http://ip.ludost.net/</a>

And of course it supplies all the links to ARIN/RIPE/etc so you could make
your own tools.

Cheers

Alex<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings 

On Mon, 21 Feb 2005 09:01:27 -0800, in alt.apache.configuration, Eric
<no_one.RemoveThis@comcast.net> wrote:

 >I dont understand how you took a range like
 >211.168.0.0 - 211.255.255.255 and made 3 rules out of it
 >I would have come up with: 211.168.0.0/9

211.168.0.0/9 expands to 211.128.0.0 through 211.255.255.255. You
have excluded addresses not in the range.

168 is 10101000 binary. You need three rules:
1) 211.168.0.0/13 211.168.0.0 - 211.175.255.255
2) 211.176.0.0/12 211.176.0.0 - 211.191.255.255
3) 211.192.0.0/10 211.192.0.0 - 211.255.255.255

HTH,
Jim<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: IP mappings