Incoming port accesses from China

I'm getting an inordinate number of port accesses from China. I use IP WhoIs to find the address range for the company that owns the IP address, and block the whole range. I'm curious why only China, and nowhere else, in the past few months. Is it as simple as the (likely) fact that they haven't yet become as vigilant against infections?

Reply to
Pils Barry

If you keep blocking complete address ranges when you get unsolicited inbound traffic you will soon be very very safe :-) LOL!

-Frank

Reply to
Frankster

It's actually a good idea to block ranges of IP that you don't need traffic from. I block close to 50 /24 ranges and another 50 /17 ranges and about 30 other small ranges. It's blocked a LOT of crap.

We also have a firewall that will permit us to create a rule that allows us to trigger a 20 minute temporary block if that port is hit - so we block anyone doing 445 and several others using that method.

Reply to
Leythos

'inordinate number' meaning what? 1 - 10 per day? Per hour? Per minute? Per second? It would also be relevant what the protocols and port numbers are. The address of UDP (normally targeting ports 1025 to 1035) is often spoofed - looking at the TTL might give a clue there. TCP is much harder to spoof, but if your system isn't running a server on the targeted port, it provides the same "FOAD" answer as does a firewall.

Generally speaking the only whois server to provide useful information about Chinese IPs is APNIC. The Chinese whois server is totally useless.

I can't say that the traffic has been monopolized by China. I'm in the US, and the last time I bothered to look (logging is normally off) I'm seeing about half the connection attempts coming from zombies on North American broadband links, about a third from Asia (split fairly evenly between China, India, and Korea), and about a quarter from Europe (again fairly evenly split among 10 countries).

China has been in the fore offering "Bullet Proof" hosting (no matter how many complaints - they are ignored) as long as the malefactor is paying cash and isn't bad-mouthing the Chinese government.

[compton ~]$ grep -c CN IP.ADDR/stats/[ALR]* | grep -v ':0$'
IP.ADDR/stats/APNIC: 911
[compton ~]$ grep CN IP.ADDR/stats/APNIC | cut -d' ' -f2 | cut -d'.' -f1 | sort -n | uniq -c | column
     39 58      25 125      1 166    318 202     27 219
     28 59       1 134      1 167     74 203     13 220
     30 60       1 159      1 168     70 210     58 221
     71 61       1 161      4 192     35 211     63 222
      2 124      1 162      1 198     46 218
[compton ~]$

China only gets IP space from APNIC, but the second command shows the number of such assignments in each /8 - fairly well distributed.

[compton ~]$ grep -h ' 134\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort | uniq -c | column
      7 AU      1 DE      3 JP      1 TW
      8 CA     66 EU      1 KR    147 US
      1 CN      1 HK      1 PR
[compton ~]$ grep -h ' 159\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort | uniq -c | column
      7 AU      1 CH     39 EU      1 MX    147 US
     14 CA      1 CN      3 JP      1 NZ      1 VE
[compton ~]$

Note that you can't just block any old /8 without some collateral damage.

If you have no expectation of valid traffic from this or that address range, blocking adds some insurance. If your systems are configured properly in the first place (home users shouldn't be offering ANY service to the world), and the network stack on your O/S isn't a pile of crap ready to fall/bend over at the slightest unexpected packet, then you're already relatively safe. If there are no servers running on your system, ANY unsolicited incoming traffic is not seen at the application level. Imagine that - everything is blocked without causing trouble.

Old guy

Reply to
Moe Trin

I read recently that China accounts for the largest per capita use of the Internet, worldwide. That was interesting to me. I would have guessed U.S. But, I guess China is a "tad" bigger :-)

-Frank

Reply to
Frankster

It varies, but it wasn't uncommon to be denying accesses til I was blue in the face. There were brief periods of relative calm though. I found it interesting that prior to about 1.5 months ago, I never got these. Now, every single one is from China. What a big change. Especially yesterday, it got worse and worse. I spent a good chunk of time just setting up rules. It's quieted down now. Just the odd access, for which I create a rule.

Yes, well, I try to keep the system slim, but I'm not a complete expert in it. So I don't presume that there aren't services of which I am unaware.

I think most of the queries get deferred to APNIC.

OK, I'm not completely familiar with the protocols, and the /8 is probably a designation for one of the protocols. I look them up whenever I need to in order to create a rule, but that's not the area I work in. I basically block ALL incoming traffic from the address ranges I look up because I don't think I'm accessing anything at the other side of the world, as you suggested. I think the address ranges are given to companies based on province, and sometimes major cities. It was only a matter of time before I blocked most of them, though a very long time it took.

Reply to
Pils Barry

Per capita??? That's ridiculous. Grabbing figures from an almanac, I find the 2002 population of China is 1,284,211,000. Taiwan is 22,457,000. India is 1,047,671,000, (South) Korea is 47,640,000, Japan is 127,347,000, and the USA is 287,602,000. Now, looking at the RIR registrations from the middle of December 2005:

[compton ~]$ grep ipv4 IP.ADDR/stats/delegated* | grep CN | awk 'BEGIN { FS="|" } ; { total += $5 } ; END { print total }'
74026752
[compton ~]$ ^CN^TW
grep ipv4 IP.ADDR/stats/delegated* | grep TW | awk 'BEGIN {FS="|" } ; { total += $5 } ; END { print total }'
16275968
[compton ~]$ ^TW^IN
grep ipv4 IP.ADDR/stats/delegated* | grep IN | awk 'BEGIN {FS="|" } ; { total += $5 } ; END { print total }'
6110720
[compton ~]$ ^IN^KR
grep ipv4 IP.ADDR/stats/delegated* | grep KR | awk 'BEGIN {FS="|" } ; { total += $5 } ; END { print total }'
40695040
[compton ~]$ ^KR^JP
grep ipv4 IP.ADDR/stats/delegated* | grep JP | awk 'BEGIN {FS="|" } ; { total += $5 } ; END { print total }'
142662912
[compton ~]$ ^JP^US
grep ipv4 IP.ADDR/stats/delegated* | grep US | awk 'BEGIN {FS="|" } ; { total += $5 } ; END { print total }'
1324570112
[compton ~]$

So, let's line those up nice and neat:

Country    Population      IPv4 addrs      Per Capita
China   1,284,211,000      74,026,752        .0576
Taiwan     22,457,000      16,275,968        .7248
India   1,047,671,000       6,110,720        .0058
Korea      47,640,000      40,695,040        .8542
Japan     127,347,000     142,662,912       1.1202
USA       287,602,000   1,324,570,112       4.6056

Wherever you read that little fact - cross them off as non-credible.

Old guy

Reply to
Moe Trin

Here's a free suggestion - don't bother creating a rule for every host you wish to block access. Why?

[compton ~]$ grep ipv4 IP.ADDR/stats/delegated* | grep -v summary | awk 'BEGIN { FS="|" }; { total += $5 } ; END { print total }'
2217290328
[compton ~]$

There's 2,217,290,328 hosts out there - 2.2 Gigahosts at 4 bytes per address is 8.8 Gigabytes to just list the address. And as you've discovered, you always are adding more, and more. Why. How many hosts do you WANT to have connect to your system? A hundred? A thousand? Are there really that many people who want to grab that web page with the picture of your pet gerbil wearing an eye patch sticking it to that Saint Bernard that's wearing fish net stockings?

Put in a rule to ALLOW this, or that host/network/what-ever.
Put in a rule that BLOCKs by default all of that which is not ALLOWED.

I stopped using windoze in 1992, but there are several commands you can use to see what ports are open - one is a copy of the UNIX 'netstat' command. Do a search on google.

No, it's a 'size' of a network. The mask would be 255.0.0.0 which in binary is

11111111 00000000 00000000 00000000
^^^^^^^^

and you may notice there are eight 'ones' in the mask. See RFC1519 and RFC1878 if you want more information. As far as protocols, there aren't that many in normal use - you'd see ICMP, IGMP, UDP, and TCP, and that's about it. There are another 135 protocols, but they're never used on the Internet. Only UDP and TCP use ports, but there are 65,536 of those for each.

You might guess - I work there.

I know freedom is a wonderful thing - but it ends at my firewall. There, I designate those addresses I want to have connect. All else is blocked by default.

[compton ~]$ grep CN IP.ADDR/stats/APNIC | cut -d' ' -f3 | sort | uniq -c | column
      1 255.192.0.0     118 255.254.0.0     106 255.255.240.0
      2 255.224.0.0     130 255.255.0.0      83 255.255.248.0
      5 255.240.0.0      84 255.255.128.0    34 255.255.252.0
     31 255.248.0.0      81 255.255.192.0    20 255.255.254.0
     55 255.252.0.0     122 255.255.224.0    39 255.255.255.0
[compton ~]$

That's 911 networks. That's a few rules to add, and then, what are you going to do next week when they get some more IP space?

Old guy

Reply to
Moe Trin

Well, I'm not blocking each address individually, I'm blocking ranges of addresses assigned to companies. I'm hoping there aren't that many ISPs, though I'm not sure.

I understand the logic of that, but I use the web quite a bit. So I end up going to web pages in many places. I may download drivers, freeware, use web forums, etc.. I would like to avoid unknowingly interrupting something and troubleshooting a while before I realize that perhaps I should try disabling some rules to see if that's the problem. If things are unmanageable, then I agree absolutely, the only way to go is to allow incoming access from selected addresses. Currently, I've got about 30 address ranges blocked and I'm only getting the occasional access attempt.

I've looked up various commands such as that before and use them on an as-needed basis, and the results are similar to what I see on the Kerio's monitoring of open connections. It's not always clear what all of them are for, and I've googled them more than once (as well as ports in general; many are local loopbacks). In the end, I have to balance my time in becoming knowledgeable in this area versus the demons that I'm wrestling in other areas. Unless I deal in this area all the time, reading lots and lots about what I see doesn't translate into a commensurate amount of knowledge. Especially if weeks or months later, I've forgotten the details. In trying to be effective in selecting how much to delve into it, I think I've got a general idea of the suspicion signs. If an entry shows up in Kerio monitor that doesn't look familiar, if there is an inordinate amount of traffic, if there is a process in the task manager that looks unfamiliar or takes up an unexpected amount of CPU (I have looked them all up before, so even though I can't really know what some do without an in-depth course in windows under-the-hood, I know when something strange is there).

I don't mean to sound unappreciative, because I appreciate your time. I have looked up these numbering schemes before, allotted time to researching them on the web. Read RFCs (and man, they aren't always very readable). Some of it made sense at the time, long ago, much was just greek. Revisited them more than once. The reality is, for those whose stomping grounds are elsewhere and have a limited amount of time to be educated in security, such web research can only impart so much (lasting) knowledge. It is unavoidable that such people will have to make the trade-off of how much to know and not know -- each has its consequences, and it's a bit of a gamble how one calls it.

Yes, good area to be in these days.

I had enough difficulties with other firewalls (e.g. Zone Alarm) that I'm trying to avoid the prospect of unknowingly interrupting a useful communication. For example, I go on campus and plug the laptop into DHCP. Different servers have to be communicated with for different things (file serving, network, some valid queries of which I'm unaware, mail access, mail filtering service, news service, CAD tools, license servers) -- then I go home and dial up to my ISP -- again who knows what all the communications are needed, I'm not even guaranteed that the servers I need to contact will be constant. Then I visit a friend and plug into the home router there and get these queries of my kernel driver -- things change enough that if I do a blanket blocking of everything except what I know, I'll spend most of my time troubleshooting or creating exceptions to the rule -- which can be a problem if the IP addresses for the exceptions are guaranteed to be constant.

As I said, that may be the way that one has to go eventually. At the moment, things seem manageable.

I'm not sure. It is disturbing. How often do the IP address ranges change? Why would it change? Currently, the address ranges I have start with 60, 61, the low 20X's, high 21X's, and low 22X's. If they get more address ranges, I hope some of them will merge with ranges for which I already have rules. The expansion of "attackers" (if that's not too dramatic a term) address ranges will happen gradually, I hope, so that I can evolve the rules (either in number or range). If it gets too much, I will have to fall back to a more exclusionary approach such as the one you suggest.

Reply to
Pils Barry

ISPs - interesting concept in China. "CHINANET" is the Peoples Liberation Army, which is acting as a National Internet Registry. Look again at the tabulation at the end of the post you responded to. There is a block of 64 (former) "Class B" size, two of 32 "Class B"s, five of 16 "Class B"s, and so on.

Use a packet sniffer, and learn how a TCP connection works. When you try to connect to some web site, your computer chooses a "high" port number on your side - high meaning a number between 1025 and 65535 - and makes a connection from that port on your system to the "well known port" for the service you are seeking. These are almost always a low port number on "their" system. Example: you connect from your 1040 to their 80 which is the web server. Now, they're going to send the web page (OR WHAT-EVER YOU REQUESTED) back to you - how? They send the "data" from the port you connected to - their 80 to your 1040. Do they refer you to another site? Fine - that referral will be in the packet you receive from them, and you will then make a SEPARATE request to the other site, and repeat this process. AT NO TIME DO "THEY" INITIATE A CONNECTION TO YOU (except for some mail or IRC servers that may send a "who are you" request to your port 113). Big clue number two - they have no reason to connect to any "low" port (except for a possible connection to 113) on your end. Just because you are looking at some wankers web page does NOT involve your port 80. The ONLY reason your port 80 should be open is if you are _serving_ web pages. As a home user, you shouldn't be, and if you are, you should be selective about who gets to see those pictures or what-ever you are serving.

There is one exception to this rule. For some reason, BOOTP and DHCP (similar services to get assigned a dynamic IP address) decided that the _client_ should send and receive on UDP port 68, and the remote server should use UDP port 67. Your system would send a request from your port 68 to the server port 67, and get the answer back from 67 to your 68. NORMALLY, your port 68 would be closed, except when it has initiated the connection (at boot time, and a configurable interval there after). After the (quick) conversation, that port should again be closed.

Rather than disable a rule, enable logging, and see what the complaint is. Once you know, turn off the logging and ignore the noise.

Connections to/from 127.0.0.1 which is the loopback address can be ignored in your firewall. It's those OTHER connections you want to know about. Anything that is listening on an address OTHER THAN 127.0.0.1 on a port below 1025 is usually bad news unless you have to be running a specific server. For a home user, that's never a good sign. The single exception _MAY_ be port 113 if some remote server requires it. In reality, I'd be looking to replace a service provider that wants 113 because it proves them to be totally clueless. On the other hand, if you have something that is listening on an address other than 127.0.0.1 on a port above 1024, I'd recommend finding out what it is, and why it's open. Note that BOOTP or DHCP uses your port 68, BUT there should never be anything _listening_ on that port - it may get opened for a single connection, but will be immediately closed thereafter.

Perhaps you've just figured out that they lied to you when they told you even an untrained monkey on crack can use a computer. Yes, there's a lot to learn. Some of it is comparatively simple, some not.

First solution - configure your system so it's not offering services you didn't intend. (Look to see if anything - with the possible exception of that port 113 - is open to the world. If it's not, you have most of the problem solved.)

Second solution - ignore connection attempts to ports on your system that are not open. These so-called personal firewalls like to scream attack when some host in Korea or Kenya attempted to connect to a trojan that they don't have installed. If nothing is open, it can't be exploited.

Third solution - don't install crap without knowing exactly what it is. There is no software fairy that comes around when you aren't looking, waves a magic wand, and installs mal-ware. It gets installed when you install that neat toolbar, or helper, or what-ever. Know where the software you install comes from and check it out on google before installing.

There are (as of Christmas) about 4200 RFCs. You're right - most are unreadable, or at least not needed by 99.999% of the people. About a third are totally useless (909 classed as Status: Unknown, 243 classed as Experimental and 145 as Historic). Another 1300 are meant to be informative - light to heavy reading. Examples might be RFC2100 (The Naming of Hosts - watch for stuff dated April 01) or RFC1536 (Common DNS Implementation Errors and Suggested Fixes - which I think translates to "no need for a sleeping pill here"). Others might be useful to some such as RFC2664 (FYI on Questions and Answers - Answers to Commonly Asked "New Internet User" Questions), or RFC2504 (Users' Security Handbook). Another 1500 are some form of standard that defines how the Internet works - few of which are useful to the common user.

See those rules above.

[snip laptop configuration needs]

The rules still apply. The only "low" ports on your system that may need to be open are DHCP Client outbound (when you make a "call", the firewalls do allow traffic over that connection in both ways - thus when your system ISN'T asking a DHCP server for an address, the port is closed), and perhaps 113 inbound from brain dead service providers. Nothing else needs to be open unless you are running a server.

I only update my zonefiles monthly - there are perhaps 100 - 150 changes world wide on average.

At the end of 1995, there were roughly 1.1 billion IP addresses in use. At the end of 2005, that figure is up to 2.2 billion.

58.x.x.x and 59.x.x.x have been in use for 19 months - 124.x.x.x through 126.x.x.x were allocated to Asia a year ago. See
formatting link
- but be aware that YY.x.x.x refers to 4 million addresses, and few of those sized blocks are assigned to a single continent, never mind a single country. APNIC is handing out addresses for Afghanistan to the mid-Pacific, from Oz to Mongolia, and there are some overlaps.

most professionals laugh at it

If you are not running a server, you don't need a firewall. When someone attempts to connect, there is nothing there to answer the connection. A firewall can help make certain that you don't accidentally start serving stuff - or can restrict who can access any server you intentionally run, but all of your post has yet to show what server you might need to run. With the possible exception of that port 113, nothing you are talking about doing needs a server running. Work from that concept, and life will be a lot easier for you. Microsoft is working from the opposite end - enable everything because someone _might_ find it useful. Strange that third party vendors can figure out how to limit exposure, and microsoft sees no need for such limits.

Old guy

Reply to
Moe Trin
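Moe's post above boils down to a small decision list: loopback sockets can be ignored, an outbound connection lives on a high port you chose, anything listening on a non-loopback address below 1025 is bad news unless you mean to run that server (113 being the grudging exception), port 68 should not stay open, and a connection attempt at a port that is not open is noise. The following is an added example for this page, not code from anyone in the thread; the netstat-style lines and the firewall log lines are constructed, not captured from any real machine, and the log format is made up. It encodes those rules and then uses the resulting set of open ports to pull out only the dropped inbound attempts worth a second look.

```python
"""Triage listening sockets and firewall noise by the rules in the post above (added example).

The netstat-style and firewall-log lines below are constructed for the
example, not captured from any real machine."""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto addr port state")

# Constructed 'netstat -an'-style output (Windows layout; not a real capture).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
TCP    192.168.1.20:5000      0.0.0.0:0              LISTENING
TCP    192.168.1.20:1040      203.0.113.5:80         ESTABLISHED
UDP    0.0.0.0:68             *:*
UDP    127.0.0.1:1900         *:*
"""

# Constructed firewall log of dropped inbound attempts (the format is made up).
SAMPLE_FW_LOG = """\
2005-12-20 10:11:12 DROP TCP 203.0.113.9 -> 192.168.1.20:445
2005-12-20 10:11:15 DROP TCP 203.0.113.9 -> 192.168.1.20:27374
2005-12-20 10:12:01 DROP UDP 198.51.100.7 -> 192.168.1.20:1026
2005-12-20 10:13:40 DROP TCP 198.51.100.7 -> 192.168.1.20:5000
"""

SOCKET_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")
LOG_RE = re.compile(r"DROP (TCP|UDP) (\S+) -> \S+:(\d+)")


def parse_netstat(text):
    """Parse netstat-style lines into Socket tuples; the header line does not match."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, state = m.groups()
            sockets.append(Socket(proto, addr, int(port), state or ""))
    return sockets


def triage(sock):
    """Apply the post's rules to one socket; returns (verdict, reason)."""
    if sock.proto == "TCP" and sock.state != "LISTENING":
        return "client", "connection you initiated from a high port; normal"
    if sock.addr.startswith("127."):
        return "ignore", "loopback only; not reachable from the network"
    if sock.port == 68:
        return "dhcp", "BOOTP/DHCP client port bound while idle; should close after the exchange"
    if sock.port == 113:
        return "ident", "port 113 open; only needed if some remote server insists on it"
    if sock.port < 1025:
        return "bad", "low port open to the world; bad news unless you mean to run that server"
    return "investigate", "high port listening on a non-loopback address; find out what and why"


def listening_ports(sockets):
    """Ports actually reachable from the network: everything not 'client' or 'ignore'."""
    return {s.port for s in sockets if triage(s)[0] not in ("client", "ignore")}


def attempts_that_matter(log_text, open_ports):
    """Keep only dropped inbound attempts aimed at a port that is open here.

    The rest is the noise the post says to ignore: a probe for a port that is
    not open finds nothing to exploit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group(3)) in open_ports:
            hits.append((m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in socks:
        verdict, why = triage(s)
        print(f"{s.proto} {s.addr}:{s.port:<5} {verdict:<11} {why}")
    print("worth a look:", attempts_that_matter(SAMPLE_FW_LOG, listening_ports(socks)))
```

On the sample data the two probes at 27374 and 1026 drop out as noise, while the attempts at 445 and 5000 remain, because those ports are genuinely open on a non-loopback address; the fix for those is to close or scope the service, not to add another address-range rule.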

Hi, Moe,

Thanks for your very informative response. I certainly endeavour to continue reading up on how these things work as time permits.

P.S. Major snippage is due to news server restriction on quoted lines.

Reply to
Pils Barry

Windows users need to be paranoid on the use of 135-139,445 from the web. These ports are used heavily in a LAN environment for File/Print sharing amongst other things. The default freebie firewall and/or SP2 will automatically close these ports, but if you need sharing, then be sure to enable them ONLY on your private, non-routable lan addresses. There are many trojans that use these ports to really mess with your life.

Reply to
Jeff B

No, they don't need delusions of persecution, they need to actually be concerned.

Reply to
Quaestor

don't get too literal. the clear issue is not perception but taking action :)

Reply to
Jeff B

Thanks, I've seen those ports quite often when googling around. I got 135 & 445 blocked, and will block 135-139 if I run into any problems that I find are related to them.

Reply to
Pils Barry

That may be, but WHY if you decide to share (or more correctly, if microsoft decides you want to share) files or the printer, WHY OH WHY does anyone think you want to share with the world? Do you really think that someone half way around the world is going to need to use your printer? Do you REALLY want to share your personal details, or that recipe for those Neiman-Marcus cookies you paid US$250 for

formatting link
Get real!

Microsoft intentionally tries to scare people away from looking at technical stuff, but the 'route print' command will show that windoze is aware of three classes of computer, based on the IP address. It knows about the loopback (meaning "this" computer), and the address range used on the "local" LAN. It also knows about "everyone else". It doesn't have to share BY DEFAULT with all three classes.

Is that too hard? OK, the mechanism they've added for Link Local (also called ZeroConf - the 169.254.0.0 network the system defaults to when it can't find a DHCP server because who ever set up the network screwed up) has the TCP limitation of "time to live" set - packets using that address are set to a TTL of "1" - meaning local network only.

Is your LAN so big that you have more than one sub-net? The 10.0.0.0 network with a 255.0.0.0 mask allows for 4.2 million computers on the same wire, but only an idiot would have as many as a thousand. If you have that many, you also have enough to engage the services of someone who can spell 'TCP'. Even a drooler who has spent a thousand bucks to memorize a few facts to pass the memory "test" to become an MCSE has some idea of how it's done.

Why is that not the default configuration? If you don't HAVE a local LAN, trying to share with a non-existent net won't matter. On the other hand, the choice of "share with no-one" or "share with everyone" is about as dumb as you can get. I don't know about you, but I don't know of anyone who really needs to share their printer with the world, and the number of those who need to share files with the world is quite limited.

Isn't it interesting that other operating systems have had file and print sharing as far back as the late 1970s and don't have this problem?

Old guy

Reply to
Moe Trin
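Jeff's advice to enable 135-139 and 445 only on private LAN addresses and Moe's point that the stack already distinguishes loopback, the local LAN and "everyone else" amount to a simple policy. Here is an added example for this page, not code from anyone in the thread, that encodes that policy: the three address classes, the weak "share with everyone" rule set beside a LAN-only rule set that falls through to a default block, and an evaluator that decides a given port/peer pair under each. The LAN prefix, the peer addresses and the rule layout are constructed for the example and are nobody's real configuration.

```python
"""Scope Windows file/print-sharing ports to the local LAN (added example).

Rule sets and peer addresses are constructed here; they are nobody's real
firewall configuration. Encodes the three address classes the post names
(this computer, the local LAN, everyone else) and compares the 'share with
everyone' default with a LAN-only rule set that falls back to block."""
import ipaddress

SHARING_PORTS = {135, 137, 138, 139, 445}       # RPC endpoint mapper, NetBIOS, SMB
LAN = ipaddress.ip_network("192.168.1.0/24")    # constructed example LAN
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def address_class(peer, lan=LAN):
    """The three classes 'route print' knows: loopback, local LAN, everyone else.

    169.254.0.0/16 (ZeroConf) counts as LAN: the post notes those packets carry
    TTL 1 and never leave the local wire."""
    ip = ipaddress.ip_address(peer)
    if ip.is_loopback:
        return "loopback"
    if ip in lan or ip.is_link_local:
        return "lan"
    return "world"


# Weak setting: sharing ports answered for anyone who asks (scope None = any address).
SHARE_WITH_EVERYONE = [("allow", SHARING_PORTS, None)]
# Corrected: sharing only for this computer and the LAN; the default block covers the rest.
SHARE_WITH_LAN_ONLY = [("allow", SHARING_PORTS, LOOPBACK), ("allow", SHARING_PORTS, LAN)]


def decide(rules, port, peer):
    """First matching rule wins; no match means the default block, so anything
    not explicitly ALLOWed is denied."""
    ip = ipaddress.ip_address(peer)
    for action, ports, scope in rules:
        if port in ports and (scope is None or ip in scope):
            return action
    return "deny"


def compare(port, peer):
    """Peer class plus the decision under the weak and the corrected rule sets."""
    return (address_class(peer),
            decide(SHARE_WITH_EVERYONE, port, peer),
            decide(SHARE_WITH_LAN_ONLY, port, peer))


if __name__ == "__main__":
    for port, peer in [(445, "192.168.1.7"), (139, "127.0.0.1"),
                       (445, "203.0.113.9"), (80, "192.168.1.7")]:
        cls, weak, fixed = compare(port, peer)
        print(f"port {port:<4} from {peer:<13} ({cls:<8}) everyone={weak:<5} lan-only={fixed}")
```

The only row where the two rule sets differ is the SMB request from a world address, which is exactly the case the posts are arguing should never be answered; the LAN and loopback peers keep working, and a port outside the sharing set is blocked under both because nothing allows it.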

Take one technical person at HQ who knows little about security but likes the GUI that Microsoft gives for an application. Season with warnings from people who have a Clue but are located a long way away. Add one highly placed supervisor who would rather not lose the technical person. Stir well and half-bake. Serves one organization... badly. Lasts: far too long.

Reply to
Walter Roberson

This point can also be reached directly by a decree from on high as well. "The president's personal secretary wants..."

All too true. What's worse is that it's also the default setup for every home installation, where there is no one with Clue.

Old guy

Reply to
Moe Trin
