
Blocking Country Attacks


I recently checked mail stats on a server and discovered that 71% of the mail the server handled was rejected. That means the server lost 71% of its total resources to connections that were either malicious in nature or intended to solicit resources from individuals. As a result, I have started a campaign to drop all subnets that I really do not need to allow connections from.

Selecting Countries to Drop
The criteria that I developed may not work for you, so keep that in mind. However, I am giving you some idea of my reasoning to help in your decision making.

1. Countries that are frequent attackers
One of the things I have done is watch the logs so that I can drop those who are constantly stealing my resources.

2. Countries I cannot read the mail
I have limited language skills. If I cannot speak Chinese, why allow Chinese mail to arrive at my mail server?

3. Countries I do not do business with
There are a lot of countries that I do not do business with. Some, like Indonesia, have been constant sources of fraud; I have never had a legitimate order from Indonesia.

Here is the list of country subnets that I am currently dropping. It is important to recognize that many of these subnets overlap and are also used by other countries, so you will need to be careful and do your own research.

#####################################################
# BLOCK COUNTRY ATTACKS
#####################################################
# Asia
iptables -A INPUT -s 220.0.0.0/8 -j DROP
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 61.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 124.0.0.0/8 -j DROP
iptables -A INPUT -s 126.0.0.0/8 -j DROP
iptables -A INPUT -s 168.208.0.0/16 -j DROP
iptables -A INPUT -s 196.192.0.0/16 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -j DROP
iptables -A INPUT -s 210.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 222.0.0.0/8 -j DROP
# Africa
iptables -A INPUT -s 41.0.0.0/8 -j DROP
# Brazil and Argentina
iptables -A INPUT -s 189.0.0.0/8 -j DROP
iptables -A INPUT -s 190.0.0.0/8 -j DROP
iptables -A INPUT -s 200.0.0.0/8 -j DROP
iptables -A INPUT -s 201.0.0.0/8 -j DROP
# China
iptables -A INPUT -s 62.0.0.0/8 -j DROP
iptables -A INPUT -s 77.0.0.0/8 -j DROP
iptables -A INPUT -s 78.0.0.0/8 -j DROP
iptables -A INPUT -s 79.0.0.0/8 -j DROP
iptables -A INPUT -s 130.0.0.0/8 -j DROP
iptables -A INPUT -s 131.0.0.0/8 -j DROP
iptables -A INPUT -s 137.0.0.0/8 -j DROP
iptables -A INPUT -s 146.0.0.0/8 -j DROP
iptables -A INPUT -s 147.0.0.0/8 -j DROP
iptables -A INPUT -s 150.0.0.0/8 -j DROP
iptables -A INPUT -s 151.0.0.0/8 -j DROP
# Indonesia
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 60.0.0.0/8 -j DROP
iptables -A INPUT -s 113.0.0.0/8 -j DROP
iptables -A INPUT -s 114.0.0.0/8 -j DROP
iptables -A INPUT -s 116.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/8 -j DROP
iptables -A INPUT -s 118.0.0.0/8 -j DROP
iptables -A INPUT -s 119.0.0.0/8 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 121.0.0.0/8 -j DROP
iptables -A INPUT -s 122.0.0.0/8 -j DROP
iptables -A INPUT -s 123.0.0.0/8 -j DROP

  • 2 responses to "Blocking Country Attacks"

  • John Simspon
    16:44 on December 3rd, 2008

    PLEASE tell me you put this list up as an example, and that you’re not actually using it yourself.

    One quick example: 131.96.100.46 is in Atlanta, not China.

  • mike
    5:18 on December 4th, 2008

    Yes, this is the problem that you face. In the example you can see that many of these subnets will include IPs from other countries, as you mentioned and as I warned in the article. However, you will have to make a choice: 2000 lines of small subnets, or larger subnets that will overlap into other countries. It is not perfect.

  • Trackbacks

  • Trackback from uberVU - social comments
    Friday, 23 October, 2009

    Social comments and analytics for this post…

    This post was mentioned on Twitter by postfixmail: Postfix Security: Blocking Country Attacks http://bit.ly/RuVhO...