Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] NYT covers China cyberthreat

Eugen Leitl eugen at
Sat Feb 23 03:25:43 PST 2013

----- Forwarded message from "Naslund, Steve" <SNaslund at> -----

From: "Naslund, Steve" <SNaslund at>
Date: Thu, 21 Feb 2013 11:47:44 -0600
To: nanog at
Subject: RE: NYT covers China cyberthreat

> I can't help but wonder what would happen if US Corporations simply 
> blocked all inbound Chinese traffic. Sure it would hurt their 
> business, but imagine what the Chinese people would do in response

First thing is the Chinese government would rejoice since they don't
want their citizens on our networks (except the ones they recruit for
cyber warfare, they can get other address ranges for those guys).  

Second thing is someone will make a ton of money bouncing Chinese
traffic through somewhere else (and someone will create a SPAMHAUS like
service to detect that, and so on, and so on, and so on)

Third thing is all the companies that do business in and around China
would be screaming because tons of them use VPNs that are sourced from
Chinese IP address space.  Some people even like to travel and access
things back home, you know weird stuff, like email, news, music, videos.

One of the biggest problems with geoblocking is that often the addresses
do not reveal the true source of the traffic.  If you block everything
from China, you miss attacks sourced from China that are bouncing
through bot networks with hosts worldwide.  Remember Tor, it is built to
defeat just that sort of security by obscuring source locations.
Corporations also often have egress points to the Internet in countries
other than the one the user is in.  If you block everything from China,
then you are locking out any of your own personnel that travel
Internationally or any of your customers that travel.  Who here has not
surfed the web from a hotel room on business.  Anyone with malicious
intent has a zillion ways to bypass that sort of security.  Obscuring
your source address is child's play.  The management of the geoblocking
will not be worth the minimal protection it provides.  Trying to locate
someone by address is a complete PITA in my opinion.  If you go to
Europe you will often get sent to the wrong Google sites because they
attempt to locate you instead of just letting you put in the correct URL
(if you are in the UK, it is not that hard to include in your
URL.  I have been in the UK and gotten Google Germany and Google Spain
for no apparent reason (except that carriers in Europe have addresses
from all over the place because of mergers, alliances, and all sort of
other arrangements).

Blocking networks by service will also be a management nightmare since
addresses often change and new blocks get assigned and companies offer
different services.  Who manages all of that and who is going to tell
you when something changes (the answer is nobody, you will know when
stuff breaks).  If my network security guy had enough time to keep track
of all of Amazon's address space and what services they are offering
this week and all the services they host in their datacenters, I would
fire him for having that much time on his hands.  Can you keep track of
all the stuff coming from Akamai and where all their servers are at on a
continuing basis?  Cloud services will make blocking by service nearly
impossible since the network can reconfigure at any time.

I would love to see this implementation in a large corporate or
government network.  What a huge game of whack a mole that is.  Seems to
me that the time would be much better spent tuning up firewalls and
securing hosts properly. 

I think geoblocking gives you nothing but a false sense of security.  I
also believe that if you see an attack coming from China in particular
it is because they WANT you to know it is coming from China.  I would
think any state sponsor conducting a very serious attack would conceal
themselves better than that.  I also believe that a lot of attacks that
look like they are coming from China are actually coming from elsewhere.
Think about this,  if I am a hacker in the US, attacking a US victim, it
would be a big advantage to look like I was coming from China because it
almost guarantees no attempt to prosecute or track me down since
everyone in this business knows that if it comes out of China you can't
do anything about it.  I would not be surprised to find out China is
letting their capabilities be known just to remind everyone of what the
implications of messing with them is.  Remember Doctor Strangelove,
"what good is a doomsday bomb if you don't tell anyone about it ?!?!?"

Steven Naslund

-----Original Message-----
From: Rich Kulawiec [mailto:rsk at] 
Sent: Thursday, February 21, 2013 10:00 AM
To: nanog at
Subject: Re: NYT covers China cyberthreat

On Thu, Feb 21, 2013 at 01:34:13AM +0000, Warren Bailey wrote:
> I can't help but wonder what would happen if US Corporations simply 
> blocked all inbound Chinese traffic. Sure it would hurt their 
> business, but imagine what the Chinese people would do in response.

Would it hurt their business?  Really?

Well, if they're eBay, probably.  If they're Joe's Fill Dirt and
Croissants in Omaha, then probably not, because nobody, NOBODY in China
is ever actually going to purchase a truckload of dirt or a tasty
croissant from Joe.  So would it actually matter if they couldn't get to
Joe's web site or Joe's mail server or especially Joe's VPN server?
Probably not.

Nobody in Peru, Egypt, or Romania is likely to be buying from Joe any
time soon either.

This is why I've been using geoblocking at the network and host levels
for over a decade, and it works. But it does require that you make an
effort to study and understand your own traffic patterns as well as your
organizational requirements. [1]

I use it on a country-by-country basis (thank you and on a
service-by-service basis: a particular host might allow http from
anywhere, but ssh only from the country it's in.  I also deny selected
networks access to selected services, e.g., Amazon's cloud doesn't get
access to port 25 because of the non-stop spam and Amazon's refusal to
do anything about it.  Anything on the Spamhaus DROP or EDROP lists
(thank you Spamhaus) is not part of my view of the Internet.  And so on.
Combined, all this achieves lossless compression of abusive traffic.

This is not a security fix, per se; any services that are vulnerable are
still vulnerable.  But it does cut down on the attack surface as
measured along one axis, which in turn reduces the scope of some
problems and renders them more tractable to other approaches.

An even better approach, when appropriate, is to block everything and
then only enable access selectively.  This is a particularly good idea
when defending things like ssh.  Do you *really* need to allow incoming
ssh from the entire planet?  Or could "the US, Canada, the UK and
Germany" suffice?  If so, then why aren't you enforcing that?
Do you really think it's a good idea to give someone with a 15-million
member global botnet 3 or 5 or 10 brute-force attempts *per bot* before
fail2ban or similar kicks in?  I don't.  I think 0 attempts per most
bots is a much better idea.  Let 'em eat packet drops while they try to
figure out which subset of bots can even *reach* your ssh server.

Which brings me to the NYTimes, and the alleged hacking by the Chinese.
Why, given that the NYTimes apparently handed wads of cash over to
various consulting firms, did none of those firms get the NYTimes to
make a first-order attempt at solving this problem?  Why in the world
was anything in their corporate infrastructure accessible from the 2410
networks and 143,067,136 IP addresses in China?  Who signed off on THAT?

(Yes, yes, I *know* that the NYTimes has staff there, some permanently
and some transiently.  A one-off solution crafted for this use case
would suffice.  I've done it.  It's not hard.  And I doubt that it would
need to work for more than, what, a few dozen of the NYTimes'
7500 employees?  Clone and customize for Rio, Paris, Moscow, and other
locations.  This isn't hard either.  Oh, and lock it out of everything
that a field reporter/editor/photographer doesn't need, e.g., there is
absolutely no way someone coming in through one of those should be able
to reach the subscriber database.)

Two more notes: first, blocking inbound traffic is usually not enough.
Blocks should almost always be bidirectional. [2]  This is especially
important for things like the DROP/EDROP lists, because then spam
payloads, phishes, malware, etc. won't be able to phone home quite so
readily, and while your users will still be able to click on links that
lead to bad things...they won't get there.

Second, this may sound complex.  It's not.  I handle my needs with make,
rsync, a little shell, a little perl, and other similar tools, but
clearly you could do the same thing with any system configuration
management setup.  And with proper logging, it's not hard to discover
the mistakes and edge cases, to apply suitable fixes and temporary point
exceptions, and so on.


[1] 'Now, your typical IT executive, when I discuss this concept with
him or her, will stand up and say something like, "That sounds great,
but our enterprise network is really complicated. Knowing about all the
different apps that we rely on would be impossible! What you're saying
sounds reasonable until you think about it and realize how absurd it
is!" To which I respond, "How can you call yourself a 'Chief Technology
Officer' if you have no idea what your technology is doing?" A CTO isn't
going to know detail about every application on the network, but if you
haven't got a vague idea what's going on it's impossible to do capacity
planning, disaster planning, security planning, or virtually any of the
things in a CTO's charter.'  --- Marcus Ranum

[2] "We were so concerned with getting out that we never stopped to
consider what we might be letting in, until it was too late."

Let's see who recognizes that one. ;-)

----- End forwarded message -----
Eugen* Leitl <a href="">leitl</a>
ICBM: 48.07100, 11.36820
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the liberationtech mailing list