[lug] looking for address block reference...

Hugh Brown hugh at math.byu.edu
Wed Jan 10 18:55:15 MST 2007


D. Stimits wrote:
> I'm dealing with thousands of brute force ssh attacks from IP addresses 
> all over China. I'm just tired of it, is there a list of all Chinese 
> addresses somewhere so I can firewall? I have maybe a dozen /16 bans but 
> it always comes up that there's another the instant I close one. I've 
> been able to find name servers but finding an explicit list of address 
> blocks is a pain (just try searching for China and address block on 
> google). I've gone to some of the root organizations, like icann, where 
> I've found domain name server lists, and not domain blocks. I really 
> wish I could just do "whois cn" and get more than a name server list.
> 
> D. Stimits, stimits AT comcast DOT net


There is no easy way to do this (as allocations change and folks use 
netblocks that aren't in China, ...).

However, if forced to do this, I'd google around to see which IP space 
APNIC distributes (apnic.net) and then do lookups on their blocks to see 
which ones got assigned to China or a Chinese corporation.  I did try 
this once and got overzealous and blocked traffic I hadn't meant to 
block.  The drawback is that any legitimate traffic can be blocked with 
very little opportunity for the blockee to notify you of the blockage.

http://www.iana.org/assignments/ipv4-address-space  has a list of which 
regional registries have which blocks.  From there, you'd have to walk 
the APNIC allocations to see who had what.

Hugh
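
One way to do the "walk the APNIC allocations" step described above, as an added example that is not part of the original post. It assumes the pipe-delimited delegation statistics layout that the regional registries publish (registry|cc|type|start|count|date|status), which the post does not mention, and it runs on constructed sample lines that use documentation address ranges. The country code in such a file records where a block was registered, not where traffic comes from, so the drawback about blocking legitimate traffic still applies.

```python
import ipaddress

# Constructed sample (documentation ranges only), in the assumed layout:
# registry|cc|type|start|count|date|status
SAMPLE = """\
# constructed sample, not real delegation data
2|apnic|20070110|5|19830101|20070109|+1000
apnic|*|ipv4|*|4|summary
apnic|CN|ipv4|198.51.100.0|128|20050101|allocated
apnic|CN|ipv4|198.51.100.128|128|20050102|allocated
apnic|JP|ipv4|203.0.113.0|256|20050103|allocated
apnic|CN|ipv4|192.0.2.0|192|20050104|assigned
apnic|CN|ipv6|2001:db8::|32|20050105|allocated
"""


def country_ipv4_networks(text, country):
    """Return the collapsed IPv4 networks delegated to `country`."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Summary lines have fewer than 7 fields; the version header has 7
        # but fails the country/type filter below.
        if len(fields) < 7:
            continue
        _registry, cc, rtype, start, count, _date, status = fields[:7]
        if cc != country or rtype != "ipv4":
            continue
        if status not in ("allocated", "assigned"):
            continue
        # For IPv4 the fifth field is an address count, not a prefix length,
        # and it is not always a power of two: split it into valid CIDRs.
        first = ipaddress.IPv4Address(start)
        last = first + (int(count) - 1)
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent blocks so the resulting firewall list stays short.
    return list(ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    for net in country_ipv4_networks(SAMPLE, "CN"):
        print(net)
```

Because allocations change, a list built this way goes stale and has to be regenerated from a fresh copy of the file.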


