Re: Internet diagnosing


From: Jonesy
Subject: Re: Internet diagnosing
Date: Mon, 6 Sep 2021 18:08:31 -0000 (UTC)
User-agent: slrn/1.0.3 (FreeBSD)

On Sun, 5 Sep 2021 17:36:50 -0400, Jeffrey Walton wrote:
>
> Right now I think I have most of China and Digital Ocean blocked.
> Below is a partial list of iptables rules. Since the ban is not complete,
> Chinese users may experience intermittent problems like you are
> describing. The problems for the user come and go as the user switches
> service providers/networks.
>
> # China Mobile permanent ban. Constant
> # problems. Emails to abuse@ bounce.
> # This appears to be the Chinese military.
> # Each time we banned a host another
> # drone showed up, but using a longer time
> # interval between attacks. Attacks
> # started at 1s apart, then 5s, 30s, 1min, 5min,
> # 10min and 30min.
> -A INPUT -p all -s 111.0.0.0/10 -j DROP
> -A INPUT -p all -s 183.192.0.0/10 -j DROP
> -A INPUT -p all -s 183.197.0.0/17 -j DROP
> -A INPUT -p all -s 221.130.0.0/15 -j DROP
> -A INPUT -p all -s 221.176.0.0/13 -j DROP
> -A INPUT -p all -s 223.119.255.0/24 -j DROP
>
> # Chinanet permanent ban. Once we banned
> # China Mobile, the same probes and
> # attacks started from Chinanet.
> -A INPUT -p all -s 49.64.0.0/11 -j DROP
> -A INPUT -p all -s 106.119.0.0/16 -j DROP
> -A INPUT -p all -s 117.41.48.0/20 -j DROP
> -A INPUT -p all -s 118.112.0.0/13 -j DROP
> -A INPUT -p all -s 124.236.0.0/14 -j DROP
> -A INPUT -p all -s 222.184.0.0/13 -j DROP
> -A INPUT -p all -s 218.92.0.0/16 -j DROP
>
> # And then from China Internet Network
> # Information Center (CNNIC).
> -A INPUT -p all -s 121.4.0.0/15 -j DROP
>
> # And from China Unicom. They are Wiki spammers.
> -A INPUT -p all -s 115.48.0.0/12 -j DROP
> -A INPUT -p all -s 123.8.0.0/13 -j DROP
>
> # And more Chinese attacks
> -A INPUT -p all -s 129.211.160.0/20 -j DROP
> -A INPUT -p all -s 192.144.192.0/18 -j DROP
>
> # Digital Ocean. Constant problems. They are as bad as
> # the Chinese Military. It looks like they are working together.
> -A INPUT -p all -s 68.183.0.0/16 -j DROP
> -A INPUT -p all -s 104.131.0.0/16 -j DROP
> -A INPUT -p all -s 128.199.0.0/16 -j DROP
> -A INPUT -p all -s 142.93.0.0/16 -j DROP
> -A INPUT -p all -s 157.230.128.0/20 -j DROP
> -A INPUT -p all -s 192.241.128.0/17 -j DROP

heh... Small list.
On my VPS:

 |[example~] ip_count.sh /home/example/pf_files/BLOCK/MASTER_block_lst
 |
 |Total CIDR count in file /home/example/pf_files/BLOCK/MASTER_block_lst = 4,941
 |Total  IP  count in file /home/example/pf_files/BLOCK/MASTER_block_lst = 2,079,962,699

It grows slowly now -- just one or two /20's or so each day.
I collect new CIDRs into geo- or domain-specific files, e.g. block_LACNIC,
block_amazon_ips, block_DigitalSewer, etc., and so on.

To keep pf happy, I use FreeBSD's (linux's) `aggregate` utility to reduce the
collection to a nice, tight-knit set of CIDRs for use as a main block file for
pf.

See also https://github.com/stamparm/ipsum -- where I fetch a daily
list of /32 Bad Acting IPs (replacing the previous day's download).

Jonesy
-- 
  Marvin L Jones    | Marvin      | W3DHJ.net  | linux
   38.238N 104.547W |  @ jonz.net | Jonesy     |  FreeBSD
    * Killfiling google & XXXXbanter.com: jonz.net/ng.htm
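The two steps described in the post above (counting the CIDRs and addresses in a block file, then aggregating the list into a minimal set of prefixes) can be reproduced with Python's standard `ipaddress` module. The script below is an added example, not Jonesy's `ip_count.sh` nor the `aggregate` utility; the block list it parses is a constructed sample using documentation prefixes, not any of the networks from the thread. It shows the one thing the raw count hides: overlapping and adjacent entries make the naive "total IP count" larger than the number of addresses actually blocked, which is what aggregation fixes before the list goes into pf.

```python
"""Count and aggregate the CIDR blocks in a pf-style block list.

Added example: it imitates what ip_count.sh and `aggregate` do for a
block file, using only the standard library. Everything in
SAMPLE_BLOCK_LIST is constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample block list: overlapping prefixes, two adjacent halves
# of a /25, a bare host, a comment and blank lines, as a hand-maintained
# list tends to accumulate.
SAMPLE_BLOCK_LIST = """\
# block_example (constructed sample, not a real list)
203.0.113.0/25
203.0.113.128/25
203.0.113.0/24

198.51.100.0/24
198.51.100.77
192.0.2.0/26
192.0.2.64/26
"""


def parse_block_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR (or bare address, treated as /32) per line, ignoring
    comments and blank lines. IPv4 only, matching the post's lists."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts host bits set, e.g. 198.51.100.77/24
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def count_addresses(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Sum of addresses covered by each entry. Like a naive per-line
    counter, this double-counts overlaps, so it is only exact after
    aggregation."""
    return sum(n.num_addresses for n in nets)


def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Collapse the list the way `aggregate` does: drop prefixes that are
    contained in another entry and merge adjacent halves into their
    supernet. Result is sorted by network address."""
    return list(ipaddress.collapse_addresses(nets))


def summarize(text: str) -> Dict[str, object]:
    """Produce the before/after figures for a block file."""
    nets = parse_block_list(text)
    agg = aggregate(nets)
    return {
        "cidr_count": len(nets),
        "ip_count_naive": count_addresses(nets),
        "aggregated_cidr_count": len(agg),
        "ip_count_unique": count_addresses(agg),
        "aggregated": [str(n) for n in agg],
    }


def report(path_label: str, text: str) -> str:
    """Render the figures in the same shape as the ip_count.sh output
    quoted in the post (thousands separators included)."""
    s = summarize(text)
    return (
        f"Total CIDR count in file {path_label} = {s['cidr_count']:,}\n"
        f"Total  IP  count in file {path_label} = {s['ip_count_naive']:,}\n"
        f"After aggregate: {s['aggregated_cidr_count']:,} CIDRs, "
        f"{s['ip_count_unique']:,} unique IPs"
    )


if __name__ == "__main__":
    print(report("block_example", SAMPLE_BLOCK_LIST))
    for net in summarize(SAMPLE_BLOCK_LIST)["aggregated"]:
        print(net)
```

On the sample, seven entries covering 897 addresses on paper collapse to three prefixes covering 640 unique addresses; the aggregated output is what you would write to the master block file that pf loads.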