I've actually done this before. Back 3 or 4 years ago, probably as a
repercussion of the great firewall of China, all Chinese traffic seemed to
always have one ASN in common. We used to have a regular DDoS against a
server, and the DDoS always originated from China. I'm guessing it was a
botnet that was comprised of hosts infected by something that was only
available in China or to people that read/write Chinese.

Either way, if you can get a full BGP feed, back then it was trivial to
script an ACL that blocked all China IPs. Alternatively the public FTP
servers that APNIC offer may allow you to do the same. I've parsed their
public information with a bit of awk before to make lists of IPs for
individual countries. I also considered doing something using Quagga and
communities but never got around to it.

Eventually the DDoSes eased and we stopped blocking Chinese IPs to this
server.

YMMV etc.

Cheers
Dave

On Sun, Dec 8, 2013 at 11:22 AM, Don Gould wrote:
Hi,
I've got a machine that's been hacked twice in the past week from IP ranges in China.
I have it behind a Mikrotik router.
There is no reason for anything outside of NZ and AU to be looking at this box so I'm keen to just block the rest of the world from it.
I'm currently thinking an address list to just block out the world or an address list to include Au and Nz.
Keen for ideas.
D
-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb)
I'M COLLECTING COFFEE CUPS FOR PROJECT COFFEE CUP.
Deja vue (missing the French accent mark) - literally means already seen, that sense of haven't we been here before.
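
The per-country list Dave describes building from APNIC's public data, turned into the NZ/AU address list Don asks about, as an added example in Python rather than awk (not code from either poster). It assumes the registry's pipe-delimited delegated-stats layout (`registry|cc|type|start|count|date|status`); the sample records, the list name `allow-nz-au` and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the delegated-stats layout (not real APNIC data):
# registry|cc|type|start|count|date|status
SAMPLE = """\
2|apnic|20131208|7|19830613|20131206|+1000
apnic|*|ipv4|*|5|summary
apnic|NZ|ipv4|192.0.2.0|256|20100101|allocated
apnic|AU|ipv4|198.51.100.0|128|20100101|assigned
apnic|AU|ipv4|198.51.100.128|128|20100101|assigned
apnic|AU|ipv4|203.0.113.0|768|20100101|allocated
apnic|CN|ipv4|198.18.0.0|1024|20100101|allocated
apnic|NZ|ipv6|2001:db8::|32|20100101|allocated
apnic|NZ|asn|64496|1|20100101|allocated
"""

def country_cidrs(stats_text, countries):
    """Return collapsed IPv4 networks delegated to the given country codes."""
    wanted = {c.upper() for c in countries}
    nets = []
    for line in stats_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        # Skips the version header, summary lines, IPv6 and ASN records.
        if len(f) < 7 or f[2] != "ipv4" or f[1] not in wanted:
            continue
        if f[6] not in ("allocated", "assigned"):
            continue
        # The fifth field is an address count, not a prefix length, and it
        # is not always a power of two, so split the range into CIDR blocks.
        first = ipaddress.IPv4Address(f[3])
        last = first + (int(f[4]) - 1)
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent delegations to keep the address list short.
    return list(ipaddress.collapse_addresses(nets))

def routeros_script(nets, list_name="allow-nz-au"):
    """Render the networks as RouterOS address-list entries."""
    lines = ["/ip firewall address-list"]
    lines += [f"add list={list_name} address={n}" for n in nets]
    return "\n".join(lines)

if __name__ == "__main__":
    print(routeros_script(country_cidrs(SAMPLE, ["NZ", "AU"])))
```

The country code in these records is where the resource was registered, which is not always where the addresses are in use, so an allow list built this way is worth checking against known-good clients before a drop rule depends on it.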