I've actually done this before. Back 3 or 4 years ago, probably as a repercussion of the great firewall of China, all Chinese traffic seemed to always have one ASN in common. We used to have a regular DDoS against a server, and the DDoS always originated from China. I'm guessing it was a botnet comprised of hosts infected by something that was only available in China or to people that read/write Chinese.

Either way, if you can get a full BGP feed, back then it was trivial to script an ACL that blocked all China IPs. Alternatively the public FTP servers that APNIC offer may allow you to do the same. I've parsed their public information with a bit of awk before to make lists of IPs for individual countries. I also considered doing something using Quagga and communities but never got around to it.

Eventually the DDoSes eased and we stopped blocking Chinese IPs to this server.

YMMV etc.

Cheers
Dave
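As an added example (not a script from either poster), the awk approach Dave describes, applied to the APNIC delegated-stats file: filter the ipv4 records for a set of country codes, turn each start/count pair into CIDR prefixes, and emit RouterOS address-list commands of the kind Don is after. The record layout (registry|cc|type|start|value|date|status) is the real APNIC format; the sample records below are constructed, and the address-list name "allow-anz" is an assumption. A count in this file is not always a power of two, so each record is split into the minimal set of aligned blocks rather than assuming one prefix per line.

```shell
#!/bin/sh
# Build a per-country prefix list from APNIC delegated stats and turn it into
# RouterOS address-list entries. Real data comes from
#   https://ftp.apnic.net/stats/apnic/delegated-apnic-latest
# Record format: registry|cc|type|start|value|date|status  (value = address count for ipv4)

apnic_to_cidr() {
    # $@ = ISO country codes to keep (e.g. NZ AU); delegated-stats records on stdin
    awk -F'|' -v want="$*" '
    BEGIN {
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) keep[w[i]] = 1
    }
    # skip comment and summary lines (the version header fails the ipv4 test below)
    /^#/ || $6 == "summary" { next }
    $3 == "ipv4" && ($2 in keep) && ($7 == "allocated" || $7 == "assigned") {
        split($4, o, ".")
        start = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        count = $5 + 0
        while (count > 0) {
            # largest power-of-two block that fits in count and is aligned at start;
            # handles counts such as 768 that are not a single CIDR block
            size = 1
            while (size * 2 <= count && start % (size * 2) == 0) size *= 2
            len = 32
            for (s = size; s > 1; s /= 2) len--
            printf "%d.%d.%d.%d/%d\n",
                int(start / 16777216) % 256, int(start / 65536) % 256,
                int(start / 256) % 256, start % 256, len
            start += size
            count -= size
        }
    }'
}

cidr_to_mikrotik() {
    # $1 = address-list name; CIDRs on stdin; prints RouterOS CLI commands
    list="$1"
    while IFS= read -r cidr; do
        printf '/ip firewall address-list add list=%s address=%s\n' "$list" "$cidr"
    done
}

# Constructed sample records (not real APNIC data) covering the cases that matter:
# a summary line, two countries to keep, one to drop, a 768-address range, and a
# reserved range that should not be allow-listed.
SAMPLE='2|apnic|20131208|12345|19830101|20131207|+1000
apnic|*|ipv4|*|3|summary
apnic|NZ|ipv4|103.1.8.0|1024|20110210|allocated
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|AU|ipv4|1.2.4.0|768|20110805|allocated
apnic|NZ|ipv4|14.1.32.0|1024|20110127|reserved'

# Demo: NZ + AU prefixes as address-list entries
printf '%s\n' "$SAMPLE" | apnic_to_cidr NZ AU | cidr_to_mikrotik allow-anz
```

With the list loaded, a single filter rule of the form `/ip firewall filter add chain=forward dst-address=<server> src-address-list=!allow-anz action=drop` does the "block the rest of the world" part. Two caveats: the country code in the file is the registrant's, not where the address is announced from, so treat it as a coarse filter rather than a geolocation; and ipv6 records use a prefix length in the value field, so they need a separate (simpler) branch if the box is reachable over v6.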

On Sun, Dec 8, 2013 at 11:22 AM, Don Gould <don@bowenvale.co.nz> wrote:
Hi,

I've got a machine that's been hacked twice in the past week from IP ranges in China.

I have it behind a Mikrotik router.

There is no reason for anything outside of NZ and AU to be looking at this box so I'm keen to just block the rest of the world from it.

I'm currently thinking an address list to just block out the world or an address list to include Au and Nz.

Keen for ideas.

D

--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
Ph: +61 3 9111 1821 (Melb)

I'M COLLECTING COFFEE CUPS FOR PROJECT COFFEE CUP.

Deja vue (missing the French accent mark) - literally means already seen, that sense of haven't we been here before.

_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog