On Sun, 08 Jun 2008, in the Usenet newsgroup comp.security.misc, in article
<87hcc4t0vv.fsf@newsguy.com>,
reader@newsguy.com wrote:
>ibuprofin@painkiller.example.tld (Moe Trin) writes:
>> If you don't want people from country $FOO attempting to connect to your
>> system, WHY ARE YOU ALLOWING CONNECTIONS FROM THAT BLOCK OF ADDRESSES?
>> Do you someday plan on visiting Jilin province (the Chinese "state"
>> just North of Korea), and will need to connect to your system from
>> there? Until you do, block 222.168.0.0/15. . . . . . .
>Sorry to butt in here...
That's OK - this is Usenet! And I was on vacation anyway.
>Moe's advice is good and I've been meaning to do something like that
>but I wondered if anyone in this thread has a URL for a site that
>shows what address blocks go to what country.
Oh, Fsck! What you are asking for is enormous. What I'm using
is the delegated blocks from the five Regional Internet Registries
(AFRINIC, APNIC, ARIN, LACNIC, RIPE), and the data source is quite large.
This month, there were 86818 IPv4 allocations/assignments from /29s (8
hosts) to /8s (16777216 hosts) totalling 2,660,804,976 addresses (never
mind the 2552 IPv6 allocations/assignments totalling some mind-boggling
number like ~5.73e33 addresses). Let's see what's in the logs...
-rw-r--r-- 1 ftp1 ftp1 85679 Jun 15 06:00 delegated-afrinic-20080615
-rw-r--r-- 1 ftp1 ftp1 894326 Jun 15 11:17 delegated-apnic-20080615
-rw-r--r-- 1 ftp1 ftp1 2640786 Jun 15 04:01 delegated-arin-20080615
-rw-r--r-- 1 ftp1 ftp1 165528 Jun 16 03:30 delegated-lacnic-20080615
-rw-r--r-- 1 ftp1 ftp1 2244084 Jun 15 11:00 delegated-ripencc-20080615
(I grab these files ~04:00 UTC on the 16th of each month, which is
plenty often enough.) What's that, 6030403 bytes? 'wc' says that's a
total of 128062 lines of text. Each file (this is the delegated-afrinic
file) has a four line summary, then ASN lines in the form
afrinic|ZA|asn|1228|1|19910301|allocated
which is probably meaningless to you (which is OK - it's beyond most
people), then the IPv4 and IPv6 blocks in the form
afrinic|ZA|ipv4|41.0.0.0|2097152|20071126|allocated
and
afrinic|ZA|ipv6|2001:4200::|32|20051021|allocated
where the first field is the RIR, the second is the ISO-3166 country code
and the third is the type of record. For IPv4, the fourth field is the
_starting_ IP address, the fifth field is the number of addresses in the
block, the sixth is the date of the record, and the last field is either
'allocated' (assigned to an entity that will sub-assign the addresses) or
'assigned' (assigned to an entity that is an end user). The IPv6 data is
nearly identical, except that the fifth field is the width of the network
mask (here a /32 meaning 'ffff:ffff:0000:0000:0000:0000:0000:0000' which
allows for 79,228,162,514,264,337,593,543,950,336 hosts).
Very truthfully, unless you are experienced or knowledgeable in this type
of information, it's _very_ difficult to use. I've got a roughly 320 line
shell script that converts these files into something I can use, but it's
not very likely to be useful to others. I did see something recently, at
http://ibiblio.org/pub/linux/apps/ww...ountry-0.2.tgz but as
you note this is a single IP lookup tool, and isn't much more useful (and
is less accurate) than a simple whois query.
[compton ~]$ whatis whois
whois (1) - client for the whois directory service
[compton ~]$
>Googling with things like:
>
> ip address by country chart -lookup
>
>Even nixing `lookup' I still get dozens of hits that are really
>nothing more than single IP lookup tools.
Yeah, that's reasonable. And the results are less than perfect. As
an example, my 'work' address is registered in New York state, but if
you were able to traceroute to it, the last address you'd see before
hitting the black hole of the firewall would be a backbone stub a few
miles South of San Francisco - yet I'm really located near Phoenix
Arizona, and the adjacent subnets are in France and Japan (we're a
large company) - but the toy tools for users might report anything.
Visual Traceroute (and several others) say all of these addresses are
in the Boston metro area for some reason. Most network geo-location
programs are absolute bull-droppings, and are totally useless.
>I know I've seen large charts showing large blocks of IP addresses
>assigned to various countries somewhere on line.
If you did, it would be horribly inaccurate, or nearly useless. Let's
look at something like China - people are always complaining about
them. China has 1448 allocations/assignments in IPv4-land and 32 more
in IPv6. I'm purposely ignoring the autonomous districts of Hong Kong
and Macau, and what many consider a separate country (Taiwan). Now just
looking at the first octet of the address, let's see where China is:
[compton ~]$ zgrep CN APNIC.gz | cut -d' ' -f2 | cut -d'.' -f1 | sort -n
| uniq -c | column
43 58 36 118 40 125 1 168 41 211
34 59 70 119 1 134 1 169 64 218
38 60 27 120 1 159 4 192 41 219
86 61 43 121 1 161 1 198 16 220
18 114 25 122 1 162 321 202 63 221
49 116 44 123 1 166 95 203 64 222
34 117 68 124 1 167 75 210
[compton ~]$ zgrep CN APNIC.gz | cut -d' ' -f3 | sort | uniq -c | column
4 255.192.0.0 208 255.254.0.0 168 255.255.240.0
4 255.224.0.0 241 255.255.0.0 98 255.255.248.0
14 255.240.0.0 144 255.255.128.0 34 255.255.252.0
56 255.248.0.0 126 255.255.192.0 20 255.255.254.0
129 255.252.0.0 159 255.255.224.0 43 255.255.255.0
[compton ~]$
So, China has address ranges all over the lot, from 58.14.0.0 to
222.249.255.255, and 1446 other blocks, ranging in size from /24s up to
4 /11s and 4 /10s. But before you get out your shotgun and start
blazing away at /8s, let's look at that first /8 (58.x.x.x) and see who
else is there:
[compton ~]$ zgrep ' 58\.' APNIC.gz | cut -d' ' -f1 | sort | uniq -c |
column
1 AF 4 HK 15 KR 5 PK 1 VN
24 AU 3 ID 4 MY 6 SG
5 BD 3 IN 2 NZ 8 TH
43 CN 30 JP 2 PH 4 TW
[compton ~]$
Do you know your ISO-3166 country codes? ;-) There are 124 /8s with
multiple countries - anywhere from 2 countries (currently 11 /8s) to
over 60 countries (5 /8s mainly serving Europe). There are only 50 /8s
allocated or assigned to single countries, and few of those are all
physically located in that given country.
Going to try to block hosts where the domain name is (for example) .cn?
Several problems there - first, there are 23 non-ISO-3166 domains, such
as .com, or .net and so on, and these may be registered/used in ANY
country (so all hosts in .cn may not have a .cn hostname). There are
several two-letter codes that are _not_ ISO-3166 country codes - such as
.ap (Asia-Pacific region) and .eu (European Union region). Second, as
noted above, this merely indicates where the domain is registered. It
says absolutely nothing about where it is physically. Third, all your
systems know about is the IP address, and you need to do a DNS lookup to
find the hostname. It may be of no surprise to learn that the network
administrators at many domains are too freakin' st00pid to know how to
set up the IP to hostname tables (even though it is required by various
RFCs). This is especially true in domains where a lot of abuse comes
from. A simple spam blocking technique used by mail servers is to
simply not accept mail from any host without an IP to hostname record in
the DNS.
Doug McIntyre <merlyn@geeks.org> is providing the same answer I am.
Block _ALL_ addresses that you don't want connecting, not just those
from AD (Andorra) to ZW (Zimbabwe). You do this by 'white-listing'
approved addresses or address ranges. As I said, I allow connections
from just three ranges totalling 1530 addresses. It's a heck of a lot
less work maintaining those firewall rules.
Old guy
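The record format described in the post (RIR, ISO-3166 country code, record type, start address, host count or prefix width, date, status) is easy to turn into CIDR blocks for a firewall allow-list or block-list, which is the awkward part of using the raw delegated files. The following is an added example, not the poster's 320-line shell script or anything from the RIRs; it parses the delegated file format, skips the version and summary lines, converts each IPv4 record's host count into one or more CIDR prefixes (counts are not always powers of two, so a range may summarise to several prefixes), takes the IPv6 prefix width as given, and groups the result per country. The three ZA lines are the ones quoted above; the EG and KE lines and the version/summary header are constructed here for illustration, and the function names are this example's own.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the delegated-<rir>-<date> layout: a version line, the
# per-type summary lines, then one record per line. The three ZA records are the
# ones quoted in the post; the EG and KE records are invented for this example
# (EG has a 1536-host block, which is not a single power-of-two prefix).
SAMPLE = """\
2|afrinic|20080615|5|19910301|20080615|+0000
afrinic|*|asn|*|1|summary
afrinic|*|ipv4|*|3|summary
afrinic|*|ipv6|*|1|summary
afrinic|ZA|asn|1228|1|19910301|allocated
afrinic|ZA|ipv4|41.0.0.0|2097152|20071126|allocated
afrinic|ZA|ipv6|2001:4200::|32|20051021|allocated
afrinic|EG|ipv4|41.32.0.0|1536|20080101|assigned
afrinic|KE|ipv4|41.80.0.0|65536|20070501|assigned
"""


def parse_delegated(text):
    """Yield (rir, cc, kind, start, value, date, status) for each record line.
    The version line, '#' comments and the '*|...|summary' lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 7 or f[1] == "*" or f[2] not in ("asn", "ipv4", "ipv6"):
            continue
        yield tuple(f[:7])


def record_networks(rec):
    """Translate an ipv4/ipv6 record into CIDR networks.
    IPv4 records carry a host count, so the block is expressed as a range and
    summarised (a non-power-of-two count yields several prefixes); IPv6 records
    carry the prefix width directly. ASN records have no address range."""
    _, _, kind, start, value, _, _ = rec
    if kind == "ipv4":
        first = ipaddress.IPv4Address(start)
        last = first + int(value) - 1
        return list(ipaddress.summarize_address_range(first, last))
    if kind == "ipv6":
        return [ipaddress.IPv6Network(f"{start}/{value}")]
    return []


def networks_by_country(text):
    """Map ISO-3166 country code -> list of ip_network objects."""
    out = defaultdict(list)
    for rec in parse_delegated(text):
        out[rec[1]].extend(record_networks(rec))
    return dict(out)


def cidr_list(text, cc):
    """Sorted CIDR strings for one country code, ready for a firewall rule set."""
    return sorted(str(n) for n in networks_by_country(text).get(cc, []))


def first_octet_histogram(nets):
    """Count IPv4 networks per first octet (the post's cut -d'.' -f1 view)."""
    return Counter(n.network_address.packed[0] for n in nets if n.version == 4)


def netmask_histogram(nets):
    """Count IPv4 networks per dotted netmask (the post's second table)."""
    return Counter(str(n.netmask) for n in nets if n.version == 4)


if __name__ == "__main__":
    by_cc = networks_by_country(SAMPLE)
    for cc in sorted(by_cc):
        print(cc, [str(n) for n in by_cc[cc]])
    all_nets = [n for nets in by_cc.values() for n in nets]
    print(dict(first_octet_histogram(all_nets)))
    print(dict(netmask_histogram(all_nets)))
```

On a real delegated file, read the whole file into `networks_by_country`, pick the country codes you are prepared to accept, and emit the `cidr_list` for each as your allow-list; everything else is then denied by default, which is the white-listing approach the post recommends. Records with status `reserved` or `available` have a `*` country code and are skipped by the parser, so they never land in a rule.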