Do you IP Country Block to Stop attacks?
Question asked by CCWH - 4/2/2015 at 2:58 PM
Admin - Placed this in the SmarterStats section, then realised no one goes in there very often, so recreated it in General ;-)
Hello all,
For the last three months or so we have had a 10-fold increase in attacks across our public-facing server range. This includes Web and Email.
After going through the logs and SmarterStats info it shows that 90+% of these connections are coming from Chinese IP addresses.
One option is to simply import a CIDR country list into the firewall and block the whole lot.  Obviously only after confirming client buy-in.  However, that's pretty heavy handed and I wondered if anyone does block full country IP blocks or if you use a different method?
In all honesty the email servers can cope.  In fact all the servers are not being taxed, however it is playing havoc with SEO stats within SmarterStats for clients!
Any thoughts?

Von-Austin See Replied
Employee Post
I've done this temporarily across select server ranges to mitigate similar attacks to our network, no fallout was reported from our userbase.
However, each environment is different and this does have the potential to cause some fallout depending on your clients usage.
Scarab Replied
Although it takes more work and effort, we do selective SMTP blocks against countries. Generally we will look at the entire IP range for the provider that is repeatedly spamming and see what their SenderBase score is. If there is not a single Neutral or Good reputation in that entire IP range (up to a /16) then we block it without hesitation; otherwise we block the smallest IP range necessary to get rid of the ones with consistent Poor reputations (more often than not blocking a /24 CIDR block is sufficient, and in some cases we will block just an individual IP).
Although we get hit a lot by China (more Brute-Force than Spam), we have customers who rely on Chinese manufacturers and distributors to do their business, preventing us from blocking the entire country wholesale. Not everything in China is unwanted, so it's important not to throw the proverbial baby out with the bathwater which is why we selectively block.
To be honest, the only times we've had to block an entire country were Ukraine and India (although at this point I'm pretty sure half of the Netherlands is blocked by our mail servers), but if you do block an entire country it's important to consider it a temporary stop-gap measure and periodically audit whether it is still necessary.
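Added example, not code from the thread or from SmarterTools: a small Python script that does the two things discussed above. It matches failed-login IPs from log lines against a country CIDR list to get the per-country share the original question quotes, and then builds a deny list the way Scarab describes, blocking a whole /24 only when several hosts in it misbehave and a single /32 otherwise, with a collateral check showing which countries' ranges a candidate block would also cover. The log lines, the CIDR ranges and the country assignments are all constructed sample data (documentation address space, not real allocations); the thresholds are assumptions to tune for your own environment.

```python
import ipaddress
import re
from collections import Counter

# Constructed "country list" in CIDR form (illustrative documentation ranges,
# NOT a real country allocation list). In practice you would load the list
# your firewall or RBL vendor publishes.
COUNTRY_CIDRS = {
    "CN": ["203.0.113.0/24", "198.51.100.0/25"],
    "US": ["198.51.100.128/25"],
}

# Constructed failed-authentication log lines (sample data, not real logs).
SAMPLE_LOG = """\
2015-04-02 14:58:01 [203.0.113.17] Authentication failed for user bob
2015-04-02 14:58:02 [203.0.113.17] Authentication failed for user alice
2015-04-02 14:58:03 [203.0.113.44] Authentication failed for user admin
2015-04-02 14:58:04 [203.0.113.44] Authentication failed for user root
2015-04-02 14:58:05 [203.0.113.91] Authentication failed for user test
2015-04-02 14:58:06 [198.51.100.9] Authentication failed for user bob
2015-04-02 14:58:07 [198.51.100.200] Authentication failed for user bob
2015-04-02 14:58:08 [192.0.2.5] Authentication failed for user carol
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_ips(log_text):
    """Pull the bracketed client IP out of each log line that has one."""
    ips = []
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


def build_index(country_cidrs):
    """Flatten the country list to (network, country), most specific first,
    so an overlapping longer prefix wins over a shorter one."""
    index = [(ipaddress.ip_network(c), cc)
             for cc, cidrs in country_cidrs.items() for c in cidrs]
    index.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return index


def country_of(ip, index):
    """Country code for an IP, or '??' if it is in none of the listed ranges."""
    addr = ipaddress.ip_address(ip)
    for net, cc in index:
        if addr in net:
            return cc
    return "??"


def attack_share_by_country(log_text, country_cidrs):
    """Fraction of failed-auth events attributed to each country."""
    index = build_index(country_cidrs)
    counts = Counter(country_of(ip, index) for ip in extract_ips(log_text))
    total = sum(counts.values())
    return {cc: n / total for cc, n in counts.items()}


def block_list(log_text, min_events=2, min_hosts=2, prefixlen=24):
    """Selective deny list: an IP is an offender once it has >= min_events
    failures; if >= min_hosts offenders share one /prefixlen, block that whole
    block, otherwise block only the /32. Thresholds are assumed values."""
    per_ip = Counter(extract_ips(log_text))
    offenders = [ip for ip, n in per_ip.items() if n >= min_events]
    by_block = {}
    for ip in offenders:
        block = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        by_block.setdefault(block, []).append(ip)
    rules = []
    for block, hosts in by_block.items():
        if len(hosts) >= min_hosts:
            rules.append(str(block))
        else:
            rules.extend(f"{h}/32" for h in hosts)
    return sorted(rules, key=lambda r: ipaddress.ip_network(r))


def countries_in_block(block, country_cidrs):
    """Collateral check: every country whose listed ranges overlap `block`."""
    net = ipaddress.ip_network(block)
    return {cc for cc, cidrs in country_cidrs.items()
            if any(net.overlaps(ipaddress.ip_network(c)) for c in cidrs)}


if __name__ == "__main__":
    print(attack_share_by_country(SAMPLE_LOG, COUNTRY_CIDRS))
    # Loosen the per-IP threshold to show a /24 that would hit two countries.
    for rule in block_list(SAMPLE_LOG, min_events=1):
        print(rule, sorted(countries_in_block(rule, COUNTRY_CIDRS)))
```

With the default thresholds only 203.0.113.0/24 is emitted; with `min_events=1` the script also proposes 198.51.100.0/24, and the collateral check reports that this block straddles the CN and US ranges in the constructed list, which is exactly the case where Scarab's advice is to narrow the block rather than take the whole /24.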
Steve Reid Replied
We have blocked China and Russia on our firewall. Our entire IT infrastructure and equipment has thanked us for it.
Stojan Cergol Replied
Good protection is a Palo Alto firewall (Threat Prevention, WildFire and antivirus) against brute force, viruses and for country "filtering".
Joe Wolf Replied
You don't need any special firewall, etc. to block countries in SmarterMail.  You can simply use the Spam Eating Monkey Country Block list as an RBL in your antispam administration:

