[geeks] .hk, .cn, .info considered harmful

Mike Meredith very at zonky.org
Thu Jun 5 12:55:10 CDT 2008


On Thu, 05 Jun 2008 08:32:19 -0400, Phil Stracchino wrote:
> Everyone's probably seen the report by now, citing that in these three
> worst TLDs, as many as one site in ten carries a payload of malware.
> So, since the kids aren't good at paying attention to such things, I
> decided in the interest of safety to block all traffic to and from
> those TLDs at the firewall.

Is this web traffic?

> Problem:  What netblocks to actually block.  I managed to find one
> site offering a list of .cn and .hk netblocks; the combined total is
> over 10k, gzipped.  There's got to be a better solution than that.
> 
> Any suggestions?

(other points have been made by others)

The 'lazy' way of blocking web traffic to .cn/.hk _domains_  is to run
a proxy cache such as Squid and use the facilities in that to block
access to requests to the given names. My squid.conf has :-

	acl banned-urls url_regex "/opt/squid/etc/banned-urls"

And the file itself contains regexes which could also include :-

	\.cn
	\.hk

(You might want to do some more thinking about regexes as I don't block
access to TLDs myself)

This seems like more work (set up a proxy, configure clients
(automatically via DHCP), block unproxied web traffic), but may save
work in the long run. Populating a firewall ruleset with netblocks that
constantly change is a lot of work.

Similarly, blocking mail from unsuitable locations is probably better
done in an MTA, as most have better ways of blocking than just by IP
address.

As to the 'firewall' route, one hypothetical method would be to obtain
a full BGP feed and route all addresses with an ASN owned by China
to /dev/null. No idea how feasible that would be though.

-- 
Mike Meredith (http://zonky.org/)
  No security outfit ever went broke relying on the stupidity of users.
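Added example, not part of Mike's post or of Squid itself: the two regexes above are unanchored, so Squid's url_regex (which runs them over the whole request URL) would also match hosts such as www.cnn.com or a path like /file.cn. The snippet below runs the loose patterns and an anchored alternative over a handful of constructed URLs and lists the false positives, with a URL-parsing check as the reference answer. The sample URLs and the anchored pattern are my own; nothing here is from the original message.

```python
import re
from urllib.parse import urlsplit

# Constructed sample traffic (not taken from the original post). The first
# three are genuine .cn/.hk sites; the rest merely contain ".cn" or ".hk".
SAMPLE_URLS = [
    "http://www.example.cn/index.html",
    "http://shop.example.hk:8080/cart",
    "https://example.cn",
    "http://www.cnn.com/",           # ".cn" is the start of "cnn", a .com site
    "http://news.hkx.example.net/",  # ".hk" is the start of "hkx", a .net site
    "http://example.com/file.cn",    # ".cn" appears only in the path
    "http://example.org/?ref=a.hk",  # ".hk" appears only in the query string
]

# The loose patterns from the post, applied to the whole URL as url_regex does.
LOOSE_PATTERNS = [re.compile(r"\.cn"), re.compile(r"\.hk")]

# Anchored alternative: scheme, one or more host labels, the TLD, an optional
# trailing dot, an optional port, then either "/" or end of string. Squid
# compiles the same syntax as a POSIX extended regex (use the -i flag there
# for the case-insensitive behaviour re.IGNORECASE gives here).
ANCHORED_URL_PATTERN = re.compile(
    r"^https?://(?:[a-z0-9-]+\.)+(?:cn|hk)\.?(?::[0-9]+)?(?:/|$)",
    re.IGNORECASE,
)


def loose_match(url):
    """True if either unanchored pattern matches anywhere in the URL."""
    return any(p.search(url) for p in LOOSE_PATTERNS)


def anchored_match(url):
    """True only when the host part of the URL ends in .cn or .hk."""
    return ANCHORED_URL_PATTERN.search(url) is not None


def host_tld_match(url, tlds=("cn", "hk")):
    """Reference check: parse the URL and inspect the host's last label."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if "." not in host:
        return False
    return host.rsplit(".", 1)[-1] in tlds


def false_positives(urls):
    """URLs the loose patterns would block although the host is not .cn/.hk."""
    return [u for u in urls if loose_match(u) and not host_tld_match(u)]


def compare(urls):
    """Per-URL verdicts as (loose, anchored, reference) for eyeballing."""
    return {u: (loose_match(u), anchored_match(u), host_tld_match(u)) for u in urls}


if __name__ == "__main__":
    for url, verdicts in compare(SAMPLE_URLS).items():
        print(f"{url:40} loose={verdicts[0]!s:5} anchored={verdicts[1]!s:5} "
              f"reference={verdicts[2]}")
    print("false positives from the loose patterns:", false_positives(SAMPLE_URLS))
```

The anchored pattern deliberately rejects URLs with a userinfo part (user@host) rather than guessing at them; if that matters, or if regexes are not wanted at all, Squid's dstdomain ACL (`acl banned dstdomain .cn .hk`) matches on the parsed destination host and its subdomains without any regex.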