I got a network consulting company, got a bunch of letters after my name, wrote a book and have been doing this a while, so I'm a little bit familiar with IP networks.

What is GeoIP blocking? Just like it sounds, it's taking big chunks of IPs and blocking them from your network indiscriminately for no reason other than where they come from geographically, on your firewall, or it works on routers too.

Some statistics for you. This is a study done by Spamhaus of the top spamming countries, and I'm not giving you the whole list here, but these are the top three. No surprise, USA is number one. We love to be number one at everything; this is no exception. But right behind us is South Korea, China, Taiwan right behind that. So there's a number of countries that this is concentrated in; it adds up to about 21% for just those two. This is just spam, but it's an example of where bad stuff's coming from.

Why do this? First reason is it's easy, it's quick. You don't have to buy any new hardware or software; you can just put some entries in your router. Again, no cost, just typing it in. You might have to spend some labor to type in some of the larger blocks, but it's still not a whole lot of investment. It also enables you to sort of blanket-avoid all kinds of attacks, not just spam or viruses or worms. We just drop everything, period, forget it. We're just not going to accept anything from those areas. It's easily reversible, so if you don't like it or it's not working, it's causing problems on your network, take it out and you're back to where you started. So you don't have to un-configure the software or take a piece of hardware off your network. You can still get to the websites in those countries. We're blocking inbound connections; we're not necessarily blocking outbound. You can block outbound, that gives you additional benefits, but also some additional potential problems. So the option is there for you.
Most companies, let's face it, don't need to have these countries accessing their network. Fortune 500 companies, that's not necessarily the case, but there's a lot of other companies out there that don't necessarily want or need to do business with these countries, and there's no reason to accept inbound connections from these locations. And again, even Fortune 500 companies can use this on a limited basis for certain types of servers, things like internal intranets, things like that, where there's not going to be people connecting inbound. You can still open up your website, email server and so forth, so it's not just for small companies, medium-sized companies.

More reasons. Over time, more and more stuff will probably move offshore from the U.S. The U.S. is still just a big part of the internet and still generates most of the traffic, but as time goes on, we'll probably see that the problem, or the solution, gets worse or better. It also has an effect similar to spamming blacklists of forcing bad actor countries, as I call them, to take some action. And this, in fact, has happened with China and spam. They've recently introduced some laws and arrested some people and God knows what in their usual way, but still they're taking action and starting to become more of a good net citizen because of this pressure.

What can this help with? Well, as I was saying before, it's sort of a blanket approach, so it can block spam, of course, which was our example. Email fraud coming out of those locales, phishing attempts, viruses, worms, automated hacking tools, manual hacking, mostly script kiddies. I know you can spoof the addresses and do all kinds of fun stuff like that. If someone's really concerned about getting to your servers, they can manage to do so, even with this. But as we know, 90% of the stuff out there or more is kind of dumb and doesn't do that.
And also, I'd say prohibited off-site content, porn, gambling, if you block the outbound connections from your network.

Why not? Well, one, it does not make sense for everyone. It's not 100% effective; what is? But if you're looking for a silver bullet, whatever, this is not it. This is just yet another tool, another layer to help with your security protections. Some people may have a problem with it in that it goes against the idea of global access to everything all the time. And again, if you're a big company, you probably can't do this on your public servers, your web, your email. Or if you're even a small company, say doing business in Japan or overseas areas; however, you can still block, say, China if you're doing business in Europe or elsewhere, you can still take the effort to block the bad guys. And again, it's going to block emails and things like that as well. So if you're expecting to get legitimate business email, you don't want to block it. Or you want to take a more limited approach. Example, my company: we primarily deal with community banks in Texas. There's very, very, very low possibility of anyone trying to do legitimate business with any of those countries with me. And frankly, if I had one customer who wanted to do business over there, I don't want them. So in my case, it makes a lot of sense.

How it works. Let's start at the very top level. Some of y'all may already know this, but IANA assigns out big address blocks to what's called the regional internet registries, or RIRs, that handle regions, continents, what have you, and they handle assigning things regionally. ARIN is the RIR that handles North America. Has anyone ever had to file for IP space with Dennis Swift? Yeah, a lot of fun, right? So you know all about ARIN and how they work. Other RIRs are what we'll talk about primarily, because ARIN is not part of this talk; we don't want to block ARIN, otherwise we'd be blocking ourselves and most of the other stuff that we want to get to.
But some of the other RIRs that may be of interest: APNIC, which is Asia, Asia Pacific Network Information Center. RIPE, which is Europe and part of the Middle East and Central Asia. LACNIC, Latin America, and AFRINIC, which is a new RIR that just got assigned for Africa.

Let's talk about some of the RIRs specifically and which ones make less or more sense to block. APNIC, Asia. As I said, this takes in several of my top bad actor countries, number two, number three, spammers, for example. Just by blocking APNIC, and this is an example that I've proved to myself, you can end up blocking about 20 to 30 percent of your malware headed for your public servers, just from APNIC. So much stuff comes out of that region. However, be careful: if you do a blanket block, Japan, a lot of business gets done over there, and some other areas. So you may not want to take a blanket approach. I do, and it hasn't hurt me yet, but you've got to make that determination. Here's the guide piece if you want to take a blanket approach. The good news is it's just not a whole lot of statements, really. It's some big pieces of network, big /8s; put a statement in your router or firewall and drop everything. I have to add here, caveat emptor, this list is not necessarily complete. You want to check with IANA and make sure that this is the latest list. And you don't need to jot this down. I don't see anyone writing down anything anyway, since it's too late in the day. But it's on the CD and on the website, so you can get all the numbers off of there.

Here is an example if, say, you don't want to take that blanket approach. You just want to block China. You also have to take into account that many organizations, sub-organizations within a region, may not necessarily have IP space that's assigned to their RIR. They may get it from ARIN. They may have applied.
They may have an American parent company, or they may have applied a while back, or they may just have wanted to get that space for another reason. So if you really want to be 100% accurate, you've got to go out there and find out all the IP addresses associated with that, including the ARIN space. Here's an example of the China-only IP blocking if you want to do that. Don't worry, again, don't write all this down. It's on the CD. It's on the website. And I'm going to show you at the end a way to get this current list automatically, instead of having to take it all off this presentation. Here's Korea, same kind of thing.

Europe. Europe's a little bit more of a mixed bag because you've got a lot of small countries there. There's a lot of governments. There's a lot of multinationals. It's really mixed up over there and it's pretty hard to block the whole thing. I don't recommend it. But you can sort of take a couple of countries that are particularly troublesome, such as Russia, and drop that, because a lot of stuff comes out of Russia. And again, a lot of companies aren't necessarily doing business with Russia, needing to provide access to their network from there. But if you do want to take it out, there it is. That's the right address space. Again, not a whole lot of statements in your router config; type it in and go. I'll be giving examples at the end.

So LACNIC is Latin America and the Caribbean. A lot of these organizations use ARIN space, again, because they either have a company in the US or they've established their presence there. But if you want to take a rifle approach, Brazil and Argentina are the bad, the worst guys, I should say, over there. And you can take those out. If you're a border company, border state, or you're doing a lot of NAFTA business, you may just want to skip this; I don't block it myself. So it's up to you and how permissive or not you want to be. Pretty small set of blocks for them at any rate, so pretty easy to block blanket.
Here's the, these are just examples. Again, I'm going to give you guys a tool to get the custom list for your network, but there's the list for Brazil.

AFRINIC. This is a new RIR and just a lot of bad stuff comes out of here. Not a lot of legitimate commerce being done, unless you're an energy company or maybe a tobacco company. There's just more or less a lot of offers to transfer $20 million into your bank account for a Nigerian general or something. So you may want to just go ahead and block that. It's one /8 and probably not going to cause you any problems with legitimate commerce.

A couple of strategies you can take towards this. As I mentioned, the shotgun approach: just block them all, just take them all out. And if there's problems, then you can always go back again. And myself and a lot of companies that I've talked to, they've done it, and it just didn't seem to bother them at all. So you can block the entire RIR space and be done with it. It's easy and quick, but you might end up blocking some countries that you do want to do business with. Example, Australia, New Zealand do use some of that space. Some sites do, some sites don't, so you need to be careful. The rifle approach, which is generally what I recommend, is taking country by country assignments and saying, I want to take these guys out. Easiest thing to do if you want a quick hit is just those top three, China, Taiwan and South Korea, and lessen the load on your DMZ servers, your mail servers, by 20 to 30% without doing a whole lot of harm to anyone wanting to come in legitimately. It is time consuming. You do have to kind of keep up with the configs, but there are some ways to automate that, which I'll show you in a moment, to speed up that process.
You can also take a little more of a limited approach on a protocol level and say, well, I'm going to block everything but mail, or everything but mail and web, so the mail servers still function and the web servers still function, but if someone's trying to SSH or Telnet, FTP, that stuff gets dropped. You can also block different segments, so you're going to block anything headed for your private LAN, but let's leave the DMZ wide open. But you don't really get any spam benefit here or public server exploit benefit. You get zombie stuff and things coming into your network, your LAN, but you're not going to get the server benefit if you do that. You can decide to go the other way and allow everything, but we're only going to block interactive services, Telnet, SSH, things like this, terminal services, where someone could get in and possibly do some damage. You can pick certain servers to block, so you have a VPN server or a database server and you're just going to block it for that specific host or set of hosts, not all your other servers. You might decide to block the entire RIR, but leave open certain hotel or ISP web space, sorry, web space, that should be IP space, to allow VPN access. If your company has a deal with Hilton and everyone stays at Hilton, you can find out their IPs and not block that.

Some examples, and this is not rocket science. You're all probably familiar with ipchains, which is a simple deny statement. You do have to enter one of these for every contiguous block, so you can't, at least in ipchains and iptables, there's no easy way to block them all with one quick statement. This is the iptables example; ignore that it says ipchains, sorry, I edited this this morning and was not expecting to have to go on until Sunday, so there may be some typos, but there's the iptables example.
Cisco, if you're into Cisco, there's the Cisco example, SonicWall, and so on; just whatever particular router or firewall that you happen to like, figure out the syntax and enter the numbers. Here's an example on iptables. I was talking about letting web through, so we're using the not operator to deny everything except web: we're going to deny it if it's not web; if it's web, it comes through. And you could add dports and add additional ports if you want, webmail, whatever.

Automation. What makes all this make sense? Well, there's a site out there, excellent site, ip.ludos.net, and there's actually a couple of sites; I happen to find this one to be the easiest to use, and it's free, and they're not trying to sell you any products. It has a script that'll generate country specific lists and you can import that straight in, using the script I'll give you in a minute. You just pull a text file, or you can pull their whole file and parse it yourself if you want to do that, if you want to get fancy with your own script. And there's also commercial companies that'll actually generate your configs or your files for you for a fee, if you want to do that. I think one of them is called IP to country dot com. It's not on there, but that's an example of one of those. Starting to see some, especially in Europe, some ISPs are doing this. Large websites, search engines, we're starting to see some of the bigger companies actually use this technique. Kind of interesting on their part that they would do that, but obviously they see the value in avoiding all that bad stuff. Here's a quickie script; again, forgive any syntax errors since I jammed this out this morning, but this basically will grab the text file you pulled off the ludos site and drop it into iptables, go line by line, and create the entries. So all you have to do is grab the file and run the script; you can automate that in cron, and it'll get all your IPs updated.
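The two iptables ideas above, dropping a country's blocks line by line from a downloaded list and using the not operator to let web ports through, come together in the following script. It is an added example written for this page, not the speaker's script or anything from the ludos site, and it assumes the input is a plain text file with one CIDR per line (comments after `#` and blank lines ignored). The sample list it writes is constructed from the TEST-NET documentation ranges, not real country allocations. It prints the iptables commands into a dedicated `GEOBLOCK` chain instead of running them, so a cron job can rebuild the chain daily and an admin can review the output before piping it into `sh`.

```shell
#!/bin/sh
# Added example, not code from the talk: build iptables rules from a country
# IP-block list.  Assumed input: one CIDR per line, '#' comments, blank lines.

# geoblock_rules FILE [ALLOWED_TCP_PORTS]
# Prints iptables commands to stdout (does not execute them).  When
# ALLOWED_TCP_PORTS is given (e.g. "80,443"), those TCP ports stay open and
# everything else from the block is dropped; otherwise the whole block drops.
geoblock_rules() {
    file=$1
    ports=$2
    chain=GEOBLOCK
    # Create the chain on first run, flush it on later runs so stale blocks go away.
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip comments and surrounding whitespace.
        cidr=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$cidr" ] && continue
        # Accept only dotted-quad/prefix; report and skip anything else so a
        # malformed line in a downloaded list cannot produce a bogus rule.
        if ! printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            echo "# skipped malformed entry: $cidr" >&2
            continue
        fi
        if [ -n "$ports" ]; then
            # Drop TCP to every port except the allowed ones ...
            echo "iptables -A $chain -s $cidr -p tcp -m multiport ! --dports $ports -j DROP"
            # ... and drop all non-TCP traffic from the block.
            echo "iptables -A $chain -s $cidr ! -p tcp -j DROP"
        else
            echo "iptables -A $chain -s $cidr -j DROP"
        fi
        n=$((n + 1))
    done < "$file"
    # Hook the chain into INPUT once; -C makes the insert idempotent.
    echo "iptables -C INPUT -j $chain 2>/dev/null || iptables -I INPUT 1 -j $chain"
    echo "# $n block(s) loaded into $chain" >&2
}

# write_sample_list FILE: constructed sample input (TEST-NET ranges from
# RFC 5737, not any country's real allocation), including a bad line.
write_sample_list() {
    printf '%s\n' \
        '# constructed sample list, not a real country allocation' \
        '192.0.2.0/24' \
        '198.51.100.0/24   # trailing comment is fine' \
        '' \
        'not-an-ip' \
        '203.0.113.0/24' > "$1"
}

# Usage:  sh geoblock.sh LIST.txt [80,443]   or   sh geoblock.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_list "$tmp"
    geoblock_rules "$tmp" 80,443
    rm -f "$tmp"
elif [ $# -gt 0 ]; then
    geoblock_rules "$@"
fi
```

Run it from cron against the freshly downloaded list and pipe the output into `sh` only after a dry run has shown the expected rule count on stderr; because the chain is flushed and rebuilt each time, a block removed upstream disappears from the firewall on the next run instead of lingering.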
That ludos site updates daily, so they have pretty current information on there. Resources: this is a good list of blocking lists. This also includes not just country specific, but other things like big spammers and so forth. So if you don't want to just do geo, you can also block by types of bad things like spam and so forth. And that's the ludos IP to country database.

Got a little extra for you guys, since you're having to watch this presentation, not the one you're expecting. We were going to originally, we proposed to do a full session on hacker-related humor. They did not elect to let us do it, but you guys are going to get it anyway, so I have some extra time. A shortened version. I've got a top 10 list for you. It's the top 10 pickup lines overheard at DEFCON 13 in the home office. Number 10, want to go war driving out by the pool? Hi, I'm tech support. Can I have your password? That didn't go over very well. I'm serious. I really need your password. Got the password, but not their date. Hosting a private version of the TCP/IP drinking game later in my room. Just you and me. Hey, snarf this. Number five, hey, mind if I try to pick the lock on your bra? Try to spot my little federal buddy. Hey, I heard there was a really cool PGP signing over at Caesars. Want to go? Number two, this is for the ladies in the crowd. Figured to give this to you. It's kind of complicated though. You really have to master it. It's difficult. Hi, works. Finally, number one pickup line overheard at DEFCON 13: Hey, did you know I'm a speaker at DEFCON 13?

That's it. If you have any questions on this or anything else, my e-mail is thialetnetsecuritiesservices.com and the presentation will be posted to my site as well as on the DEFCON site, and feel free to email me abuse, comments, questions. Any questions right now, since we're done pretty early? Yes, I haven't; the question was he was blocking Korea and he found legitimate Hotmail traffic coming from Korea.
Yeah, I've not heard of that. I mean, yeah, I've not seen that at all. Some people might say that blocking Hotmail, a lot of companies block Hotmail anyway, but I block it and I have Hotmail and never had a problem, but it's interesting. I'll have to check that out.

Yes, like, kind of like a honeynet sort of, kind of how do you determine if it's invalid SMTP connections from those by IP, or okay, so you sort of built a whitelist of IPs. It's interesting. Yeah, I mean, you can do all kinds of interesting things with your iptables statements about what you do with it and where you send it, I mean drop, deny, and you can get really fancy with it and do fun stuff with it. In the simplest form, we just drop it. But, and again, the scripts can get a lot fancier in terms of the importing. You could actually go out to the website. We could build a PHP script to type in what countries you want to block. You know, we haven't done that because we don't need it, but someone out there could probably whip it up pretty quickly, I'm sure.

You blocked all email addresses except for it. Yeah, so I mean, that would work. You might, you don't get any complaints about that? But good, good for you.

Question back here somewhere. Good question. I don't know. Since it's not really a reality yet, I haven't dealt with that. And again, I don't try to oversell this. This may only work for a year or two. But to me, if it takes me 15 minutes and it works and it does something, it's worth doing. But yeah, I mean, IPv6 could throw a wrench in that, because I don't think they're going to be assigning things regionally anymore with that. Also, I didn't mention this, but some other fun things you can do: you can do GeoIP detection and write some Snort rules to detect Chinese IP addresses on your network for some reason. So we've done that too; well, if it did get through, why, you know, it's on our network now, let's throw up an alert. So there's some other, you know, advanced topics.
But again, this is just something down and dirty that you can do that might save you some grief and anything that lowers the percentage chance of me getting exploited and is, you know, that cost is low and the benefit is relatively high is a good thing to me. Any other questions? Great. Thanks for coming. I really appreciate it and have a good show.