21

I have a web app that has no users in the Philippines, but is constantly bombarded by spammers, carders testing cards, and other undesirable activity from there. I can see in the logs that they have IPs in the Philippines and are initially finding my site via google.ph or other .ph sites.

I have pretty good filters and security checks in place, so they don't really cause much damage, but nonetheless, I'm really getting tired of it. They use up bandwidth, fill up my database, abuse logs, and security logs with crap, waste my time terming accounts, etc.

While the vast majority of Philippine citizens aren't spammers, and I can't just block every country that annoys me, at this point, I think the solution is simply to block all traffic from the Philippines to my webapp. (I know blocking entire countries' IP blocks is not a great practice, and has many problems, but for this country, I want to make an exception.)

(I know they could spoof their IP address, but at least I can make them work for it a bit.)

I know there are a few geoip services out there. Anyone know of any free or inexpensive services? Or any other way to filter out traffic from a specific country?

I'm running PHP on Apache 2, if it matters.

Desperatuss0ccus
Eli
  • The Philippines is one of the major English-speaking countries in the world, next to the US, the UK, Canada, and Australia. I'd strongly suggest not banning them, any more than you would ban Australia. Unless of course, your site is country-specific. But if it is, it should have a country-specific TLD, rather than a dot-com, then people would know you don't deal with them, and could go to similarname.com, which does. – Lee B Nov 08 '09 at 09:43
  • So what will you do when the spammers start coming from other countries (or better yet start routing their traffic through the US?) – TheTXI Jun 09 '09 at 10:16
  • Valid question. – crashmstr Jun 08 '09 at 20:33
  • crashmstr: I would think so. Taking this type of action to try and block off entire countries is only going to cause you to cut off more potential users than you are cutting off potential spammers. And when the spammers start coming from areas that you don't want to block (like your own country), you're going to be in deep doodoo because all your previous methods will have been a waste. – TheTXI Jun 08 '09 at 20:36
  • Probably nothing - my current security handles just fine. Please read the question before responding. –  Jun 08 '09 at 20:54
  • Already look at this? [http://serverfault.com/questions/17067/block-spam-by-using-geoip-filter](http://serverfault.com/questions/17067/block-spam-by-using-geoip-filter) – Kyle Brandt Jun 09 '09 at 11:44
  • My company serves US citizens only. I would think you would be asking us to block all traffic outside the US in order to guard your data. Less surface area is less surface area no matter how you slice it with different knives. -- and to those with an APO address, you don't use our service, it isn't an issue. –  Aug 16 '09 at 03:54

9 Answers

36

Unlike most of the other posters here, I'm not going to tell you this is a bad idea, that you shouldn't do it, that it won't solve your problem, or that you should do something else. Here's what happened to us:

Individuals from China and Korea (or using proxies in China and Korea, anyway) kept annoying us. Portscanning, crawling our websites looking for vulnerabilities, making login attempts, etc. I tried to ignore them (fail2ban takes care of them usually) but at some point they were hitting us so hard that it effectively turned into a DoS attack. When you have hundreds of connections at once from people trying to use your webserver as a proxy, trying to SSH into your machine, trying random usernames and passwords, it tends to weigh on the site. I eventually got fed up.

We don't get any legitimate traffic from China or Korea; our company doesn't sell there (we're e-commerce) so there was no risk of losing legitimate traffic, so I figured it was easier to block them ahead of time instead of waiting for them to be dicks.

  1. Visited http://ip.ludost.net/ and downloaded their IP<->country database.
  2. Extracted all Chinese and Korean IP address ranges.
  3. Installed the ipset module for netfilter.
  4. Built ipset dumps for China and Korea (see below).
  5. Added rules to iptables to silently drop any traffic from those sets.

And that's it. Our problem users went away, load on the network and the server was decreased, and we weathered the Christmas season without difficulty.

Note 1: you can do this with regular iptables (i.e. without ipset) but it's more computationally expensive than using ipset.

Note 2: This is how the dumps look (ipset will generate these for you if you want):

# Generated by ipset 2.3.3 on Sat Oct  4 18:02:57 2008
-N china nethash --hashsize 5184 --probes 4 --resize 50
-A china 203.207.128.0/17
-A china 221.176.0.0/13
-A china 58.154.0.0/15
-A china 114.54.0.0/15
...etc...

Note 3: We use a nethash because all of our ranges are stored as CIDR blocks. If you don't want to convert them to CIDR, you can use an iptreemap instead, but I imagine that might be less efficient if you're getting a lot of traffic.

Dan Udey
  • The point I want to make is that the idea of blocking a country like China or Korea or anywhere for that matter isn't just blocking out a bunch of people that speak a different language than you. I'm a United States citizen and if I wanted to purchase something from your company you lost me as a customer because I'm serving in South Korea. So yea, there *is* legitimate traffic there. – GNUix Jun 10 '09 at 03:04
  • Right, except that since we don't ship to South Korea, we can't sell you anything anyway, so there's no point in you going on our website. We'd never had anyone from China or Korea buy anything and ship it to the US either, so the number of sales lost might possibly hit ten in a year based on our analysis. – Dan Udey Jun 12 '09 at 01:28
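The ipset build from steps 4 and 5, as an added example that is not Dan Udey's own script: it validates and merges a plain CIDR list, writes the input for `ipset restore` using the current hash:net set type (the dump above is the older ipset 2.x nethash format), and prints the iptables rule that references the set. The set name and the sample ranges are constructed; nothing here touches the kernel.

```python
"""Added example (not from the answer): build an `ipset restore` script and
the matching iptables DROP rule from a plain list of CIDR blocks."""
import ipaddress
from typing import List


def parse_cidr_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line, skipping blanks and '#' comments.
    Malformed entries raise instead of being skipped, so a corrupt
    download cannot silently yield a set that blocks the wrong ranges.
    Adjacent or overlapping blocks are merged, which keeps the set small."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad CIDR {line!r}: {exc}") from exc
    return list(ipaddress.collapse_addresses(nets))


def ipset_restore_script(set_name: str, nets: List[ipaddress.IPv4Network]) -> str:
    """Text to feed to `ipset restore < file` (step 4 of the answer)."""
    lines = [f"create {set_name} hash:net family inet hashsize 4096 maxelem 262144"]
    lines += [f"add {set_name} {net.with_prefixlen}" for net in nets]
    return "\n".join(lines) + "\n"


def iptables_drop_rule(set_name: str) -> str:
    """Silently drop inbound packets whose source is in the set (step 5)."""
    return f"iptables -I INPUT -m set --match-set {set_name} src -j DROP"


# Constructed sample using RFC 5737 documentation ranges, not real geolocation data.
SAMPLE_LIST = """\
# constructed sample list
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
203.0.113.0/24
"""

if __name__ == "__main__":
    blocked = parse_cidr_list(SAMPLE_LIST)
    print(ipset_restore_script("blocked_country", blocked), end="")
    print(iptables_drop_rule("blocked_country"))
```

Apply the generated text with `ipset restore < file` before inserting the iptables rule, otherwise the rule fails because the set does not exist yet.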
8

You could do this based on IP address using a free IP Location API like IPInfoDB http://ipinfodb.com/index.php.

2

First, I would strongly suggest not doing this.

As others have far more eloquently put, blocking a specific country doesn't fix the problem, it just defers it slightly. Also, when users from that country see you've blocked them specifically, it will only motivate them to cause you more problems.

That said, if you really want to do this, IPinfoDB provide a free IP geolocation database.

First would be to locate an IP simply by country.

You would search this way:

SELECT * FROM `ip_group_country` where `ip_start` <= INET_ATON('74.125.45.100') order by ip_start desc limit 1;

Or

SELECT * FROM `ip_group_country` where `ip_start` <= 1249717504 order by ip_start desc limit 1;

Second, you might want to get the IPs of a specific country to generate a blocklist with iptables, an htaccess file or whatever you use. It would be done like this:

SELECT `ip_cidr` FROM `ip_group_country` WHERE `country_code` = 'AF' order by ip_start;

which would give you:

63.243.149.0/24
67.212.160.0/24
dbr
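The same two lookups in Python, as an added example that is not dbr's code: a small in-memory stand-in for the ip_group_country table (columns ip_start, ip_cidr, country_code, as used in the queries above) with constructed rows. It also checks that the address really falls inside the matched row's CIDR, which the `ORDER BY ip_start DESC LIMIT 1` query alone does not do.

```python
"""Added example (not dbr's code): the lookups above, done in Python over a
small in-memory stand-in for IPinfoDB's ip_group_country table. Rows are
constructed from RFC 5737 documentation ranges, not real geolocation data."""
import bisect
import ipaddress
from typing import List, Optional, Tuple

# (ip_start, ip_cidr, country_code): the columns the two queries use.
IP_GROUP_COUNTRY: List[Tuple[int, str, str]] = sorted([
    (int(ipaddress.IPv4Address("192.0.2.0")), "192.0.2.0/24", "PH"),
    (int(ipaddress.IPv4Address("198.51.100.0")), "198.51.100.0/25", "US"),
    (int(ipaddress.IPv4Address("203.0.113.0")), "203.0.113.0/24", "AF"),
])
_STARTS = [row[0] for row in IP_GROUP_COUNTRY]  # sorted keys for bisect


def inet_aton(ip: str) -> int:
    """MySQL INET_ATON equivalent: dotted quad -> unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def country_for_ip(ip: str) -> Optional[str]:
    """`WHERE ip_start <= INET_ATON(ip) ORDER BY ip_start DESC LIMIT 1`.
    The SQL stops at the nearest lower ip_start; this version also checks
    that the address lies inside that row's CIDR, so an address in a gap
    between two blocks yields None rather than the lower block's country."""
    n = inet_aton(ip)
    idx = bisect.bisect_right(_STARTS, n) - 1  # last row with ip_start <= n
    if idx < 0:
        return None
    _, cidr, code = IP_GROUP_COUNTRY[idx]
    in_block = ipaddress.IPv4Address(n) in ipaddress.IPv4Network(cidr)
    return code if in_block else None


def blocklist_for_country(code: str) -> List[str]:
    """`SELECT ip_cidr ... WHERE country_code = code ORDER BY ip_start`,
    i.e. the list you would feed to iptables or an .htaccess deny rule."""
    return [cidr for _, cidr, c in IP_GROUP_COUNTRY if c == code]


if __name__ == "__main__":
    print(inet_aton("74.125.45.100"))        # 1249717604
    print(country_for_ip("192.0.2.77"))      # PH
    print(country_for_ip("198.51.100.200"))  # None: outside 198.51.100.0/25
    print(blocklist_for_country("AF"))       # ['203.0.113.0/24']
```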
0

How do you fix a bug in code?

Like so?

Bug: Add(2,2) returns 0, should return 4.

Fixed code:

int Add(int x, int y)
{
   if (x == 2 && y == 2)
      { return 4; }
   return 0;
}

Obviously not. You don't just create a teetering monstrosity of special cases, that's enormously fragile and a recipe for disaster. You also don't just patch TODAY'S symptom of the underlying problem.

Instead, figure out the root cause, and fix that. This is far more robust than any hacky special-case patch you could implement.

Why is your web app vulnerable to spam? What characteristics make it vulnerable? What characteristics make it a valuable target? Are there ways you can change those characteristics to make your app more robust against spam and less of a tempting target? Almost certainly the answer to these questions is yes. Add validation chains to your forms, use a captcha intelligently, randomize urls and/or parameter names to make them unfriendly to bots. There are millions of ways to approach this problem, I'm sorry to say you have chosen one of the least valuable, least useful, and most fragile solutions out there.

Wedge
  • I have all those, thanks. Did you actually read the post before formulating your answer? – Eli Jun 09 '09 at 18:38
  • @Eli, obviously you have. That's why you are falling back to radical measures. Because your previous efforts were so effective. – Wedge Jun 10 '09 at 09:47
0

You should use products like fail2ban to key off errors you throw in your web application indicating a spamming attempt is underway. This will block the IP for a period of time, making your site resistant, but not blanket blocking entire IP blocks.

Kevin Kuphal
  • As I said in the post, which apparently nobody read, I have a perfectly fine system of blocking and preventing spam. I am looking to lighten the workload it has to do, and the time I have to spend monitoring it. – Eli Jun 09 '09 at 18:37
  • Which is why I suggested fail2ban. It automatically bans problem IPs for you without brute force blocking large IP blocks. – Kevin Kuphal Jun 09 '09 at 19:06
0

A couple of solutions:

These solutions are pretty easy and quick to put in place, and free.

A longer term solution would be to detect the spam from your web application, log the IP and feed your iptables to block them automatically.

Julien
0

I would opt for a Snort + OSSEC solution that could maintain something like this dynamically.

EEAA
GNUix
0

Did you consider finding who is operating the networks you are being attacked from? Find the "abuse" contact using whois and report to them. Of course it may come from several networks, but it may also be worth it if you see some recurring addresses / network blocks.

MatthieuP
    If you've ever tried to deal with ISPs in Asia (especially China, Korea, etc), you'll find that the one thing they never do is care about some foreigners complaining about something. It's not worth their time to do things properly so they don't. Reporting abuse becomes a waste of your time. – Dan Udey Jun 10 '09 at 01:17
  • I'm based in Korea and I have had nothing but a pleasant experience with Korean ISPs. – GNUix Jun 10 '09 at 03:01
0

You have every right to block IP addresses for whatever reason you can justify for yourself. It is you that provides a service and it is you who decides who can have it or not. It is perhaps questionable if this is moral but that is something you can only decide for yourself.

However blocking an IP segment because it has some geographic aspects to it sounds to me more or less like a panic approach.

What I have done in the past is having a crawler going through my most recent logs and based on that ban individual IPs that are annoying for a period of 24 hours. If that specific IP is misbehaving again it is banned for 2 days, then 3 days, etc. etc. you get the drift.

IPs that are banned for more than a week will be mailed to me and I send an abuse mail to that service provider (who knows, it might even help).
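The escalating ban described in this answer, as an added example that is not the answer's own crawler: it counts error responses per client IP in constructed Apache log lines, bans each repeat offender for one more day than last time, and flags bans longer than a week for an abuse report. The trigger of three or more 4xx/5xx responses from one IP is an assumption; the answer does not say what its crawler keys on.

```python
"""Added example (not the answer's crawler): escalating per-IP bans from
access-log excerpts. First offence 24 hours, each repeat adds a day, bans
over a week are flagged for an abuse mail. The 4xx/5xx trigger is assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')
THRESHOLD = 3          # assumed: this many error responses = misbehaving
ABUSE_REPORT_DAYS = 7  # from the answer: bans over a week get an abuse mail

def offenders(log_text: str) -> Dict[str, int]:
    """Client IPs with at least THRESHOLD 4xx/5xx responses in the excerpt."""
    errors: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2)[0] in "45":
            errors[m.group(1)] += 1
    return {ip: n for ip, n in errors.items() if n >= THRESHOLD}

class BanList:
    def __init__(self) -> None:
        self.strikes: Dict[str, int] = defaultdict(int)  # bans so far per IP
        self.banned_until: Dict[str, datetime] = {}

    def ban_duration(self, ip: str) -> timedelta:
        """24h for the first offence, then 2 days, 3 days, ... per repeat."""
        return timedelta(days=self.strikes[ip])

    def apply(self, log_text: str, now: Optional[datetime] = None) -> List[Tuple[str, timedelta, bool]]:
        """Ban every offender in the excerpt; return (ip, duration, report_abuse)."""
        now = now or datetime.now(timezone.utc)
        result = []
        for ip in offenders(log_text):
            self.strikes[ip] += 1
            d = self.ban_duration(ip)
            self.banned_until[ip] = now + d
            result.append((ip, d, d > timedelta(days=ABUSE_REPORT_DAYS)))
        return result

# Constructed log lines (Apache combined format, RFC 5737 addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2009:10:00:01 +0000] "POST /signup HTTP/1.1" 403 12 "-" "-"
192.0.2.10 - - [10/Jun/2009:10:00:02 +0000] "POST /signup HTTP/1.1" 403 12 "-" "-"
192.0.2.10 - - [10/Jun/2009:10:00:03 +0000] "POST /signup HTTP/1.1" 403 12 "-" "-"
198.51.100.7 - - [10/Jun/2009:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
"""
```

In use, `BanList.apply` would run on each fresh log slice and the entries in `banned_until` would be pushed to iptables or the web app's own deny list until they expire.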