
Country by Country ISA Computer Sets



Recently, David Litchfield asked me to help him out a bit with a research 
project he was working on by having me set up a network capture in my DMZ to 
log SQL Slammer attacks.  I don't publish any services here at my Santa Cruz 
facility (meaning there are no required inbound protocols and no references in 
DNS anywhere) so I figured it would be a nice "quiet" circuit to use for 
testing.  I basically port-forwarded UDP 1434 to a laptop in my DMZ running 
NetMon3 also filtering for UDP 1434.  After about 4 days of running NetMon, I 
had captured almost 30 (verified) random SQL Slammer attacks.  What I found 
interesting was that every single one of them was sourced in China (all from 
different addresses). 
 
Now, it's not my intent to start some geopolitical debate here, but I've long 
heard about how some people would block entire countries at the border in order 
to obviate issues with malicious traffic.  There are obviously some issues with 
this (both from a technical and potential customer standpoint) so I set out to 
do a bit of research on my own.  First thing I found out was that if one does 
decide to block entire countries, it's going to be a bit of work from a 
rule standpoint.  Sure, if I wanted to block all of China I could block APNIC, 
but that would block WAY more than I would want.  So I set about finding a good 
resource for country-by-country IP ranges.  Fortunately, Wade Alcorn, one of my 
colleagues at NGSSoftware turned me on to one that seemed pretty decent (there 
are a few around, though).  But finding the resource was just the beginning...  
The list I got included 234 countries, comprising almost 100,000 records of 
IP ranges.   

Making a firewall rule to block China, for instance, would require entering in 
almost 600 IP ranges - so the "manual" route was clearly out.  The thing is, I 
just didn't want to block countries without more research, so I needed a way to 
gather some statistics first.  Enter ISA Server - as many of you know, I'm a 
big fan of ISA - it's a true enterprise security product with great scripting 
capabilities, so I set to work creating an automated method by which to create 
computer sets in ISA for each country.   Basically, I created a SQL database 
and loaded all the records into it - I then wrote a little COM app to reach out 
and grab the data by countries, create the sets in ISA, and loop through the 
different ranges of IP's to add them to the set.  It worked great.
  
This accomplished two things - one, I now have full detailed computer sets for 
each country to do with as I please.  Secondly, I have an excellent way of 
producing detailed reports for traffic analysis in ISA - this was key.  With 
data collection points set up at different places around the world, I was able 
to capture 3.1 million inbound connection attempts.  The results were quite 
interesting.  While China still led with connection attempts overall, it was 
interesting to see that Canada was a close second.  However, while China's 
traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc, 
almost all of Canada's traffic was MESSENGER spam (UDP 1026,1027,1208).  The 
world leader for HTTP was Brazil, strangely enough.  Now, all of this will 
change based on who and where you are, and the types of services being 
offered.  For example, I only got 5 SMTP connection attempts to my cable modem 
in a week, but my ISP in BM got hundreds of thousands (understandably) in the 
same time period.  I'll whip up some cool reports for what I found and post 
them once I get some more data in from different collection points, but the 
valuable outcome of the project was the creation of these individual 
country-by-country Computer Sets for ISA.
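As an added illustration of the two steps described above (loading a country-by-country range list into a SQL table, then grouping the ranges per country to feed one computer set each, and attributing inbound connection attempts to a source country for reporting), here is a small Python sketch. It is not the author's COM app and does not call the ISA Server API; it stops at producing the per-country range lists and the per-country/per-service counts. The range records and the connection attempts are constructed samples using documentation prefixes, not real allocations, and the "country, first IP, last IP" record shape is an assumption about the list format.

```python
import ipaddress
import sqlite3
from collections import Counter

# Constructed sample records in an assumed (country, first IP, last IP) shape.
# These are documentation prefixes, not real allocations; a real list would
# run to close to 100,000 rows.
COUNTRY_RANGES = [
    ("CN", "203.0.113.0",    "203.0.113.255"),
    ("CN", "198.51.100.0",   "198.51.100.127"),
    ("CA", "198.51.100.128", "198.51.100.191"),
    ("BR", "198.51.100.192", "198.51.100.255"),
    ("US", "192.0.2.0",      "192.0.2.255"),
]

# Constructed inbound connection attempts as (source IP, protocol, dest port),
# standing in for an ISA or NetMon log. 100.64.0.1 is deliberately absent
# from the range table to show the "unknown" case.
CONNECTIONS = [
    ("203.0.113.9",    "UDP", 1434),
    ("203.0.113.77",   "TCP", 80),
    ("198.51.100.3",   "TCP", 25),
    ("198.51.100.130", "UDP", 1026),
    ("198.51.100.131", "UDP", 1027),
    ("198.51.100.200", "TCP", 80),
    ("198.51.100.201", "TCP", 80),
    ("192.0.2.10",     "TCP", 25),
    ("100.64.0.1",     "TCP", 443),
]

# Service labels for the ports mentioned in the post.
SERVICE_NAMES = {
    ("UDP", 1434): "SQL Slammer",
    ("TCP", 80):   "HTTP",
    ("TCP", 25):   "SMTP",
    ("UDP", 1026): "MESSENGER",
    ("UDP", 1027): "MESSENGER",
}


def load_ranges(ranges):
    """Load range records into an in-memory SQLite table. Addresses are stored
    as integers so that a source-IP lookup is a single BETWEEN query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ranges (country TEXT, ip_from INTEGER, ip_to INTEGER)")
    conn.executemany(
        "INSERT INTO ranges VALUES (?, ?, ?)",
        [(c, int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
         for c, lo, hi in ranges],
    )
    conn.execute("CREATE INDEX ix_from ON ranges (ip_from, ip_to)")
    return conn


def country_of(conn, ip):
    """Return the country code whose range contains ip, or 'unknown'."""
    n = int(ipaddress.ip_address(ip))
    row = conn.execute(
        "SELECT country FROM ranges WHERE ? BETWEEN ip_from AND ip_to", (n,)
    ).fetchone()
    return row[0] if row else "unknown"


def country_sets(conn):
    """Group ranges by country: the input for one computer set per country.
    Each range is expressed as the CIDR blocks that cover it, i.e. the entries
    one would otherwise have to type into a firewall rule by hand."""
    sets = {}
    for country, lo, hi in conn.execute(
        "SELECT country, ip_from, ip_to FROM ranges ORDER BY country, ip_from"
    ):
        nets = ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        )
        sets.setdefault(country, []).extend(str(n) for n in nets)
    return sets


def traffic_by_country(conn, connections):
    """Count connection attempts per (country, service): the raw material for
    a by-country traffic report."""
    counts = Counter()
    for ip, proto, port in connections:
        service = SERVICE_NAMES.get((proto, port), f"{proto}/{port}")
        counts[(country_of(conn, ip), service)] += 1
    return counts


if __name__ == "__main__":
    db = load_ranges(COUNTRY_RANGES)
    for country, blocks in country_sets(db).items():
        print(f"{country}: {len(blocks)} block(s): {', '.join(blocks)}")
    for (country, service), n in traffic_by_country(db, CONNECTIONS).most_common():
        print(f"{country:8} {service:12} {n}")
```

The BETWEEN lookup is what makes a 100,000-row table usable for per-connection attribution, and the per-country block counts give a feel for why a "manual" rule for a large country is out of the question.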

Beforehand, I had no real way of easily and effectively reporting on traffic 
patterns by source country.   Whether you can or can't block entire countries 
is your business, but at least this affords someone an easy way of doing 
research.  You may not be able to (or even want) to block HTTP from China, but 
you very well may want to block SMTP - with ISA and computer sets, you can 
easily do this.  Even if you don't block anything at all, you can use the sets 
to get rich reports of what kind of traffic you are getting from a particular 
country.  While the validity of the practice of blocking entire countries (or 
particular protocols for that matter) may be up for debate, you now at least 
have the option to make your own decision based on factual information - to be 
sure, you've always been able to do this obviously, it's just been my 
experience that maintaining rule lists by country/protocol has been quite 
difficult and time consuming. 

I've exported every country's entire list to ISA 2006 .XML format, and have 
posted them on the HoG site for community use.  Since I've automated the Set 
creation process, I'll be updating the sets each month or so to ensure that 
changes are processed correctly.   I would like to thank NGSSoftware for 
purchasing the required business services to receive the updates - their 
donation makes it possible for me to give you updated sets for free. 

A full list of all countries' ISA .xml for ISA 2006 is available here:
http://hammerofgod.com/download/ISASets/

The first file is a zip of all countries if you want that one.  Go nuts!

t