I’m sure that Russia is a wonderful place, and I’m sure that the vast majority of people there are lovely, and have no interest in harming anyone.
Sadly, from the perspective of a server operator, it sometimes feels that nothing good ever comes from Russia.
Being the diligent server operator that I (hopefully) am, I monitor things pretty closely. That includes network traffic coming from the Internet. Over the years, I’ve noticed that a huge proportion of the probes, DDoS attacks, spam, phishing, and hack attempts against my network come from IP addresses in Russia.
It’s gotten to the point where I am now actively blocking huge swathes of Internet addresses (IPs) that originate in Russia and neighbouring countries like the Ukraine.
Blocking those nasty IPs
I run a Linux web server, as well as several Internet-enabled services, at my home office. All of the communications between my server and the Internet pass through a router, making it the ideal place to block unwanted traffic for my entire network, which includes media computers, development systems, and the Windows computer on which I’m writing this.
I’m using a commercial router, but I’ve replaced the original firmware with Advanced Tomato. Doing this provides many benefits, including making it easier to manage the router’s firewall, IPTABLES. Here’s a typical IPTABLES command to block an IP address from the router’s Linux command line:
iptables -I FORWARD -s 18.104.22.168 -j DROP
DROP directive tells the router to unceremoniously drop any traffic from the specified IP, without logging this action. Traffic can also be logged when it’s dropped, but excessive logging can cause performance problems and fill up logs with junk, so I just drop this traffic.
I issue commands like the one above at my router’s command line to block the traffic immediately, and then I update the router’s startup firewall script with the same command, so that it persists after the next router restart.
So there’s this one guy
There’s been one particularly persistent attacker in the last year or so. This person wants desperately to gain access to one of my Internet-accessible services, but he’s not particularly intelligent, because he keeps trying the same things over and over, in rapid succession. So much so, that at times the traffic he generates comes within shouting distance of a DDoS attack.
I started paying particular attention to traffic associated with a series of ports that are used by the service, and blocking the IP addresses at the other end of that traffic. Whereupon we embarked upon a long game of whac-a-mole, in which I blocked an IP or IP range, and the attacker moved to another host or VPN provider and resumed his attacks from there. It seems clear that this was all being done by one attacker, based on his quick reactions to my blocking.
This went on for several months, but now he appears to have given up. Or at least he’s moved on to other methods.
In the process of blocking all these IPs and networks, the attacker has also helpfully provided me with a list of VPN providers that should be blocked by, well, everyone. Everyone who doesn’t specifically need to allow them.
IP addresses and ranges I’m blocking
Almost all of these IPs and IP ranges are in Russia and the Ukraine. A few are elsewhere in Asia. Most of the ranges are VPN providers.
Here are a few other ranges I’m blocking for various reasons:
- Hungarian ISP MAGYAR-TELEKOM-MAIN-AS IP range (unceasing garbage):
- MediaLand BPH IP range (generally just horrible):
- EE-GIGAHOSTINGSERVICES (constant email relay attempts):