This article last updated: Wednesday, 23 August 2006

Those pesky Chinese hackers

Mainly due to the large amount of comment spam that wings its way here from Chinese IP addresses, I've been pondering what to do, if anything, about it and them. I've been tempted for a while, to write an article on the subject but didn't want to appear xenophobic. Thanks to a Register article on the subject, I'm inspired to jot down my own thoughts.

Firstly, I notice that the vast majority of questionable requests come from China, then waves of spam from Japan and Brazil, and then some of the countries of the old Soviet Union, mainly Ukraine. Don't get me wrong, my server is also hassled by machines from the US and even from around the UK, but to a lesser extent. It has brought me close to the point where I was going to start indiscriminately blocking whole blocks of IP addresses and doing GeoIP lookups to solve the problem, but after more thought, I decided not to.

Whilst I don't want the dodgy requests coming in at all, I don't see much point in blocking IP address ranges or even particular ISPs. I prefer to restrict particular site features in some cases, where the bulk of the traffic from that direction is trying to spam the site or otherwise abuse certain facilities on here. I'm still not happy about that situation, to be honest. Writing to abuse@ mailboxes is generally pointless; it is not something I want to waste my time doing, nor do I want to expose an email address in the process.

Who's that and who cares?

I've come to the conclusion that it isn't right to deny many for the actions of a few and, because the point of blame is nigh on impossible to find, it is also wrong to deny access on the basis of generally dodgy activity. A lot of the stuff that comes this way is likely to be from compromised computers, where the owner probably doesn't realise that their machine is up to no good. I also take the stance that this sort of thing could happen at any time and from any source, and that it can actually serve a purpose for me. The variety of activity it generates is certainly useful, as it teaches much about what needs to be protected against. It forces the hand towards creating systems that are simple and have low resource overheads, as well as being well thought out and secure against the range of attack vectors that I see prodded for.

I also have a sneaking suspicion that in the case of China, some of the activity targeted at the rest of the world could be politically motivated. Their government is always trying to stop its citizens from reading anything too western, and what better way than to get the rest of the world guarding against and denying access from China? Obviously that's just my own suspicious mind working there, but I think it could have some merit. Where I see suspicious activity going on on my sites, I usually use it to create functions that monitor for it and make subtle changes to the system while that activity is going on. For instance, if I start getting too many dodgy requests from a given source, I temporarily block that source until it subsides. It usually does the trick. Occasionally, I will make the system refuse to issue tokens in its forms to browsers with certain Accept-Language headers, which stops them from posting anything through my form-based mechanisms. This can be expanded to cover IP blocks if necessary, but it is only temporary and is reversed when the problem goes away.

It is an ever changing battle

The measures I put in place are only ever done on demand and, as soon as the activity stops, I put it all back to normal. This way of doing it serves me well and doesn't block legitimate activity, or at least not for long. There is great diversity in this world and that is reflected in the black hat and spammer communities, in the techniques and targets they go for. As webmasters we need to be flexible in how we deal with it, in the mechanisms we create for the job, and in how and when we actually implement them. What is a problem this afternoon will likely have moved on by tomorrow, if you deal with it properly today. Monitor for it at all times, then bring up the shield when it happens, dropping it again when the attacker sees that he's being blocked and moves on to the next victim among the millions out there. If we try too hard, too often, to block everything that isn't right, we're going to strain our systems, deny legitimate traffic and ruin our sites.
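The on-demand blocking described above and in the previous section (a source that sends too many dodgy requests is blocked until it subsides, form tokens are withheld from browsers with certain Accept-Language headers, and every measure lapses by itself) is sketched here as an added example; it is not the site's own code. The window, threshold and block duration are assumed values, the request records and sample traffic are constructed, and the "suspicious request" heuristic is an assumption chosen to match the site's stated rule that comments carrying [URL] ... [/URL] tags are spam.

```python
"""Demand-driven blocking of abusive request sources (added illustration).

Suspicious requests are counted per source IP inside a sliding window; when a
source crosses the threshold it is blocked for a fixed period and the block is
forgotten once that period has passed. Separately, form tokens can be withheld
from clients whose Accept-Language matches a temporary deny list.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW = 60       # seconds over which suspicious hits are counted (assumed)
THRESHOLD = 5     # suspicious hits inside WINDOW that trigger a block (assumed)
BLOCK_FOR = 600   # seconds a block or language denial lasts before lapsing (assumed)


def is_suspicious(req: dict) -> bool:
    """Constructed heuristic: a form post carrying [URL]...[/URL] markup, or a
    probe for a path that does not exist (HTTP 404)."""
    if req["method"] == "POST" and "[url]" in req.get("body", "").lower():
        return True
    return req["status"] == 404


def primary_languages(accept_language: str) -> List[str]:
    """Primary language subtags of an Accept-Language header, in order and
    without duplicates, ignoring q-values: 'zh-CN,zh;q=0.8,en;q=0.5' -> ['zh', 'en']."""
    seen: List[str] = []
    for part in accept_language.split(","):
        tag = part.split(";")[0].strip().lower()
        if tag and tag != "*":
            primary = tag.split("-")[0]
            if primary not in seen:
                seen.append(primary)
    return seen


class SourceGuard:
    def __init__(self) -> None:
        self._hits: Dict[str, Deque[int]] = defaultdict(deque)
        self._blocked_until: Dict[str, int] = {}
        self._lang_denied_until: Dict[str, int] = {}

    def is_blocked(self, ip: str, now: int) -> bool:
        """True while a block is in force; an expired block is dropped on sight."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            return False
        return True

    def observe(self, req: dict) -> bool:
        """Record one request and return True if its source is blocked."""
        ip, now = req["ip"], req["t"]
        if self.is_blocked(ip, now):
            return True
        if is_suspicious(req):
            hits = self._hits[ip]
            hits.append(now)
            while hits and now - hits[0] > WINDOW:   # slide the window forward
                hits.popleft()
            if len(hits) >= THRESHOLD:
                self._blocked_until[ip] = now + BLOCK_FOR
                hits.clear()
                return True
        return False

    def deny_language(self, lang: str, now: int, for_seconds: int = BLOCK_FOR) -> None:
        """Temporarily refuse form tokens to browsers whose primary language is `lang`."""
        self._lang_denied_until[lang.lower()] = now + for_seconds

    def may_issue_token(self, ip: str, accept_language: str, now: int) -> bool:
        """Decide whether a form token is handed out: not to a blocked source,
        and not to a client advertising a currently denied language."""
        if self.is_blocked(ip, now):
            return False
        for lang in primary_languages(accept_language):
            until = self._lang_denied_until.get(lang)
            if until is not None and now < until:
                return False
        return True


def _req(t: int, ip: str, method: str, path: str, status: int, body: str = "") -> dict:
    return {"t": t, "ip": ip, "method": method, "path": path, "status": status, "body": body}


# Constructed sample traffic (documentation IP ranges, not real visitors):
# one source posts a burst of [URL] spam, another makes two spaced-out probes.
SPAM = "[URL]http://example.com/[/URL]"
SAMPLE_TRAFFIC = [
    _req(0, "203.0.113.9", "GET", "/phpmyadmin/", 404),
    _req(0, "198.51.100.7", "POST", "/comment", 200, SPAM),
    _req(5, "198.51.100.7", "POST", "/comment", 200, SPAM),
    _req(10, "198.51.100.7", "POST", "/comment", 200, SPAM),
    _req(15, "198.51.100.7", "POST", "/comment", 200, SPAM),
    _req(20, "198.51.100.7", "POST", "/comment", 200, SPAM),   # fifth hit: block
    _req(25, "198.51.100.7", "POST", "/comment", 200, SPAM),   # refused while blocked
    _req(100, "203.0.113.9", "GET", "/wp-login.php", 404),     # outside WINDOW of first probe
    _req(700, "198.51.100.7", "GET", "/", 200),                # block has lapsed
]


def replay(requests: List[dict]) -> Tuple[SourceGuard, List[Tuple[int, str, bool]]]:
    """Run the guard over time-ordered requests; return it and (t, ip, blocked) decisions."""
    guard = SourceGuard()
    decisions = [(r["t"], r["ip"], guard.observe(r)) for r in sorted(requests, key=lambda r: r["t"])]
    return guard, decisions


if __name__ == "__main__":
    for t, ip, blocked in replay(SAMPLE_TRAFFIC)[1]:
        print(f"t={t:4d} {ip:14s} {'BLOCKED' if blocked else 'ok'}")
```

The two knobs that matter are the sliding window, which stops a slow trickle from ever tripping the block, and the expiry check inside `is_blocked`, which is what makes the measure self-reversing: nothing has to be remembered or cleaned up by hand once the attacker has moved on.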

By using some common sense and some level of intelligence in how we implement our systems, we can make good use of resources and still stay secure. If we fail to do this we will end up with no sites, or sites that are virtually unusable or so bogged down with workloads that they might as well not be used. Of course, governments and ISPs could be doing us all a favour and get really tough on those who are playing silly buggers, but that won't happen until some boiling point has been passed.

Where we go from here, nobody really knows and, unless there is more unity in the Internet arena, nobody ever will. In the meantime we can only try to cover our own backs and keep our own sites, services and systems going as best we can. But then, that's what we've always done, isn't it? We're so busy fighting our own individual fires that nobody has the time or inclination to build the fireproof city we could all live in. Still, it's not an ideal world and, at the rate things are going, is never likely to be. We just need to keep remembering that not everybody from China, or from the other countries that hacking activity comes out of, is out to get us. Without leaving ourselves open to compromise, we just have to guard against the real problems, not against where the problems come from.

Update

I've brought this article back online after a good long while of being hidden away, because I've noticed a lot of SSH connection attempts originating from, or at least appearing to originate from, China. There is also a lot of malware being pumped out in drive-by style attacks from there, so I've now put a blanket block on every IP address block I can find for the country (3,413 IP blocks). Russia and Ukraine have had the same treatment, as it is these countries that I've seen the most suspicious activity coming from.
