mcblockd, the firewall automation I created 5 years ago, continues to work.
However, it’s interesting to note how things have changed. Looking at just the addresses I block from accessing port 22…
While China remains at the top of my list of total number of blocked IP addresses, the US is now in 2nd place. In 2017, the US wasn’t even in the top 20. What has changed?
Most of the change here is driven by my automation seeing more and more attacks originating from cloud hosted services. Amazon EC2, Google, Microsoft, DigitalOcean, Linode, Oracle, et. al. While my automation policy won’t go wider than a /24 for a probe from a known US entity, over time I see probes from entire swaths of contiguous /24 networks from the same address space allocation, which will be coalesced to reduce firewall table size. Two adjacent /24 networks become a single /23. Two adjacent /23 networks become a single /22. All the way up to a possible /8 (the automation stops there).
So today, the last of 2022, I see some very large blocks owned by our cloud providers being blocked by my automation due to receiving ssh probes from large contiguous swaths of their address space.
I am very appreciative of the good things from big tech. But I’m starting to see the current cloud computing companies as the arms dealers of cyberspace.
My top 2 countries:
However, it’s interesting to note how things have changed. Looking at just the addresses I block from accessing port 22…
While China remains at the top of my list of total number of blocked IP addresses, the US is now in 2nd place. In 2017, the US wasn’t even in the top 20. What has changed?
Most of the change here is driven by my automation seeing more and more attacks originating from cloud hosted services. Amazon EC2, Google, Microsoft, DigitalOcean, Linode, Oracle, et. al. While my automation policy won’t go wider than a /24 for a probe from a known US entity, over time I see probes from entire swaths of contiguous /24 networks from the same address space allocation, which will be coalesced to reduce firewall table size. Two adjacent /24 networks become a single /23. Two adjacent /23 networks become a single /22. All the way up to a possible /8 (the automation stops there).
So today, the last of 2022, I see some very large blocks owned by our cloud providers being blocked by my automation due to receiving ssh probes from large contiguous swaths of their address space.
I am very appreciative of the good things from big tech. But I’m starting to see the current cloud computing companies as the arms dealers of cyberspace.
My top 2 countries:
CN 131,560,960 addresses
/9 networks: 1 (8,388,608 addresses)
/10 networks: 10 (41,943,040 addresses)
/11 networks: 12 (25,165,824 addresses)
/12 networks: 18 (18,874,368 addresses)
/13 networks: 29 (15,204,352 addresses)
/14 networks: 48 (12,582,912 addresses)
/15 networks: 48 (6,291,456 addresses)
/16 networks: 37 (2,424,832 addresses)
/17 networks: 14 (458,752 addresses)
/18 networks: 7 (114,688 addresses)
/19 networks: 10 (81,920 addresses)
/20 networks: 5 (20,480 addresses)
/21 networks: 3 (6,144 addresses)
/22 networks: 3 (3,072 addresses)
/23 networks: 1 (512 addresses)
US 92,199,996 addresses
/9 networks: 3 (25,165,824 addresses)
/10 networks: 5 (20,971,520 addresses)
/11 networks: 10 (20,971,520 addresses)
/12 networks: 9 (9,437,184 addresses)
/13 networks: 16 (8,388,608 addresses)
/14 networks: 10 (2,621,440 addresses)
/15 networks: 8 (1,048,576 addresses)
/16 networks: 42 (2,752,512 addresses)
/17 networks: 10 (327,680 addresses)
/18 networks: 11 (180,224 addresses)
/19 networks: 8 (65,536 addresses)
/20 networks: 10 (40,960 addresses)
/21 networks: 2 (4,096 addresses)
/22 networks: 9 (9,216 addresses)
/23 networks: 9 (4,608 addresses)
/24 networks: 818 (209,408 addresses)
/25 networks: 4 (512 addresses)
/26 networks: 5 (320 addresses)
/27 networks: 5 (160 addresses)
/28 networks: 2 (32 addresses)
/29 networks: 7 (56 addresses)
/30 networks: 1 (4 addresses)
You can clearly see the effect of my automation policy for the US. Lots of /24 networks get added, most of them with a 30 to 35 day expiration. Note that expirations increase for repeat offenses. But over time, as contiguous /24 networks are added due to sending probes at my firewall, aggregation will lead to wider net masks (shorter prefix lengths). Since I’m sorting countries based on the total number of addresses I’m blocking, obviously shorter prefixes have a much more profound effect than long prefixes.