COVID-19 Isn’t the only virus coming out of China

Press Release: March 24, 2020.

Coronavirus has been in the news since January. The virus, which allegedly originated in China, has caused a global pandemic. But COVID-19 is not the only virus coming out of China.

During the past two weeks Country IP Blocks has been monitoring large-scale cyber attacks, also allegedly originating from China. These attacks centre on compromising email servers so that ransomware, viruses, trojans and other malware can be distributed at scale. The attackers are also probing servers for vulnerabilities that would let them store malicious files on your systems.

Country IP Blocks is issuing the following alert: if you are not doing business in or with China at this time, we recommend that you quarantine your network and systems by blocking all inbound traffic from Chinese networks for a limited time. If you are doing business with China, we recommend that you carefully examine all traffic from China.

We realize this is an unprecedented step, but the danger is great. As a courtesy, we are releasing a free, aggregated list, in CIDR format, of all networks assigned to China. This ACL is available for download at https://www.countryipblocks.net/downloads/china_aggregated.txt.

This ACL may be loaded into your hardware or software firewalls until further notice. Bear in mind that a country list matches only addresses registered to Chinese networks; an attacker relaying through a host in another country is not caught by it, so treat the block as one layer of defence rather than a complete one.

Responding to Iranian Cybersecurity Threats

We have been monitoring a high level of malicious traffic originating from Iranian controlled networks. Due to tensions in the Middle East we expect attacks originating from Iran to not only continue, but to increase.

The United States Department of Homeland Security through Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher C. Krebs has released a statement in response to the recent rise in malicious cyber activity—including spear phishing and brute force attacks—by Iranian regime actors and proxies.

The CISA Statement on Iranian Cybersecurity Threats offers some relevant tips for mitigating Iranian security incidents.

Country IP Blocks, in an effort to be proactive, has created Access Control Lists containing all IPv4 and IPv6 Networks assigned to Iran. Iran’s IPv4 networks have been aggregated and their IPv6 networks have been produced in IPv6 compressed format.

As Iran is also subject to comprehensive OFAC sanctions, we believe it is important for all businesses and financial institutions operating in the United States to stay on top of their network traffic and avoid commercial dealings with any OFAC-sanctioned country.

Our Iran ACLs will allow you to block or monitor traffic specifically from Iran.

Specific ongoing Iranian threats include spear-phishing attacks, brute force attacks and possible DDoS attacks, among others.
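As an added example that is not Country IP Blocks code, the following Python shows one way to run a country ACL in "monitor" rather than "block" mode: it parses a CIDR list in the same form as the vendor's aggregated lists, builds a lookup keyed by prefix length, and flags web-server log lines whose source address falls in a listed network. The ACL entries and log lines are constructed from RFC 5737 and RFC 3849 documentation ranges as placeholders; they are not real Iranian allocations.

```python
"""Flag log lines whose source address falls inside a CIDR access control
list.  Added example, not Country IP Blocks code.  ACL entries and log lines
are constructed from documentation ranges (RFC 5737 / RFC 3849)."""
import ipaddress
import re
from collections import defaultdict

# Constructed ACL in the same CIDR form as the vendor's country lists.
ACL_TEXT = """\
# comment lines and blank lines are ignored
203.0.113.0/24
198.51.100.0/25

2001:db8:1::/48
"""

# Constructed web-server access log lines (Apache combined format).
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2020:02:14:11 +0000] "POST /owa/auth.owa HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/Mar/2020:02:14:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.200 - - [10/Mar/2020:02:14:13 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:1:ff::5 - - [10/Mar/2020:02:14:14 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]


class CidrSet:
    """Longest-prefix lookup over a CIDR list, bucketed by prefix length.

    A lookup costs one dictionary probe per distinct prefix length rather
    than one comparison per entry, so it stays fast on lists with tens of
    thousands of lines."""

    def __init__(self, lines):
        # {ip_version: {prefix_len: {network_as_int: network}}}
        self._buckets = {4: defaultdict(dict), 6: defaultdict(dict)}
        for raw in lines:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            net = ipaddress.ip_network(line, strict=False)
            self._buckets[net.version][net.prefixlen][int(net.network_address)] = net

    def match(self, ip_str):
        """Return the most specific listed network containing ip_str, or None."""
        ip = ipaddress.ip_address(ip_str)
        buckets = self._buckets[ip.version]
        bits = ip.max_prefixlen  # 32 or 128
        for plen in sorted(buckets, reverse=True):
            # Clear the host bits, then look the network address up directly.
            key = int(ip) & ~((1 << (bits - plen)) - 1)
            hit = buckets[plen].get(key)
            if hit is not None:
                return hit
        return None


# The source address is the first field of a combined-format log line.
_SRC = re.compile(r"^(\S+) ")


def flag_listed_sources(acl_text, log_lines):
    """Return [(source_ip, matched_network, log_line)] for listed sources.
    Lines that do not parse, or whose source is not listed, are skipped."""
    acl = CidrSet(acl_text.splitlines())
    hits = []
    for line in log_lines:
        m = _SRC.match(line)
        if not m:
            continue
        try:
            net = acl.match(m.group(1))
        except ValueError:  # first field was not an IP address
            continue
        if net is not None:
            hits.append((m.group(1), str(net), line))
    return hits


if __name__ == "__main__":
    for src, net, line in flag_listed_sources(ACL_TEXT, LOG_LINES):
        print(f"{src:<18} in {net:<20} {line}")
```

Running the script prints the three log lines whose sources sit inside a listed network; 198.51.100.200 is not reported because the listed block is only the lower half (/25) of that /24. The same lookup can feed a block decision instead of a report line; the difference is only what you do with a hit.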

Top 10 Most Malicious Countries for Cyberthreats; May 2019

Brazil, China, Germany, Iran, Italy, Netherlands, Russia, Thailand, Ukraine, Viet Nam are expected to be the ten most prevalent countries involved with cyber security threats for May 2019.

The countries above are given in alphabetical order, not by threat level.

China, Russia and Ukraine top our list, with Brazil rapidly rising into the top four. The cyberthreats originating from our top ten are as different as the countries themselves. China, Russia and Ukraine appear to be active in a wide variety of hack attempts, including rootkits, ransomware, brute force attacks and a wide variety of malware.

Attacks from Brazil, Germany, Iran, Italy, Netherlands, Thailand and Viet Nam are primarily against email servers, including high-volume spammers and a smattering of other threats.

Country IP Blocks strongly suggests taking control of your network assets to eliminate or at least mitigate many of these threats. For example, if you are not doing business with any of the above countries, why allow them access into your network? Consider blocking them using a Country IP Blocks Access Control List. Those who purchase a license get access control list data updated every four hours.

You may not be able to predict all incoming threats. But you can drastically reduce the level of malicious attacks, spam, ransomware and other threats by limiting traffic to countries where you do business.

IPv6 Bogons in Compressed and Decompressed CIDR format

In addition to our IPv6 network by country ACLs, we are now also offering IPv6 bogon lists. These lists include all reserved IPv6 networks and all IPv6 space that has not been allocated or assigned.

The IPv6 bogons are available as compressed or decompressed in CIDR format. These lists are updated every four hours and made available to you currently free of charge.

You may access all of our bogon lists on our Download an Access Control List to Block or Allow Bogons page.

While using our free data, why not consider purchasing a monthly or annual license? A licensed version will get you the most accurate data.

IPv6 Networks in Access Control Lists

Country IP Blocks has just released the beta version of our IPv6 by country database. With the free pool of IPv4 addresses exhausted, IPv6 addressing is coming into wider use.

We are currently in phase one of our IPv6 ACL release. While the data is accurate, we still consider phase one a testing phase. In phase one we are offering IPv6 addresses that are updated every four hours. This data will initially be offered as a free service to our licensed and unlicensed website users.

Initially, our IPv6 data will only be offered in three formats: Apache .htaccess Deny, Apache .htaccess Allow and CIDR.

We look forward to hearing your comments.

Aggregating IP Networks for More Efficient Access Control Lists

When it comes to network security, and specifically the use of Access Control Lists, Network Managers, IT Managers and anyone else managing inbound access can have their hands full when an ACL contains a large amount of data. For example, an ACL that allows only the US and Canada may contain close to 80,000 networks, which means 80,000 lines in your ACL.

Large ACLs become unruly, cumbersome and difficult to manage. They also drain hardware and software resources, taxing memory and overloading some firewalls. Aggregating the IP ranges is the remedy: it reduces the size of a large Access Control List without changing what the list covers.

Network Aggregation is not a summary of the networks in your ACL, and it does not change which addresses the ACL covers. It consolidates the list by combining contiguous networks into the largest valid network ranges possible. Two networks can be merged when they are adjacent, the same size, and the lower one starts on the boundary of the larger network that would result; the merged range is then written back as a valid CIDR network, and the process repeats until nothing more can be combined.

For example, 192.168.0.0/24 and 192.168.1.0/24 aggregate to 192.168.0.0/23. By contrast, 192.168.1.0/24 and 192.168.2.0/24 are adjacent but cannot be merged, because 192.168.1.0 does not sit on a /23 boundary.

Aggregating the US and Canadian networks currently reduces the size of your Access Control List by 71%, while covering exactly the same IP addresses.

Another excellent example of the power of aggregation is the networks assigned to Italy. As of today, April 10, 2019, Italy has 171,995 networks assigned (more if you look at network reassignments and further subnetting). Imagine working with an Access Control List containing this many lines. If you aggregate these networks you can reduce the size of your ACL by 96.9% or to 5,325 lines. An incredible improvement.
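The following Python is an added example, not the Country IP Blocks Aggregation Module, of the merge rule described above, generalised to arbitrary IPv4 and IPv6 lists: it removes prefixes already covered by a larger entry, then repeatedly merges adjacent, equal-sized, aligned pairs into one shorter prefix, and cross-checks its result against the standard library's ipaddress.collapse_addresses. The sample list in the main block is constructed.

```python
"""Aggregate IPv4/IPv6 CIDR lists into the smallest equivalent set of
prefixes.  Added example, not the Country IP Blocks Aggregation Module."""
import ipaddress


def aggregate(cidrs):
    """Return the aggregated networks as sorted strings, IPv4 before IPv6.
    The set of addresses covered is exactly the same before and after."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    result = []
    for version, bits, cls in ((4, 32, ipaddress.IPv4Network),
                               (6, 128, ipaddress.IPv6Network)):
        # Work on (network_int, prefix_len) pairs, sorted, duplicates removed.
        items = sorted({(int(n.network_address), n.prefixlen)
                        for n in nets if n.version == version})
        # Step 1: drop any prefix that lies inside the previous kept prefix.
        # Sorting by (address, length) puts a covering prefix first, so the
        # last kept entry is the only one that can contain the current one.
        kept = []
        for addr, plen in items:
            if kept:
                caddr, cplen = kept[-1]
                if cplen <= plen and (addr >> (bits - cplen)) == (caddr >> (bits - cplen)):
                    continue
            kept.append((addr, plen))
        # Step 2: merge two adjacent prefixes of equal length into one prefix
        # one bit shorter, but only when the lower one sits on the shorter
        # prefix's boundary (192.168.0.0/24 + 192.168.1.0/24 -> /23, whereas
        # 192.168.1.0/24 + 192.168.2.0/24 stay apart).  Repeat until stable,
        # because each merge can enable the next (/24 -> /23 -> /22 ...).
        merged = kept
        while True:
            out, i = [], 0
            while i < len(merged):
                addr, plen = merged[i]
                size = 1 << (bits - plen)            # addresses in this prefix
                if (i + 1 < len(merged) and plen > 0
                        and merged[i + 1] == (addr + size, plen)
                        and (addr & size) == 0):     # aligned for plen - 1
                    out.append((addr, plen - 1))
                    i += 2
                else:
                    out.append((addr, plen))
                    i += 1
            if out == merged:
                break
            merged = out
        result.extend(str(cls((a, p))) for a, p in merged)
    return result


def same_as_stdlib(cidrs):
    """Cross-check: ipaddress.collapse_addresses does the same job (one
    address family at a time), so the two answers must agree."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    expected = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        expected.extend(str(n) for n in ipaddress.collapse_addresses(family))
    return aggregate(cidrs) == expected


if __name__ == "__main__":
    sample = ["192.168.0.0/24", "192.168.1.0/24", "192.168.1.0/24",   # constructed
              "10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
              "10.0.0.0/8", "192.168.2.0/24", "2001:db8::/33", "2001:db8:8000::/33"]
    after = aggregate(sample)
    print(f"{len(sample)} entries -> {len(after)} "
          f"({100 * (1 - len(after) / len(sample)):.1f}% smaller)")
    print("\n".join(after), "\nmatches ipaddress:", same_as_stdlib(sample))
```

On the constructed sample the 11 entries collapse to 4, because the four 10.0.x.0/24 blocks are already inside 10.0.0.0/8, the duplicate /24 is dropped, the two aligned 192.168 blocks become a /23 and the two IPv6 halves become a /32. The same routine applied to a downloaded country list gives the kind of reduction quoted above for Italy.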

Currently, Country IP Blocks includes our Aggregation Module with new license purchases.

Make your network security more efficient by using aggregation.

OFAC Access Control Lists

We are pleased to announce that we are offering free OFAC Access Control Lists, based on OFAC’s Sanctions Programs and Country Information. Unlicensed users will have access to data that is at least 90 days old. Our licensed users will have access to data that is no more than four hours old.

While we are currently offering this data free for licensed and unlicensed users, the data will eventually require a separate license and may be removed from unlicensed access. This is due to additional staff hours to complete the extra work involved in maintaining the OFAC lists.

OFAC list users will be able to select lists including countries with comprehensive sanctions, related sanctions or both. The free selections are located here: Create an Access Control List to Block OFAC Sanctioned Countries. Licensed users will find the web form in their control panel under the Access Control Lists navigation.

We will base our country selections on OFAC's page: Sanctions Programs and Country Information.

We will maintain our OFAC ACLs based on OFAC's regular updates to its sanctions programs. We recommend you check back often for changes.

Country IP Blocks updates its Country Network database at least every four hours for licensed users, so the data is subject to frequent change. You may purchase your licenses on our website.

OFAC Countries with Comprehensive and Related Sanctions

OFAC stands for the Office of Foreign Assets Control.

Country IP Blocks has been working for years to develop an effective OFAC sanctions list. We faced several hurdles in making it as comprehensive as possible.

The first question we asked is “Where is OFAC’s Country List.” Here, according to their website, is the answer:

Where is OFAC’s Country List? What countries do I need to worry about in terms of U.S. sanctions?

The Office of Foreign Assets Control (OFAC) does not maintain a specific list of countries that U.S. persons cannot do business with. 

Here’s why:

U.S. sanctions programs vary in scope.  Some are broad-based and oriented geographically (i.e. Cuba, Iran).  Others are “targeted” (i.e. counter-terrorism, counter-narcotics) and focus on specific individuals and entities.  These programs may encompass broad prohibitions at the country level as well as targeted sanctions.  Due to the diversity among sanctions, we advise visiting the “Sanctions Programs and Country Information” page for information on a specific program.

OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”) has approximately 6,300 names connected with sanctions targets.  OFAC also maintains other sanctions lists which have different associated prohibitions.

Many individuals and entities often move internationally and end up in locations where they would be least expected.  Accordingly, U.S. persons are prohibited from dealing with SDNs regardless of location and all SDN assets are blocked.  Entities that an SDN owns (defined as a direct or indirect ownership interest of 50% or more) are also blocked, regardless of whether that entity is separately named on the SDN List.

Because OFAC’s programs are dynamic, it is very important to check OFAC’s website regularly.  Ensuring that your sanctions lists are current and you have complete information regarding the latest relevant program restrictions is both a best practice and a critical part of your due diligence responsibility.

For additional information about sanctions and OFAC, please take a look at our Frequently Asked Questions

As a courtesy, Country IP Blocks is temporarily offering free OFAC ACLs.

Identifying the Network and Broadcast Address of a Subnet

In this lesson we simplify identifying the Network and Broadcast addresses of a subnet from a known IP address within it and its CIDR prefix length or netmask. We walk through the terms you need to know, the basic math and some worked examples.

Terms you need to know:

CIDR: Classless Inter-Domain Routing. Think of the CIDR prefix length as a
replacement for a netmask. The CIDR value is the number of leading one bits,
counted left to right, in the 32-bit netmask. For example, a CIDR value of 24
means the first 24 bits of the mask are on and the last 8 bits are off:
11111111.11111111.11111111.00000000 (netmask 255.255.255.0). In this lesson
the binary netmask is referred to as the "CIDR Address". (See RFCs 1519, 1817,
4632.)

Network Address (or Network ID): This is the address that identifies the
subnet of a host.

Broadcast Address: An IP Address that allows information to be sent to all
machines on a given subnet rather than a specific machine. (See RFCs: 826, 919,
922, 947, 1027, 1770, 3021).

Binary: The base 2 numbering system in which machines hold addresses; an IPv4 address is 32 bits.

Bitwise AND Operator: Represented by the "&" symbol, the Bitwise AND
Operator returns a one in each bit position where both corresponding bits are
one, and a zero otherwise. Example: 1100 & 1010 = 1000.

Binary Inversion: In a Binary CIDR or Netmask we are inverting the ones to
zeros and the zeros to ones.

Bitwise OR Operator: Represented by the "|" symbol, the Bitwise OR Operator
returns a one in each bit position where one or both corresponding bits are
one. Example: 1100 | 1010 = 1110.

The Steps to identify the Network and Broadcast Address of a Subnet

Convert the IP Address and CIDR (or Netmask) to binary. If you need
additional help you can try our handy Converting IPv4 to Decimal and Binary
IP Conversion Calculators.

Use the Bitwise AND Operator on the IP address and the netmask (IP & CIDR).
The result is the Network Address (Network ID). A simple way to apply the
Bitwise AND Operator in binary is shown in the following example:

IP Address: 192.168.1.15

CIDR: 24 (Netmask: 255.255.255.0)

Binary IP Address: 11000000.10101000.00000001.00001111

Binary CIDR: 11111111.11111111.11111111.00000000

Using the Bitwise AND (&) Operator, compare the Binary IP Address to the
Binary CIDR Address. The result will be the Network Address of the IP Address
we are using:

Binary IP:
11000000.10101000.00000001.00001111

Binary CIDR:
11111111.11111111.11111111.00000000

Binary Network:
11000000.10101000.00000001.00000000

The resultant Network Address is 11000000.10101000.00000001.00000000.
Converting this back to the format of an IPv4 Address gives us 192.168.1.0.
This is our Network Address. Therefore, 192.168.1.15 belongs to the
192.168.1.0/24 network.

To get the Broadcast Address we need to do a Binary inversion of the CIDR or
Netmask Address.

The inversion of the CIDR Address of 11111111.11111111.11111111.00000000
becomes: 00000000.00000000.00000000.11111111.

Now we use the Bitwise OR Operator on the Binary Network Address and the
inverted CIDR Address to get the Broadcast address.

Binary Network Address:
11000000.10101000.00000001.00000000

Inverted Binary CIDR:
00000000.00000000.00000000.11111111

Binary Broadcast Address:       11000000.10101000.00000001.11111111

We now convert 11000000.10101000.00000001.11111111 back to dotted decimal:
192.168.1.255.

The Broadcast Address for the 192.168.1.0/24 Subnet is 192.168.1.255.

Now that you have your feet wet, let’s try a few more.

Identify the Network and Broadcast Addresses for each of the following
examples:

10.10.1.97/23
192.168.0.3/25
172.16.5.34/26
192.168.11.17/28

Example one: Convert 10.10.1.97/23 to Binary.

IP Address: 00001010.00001010.00000001.01100001

CIDR Address: 11111111.11111111.11111110.00000000

Use Bitwise AND Operator (IP & CIDR):

IP Address:
00001010.00001010.00000001.01100001

CIDR Address:
11111111.11111111.11111110.00000000

Network Address: 00001010.00001010.00000000.00000000

Network Address: 10.10.0.0

Binary Inversion of CIDR:

Binary CIDR:
11111111.11111111.11111110.00000000

Inverted Binary CIDR:   00000000.00000000.00000001.11111111

Use Bitwise OR Operator to get the Broadcast Address:

Binary Network:    00001010.00001010.00000000.00000000

Inverted Binary CIDR:    00000000.00000000.00000001.11111111

Binary Broadcast:    00001010.00001010.00000001.11111111

Broadcast Address:    10.10.1.255

IP Address 10.10.1.97/23 belongs to the 10.10.0.0/23 Network. The network
Address is 10.10.0.0 and the Broadcast Address is 10.10.1.255.

Example two: Convert 192.168.0.3/25 to Binary.

IP Address: 11000000.10101000.00000000.00000011

CIDR Address: 11111111.11111111.11111111.10000000

Use Bitwise AND Operator (IP & CIDR):

IP:
11000000.10101000.00000000.00000011

CIDR:
11111111.11111111.11111111.10000000

Network:     11000000.10101000.00000000.00000000

Network Address: 192.168.0.0

Binary Inversion of CIDR:

Binary CIDR:
11111111.11111111.11111111.10000000

Inverted Binary CIDR:   00000000.00000000.00000000.01111111

Use Bitwise OR Operator to get the Broadcast Address:

Binary Network:    11000000.10101000.00000000.00000000

Inverted Binary CIDR:    00000000.00000000.00000000.01111111

Binary Broadcast:    11000000.10101000.00000000.01111111

Broadcast Address:    192.168.0.127

IP Address 192.168.0.3/25 belongs to the 192.168.0.0/25 Network. The network
Address is 192.168.0.0 and the Broadcast Address is 192.168.0.127.

Example three: Convert 172.16.5.34/26 to Binary.

IP Address: 10101100.00010000.00000101.00100010

CIDR Address: 11111111.11111111.11111111.11000000

Use Bitwise AND Operator (IP & CIDR):

IP:
10101100.00010000.00000101.00100010

CIDR:
11111111.11111111.11111111.11000000

Network:     10101100.00010000.00000101.00000000

Network Address: 172.16.5.0

Binary Inversion of CIDR:

Binary CIDR:
11111111.11111111.11111111.11000000

Inverted Binary CIDR:   00000000.00000000.00000000.00111111

Use Bitwise OR Operator to get the Broadcast Address:

Binary Network:    10101100.00010000.00000101.00000000

Inverted Binary CIDR:    00000000.00000000.00000000.00111111

Binary Broadcast:    10101100.00010000.00000101.00111111

Broadcast Address:    172.16.5.63

IP Address 172.16.5.34/26 belongs to the 172.16.5.0/26 Network. The network
Address is 172.16.5.0 and the Broadcast Address is 172.16.5.63.

Example four: Convert 192.168.11.17/28 to Binary.

IP Address: 11000000.10101000.00001011.00010001

CIDR Address: 11111111.11111111.11111111.11110000

Use Bitwise AND Operator (IP & CIDR):

IP:
11000000.10101000.00001011.00010001

CIDR:
11111111.11111111.11111111.11110000

Network:     11000000.10101000.00001011.00010000

Network Address: 192.168.11.16

Binary Inversion of CIDR:

Binary CIDR:
11111111.11111111.11111111.11110000

Inverted Binary CIDR:   00000000.00000000.00000000.00001111

Use Bitwise OR Operator to get the Broadcast Address:

Binary Network:    11000000.10101000.00001011.00010000

Inverted Binary CIDR:    00000000.00000000.00000000.00001111

Binary Broadcast:    11000000.10101000.00001011.00011111

Broadcast Address:    192.168.11.31

IP Address 192.168.11.17/28 belongs to the 192.168.11.16/28 Network.

The network Address is 192.168.11.16 and the Broadcast Address is 192.168.11.31.
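Here is the lesson's procedure as runnable Python, added here and not part of the original lesson: it carries the AND, invert and OR steps through for any IPv4 address with either a prefix length or a dotted netmask, prints the dotted-binary forms used above, and covers the checks the worked examples skip (malformed octets, non-contiguous netmasks, and the /31 and /32 cases, where there is no separate broadcast address). The function and helper names are this example's own.

```python
"""Network and broadcast address of an IPv4 subnet by the lesson's method:
network = IP AND mask, broadcast = network OR (NOT mask).  Added example,
not part of the original lesson."""


def dotted_to_int(dotted):
    """'192.168.1.15' -> 0xC0A8010F, rejecting malformed addresses."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """Dotted binary, the notation used in the lesson: 11000000.10101000...."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_from_cidr(prefix_len):
    """/n -> netmask whose first n bits (left to right) are on."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def cidr_from_mask(mask):
    """Netmask -> /n.  A valid mask is a run of ones followed by zeros, so a
    mask such as 255.0.255.0 is rejected rather than silently mis-sized."""
    prefix_len = bin(mask).count("1")
    if mask_from_cidr(prefix_len) != mask:
        raise ValueError(f"non-contiguous netmask {int_to_dotted(mask)}")
    return prefix_len


def subnet_info(address, mask_spec):
    """address: '10.10.1.97'; mask_spec: 23, '23', '/23' or '255.255.254.0'.
    Returns (network, broadcast, prefix_len), addresses in dotted decimal."""
    ip = dotted_to_int(address)
    spec = str(mask_spec).lstrip("/")
    if "." in spec:
        mask = dotted_to_int(spec)
        prefix_len = cidr_from_mask(mask)
    else:
        prefix_len = int(spec)
        mask = mask_from_cidr(prefix_len)
    network = ip & mask                 # step 1: IP AND mask -> network ID
    host_bits = ~mask & 0xFFFFFFFF      # step 2: invert the mask
    broadcast = network | host_bits     # step 3: network OR inverted mask
    # For /31 (RFC 3021 point-to-point links) and /32 the value computed here
    # is just the top address of the range; those prefixes have no broadcast.
    return int_to_dotted(network), int_to_dotted(broadcast), prefix_len


def belongs_to(address, cidr):
    """True if address falls inside the network written as 'a.b.c.d/n'."""
    net_addr, prefix_len = cidr.split("/")
    network, _, _ = subnet_info(net_addr, prefix_len)
    candidate, _, _ = subnet_info(address, prefix_len)
    return candidate == network


if __name__ == "__main__":
    for example in ("192.168.1.15/24", "10.10.1.97/23", "192.168.0.3/25",
                    "172.16.5.34/26", "192.168.11.17/28"):
        ip, plen = example.split("/")
        network, broadcast, n = subnet_info(ip, plen)
        print(f"{example:<17} mask {to_binary(mask_from_cidr(n))}"
              f"  network {network:<15} broadcast {broadcast}")
```

Running the script reproduces the five results worked above. The netmask validation matters in practice: a typo such as 255.0.255.0 still has the right number of one bits for a /16, and a calculator that only counts ones would report a plausible but wrong network.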