Every morning I review a report on internet traffic coming through my servers. I am usually checking to ensure Google is indexing my sites properly, identifying potential prospects from web hits, verifying the spam and anti-virus filters are doing their jobs, and reviewing any new attack vectors that might compromise my perimeter security. The last brought an interesting point to the fore.
Much, if not all, of the undesired traffic to my open internet servers originated from Korea and China. This actually accounted for quite a large percentage of my traffic overall. Taking a closer look at the profile, it became obvious that eliminating traffic from these countries would reduce overall bandwidth requirements and improve general serviceability of the public-facing network. Since we have no intention of pursuing business in China or Korea, this strategy on the surface provides better focus of network resources to address the needs of our current and target client base.
Achieving this was relatively simple; however, there were some challenges. We needed to ensure that legitimate clients travelling abroad still had access to critical services, and we could not block responses from those countries, as certain software update sites are hosted in those geographies. We adopted a script initially created by Vivek Gite and posted at his blog site to block traffic by country using iptables in Linux, and modified it accordingly to allow for the above capabilities. We also tuned the initial script for better run-time performance profiling and reduced the demand on the network of the service provider hosting the list of international IP mappings by country.
The end result of implementing this strategy is generally more reliable network performance and a large reduction in network-based attacks on our infrastructure. The reduction in the attack level has also reduced the overhead of verifying that security has held up against each attack, since these costs increase linearly with the number of attacks against the network. We implemented the firewall as a hierarchical tree and have an optional configuration to allow for use of ipsets if they are identified as supported in the target system.
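
The ruleset shape described above, as an added example that is not this post's script or Vivek Gite's original: it prints the iptables/ipset commands for review rather than applying them. The `GEOBLOCK`/`GEO-*` chain names, the exempt ports, reading the "hierarchical tree" as a split by first octet, and the CIDRs (RFC 5737 documentation ranges) are all assumptions.

```shell
#!/bin/sh
# Added example: prints the commands for review instead of applying them.
EXEMPT_PORTS="443,993"   # assumption: the "critical services" for travellers

# Constructed zone data (RFC 5737 documentation ranges, not real country
# allocations); a real run would read locally cached per-country lists.
zone_cidrs() {
  case "$1" in
    cn) echo "192.0.2.0/24 198.51.100.0/25" ;;
    kr) echo "203.0.113.0/24 198.51.100.128/25" ;;
  esac
}

# emit_rules MODE COUNTRY...   (MODE is "ipset" or "plain")
emit_rules() {
  mode=$1; shift
  seen=" "
  echo "iptables -N GEOBLOCK"
  # Replies to connections we initiated (e.g. update sites) pass first.
  echo "iptables -A GEOBLOCK -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
  # Critical services stay reachable from any country.
  echo "iptables -A GEOBLOCK -p tcp -m multiport --dports $EXEMPT_PORTS -j RETURN"
  for cc in "$@"; do
    if [ "$mode" = ipset ]; then
      # One hashed set lookup per country instead of one rule per CIDR.
      echo "ipset create geo-$cc hash:net"
      for net in $(zone_cidrs "$cc"); do echo "ipset add geo-$cc $net"; done
      echo "iptables -A GEOBLOCK -m set --match-set geo-$cc src -j DROP"
      continue
    fi
    for net in $(zone_cidrs "$cc"); do
      oct=${net%%.*}
      case "$seen" in
        *" $oct "*) ;;                      # child chain already exists
        *) seen="$seen$oct "
           echo "iptables -N GEO-$oct"
           # Parent rule: only packets in this /8 walk the child chain.
           echo "iptables -A GEOBLOCK -s $oct.0.0.0/8 -j GEO-$oct" ;;
      esac
      echo "iptables -A GEO-$oct -s $net -j DROP"
    done
  done
  echo "iptables -I INPUT -j GEOBLOCK"
}

# Use ipset only when the tool exists on the target system.
pick_mode() { if command -v ipset >/dev/null 2>&1; then echo ipset; else echo plain; fi; }

emit_rules "$(pick_mode)" cn kr
```

The jump from `INPUT` is emitted last so the chain is complete before it sees live traffic.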