
[ale] OT:rumors of Chinese attacks

On Fri, May 04, 2001 at 04:31:08PM -0400, Thompson Freeman wrote:
> On Fri, 4 May 2001, Michael H. Warfield wrote:

> > On Fri, May 04, 2001 at 02:25:19PM -0400, Sage wrote:
> > 
> <<snip>>
> > some of this (for the record, CN has 67 netblocks, the largest of which is
> > a /11.  HK has 170 netblocks, the largest of which is a /15 - all of this
> > is public information if you know where to look).

> Please forgive my ignorance, but what is a netblock? and what has this to
> do with a cyber war (I assume it does, but I'm fishing for more background
> to stuff into the black hole of my ignorance).

	A "netblock" is simply an aligned block of allocated addresses.
Classically (pun very intended) a "Class A" network is a /8 netblock under
CIDR (Classless InterDomain Routing).  That simply means that there are 8
bits in the network field of the address and 24 bits in the host field.
What used to be a "Class B" network would be a /16 netblock under CIDR, while
a "Class C" network would be a /24 netblock.  Under CIDR, the old classful
networks are subnetted or aggregated (supernetted) into blocks of varying
sizes and then allocated.  Actually, a true "Class A", "Class B", "Class C",
and "Class D" are also restricted in their range of network addresses
as well as their size, but the size is what's significant here.  When people
now talk about "Class A", "Class B", and "Class C" networks they are
referring to an old system of allocation which really no longer operates
in the core Internet itself.  There are some subtle "boundary conditions"
regarding host addresses with 255 or 0 in the low order octet where there
are some differences, but, for all intents and purposes, the old classful
system of network/subnetwork/host addressing no longer exists.

	The size number in the netblock represents the number of bits
in the network field.  The larger the number, the larger the netmask and,
consequently, the fewer the number of addresses in the block.  A /24
only has 254 host addresses (256 minus 2.  0 and all ones are reserved).
A /16 has 65534 host addresses.  A "netblock" is simply a block of addresses
of a binary (power of two) size and aligned on a multiple of that size
within the overall address space (all lower bits zero for the lowest
address) assigned by one of the registries to an organization.  That's
the simple definition.

	There are three major registries for these netblocks.  ARIN handles
the western hemisphere.  RIPE handles Europe and Africa, while APNIC
(Asia Pacific Network Information Center) handles Asia and the Pacific
Basin.  All have huge blocks of addresses allocated to them by IANA
for assignment.

	When an allocation is made, it's often listed as to the country
in which the organization is registered.  Generally (but not always)
knowing a peer address exists within a netblock assigned to a particular
country is a pretty good indication that the connection is within those
geographic boundaries.  Obviously, multinational companies (which would
generally NOT be the case for China) and VPNs tend to distort that and
create exceptions, but it's still a good rule of thumb.  Knowing what
netblocks are assigned to what country is a good guideline for determining
if an attack is originating from within their boundaries.

	For example...  If I were scanned or attacked from an address,
say like (chosen totally at random - not a real address AFAIK),
that would be in the netblock of 202.4.252/22 which are all addresses
from to  That "netblock" comprises 1022 host
addresses (which could be further subnetted) which happen to be assigned
to China.  Chances are real damn good that an attack originating from
any address in that block originates within China so I would be safe in
guessing that's where the attacking system resides.  Not 100% sure, but
it's a safe bet with simple attacks and simple networks.

> Thanks in advance.

>  -- 
> ===========================================
> The harder I work, the luckier I get.
>                     Lee Iacocca
> ===========================================
> Thompson Freeman          tfreeman at intel.digichem.net

 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
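As an added illustration (not part of Michael's message or the ALE archive), the following Python script does the netblock arithmetic described above: it turns a /n prefix into a netmask, computes the first and last address and the usable host count with the "size minus 2" rule from the message, checks that a block is aligned on a multiple of its size, tests whether an address falls inside a block, and maps an address to its old classful network width. The block 202.4.252/22 is the one from the message; the probe addresses in the `__main__` section are constructed for the demonstration and are not the (elided) address the message refers to.

```python
"""Netblock (CIDR) arithmetic, as explained in the message above.
Added example; not code from the mailing-list post."""
from __future__ import annotations

import ipaddress

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(address: str) -> int:
    """'202.4.253.17' -> 32-bit integer.  Short forms such as '202.4.252'
    are padded with trailing zero octets, matching the message's '202.4.252/22'."""
    octets = [int(o) for o in address.split(".")]
    if not 1 <= len(octets) <= 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {address!r}")
    octets += [0] * (4 - len(octets))
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(prefix_len: int) -> int:
    """/n means the top n bits are the network field: a mask of n leading ones."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def parse_netblock(spec: str) -> tuple[int, int]:
    """Parse 'a.b.c.d/n' into (network, prefix_len).  A netblock is aligned on
    a multiple of its size, so every host bit of the base address must be zero."""
    addr, _, prefix = spec.partition("/")
    if not prefix:
        raise ValueError(f"missing /n in {spec!r}")
    network = dotted_to_int(addr)
    n = int(prefix)
    host_bits = ~netmask(n) & ALL_ONES
    if network & host_bits:
        raise ValueError(f"{spec} is not aligned on a /{n} boundary")
    return network, n


def describe(spec: str) -> dict:
    """Netmask, size, first/last address and usable host count of a netblock.
    Hosts follow the message's rule: block size minus the all-zeros and
    all-ones addresses."""
    network, n = parse_netblock(spec)
    size = 1 << (32 - n)
    return {
        "prefix_len": n,
        "netmask": int_to_dotted(netmask(n)),
        "first": int_to_dotted(network),
        "last": int_to_dotted(network + size - 1),
        "size": size,
        "hosts": max(size - 2, 0),
    }


def contains(spec: str, address: str) -> bool:
    """True when the address masked to the network field equals the block base."""
    network, n = parse_netblock(spec)
    return (dotted_to_int(address) & netmask(n)) == network


def classful(address: str) -> tuple[str, int | None]:
    """Old classful system: the leading bits of the first octet fix the class,
    and the class fixes the network-field width (A=/8, B=/16, C=/24)."""
    first = dotted_to_int(address) >> 24
    if first < 128:
        return "A", 8
    if first < 192:
        return "B", 16
    if first < 224:
        return "C", 24
    if first < 240:
        return "D", None  # multicast: no network/host split
    return "E", None  # reserved


def matches_stdlib(spec: str) -> bool:
    """Cross-check the hand-rolled arithmetic against the ipaddress module."""
    network, n = parse_netblock(spec)
    net = ipaddress.ip_network(f"{int_to_dotted(network)}/{n}")
    return int(net.network_address) == network and net.num_addresses == (1 << (32 - n))


if __name__ == "__main__":
    block = "202.4.252/22"  # the netblock named in the message
    print(block, "->", describe(block))
    # constructed probe addresses, not the address elided from the message
    for probe in ("202.4.253.17", "202.5.0.1"):
        print(probe, "in", block, "->", contains(block, probe), "classful:", classful(probe))
```

Run as a script it prints the 202.4.252/22 summary (netmask 255.255.252.0, 202.4.252.0 through 202.4.255.255, 1022 hosts) and then shows one constructed address inside the block and one just outside it. The alignment check in `parse_netblock` is the "all lower bits zero for the lowest address" property from the message: a spec such as 202.4.253/22 is rejected because its third octet has host bits set.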
