Subject: Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 01:34:13AM +0000, Warren Bailey wrote:
> I can’t help but wonder what would happen if US Corporations simply
> blocked all inbound Chinese traffic. Sure it would hurt their business,
> but imagine what the Chinese people would do in response.
Would it hurt their business? Really?
Well, if they’re eBay, probably. If they’re Joe’s Fill Dirt and Croissants in Omaha, then probably not, because nobody, NOBODY in China is ever actually going to purchase a truckload of dirt or a tasty croissant from Joe. So would it actually matter if they couldn’t get to Joe’s web site or Joe’s mail server or especially Joe’s VPN server? Probably not.
Nobody in Peru, Egypt, or Romania is likely to be buying from Joe any time soon either.
This is why I’ve been using geoblocking at the network and host levels for over a decade, and it works. But it does require that you make an effort to study and understand your own traffic patterns as well as your organizational requirements. 
I use it on a country-by-country basis (thank you ipdeny.com) and on a service-by-service basis: a particular host might allow http from anywhere, but ssh only from the country it’s in. I also deny selected networks access to selected services, e.g., Amazon’s cloud doesn’t get access to port 25 because of the non-stop spam and Amazon’s refusal to do anything about it. Anything on the Spamhaus DROP or EDROP lists (thank you Spamhaus) is not part of my view of the Internet. And so on. Combined, all this achieves lossless compression of abusive traffic.
This is not a security fix, per se; any services that are vulnerable are still vulnerable. But it does cut down on the attack surface as measured along one axis, which in turn reduces the scope of some problems and renders them more tractable to other approaches.
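As an illustration of the per-country, per-service filtering described above (added here; this is not the poster's own configuration), the script below renders an nftables ruleset in which http is accepted from anywhere, ssh only from the host's own country, SMTP is refused to one selected network, and anything on a DROP-style list is dropped outright. All CIDR lists are constructed samples from the RFC 5737 test ranges; in practice the country set would be filled from an ipdeny.com zone file, the drop set from the Spamhaus DROP/EDROP lists, and `no_smtp` from the provider ranges you have decided to exclude. The script only prints the ruleset; loading it would be `nft -f` on the output.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders an nftables ruleset
# implementing country-by-country and service-by-service filtering.
# Assumptions: every CIDR below is a constructed sample (RFC 5737 test nets)
# standing in for real lists: HOME_COUNTRY_CIDRS for an ipdeny.com zone file,
# DROP_CIDRS for Spamhaus DROP/EDROP, NO_SMTP_CIDRS for a cloud provider's
# ranges you choose to keep away from port 25.
set -eu

HOME_COUNTRY_CIDRS="192.0.2.0/24"
DROP_CIDRS="198.51.100.0/25
198.51.100.128/25"
NO_SMTP_CIDRS="203.0.113.0/24"

# render_set NAME CIDR_LIST: emit one interval set (newline-separated CIDRs
# are joined into a single nft elements line; blank lines are ignored).
render_set() {
    printf '    set %s {\n        type ipv4_addr\n        flags interval\n' "$1"
    printf '%s\n' "$2" | awk 'NF { a = a (a ? ", " : "") $0 }
                              END { print "        elements = { " a " }" }'
    printf '    }\n'
}

# render_ruleset: print the complete table. Rule order matters: list-based
# drops come first, then the services that are open to everyone, then the
# services restricted to the home country; the chain policy drops the rest.
render_ruleset() {
    printf 'table inet filter {\n'
    render_set home_country "$HOME_COUNTRY_CIDRS"
    render_set spamhaus_drop "$DROP_CIDRS"
    render_set no_smtp "$NO_SMTP_CIDRS"
    cat <<'EOF'
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # DROP/EDROP networks are simply not part of our view of the Internet
        ip saddr @spamhaus_drop drop
        # selected networks are denied a selected service (here SMTP)
        ip saddr @no_smtp tcp dport 25 drop
        # http from anywhere
        tcp dport 80 accept
        # ssh only from the country the host is in
        ip saddr @home_country tcp dport 22 accept
        # everything else falls through to the drop policy
    }
}
EOF
}

render_ruleset
```

The sets are IPv4 only; a host with IPv6 connectivity needs a parallel `ipv6_addr` set per list and matching `ip6 saddr` rules, or the country restriction on ssh is silently absent over v6. The point of keeping the list data separate from the rules is that the zone and DROP files change, so regenerating the sets can be automated while the policy itself stays reviewable.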