Malicious Internet Activity: The Top 10 Countries
Country IP Blocks is reporting a surge in malicious internet activity over the last six weeks. A sampling of internet activity we monitor shows a 37% increase in malicious traffic since April 1, 2009.
China is currently leading the world in malicious activity and botnets, followed by Brazil, Russia, India, Korea, Viet Nam, Ukraine, Turkey, Italy and Argentina.
The following countries, in ascending order, account for 78.7% of monitored harmful traffic. Country IP Blocks is providing links to specific Access Control List formats for each country. Click on the country format of your choosing, or use the Country Form on the sidebar to select all 10 countries at once in your format choice.
Top 10 countries with outgoing malicious internet activity:
| Country | CIDR | Netmask | IP Range | .htaccess deny |
|---|---|---|---|---|
| China | CIDR | Netmask | IP Range | .htaccess deny |
| Brazil | CIDR | Netmask | IP Range | .htaccess deny |
| Russia | CIDR | Netmask | IP Range | .htaccess deny |
| India | CIDR | Netmask | IP Range | .htaccess deny |
| Korea | CIDR | Netmask | IP Range | .htaccess deny |
| Viet Nam | CIDR | Netmask | IP Range | .htaccess deny |
| Ukraine | CIDR | Netmask | IP Range | .htaccess deny |
| Turkey | CIDR | Netmask | IP Range | .htaccess deny |
| Italy | CIDR | Netmask | IP Range | .htaccess deny |
| Argentina | CIDR | Netmask | IP Range | .htaccess deny |
Country IP Blocks recommends you monitor your internet traffic often. Use Access Control Lists as needed and filter unwanted traffic.
I’ve used the country IP network tool for deny .htaccess and it’s been very helpful. I also find the top 10 list interesting. My particular issue: the majority of malicious traffic today for me is from the Netherlands. Anyhow, I’ve noticed some issues, primarily in addresses not falling into country ranges.
For example, I have an IP 80.67.6.226 hitting my site attempting form based attacks. A lookup on ARIN shows this as CIDR: 80.0.0.0/8, Country: NL. I ran this against the current list of IP Networks from Country IP Blocks tool (see list below) and found that it doesn’t fall into any ranges.
To make the .htaccess file a bit cleaner, smaller and faster, is there a possibility to option by masking with /8’s where they are applicable? I’ve noticed quite a few IPs in the same situation as the one I listed above.
Thanks for creating a great tool. -Joe
deny from 80.56.0.0/15
deny from 80.60.0.0/15
deny from 80.64.240.0/20
deny from 80.65.96.0/20
deny from 80.65.112.0/20
deny from 80.69.64.0/20
deny from 80.69.80.0/20
deny from 80.69.160.0/20
deny from 80.73.128.0/20
deny from 80.79.32.0/20
deny from 80.79.96.0/20
deny from 80.79.192.0/20
deny from 80.84.224.0/20
deny from 80.84.240.0/20
deny from 80.85.32.0/20
deny from 80.85.128.0/20
deny from 80.85.160.0/20
deny from 80.89.224.0/20
deny from 80.94.64.0/20
deny from 80.95.160.0/20
deny from 80.100.0.0/15
deny from 80.112.0.0/17
deny from 80.112.128.0/18
deny from 80.112.192.0/18
deny from 80.113.0.0/16
deny from 80.114.0.0/17
deny from 80.114.128.0/18
deny from 80.114.192.0/18
deny from 80.115.0.0/17
deny from 80.115.128.0/18
deny from 80.115.224.0/19
deny from 80.126.0.0/15
deny from 80.242.96.0/20
deny from 80.242.224.0/20
deny from 80.242.240.0/20
deny from 80.246.176.0/20
deny from 80.246.192.0/20
deny from 80.247.128.0/20
deny from 80.247.144.0/20
deny from 80.247.160.0/20
deny from 80.247.192.0/20
deny from 80.247.208.0/20
deny from 80.248.32.0/20
deny from 80.252.80.0/20
deny from 80.255.240.0/20
Joe:
You have asked an excellent question. The answer to your question is yes and no. In the old days you might’ve been able to get away with a clean block on /8. But there is a problem with your request. First, while ARIN does have records pointing to 80.0.0.0/8 as the block for 80.67.6.226, ARIN is not the registrar. The correct registrar is RIPENCC.
If you go to http://www.ripe.net and do a lookup on 80.67.6.226 you will see it actually belongs to 80.67.0.0/20 in Sweden not the Netherlands. It is further subnetted to 80.67.6.224/27.
If we mask networks with /8’s we will end up blocking several different countries with one mask. This is impractical for our current purposes.
However, one of the things we are working on is an aggregated list for each country. This would significantly shorten all the lists. You still won’t end up with /8’s but the list size would shrink. We are also developing “whois” capabilities to allow you to narrow the real troublemaking networks down.
Thanks for your great comments. We hope you continue to use our data and that you will invite friends to check us out. Oh, a backlink is always great!
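The containment and aggregation points in the exchange above, as an added example (not code from Country IP Blocks or from either commenter): it checks 80.67.6.226 against a subset of the deny lines Joe posted, merges adjacent ranges the way an aggregated list would, and counts how many addresses a single 80.0.0.0/8 rule would block beyond the listed ranges. The function names are illustrative.

```python
import ipaddress

# Subset of the "deny from" lines posted in the comment above (values from the page).
DENY_LINES = """\
deny from 80.56.0.0/15
deny from 80.60.0.0/15
deny from 80.64.240.0/20
deny from 80.65.96.0/20
deny from 80.65.112.0/20
deny from 80.69.64.0/20
deny from 80.69.80.0/20
deny from 80.112.0.0/17
deny from 80.112.128.0/18
deny from 80.112.192.0/18
deny from 80.113.0.0/16
"""

def parse_deny(text):
    """Parse Apache 'deny from <cidr>' lines into network objects."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and [p.lower() for p in parts[:2]] == ["deny", "from"]:
            nets.append(ipaddress.ip_network(parts[2]))  # raises if host bits are set
    return nets

def matching(ip, nets):
    """Networks in the list that contain ip (empty list means not blocked)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in n]

def aggregate(nets):
    """Merge adjacent or overlapping ranges without widening coverage."""
    return list(ipaddress.collapse_addresses(nets))

def overblock(supernet, nets):
    """Addresses a single supernet rule would block beyond the listed ranges."""
    sup = ipaddress.ip_network(supernet)
    listed = sum(n.num_addresses for n in aggregate(nets) if n.subnet_of(sup))
    return sup.num_addresses - listed

NETS = parse_deny(DENY_LINES)

if __name__ == "__main__":
    print("80.67.6.226 matched by:", matching("80.67.6.226", NETS))
    for net in aggregate(NETS):
        print("deny from", net)
    print("extra addresses blocked by 80.0.0.0/8:", overblock("80.0.0.0/8", NETS))
```

Eleven rules collapse to six with identical coverage, while the /8 shortcut would deny more than 16 million addresses that are not in the listed ranges.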
Thank you for a great response. You are absolutely correct (unfortunately). After I wrote this request, I did some further digging on RIPENCC and Domain Tools. It certainly makes things quite difficult. I think my best answer at the moment is to only allow ‘US’ systems to connect. It’s amazing how many spam form bots are out there.
I really like the idea of aggregated lists and can’t wait for it to come out. You guys have some really powerful tools here. Keep up the great work!
Will definitely consider a backlink to this site for other people who are in the same situation that I am.
Thanks
Oh, thanks. This really helped me out. I’ve been having lots and lots of spam visitors from Ukraine, and now I just blocked all the IP span from this region. I hope I’ll never have these intruders again.
This top ten is great.
You need to update your links, as they are still using remotetm.net.
Hi…none of the text links for IP ranges or .htaccess blocks work – can you update them?
All the IP Block text links are accurate. Please check that you are not using a cached page or the older links. Refresh your cache, update the links and try again.
The links are pointing to http://www.remotetm.net/e_country_data/…..
You can get the data by substituting the domain names manually. Still a pain though
@Josh
Josh:
Thank you for addressing the problem. The links have been edited to resolve to the correct location.