I take a few random IP scans using umit. If x samples return no open ports then it's probably DSL, although occasionally I get a false report for a cloud using this technique. NOTE: A single scan on an IP taken from a "security" log is not conclusive as virus-contaminated IPs usually show open unless the computer has been switched off.
Probably a secondary indication for people in the US is that EU-area DSL machines are usually turned off during your "daylight" hours. Not sure how this applies to China - I'm not that good at time zones. :)
I've heard it said that IP scans are evil and anti-social but in my book if someone hits my server with a blockable access then fair game.
Some things are pretty obvious, esp. for those that return reverse DNS data.
Guess my real problem is trying to make sense out of some of the APNIC records.
Some countries are pretty easy, others are a real PITA, especially if you don't know some of the local terms and such. Although I've been doing this for many years I still find it a real learning experience and often I find Asian countries the hardest as they don't deliver the data as granular as needed and/or using the terms required to make simple decisions.
I've resorted to blocking entire providers (like a Comcast equivalent) or, worst case, entire countries just out of frustration.
I take a few random IP scans using umit.
Do you do this via a proxy or directly from your server's IP?
Without using a proxy, I'd be worried about having my IP flagged as a potential security risk for scanning people's IPs.
Bill - are you using Linux? If so, run umit and select Quick Scan - I find that's adequate.
No, I do not use a proxy even though I have a fixed IP. I do not make that many scans on any given network at any one time and I've never detected a rejection (that I know of!). I suspect that ISPs do not have the time/patience/resources to worry about the odd IP scan when they must be bombarded with botnet/etc scans continually. And servers get a LOT of those!