
In recent events, a server I've been managing has been under a few attacks, a risk you take when hosting a web server.

The firewall has been set up properly to only allow connections through the ports used.

The thing is, there was brief discussion about blacklisting all IPs from certain countries that don't fit into the scope of the website, meaning the idea is to automatically blacklist anyone from several countries where some attacks originate from, but users don't.

Is it practical to auto-blacklist users by Geo-IP from regions that don't normally use the website?

We've been thinking of having this limit for at least back-end ports, meaning only the countries that house authorized people are allowed through.

Lighty
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/40652/discussion-on-question-by-lighty-is-it-practical-to-pre-blacklist-certain-geoip). – Rory Alsop Jun 02 '16 at 11:36

3 Answers


It's essentially a business decision, rather than a security one. The risks from a business perspective are that you lose users from that country, or who are accessing the site from VPNs located in that country, and that, whilst really unlikely, it's theoretically possible for IP assignments to change, meaning that if you didn't keep these blocks maintained and updated with the latest assignments, you might accidentally block legitimate users from target countries, who happen to have been given IPs from a pool previously assigned to a blocked country.

From a security point of view, it can reduce the volume of attacks, and increase the costs to an attacker of targeting your site (since they need to get machines from specific countries, rather than any machines).

It tends to make sense when you have a regionally restricted product - think of shops where goods are only shipped within a specific country, competitions which only accept entries from people in a given region, or systems which work in conjunction with physical businesses which have a limited range (e.g. deliveries to a national chain store, so there would be no way for a user elsewhere to benefit from the service). In those cases, it tends to be easier to justify the risks, since there is no way people from other countries can use the service (and it wouldn't be hard to include neighbouring countries in case of edge cases - a Portuguese business might include Spanish IP ranges, just in case, say).

It makes less sense when you have an information business, or a digital product. In these cases, you might end up getting more unwanted traffic, as people who want to obtain the product resort to VPNs within allowed countries. Think artificial restrictions such as film releases staggered around the world, TV shows with months of delay before being shown outside the country of origin, or game releases.

You can obtain country-specific IP lists from sites such as http://www.ipdeny.com/ipblocks/ and then choose whether to use a whitelist approach ("we only deliver to southern Italy, so will only allow Italian and Vatican City IP addresses") or a blacklist approach ("we see lots of attacks from Australia, so will block all Australian IP addresses").

(Please note, all countries are randomly selected and should not be taken as approval or disapproval of given countries.)

Matthew
  • I did say "_really_ unlikely"! You get the odd situation where a block splits following war, but I would suspect that there were more pressing matters to deal with in those cases. – Matthew Jun 01 '16 at 13:33
  • Any concerns about IP blocks changing nationality can be put to bed if you use something like the MaxMind GeoLite2 database, and keep it up-to-date. IP blocks *do* regularly get transferred from one country to another, but keeping an up-to-date GeoIP database will mitigate virtually all risk of false positives. – Simba Jun 01 '16 at 15:17
  • Counter-example: ordering flowers to be delivered on Mother's day from the country you happen to be visiting at the time. Just because the delivery range is small does not mean that orders cannot be placed from elsewhere. – Matthieu M. Jun 01 '16 at 15:19
  • Good point, but that's why it's a business choice, rather than something that security teams should be ramming through. Does the company consider the potential loss of business from people who order whilst outside the country worth accepting in order to reduce attacks? If they have data showing that it would cost them a handful of orders a year, but save more than that in reduced bandwidth costs, they might go for it. If the data shows remote orders are worth more than the bandwidth costs from attacks, they might decide to avoid it. – Matthew Jun 01 '16 at 15:24
  • @Matthew I think you're underestimating the problem people from disintegrated countries face with geolocation. I myself spent quite a while using an IP address assigned to my country four countries ago. The non-updated databases are actually quite an issue in this case. Many still point to the country that stopped existing more than 10 years ago, some point to the country that stopped existing ~15 years ago. Few still show the original allocation from time to time. – AndrejaKo Jun 01 '16 at 15:34
  • @Matthew So while it is unlikely to among all the IP addresses stumble upon an IP address that is in databases allocated to a non-existing country, among the IP addresses assigned to countries that do not exist any more, it's not so uncommon to actually find a big number of them that are still listed to a previous incarnation. This combined with integration of geolocation with other services, such as shipping cost calculations or automatic language redirection (especially if website makers don't know the difference between country code and language code) can cause quite big issues. – AndrejaKo Jun 01 '16 at 15:38
  • @AndrejaKo They can cause big issues, but, depending on the business, they may only be big issues for low numbers of users. My first paragraph does mention that it is important to keep these lists up-to-date - in that case, there shouldn't be problems, but it is very common for this kind of solution to be put in place and forgotten until someone is on holiday and tries to log in (usually during an emergency) and gets blocked. – Matthew Jun 01 '16 at 15:48
  • @Philipp while the country geolocation is _usually_ right, I have seen enough errors not to trust that it will always be correct. Adding some hurdles (eg. captchas) to a legit customer may be acceptable, denying him access (even worse, claiming he is not in the country he is in), would be very bad. OTOH blacklisting only very specific countries may not be too intrusive. – Ángel Jun 01 '16 at 21:32
  • How practical it is depends on how many countries you're trying to block, how actively you want to maintain those blocks, and the purpose of enforcing those blocks. If the reason is simple, such as "we don't do business in X, and we're seeing many attacks originate from X", then yes. For example, my Ventrilo servers block Turkey by default because of the amount of freeloaders from that region, and the online community is US/English based. By default, you should avoid this practice, as the consequences are generally blocking legitimate traffic. – IceMage Jun 02 '16 at 15:13
  • "It's essentially a business decision, rather than a security one." – mostlyinformed Jun 02 '16 at 16:56
  • With the ever-tightening IPv4 shortage expect to see IPs getting moved around a lot more than they used to be. – Peter Green Nov 28 '18 at 05:16
  • It makes absolute sense to geo lock down specific ports, i.e. SSH, RDP, FTP, etc. Leave the smtp, http and https ports open but block all the other ports via geo ip. If you don't care to get email or web traffic from the countries, you can just block all ports. – jjxtra May 20 '19 at 16:19

Banning ranges of IPs is generally not a good idea. You should only do this if a range is consistently a big problem for you. Here's why:

  • Many people use VPNs or anonymizing networks such as TOR, meaning valid users may appear to have an IP from a country you don't consider to be part of your target audience. Users of such networks may not use your service if they have difficulty connecting.
  • It is difficult, if not impossible, to truly ban by location when talking about IP addresses. In your case, it might be easier, as you are looking at whole countries and regions rather than more specific places.
  • A dedicated attacker can easily circumvent IP-based bans. You'll only be stopping script kiddies. Annoyances like this can be dealt with using well-set-up firewalls; resilient, well-configured server software; and secure backend code.

As for only allowing certain IP ranges on backend/administrative ports: go for it. This is absolutely a good idea, as you can have certain expectations of your sysadmins (that they don't need to log in with a VPN or other anonymizing network, that they live in an area with a certain IP range, etc.) that you can't have of your customers.

Rogue
  • +1 for the point about admin services; indeed here the target population is so small that a white-list is practical. – Matthieu M. Jun 01 '16 at 15:21
  • Blocking script kiddies is often worth it: it clears up your log files so the real attacks stand out. – Mark Jun 01 '16 at 23:02
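Putting Matthew's zone-file approach (whitelist vs. blacklist from ipdeny-style lists) and Rogue's advice to restrict only the administrative ports together, here is an added example; it is not code from either answer or from ipdeny. It parses zone files of the one-CIDR-per-line format, applies an allow or deny policy scoped to chosen ports, refuses a list that is older than a cut-off (since blocks do move between countries), and renders the result as an nftables ruleset. `ZONE_FILES`, `GeoPolicy`, `render_nft`, the set names and the 30-day limit are all assumptions made for the example, and the address ranges are RFC 5737 documentation prefixes, not real country allocations.

```python
"""Country-based access policy built from ipdeny-style zone files.

Example code added for this answer, not the project's own: ZONE_FILES,
GeoPolicy, render_nft and the 30-day staleness limit are assumptions.
"""
import ipaddress
from datetime import date

# Constructed zone files in ipdeny's format (one CIDR per line, "#" comments).
# The ranges are RFC 5737 documentation prefixes, not real allocations.
ZONE_FILES = {
    "it": "# it.zone (constructed)\n192.0.2.0/24\n198.51.100.0/25\n",
    "va": "198.51.100.128/25\n",
    "au": "203.0.113.0/24\n",
}
ADMIN_PORTS = {22, 3389}  # the "back-end ports" the question wants to restrict


def parse_zone(text):
    """Return the networks listed in one zone file."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def load_zones(files):
    return {cc: parse_zone(text) for cc, text in files.items()}


def zone_is_stale(fetched_on, today, max_age_days=30):
    """Lists go out of date as blocks move between countries; refuse old ones.
    Both dates are ISO strings (YYYY-MM-DD), e.g. as stored beside the list."""
    age = date.fromisoformat(today) - date.fromisoformat(fetched_on)
    return age.days > max_age_days


def country_of(ip, zones):
    """Country code whose zone contains ip, or None if no zone matches."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in zones.items():
        if any(addr in net for net in nets):
            return cc
    return None


class GeoPolicy:
    """mode "allow": whitelist, only the listed countries may reach the ports.
    mode "deny": blacklist, the listed countries are refused on the ports.
    ports=None applies the policy to every port."""

    def __init__(self, zones, mode, countries, ports=None):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.zones, self.mode = zones, mode
        self.countries, self.ports = set(countries), ports

    def permits(self, ip, port):
        if self.ports is not None and port not in self.ports:
            return True  # policy is scoped to other ports
        cc = country_of(ip, self.zones)
        if self.mode == "allow":
            return cc in self.countries  # unknown origin is refused
        return cc not in self.countries  # unknown origin passes


def render_nft(policy, table="geo"):
    """Render the policy as an nftables ruleset (one interval set, one rule)."""
    set_name = "geo_allow" if policy.mode == "allow" else "geo_deny"
    elements = sorted(
        str(net) for cc in policy.countries for net in policy.zones.get(cc, [])
    )
    if not elements:
        raise ValueError("no networks loaded for the selected countries")
    port_match = ""
    if policy.ports is not None:
        port_match = "tcp dport { %s } " % ", ".join(str(p) for p in sorted(policy.ports))
    negate = "!= " if policy.mode == "allow" else ""
    rule = f"{port_match}ip saddr {negate}@{set_name} drop"
    return "\n".join([
        f"table inet {table} {{",
        f"  set {set_name} {{",
        "    type ipv4_addr",
        "    flags interval",
        "    elements = { " + ", ".join(elements) + " }",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    {rule}",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    zones = load_zones(ZONE_FILES)
    admin = GeoPolicy(zones, "allow", {"it", "va"}, ports=ADMIN_PORTS)
    print(render_nft(admin))
```

In allow mode an address that matches no loaded zone is refused on the scoped ports, which is the safe default for an admin whitelist and also the reason a stale or incomplete list hurts legitimate users; in deny mode the same unknown address passes, so a blacklist only ever removes traffic from the countries you actually listed.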

Don't waste your time trying to maintain GeoIP blacklists. It's a kneejerk response, and is shortsighted and ineffective in practice.

Think of it like terrorism-- Timothy McVeigh detonates a bomb in Oklahoma. You ban all white men from America. Does that really stop the problem?

The majority of actual attacks I've seen come from botnets and/or anonymous proxies. So even if you block China, Chinese attackers are just going to route their traffic through compromised hosts in the US or Europe. Block China, Iraq, Turkey, Russia...they will route around it. It's the very nature of the internet.

Behavioral profiling is much more effective as a countermeasure than dynamic blacklists. Someone hammering at a service should be blocked no matter where their traffic originates.

Instead, depending on what you're trying to protect, consider using a WAF or proxy like Cloudflare-- you can easily block by country if it helps you sleep better at night, but the more important mitigator is that they function as a shared intelligence repository. (You don't have to use them specifically, I've just had good experience with them).

If they detect attackers hammering someone else's site, and those same attackers try to hammer yours, they'll be blocked or hindered by virtue of the fact that they are previously associated with malicious activity-- not the fact that they live in Guangdong or Belarus.

This will not work with SSH and the like, so you'll still need to use something like fail2ban to deter attacks on those services. But for HTTP and the like, it's been great.

Ivan
  • +1 for Cloudflare. Another advantage is that as part of their service, they provide TLS for all their users, even on the free level. True, it's only TLS until their own servers, but it protects against MitM attacks on unprotected networks. Note that Cloudflare requires you to have an enterprise subscription with them for country-based IP blocking, although you can still block through IP ranges, even on the free level. – Nzall Jun 02 '16 at 11:00
  • SSL/TLS is a side "bonus"; not PCI-compliant or anything but gives you that nifty https:// header that Google supposedly gives higher pagerank to ;) – Ivan Jun 02 '16 at 14:05
  • Cloudflare shadow-blocks TOR nodes, which will lose you a lot of support from some communities concerned with anonymity. It's a tradeoff between some extra security and some loss in popularity. – Rogue Jun 03 '16 at 04:20
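As an added example of the behavioural approach Ivan recommends (blocking whoever hammers a service, whatever country the traffic comes from), here is a small fail2ban-style detector; it is not fail2ban's code nor anything from the answer. It parses constructed sshd `auth.log` lines, keeps a sliding window of failed logins per source address, reports sources that cross a threshold, and emits nftables commands that add them to a set with an expiry. The log lines, the threshold, the window, the year used for the timestamps, and the `inet filter banned` set (which is assumed to exist with `flags timeout`) are all constructed for the example; the addresses are RFC 5737 documentation prefixes.

```python
"""Rate-based blocking of sources hammering a service, regardless of origin.

Example code added for this answer (not fail2ban's): SAMPLE_LOG, the
thresholds and the "banned" set are assumptions made for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd's auth.log format (not real traffic).
SAMPLE_LOG = """\
Jun  1 13:31:02 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun  1 13:31:04 web1 sshd[2013]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun  1 13:31:05 web1 sshd[2015]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jun  1 13:35:10 web1 sshd[2031]: Failed password for alice from 198.51.100.9 port 40021 ssh2
Jun  1 13:35:40 web1 sshd[2032]: Accepted publickey for alice from 198.51.100.9 port 40022 ssh2
Jun  1 13:55:12 web1 sshd[2101]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Jun  1 14:02:00 web1 sshd[2140]: Failed password for invalid user test from 192.0.2.44 port 33000 ssh2
Jun  1 14:02:01 web1 sshd[2141]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Jun  1 14:02:03 web1 sshd[2142]: Failed password for invalid user guest from 192.0.2.44 port 33002 ssh2
Jun  1 14:02:04 web1 sshd[2143]: Failed password for invalid user pi from 192.0.2.44 port 33003 ssh2
"""

# Only failed password attempts count; successful logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2016):
    """Return (timestamp, source_ip) for every failed login in the log text.
    syslog timestamps carry no year, so one is supplied (assumed 2016 here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m.group("ip")))
    return events


def find_offenders(events, max_failures=3, window_seconds=600):
    """Map each source that reaches max_failures inside the sliding window to
    the time it crossed the threshold. Origin country plays no part."""
    offenders = {}
    recent = defaultdict(deque)
    for ts, ip in sorted(events):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures older than the window
        if len(window) >= max_failures and ip not in offenders:
            offenders[ip] = ts
    return offenders


def ban_commands(offenders, set_name="banned", bantime="1h"):
    """nft commands adding each offender to a timeout set so bans expire
    on their own (the set is assumed to exist with 'flags timeout')."""
    return [
        f"nft add element inet filter {set_name} {{ {ip} timeout {bantime} }}"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    hits = find_offenders(parse_failures(SAMPLE_LOG))
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(ban_commands(hits)))
```

The second source in the sample fails twice but twenty minutes apart and logs in successfully in between, so it is never banned; the two that fire three or more failures inside ten minutes are, and the same rule would catch a compromised host in your own country just as readily as one abroad, which is the point Ivan makes about botnets and proxies.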