
I use a Meraki firewall and want to block outside attack attempts. Is there a list of countries that are known to be malicious? I want to load them into the system and GEO block them. I know that some legitimate sites have hosting in another country. Can this pose an issue? Any suggestions would be highly appreciated. I want to ensure we have a secure outside perimeter.

schroeder
john_zombie
  • https://blogs.akamai.com/sitr/2018/07/geographic-normalization-of-web-attack-data.html I found this to be a fun look at some of the data out there. – DarkMatter Jan 16 '19 at 21:49
  • Thanks for sharing :) that was informational. I am looking for something like a list of regions or IPs I can plug into the ruling. – john_zombie Jan 16 '19 at 21:52
  • The lists of historically cyber aggressive nations are very, very easy to look up. I'm curious about your approach, though. Why blacklist certain countries? Are you expecting random outside connections to be made through your router? Are you wanting to block outgoing connections? – schroeder Jan 16 '19 at 22:00
  • Like I know China and Russia are obvious ones. I see no reason why my users' data should be beaconing to those countries or weird foreign IPs in general, since we only operate within the US. I want to block foreign IPs from performing nmap scans, etc. – john_zombie Jan 16 '19 at 22:04
  • So ... it's a corporate router and you want to block both incoming and outgoing connections to these countries? If so, those are important details. And I believe we have a duplicate already asked. – schroeder Jan 16 '19 at 22:15
  • Yes, this is on a corporate network. – john_zombie Jan 16 '19 at 22:16
  • So, does this answer your question: https://security.stackexchange.com/questions/72230/is-blocking-a-countrys-access-to-a-website-a-good-measure-to-avoid-hackers-from – schroeder Jan 16 '19 at 22:16
  • That shed some light. This is something I have to further think about and decide. But the obvious countries I should block are China, Russia, etc. – john_zombie Jan 16 '19 at 22:37

1 Answer


Filtering entire countries' IP ranges will significantly cut down on the amount of malicious traffic coming from actors in those countries, but it will almost 100% ENTIRELY block legitimate users from those countries.

Also, while this is a decent approach to cope with automated scans, it does nothing against a human attacker, who will simply VPN their traffic.

IP blocking is best used for time-sensitive operations, like defending against a sudden spike of malicious traffic out of an IP range. Since it can be easily overcome, it's not an actual 'defense'; it's just a roadblock meant to momentarily impede, deter, or annoy.

Angelo Schilling
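The answer's point that IP blocking is best used as a short-lived response to a traffic spike, together with the asker's concern about legitimate sites hosted abroad, as an added example that is not from this thread or from Meraki: a small Python script that reads constructed firewall log lines, auto-blocks any /24 that exceeds a connection threshold inside a time window, attaches an expiry to each block so it lapses on its own, and skips a hypothetical allowlist of ranges that must never be blocked. The log format, thresholds and allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines (not real traffic): "timestamp src_ip dst_port".
SAMPLE_LOG = """\
2019-01-16T21:40:01 203.0.113.5 22
2019-01-16T21:40:02 203.0.113.6 22
2019-01-16T21:40:02 203.0.113.7 23
2019-01-16T21:40:03 203.0.113.8 445
2019-01-16T21:40:03 203.0.113.9 3389
2019-01-16T21:40:05 203.0.113.10 22
2019-01-16T21:41:10 198.51.100.20 443
2019-01-16T21:55:00 192.0.2.77 443
"""

# Hypothetical allowlist: a partner's site hosted abroad that must never be auto-blocked.
ALLOWLIST = [ip_network("198.51.100.0/24")]

def parse_log(text):
    """Yield (timestamp, source address, destination port) for each log line."""
    for line in text.splitlines():
        ts, src, port = line.split()
        yield datetime.fromisoformat(ts), ip_address(src), int(port)

def spike_blocks(text, threshold=5, window=timedelta(minutes=1), ttl=timedelta(hours=1)):
    """Return {network: expiry} for every /24 that makes `threshold` or more
    connections inside any `window`. Each block carries an expiry `ttl` after the
    spike, because this is a temporary roadblock, not a lasting defence."""
    per_net = defaultdict(list)
    for ts, src, _port in sorted(parse_log(text)):
        net = ip_network(f"{src}/24", strict=False)
        if any(net.overlaps(allowed) for allowed in ALLOWLIST):
            continue  # allowlisted ranges are never blocked, whatever the volume
        per_net[net].append(ts)
    blocks = {}
    for net, times in per_net.items():
        start = 0
        for end, ts in enumerate(times):  # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocks[net] = ts + ttl
                break
    return blocks

def is_blocked(src, blocks, now_iso):
    """True if `src` sits in a block entry that has not expired at `now_iso`."""
    addr, now = ip_address(src), datetime.fromisoformat(now_iso)
    return any(addr in net and now < expiry for net, expiry in blocks.items())
```

Feeding the sample log through `spike_blocks` blocks only 203.0.113.0/24, with an expiry one hour after the fifth hit, while the single-hit source and the allowlisted partner range stay reachable.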