89

I am currently outside the US trying to log in to my health care provider's website and the connection just times out. I reached out to them on Twitter and they told me that as a security measure they block connections from outside of the US and suggest I use a VPN.

So great, I can use a VPN to solve my problem. But I am curious, is there any real security advantage to this sort of IP address blocking? I am a geek (web developer), but not a security specialist so I am sure I am missing something, but it seems to me that if I can use a VPN to connect from Europe then any reasonable hacker would just do the same thing.

edited by Peter Mortensen
asked by Matthew Nichols
    It may mitigate the random port scans that come from botnets. It's like a picket fence; kids aren't going to run into your yard, but it's not going to stop a burglar who has targeted your house. – Ghedipunk Sep 16 '19 at 16:41
  • 4
    Possible duplicate of [Is blacklisting IP addresses a waste of time?](https://security.stackexchange.com/questions/82054/is-blacklisting-ip-addresses-a-waste-of-time) – Zaibis Sep 17 '19 at 05:19
  • Or https://security.stackexchange.com/q/146070/56061 – Zaibis Sep 17 '19 at 05:23
  • There are ongoing technical challenges inherent in this: actively maintaining your geo IP list due to new allocation (less relevant in IPv4 now) and redistribution of existing IP blocks between countries in an RIR or between RIRs. You've also got the expansion of new IPv6 blocks, the growing use of carrier NAT, etc – thomasrutter Sep 17 '19 at 07:08
  • 15
    A health care provider typically handles sensitive data. If they open up to EU clients, they need to cover for [GDPR's strict guidelines](https://www.lexology.com/library/detail.aspx?g=9b030e4a-d720-497a-88b9-866cf8e22505). IMHO they dodged a bullet there from a legal angle. – user3819867 Sep 17 '19 at 09:10
  • 6
    @user3819867 From what I've seen (but am not an expert) I don't think the GDPR applies to US-held data of a US person who happens to be in Europe when they want to access it. – TripeHound Sep 17 '19 at 10:03
  • 1
    @user3819867: Just because someone connects from Europe does not mean they are an "EU client". GDPR only applies to "EU residents", not to US residents who happen to be in Europe. So an IP block is not necessary for GDPR compliance, it's enough to check people's addresses (presumably you need the address during client signup anyway). – sleske Sep 17 '19 at 10:03
  • @user3819867 has a valid point, because it is not just about "clients" or "customers" but ***visitors*** to the site. If the site has tracking tech that would require a notice to data subjects, then it can make sense to block EU visitors in order to reduce the privacy notice and compliance headache. Lots of US companies block EU visitors for this reason (newspapers are an annoying example right now). – schroeder Sep 17 '19 at 10:12
  • 17
    [“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf). Even if it weren't so, a single US citizen that stays four months in the EU (thus becoming resident) can potentially cost you up to 4% of your turnover. Would you open that for debate or would you shut it off by a simple technical step? – user3819867 Sep 17 '19 at 11:07
  • I'm not a security expert either, but shouldn't someone mention DDOS attacks explicitly? It seems that geo-bans could significantly impair worldwide botnets. – Džuris Sep 18 '19 at 14:07
  • @user3819867: *(...) a single US citizen that stays four months in the EU (thus becoming resident) (...)* Staying four months in the EU does not make you a "resident". The EU Resident Card is something one applies for (there are restrictions), and then there is the "Long Term Resident" status you acquire after 5 years. – WoJ Sep 18 '19 at 16:00
  • @user3819867 Your conclusion is not necessarily wrong but the linked document and the quote are not about that. Recital 14 is about the distinction between legal and natural persons, it certainly does not mean that the GDPR applies to everybody everywhere all the time, the processing must still meet the criteria laid out in article 3. If it weren't so, putting a firewall would achieve nothing, the regulation would also cover American citizens who never left the US. – Relaxed Sep 18 '19 at 20:10
  • Meanwhile the paragraph in which you found this quote (and the whole chapter) is about the establishment criteria defined in article 3(1), i.e. “activities of an establishment of a controller or processor in the Union”. Assuming the health care provider is based in the US and does not have any operation or subsidiary in Europe, it would not fall under article 3(1). Data collected by an American processor about an American resident visiting Europe might still fall under the regulation but that would be under article 3(2), not 3(1). – Relaxed Sep 18 '19 at 20:11
  • 1
    @user3819867 if that were the case, a VPN does not solve the issue, and since they explicitly recommended it, they cannot even argue that you bypassed their security systems willingly. – Davidmh Sep 19 '19 at 11:27
  • 2
    @Davidmh They gave advice based on a call, they can argue that they were not *targeting* the EU, the tweak was granted after specific permission granted by the data subject. – user3819867 Sep 19 '19 at 11:32

4 Answers

167

The concept is "reducing the threat surface". If there is an expectation that no connections will be made from a certain geographic area, then it makes sense to block that area, because, by definition, it is not legitimate. In theory. (For a health provider, it's a weird choice since customers might want to manage their health while traveling, but this is a side issue.)

For one company I worked for, there was a list of countries that listed the Top 12 worst offenders for cybercrime, and we did not have any customers in those countries. So, it made sense to block them.

  • Could attackers use proxies/VPNs to attack from an allowed IP? You bet.
  • Did they? Who knows.
  • Did we experience high volumes of attacks from those 12 countries anyway? Oh yes.

We saw an immediate 80% drop in traffic to our webservers when we started the geo-IP ban.

answered by schroeder
  • OK great, so there is at least some utility. Whether it is worth the inconvenience to actual customers is, as you acknowledge, a separate issue. Thanks. – Matthew Nichols Sep 16 '19 at 17:03
  • @MatthewNichols you got it – schroeder Sep 16 '19 at 18:37
  • My company kept getting pings by random overseas "users" where we didn't have any clients, so we banned those countries as well. Basically, it makes it harder to be picked up by a random pickpocket, but it's not going to stop a targeted attack (the cynic in me says nothing has been found yet to stop a targeted attack). – Sep 17 '19 at 01:39
  • @Hosch250 Seems like a strange way to operate. Why not get on the front foot and just ban all countries where you don't have users? Why do you have to wait to be pinged? – Gregory Currie Sep 17 '19 at 08:02
  • @Hosch250 It can also increase the cost of a targeted attack; now the attackers need to make sure they get IPs in the target country. Not that hard, but it takes effort, likely more than setting the block up. And it reduces the fallback IPs they can use once you block the ones they have in the country. As with most of security, it's a numbers game of how much you want to invest and how costly you want to make attacks for someone. – Frank Hopkins Sep 17 '19 at 08:16
  • @GregoryCurrie The more countries you ban, the greater the chances of inconveniencing real users. In most cases, the countries where people are launching cyber attacks are also countries that have weak or no diplomatic relations with the country you operate in (for a US company, I'd expect Iran to be in the block list, for example), which makes the odds of having customers who are visiting there less likely. – James_pic Sep 17 '19 at 10:56
  • @GregoryCurrie Well, mostly because it works. There's very little threat from most countries on the planet. A disturbing amount of attacks comes from a very small group of countries. It's a trade-off between inconveniencing your users (and potential users) and excessive expenses in handling the attacks. – Luaan Sep 17 '19 at 11:14
  • @Luaan I don't think that you understood Greg's comment. Or else you might need to explain what you mean by "it works". – schroeder Sep 17 '19 at 11:18
  • @GregoryCurrie I don't think we have any customers based in France, for example, but I wouldn't be surprised if we had some traffic because of people accessing our site on vacation. – Sep 17 '19 at 12:48
  • @Hosch250 'My company kept getting pings by random overseas "users" where we didn't have any clients, so we banned those countries as well.' This suggests you wait for an attack to happen, and then reactively ban those countries. If the strategy is sound, why do you have to wait? What if somebody attacks you from France, for instance? Do you then block France? What about the people on vacation? – Gregory Currie Sep 17 '19 at 13:07
  • This wasn't just "somebody", it was hundreds or thousands of pings per day. – Sep 17 '19 at 13:17
  • @Hosch250, how many strange pings do you have from your very legitimate countries? If it's not about DDoS of your service, what is the reason to drop the traffic? Is your sales department informed that you've ruined your company's presence in those countries? – Yury Schkatula Sep 17 '19 at 17:48
  • We don't have a sales team in those countries; we aren't actively trying to sell anywhere outside the US. You can't just buy our product without calling us and us manually setting up a website for you. And I don't know if we know how many strange pings we have from the US. We occasionally have sporadic pings (maybe a couple a month) from western Europe, which we assume are from people traveling. We only noticed the ones we blocked because there is no reason for any traffic from there, much less hundreds/thousands of hits. – Sep 17 '19 at 18:06
  • And it wasn't my choice; I just happen to know about it. I don't know if sales was informed, but I do know the CEO knows. – Sep 17 '19 at 18:06
  • We did geo-blocks a couple of times for my association's website. It's not a perfect solution, but it cuts out a lot of random attempts, which is something I really value, since all the IT stuff is taken care of by me in my free time. – frollo Sep 18 '19 at 12:05
  • @schroeder I assume he means if 90+% of the attack traffic comes from less than 10 countries (which from all the statistics I've seen is entirely possible), introducing bans for the over hundred that aren't a problem increases the chance of inconveniencing your actual users with little benefit. – Voo Sep 19 '19 at 08:44
  • If the answer is formulated right, and the geo-block reduced overall traffic on the page by 80% by blocking illegitimate access, that is a cost factor as well. Even without thinking about security, this could save a big company a lot of money, reducing their traffic costs by 80%. – Falco Sep 19 '19 at 12:10
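The kind of measurement behind the "80% drop" in this answer, and the table-maintenance caveat raised in the question's comments (addresses that no longer map to a country), as an added example that is not part of the thread: a small Python script that runs a country allowlist over constructed access-log lines with a constructed prefix-to-country table and reports how much traffic the block would remove, how much of that traffic was already failing, and how unmapped addresses are treated under fail-open versus fail-closed. Prefixes, addresses and log lines are all made up; a real deployment uses a maintained GeoIP database.

```python
"""Added example, not from the thread: estimate what a country allowlist would
cut from web traffic. Log lines and the prefix->country table are constructed;
a real deployment uses a maintained GeoIP database."""
import ipaddress
import re
from collections import Counter
from typing import Optional
# Constructed lookup table: hypothetical prefixes, not real allocations.
PREFIX_COUNTRY = {"203.0.113.0/24": "US", "198.51.100.0/24": "US",
                  "192.0.2.0/24": "XA", "100.64.0.0/10": "XB"}
NETWORKS = [(ipaddress.ip_network(p), c) for p, c in PREFIX_COUNTRY.items()]
# Constructed access-log lines (common log format); 10.9.8.7 is deliberately
# absent from the table to stand for a reassigned or newly allocated block.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2019:16:41:02 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.44 - - [16/Sep/2019:16:41:03 +0000] "POST /login HTTP/1.1" 401 87
192.0.2.45 - - [16/Sep/2019:16:41:03 +0000] "POST /login HTTP/1.1" 401 87
100.64.12.9 - - [16/Sep/2019:16:41:04 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.3 - - [16/Sep/2019:16:41:05 +0000] "GET /claims HTTP/1.1" 200 2048
192.0.2.46 - - [16/Sep/2019:16:41:06 +0000] "GET /.env HTTP/1.1" 404 0
10.9.8.7 - - [16/Sep/2019:16:41:07 +0000] "GET / HTTP/1.1" 200 128
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match; None when the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, c) for n, c in NETWORKS if addr in n]
    return max(hits)[1] if hits else None

def geo_block_report(log_text: str, allow: set, fail_open: bool = True) -> dict:
    """Classify each request under a country allowlist. Unmapped addresses are
    admitted when fail_open is True (fewer locked-out customers), else rejected."""
    stats = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # skip malformed lines rather than crash
        ip, _method, _path, status = m.groups()
        cc = country_of(ip)
        allowed = cc in allow if cc is not None else fail_open
        stats["allowed" if allowed else "blocked"] += 1
        if cc is None:
            stats["unknown"] += 1
        if not allowed and status.startswith("4"):
            stats["blocked_4xx"] += 1   # blocked requests that were failing anyway
    total = stats["allowed"] + stats["blocked"]
    stats["blocked_pct"] = round(100 * stats["blocked"] / total) if total else 0
    return dict(stats)
```

Run it over a day of real logs before switching the block on: the `blocked_4xx` share tells you how much of what you would cut is scanner noise, and `unknown` tells you how many visitors the table's gaps would affect.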
9

One thing to consider: there are many countries in which the state, or maybe shady Internet providers, snoop on Internet traffic.

Even if your health care provider's website uses TLS (which I assume), PCs in those countries might have a fake root certificate installed to intercept your traffic. So when Joe Average becomes sick and goes to an Internet cafe to check his coverage on the health provider's website, no one can be sure that their data - and login credentials - are safe.

Blocking foreign IP addresses and requiring a VPN mitigates at least some of this - you can't install the VPN client on some public computer, so you need to use your own laptop; this helps against keyloggers as well, and MITM attacks against a VPN are way harder than MITM against HTTPS, because the VPN client knows which certificates to expect, so you can't just use a fake CA.

edited by Peter Mortensen
answered by Guntram Blohm
  • I think you have to insert compromised HTTPS certificates in the OS for that kind of snooping to work, which can work in places like North Korea. – lurscher Sep 18 '19 at 02:29
  • Most companies blocking IPs by geolocation probably aren't concerned for the end user's sake but rather their own data/network security. – TylerH Sep 18 '19 at 14:40
  • *"there are many countries in which the state, or maybe shady internet providers, snoop on internet traffic"* You mean like, say, the US and Canada? (Indeed among many others.) – user Sep 19 '19 at 08:28
3

The security benefit is likely small, but real.

My workplace deals with scans from foreign soil all the time. Mostly these come from a few notorious places like Palestine, or Russia where political and legal issues exist between the US and these countries that make them more attractive attack hosts. They also come from more friendly countries like France or The Netherlands. They're far less likely to come from inside my own country. I hazard a guess that this might be because it's easier to obtain search warrants or tap/trace devices for a source and a target within the same country. Where these people exist in meat-space is anyone's guess.

These are all largely automated processes targeting large swaths of the Internet. They're unsophisticated enough that the attacker isn't likely trying to target us per se, but is just trying to find "someone" to go after.

It's certainly true that these attackers can use other means to use an IP address inside my country. I've seen them do this through various other means when they're blocked by us. But this takes extra effort for the attacker, which may be better spent elsewhere and may not be worth the trouble for the attacker to go after a more hardened target.

As the saying goes, you don't have to be the fastest animal running away from the predator; you just can't be the slowest.

edited by Peter Mortensen
answered by Steve Sether
  • Geo-blockers are trivial to circumvent, but there is a population who don't bother and run their scripts from their home IP. Blocking certain countries saves the noise (and work checking the noise) of these "intrusions". Some sites also block known VPNs and hosting services, but for many this is turning away valuable trade. – Rich Sep 17 '19 at 21:31
  • It's always a balance. I would say most doors are trivial to defeat (one swift kick with some heavy boots), but I still wouldn't recommend removing them. – Nelson Sep 18 '19 at 04:59
  • "notorious places like Palestine"? I hear about scans and attacks from Russia and China all the time, but Palestine? Is that actually common? – user2752467 Sep 18 '19 at 08:24
  • @JustinLardinois For us it is. Oddly, we don't get scanned by China. I don't think I've seen one scan from that country. Quite a lot of other countries, however. I'd be curious to know more than my limited scope on where scans come from, though. – Steve Sether Sep 18 '19 at 21:14
  • @Rich They are trivial to circumvent for single users. But if you're running a botnet with infected PCs from China, it's far from trivial to mask all those IPs, I imagine (at least I'm not aware of a simple way to do this). – Voo Sep 19 '19 at 08:54
0

The official Apple website blocks IP addresses from Ghana (interestingly enough not from Nigeria though), and they openly state this is because of fraud concerns. Straight away, the fact a big company is doing this goes to show there is likely some benefit.

I suppose the logic is that your adversary could still use a proxy, VPN, Tor, or other anonymisation software. However, since those IP addresses are shared by many users, they are on IP blacklists.

If an IP address has been blacklisted, it will be automatically rejected for suspected fraud during online ecommerce payments, and from experience those annoying CAPTCHAs seem to appear more often, with significantly more annoying puzzles to solve. This is a significant hurdle for a malicious threat actor in a third world country, with limited resources and time.

answered by questioner