44

I am located in Venezuela right now, and for the whole weekend have been unable to access grubhub.com and seamless.com.

Finally, I tried using the Tor Browser and got access. The same thing happened in January when I tried to access the police department's website in a New York State county when I was abroad.

Is this a measure to avoid hackers? Or do they do it to avoid spending bandwidth in countries where the website doesn't serve the population?

RoraΖ
Luis Arriojas
  • 5
    Your question might need to be reworded. It's difficult to answer why those particular sites have done this. – schroeder Nov 03 '14 at 16:11
  • 6
    Your examples and the remainder of the question might not be related at all. Have you e.g. tried checking your IP address with various CBLs / DNSBLs if it's perchance blacklisted? Some countries' ISPs tend to cycle between DHCP assigned IP addresses rather fast (India is one known example), and at that time you might have been assigned an IP that was blacklisted. Either case, a single IP being blacklisted in public CBLs that some websites (like your example ones) might use isn't indicative of a country-based blocking. Use e.g. http://www.ipvoid.com/ to check through many public CBLs / DNSBLs. – TildalWave Nov 03 '14 at 18:40
  • As long as they're not smart enough to use VPN and proxies. Often as effective as the Maginot Line was at keeping the Germans out of France in WWII. There's always a way around. – Fiasco Labs Nov 03 '14 at 23:33
  • 4
    Note that when blocking a whole country, only legitimate users will be blocked, because your "hackers" never use their own IP address, but work through either others, or via proxies/VPNs, which could be based anywhere but their own country – Lighty Nov 04 '14 at 08:14
  • Consider the fact that restricting access by country means you're harming the concept of the Internet. Just imagine a world where all non-American IPs are blocked on Stackexchange because American advertisers make up 99% of their profits. – JonathanReez Nov 04 '14 at 15:15
  • To be a little blunt, are you certain that these sites are actually blocking Venezuela, as opposed to something causing problems a little closer to your location? I'm not sure about the current state of affairs, but Venezuela has certainly had issues in the past. A friend of mine used to teach computer science in the _capital_, and they had rolling blackouts, making her job rather difficult... – Brian S Nov 04 '14 at 17:18
  • This could be a (botched) attempt by the Venezuelan powers that be to implement a "Great Firewall of China" type thing. (Though more likely that someone didn't pay the rent on the trunk line or some such.) – Hot Licks Nov 04 '14 at 19:10
  • Any hacker worth worrying about can spoof his country of origin. – chepner Nov 05 '14 at 20:41

5 Answers

77

Country-based blocking is usually put in place as a result of some organisational policy whose intention is indeed to "block hackers". This sort of thing fails on three points:

  1. Such a policy assumes that malicious people can be categorized by nationality. This is old-style, World-War-I type of thinking.

  2. Geographical position is immaterial for computers; a firewall can only see IP addresses. Inferring geography from IP addresses relies on big tables that are never completely up-to-date.

  3. As you observed, working around these blocking systems is trivial for attackers; it suffices to use a relay host outside of the blocked country, and this happens "naturally" when using Tor. Most attackers will use such relays anyway, to cover their tracks.

So the usual net effect of such a blocking is to irritate a few normal users (who might have been customers, but will not now that they are angry), without actually impeding the efforts of competent attackers.


On the bright side, though, "country"-based blocking is sometimes put in place to prevent thousands of mindless drones from spamming the connection logs. For instance, the sysadmin might have noticed a surge of dummy connections from some botnet, most machines of which are located in Venezuela. In that case, blocking Venezuela altogether may help prevent the clogging of log files, while implying only minor impact on business (assuming that the server in question has very few honest Venezuela-based customers). Thus, it is conceivable that a risk/cost analysis has determined that such a large blocking would improve things.

However, in most cases, the "country blocking" is there for the show: a whole-country blocking helps sysadmins demonstrate to managers that they are doing something for security, in a way that managers readily understand. This is the usual predicament of security: when all things work well, security is invisible. It is unfortunately hard to negotiate budgets for activities that don't imply any visible result. Even though the whole point of security is to avoid having visible results, e.g. a defaced Web site or a list of 16 million user passwords leaked and hitting the news.

In the case of media distribution, some distributors enforce country-based blocking because they did not have whole-World retransmission rights, and by doing a modicum of blocking effort they fulfil their legal obligations. Arguably, this case is also "for the show".

Ry-
Thomas Pornin
  • 15
    The intention may not necessarily be security, so much as noise reduction. If you never get any legitimate traffic from a location, and your logs are filling up with errors caused by bots, blocking the whole country just makes an annoying problem go away. – barbecue Nov 03 '14 at 17:33
  • 17
    Country-based blocking is the Maginot Line of policies, because I can just proxy through neutral Belgium. –  Nov 03 '14 at 18:13
  • 3
    +1. Since "blocked" in the question is vague, country-specific blocking is used for licensing issues as well. TV sites in the US, for example, block access to the videos (not the entire site) based on the viewer country. It's not necessarily to block bots or anything - it's just the legal issues with licensing. – AKS Nov 03 '14 at 18:17
  • 3
    I think the ease of bypassing this filter is a boon to the strategy, not a pitfall. It allows persistent legitimate users to continue using the site. This is like running a service on a non-default port. It won't stop any real person at a keyboard with an attention span of more than 10 seconds, but it will cut down on 99% of automated breakin attempts. – Wug Nov 03 '14 at 20:25
  • 6
    Why does everyone assume it's to "block hackers"? Given the example of GrubHub.com, a US-based site that offers online ordering for US-based restaurants, what legitimate use would a person from VZ have to visit the site? Chances are, the sales loss of the 0.5% of actual legitimate users that get blocked is offset by the resource savings of not having to serve the whole site to a country where the site is generally not useful (and thus from which most traffic is likely spammers/hackers/etc). – Doktor J Nov 03 '14 at 23:08
  • 1
    Regarding your first point - if a certain percent of attacks come from a given geographic area (e.g. country), then blocking that area blocks (superficially, without counter-counter measures) that percentage of attacks. Whether you like it or not, and whether or not it's PC. – HorseHair Nov 04 '14 at 01:01
  • 1
    I worked for a place that blocked all of Russia and China. Since our customers didn't have operations in those states, there really wasn't a legitimate reason to allow traffic. It was blocked though in response to the Chinese state search engine behaving very badly, and since China had no use for the info, they got blocked. – Andy Nov 04 '14 at 02:16
  • About #2, that's not entirely true. IPs are assigned to countries before they can be used (and, all legal IPv4 addresses have been assigned to countries, there's literally zero available to any country, so the database is complete). Also, IPv6 ranges must be assigned before use, and companies that provide this information do so far enough in advance that a developer that wanted to provide over 99.999% accuracy based on IP could do so. Unless, of course, tunneling/VPN, etc. But #2 is definitely not accurate on its own merit. – phyrfox Nov 04 '14 at 05:31
  • phyrfox - if you have a read of this little table, you'll see a very large number assigned by company, not country. And where is a .com, or a .me actually located? And who owns/runs it? All very independent of each other. http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks – Rory Alsop Nov 04 '14 at 08:37
  • @Rory Alsop .me would of course be Montenegro :) – AndrejaKo Nov 06 '14 at 08:57
  • Very true Andre - and my website ends in .me, but I have never been there and probably never will. My point is that country location is possibly orthogonal to security. – Rory Alsop Nov 06 '14 at 11:26
  • @DoktorJ: "what legitimate use would a person from VZ have to visit the site?" - I'm not specifically from VZ, but I have, on some occasions, helped non IT-savvy acquaintances in other countries to order things online by essentially going through the process for them. Yes, it's a corner case, but certainly a legitimate use the website owner could have an actual interest in. (Another legitimate use, that the website owner however draws no direct benefit from, is simply looking at the website and its capabilities, e.g. to name it as a real-world example of something in a research paper.) – O. R. Mapper Nov 06 '14 at 13:23
  • @O.R.Mapper for a site like GrubHub, why on earth would someone in another country legitimately order lunch from a US restaurant? It may simply be a cost-cutting measure -- if you are not a potential customer, why waste their bandwidth (and ultimately money) serving you high-res graphics and the like? – Doktor J Nov 06 '14 at 17:15
  • @DoktorJ: I just explained. If I have a non-tech-savvy acquaintance in the U.S., I (outside of the U.S.) would be more than happy to quickly go through the "complicated process" of ordering their food for them, if they ask me (the, you know, "guy who does something with computers and thus knows how such things work") to give them a (virtual) hand. I have done it for instant messaging accounts and the like, why shouldn't I do it for restaurant orders? – O. R. Mapper Nov 06 '14 at 17:18
  • @DoktorJ: And, to name yet one more legitimate use case: Someone in the U.S. might be having technical trouble displaying a site like GrubHub, which might be solved by some simple browser settings. Why should I be banned from finding out what settings the site works with just because I'm not physically in the same country as the GrubHub customer who is struggling with the website? – O. R. Mapper Nov 06 '14 at 17:59
26

In my case, our expected customers come from predictable countries, and so to limit the "threat surface", other countries are blocked.

This has limited value as any determined person can do what you did and simply re-route their traffic. The side benefit, though, is that the countries we permit are those with stringent cyber-laws and we can get law enforcement help if an attack happens. So, if an attacker from a non-allowed country routes their traffic through an allowed country, we can get the police involved. It's a small thing, but it does lower the risk without any impact to business and at no cost (except for the time to enter the allowed country into the firewall's whitelist).

When I did this, the bad traffic load on our web servers dropped 90%, which is significant in terms of resource cost-savings, if nothing else.

schroeder
  • 6
    Exactly this. It's not perfect, but if your target audience is highly country-specific, then why leave the front door wide open for attackers from other countries? Sure some will find windows, garage doors, and the like, but 95+% will just move on to other targets. – Doktor J Nov 03 '14 at 23:12
  • How would "stringent cyber-laws" help if the actual attacker is far away from that country? – JonathanReez Nov 04 '14 at 15:12
  • The attacker, then, is not the issue, but the pivot point is. – schroeder Nov 04 '14 at 15:30
  • @schroeder I still don't follow how would the police help you out after the fact – JonathanReez Nov 04 '14 at 17:21
  • 1
    If there is an active attack, it is easier to have the attack traced and dealt with by the ISP, because the ISP has some legal responsibilities. After the fact, it is possible to have that pivot point remedied. There are some countries where ISPs simply don't respond to my calls for help, and I know their police force do not follow up on attacks. American, Canadian, and UK ISPs and police forces do respond and can escalate. – schroeder Nov 04 '14 at 18:11
3

It's true: if a hacker would like to get access to your page, it will not help; he can simply use a VPN or proxy.

But if you think about all the bots out there which attack every page they find to test exploits and/or passwords, you will be able to block a lot of them. This will also help you against DDoS attacks: if you block every country except the one you live in, you are able to block most of the traffic. Of course, there are more effective methods against DDoS attacks, but a filter is a reasonable and simple one.

Ka Rl
2

Some websites block countries for business reasons. Traffic from some countries doesn't generate enough revenue to warrant the resources to serve them. Sometimes companies don't want to expand into a country until they can "do it right."

It's likely not a security issue. This can be circumvented by using Tor and VPNs. Of course, they can also block traffic from Tor and VPNs, or at least monitor more closely.

This is a business or political decision, not technical.

Gabriel
0

In the case of a site like Grubhub, the reason for blocking certain countries is likely not hacking (technical interference) but rather an effort to thwart fake reviews and similar unwanted content. It is relatively common nowadays that people in poor countries are hired for posting spam, or spam-like things like fake reviews for a few pennies a pop.

Sure anyone could bypass this block, but that could then be detected in a different way, as these users would then likely connect through a proxy server that can be detected through a proxy blacklist. The point here is to set up roadblocks, rather than absolute security. Unlike a security vulnerability, fake reviews on a restaurant rating are not an immediately fatal threat to the site.

If this is done in a judicious way and targeting an actual problem that has been identified, it can absolutely be an effective way of stopping unwanted posts. To name an example, for a site I run, I found that I was consistently getting spam from Bangladesh, Pakistan and Cameroon (of all places) and zero useful traffic from those same places. I blocked, to the best of my ability, those countries from posting content, but not from reading the site. Users from these countries are now greeted with a polite message asking them to contact an e-mail address that was set up just for this purpose, if they were legitimate users. This has been effective in blocking this particular class of spam, and is an example of what I would call a well-informed and judicious use of blocking a certain country.

nitro2k01
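Added example, not part of any answer above and not any site's actual code: a sketch of the "block posting, not reading" policy from the last answer, built on the kind of IP-to-country table the top answer describes as never completely up to date. The table entries (documentation prefixes), the `decide` and `country_of` names and the contact address are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample table (CIDR -> ISO country code) using documentation
# prefixes, not real allocations. A real table comes from a GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "BD"),
    # Sub-block reassigned after the /24 entry was recorded: the more
    # specific prefix must win, or the old country sticks to the new owner.
    (ipaddress.ip_network("198.51.100.128/25"), "US"),
    (ipaddress.ip_network("2001:db8::/32"), "PK"),
]
POST_BLOCKED = {"BD", "PK", "CM"}   # countries named in the answer above
CONTACT = "unblock@example.org"     # placeholder address (assumption)


def country_of(addr):
    """Longest-prefix match; returns None when the table has no entry."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
    matches = [(net.prefixlen, cc) for net, cc in GEO_TABLE if ip in net]
    return max(matches)[1] if matches else None


def decide(addr, method):
    """Return (allowed, reason). Reads always pass; only writes are filtered."""
    if method.upper() in ("GET", "HEAD"):
        return True, "read"
    try:
        cc = country_of(addr)
    except ValueError:
        return False, "malformed client address"
    if cc is None:
        # Stale or incomplete table: a blocklist fails open here. An
        # allowlist policy (permit listed countries only) would deny instead.
        return True, "unknown origin"
    if cc in POST_BLOCKED:
        return False, f"posting disabled for {cc}; contact {CONTACT}"
    return True, cc


if __name__ == "__main__":
    for ip, m in [("198.51.100.7", "GET"), ("198.51.100.7", "POST"),
                  ("198.51.100.200", "POST"), ("203.0.113.5", "POST")]:
        print(ip, m, decide(ip, m))
```

The decision is only as good as the table and the address it is given: a client relayed through a proxy or Tor exit is classified by the relay's address, which is the bypass the answers describe.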