Relatively easy way to block all traffic from a specific country?

Question

I have a web app that has no users in the Philippines, but is constantly bombarded by spammers, carders testing cards, and other undesirable activity from there. I can see in the logs that they have IPs in the Philippines and are initially finding my site via google.ph or other .ph sites.

I have pretty good filters and security checks in place, so they don't really cause much damage, but nonetheless, I'm really getting tired of it. They use up bandwidth, fill up my database, abuse logs, and security logs with crap, waste my time terming accounts, etc.

While the vast majority of Philippine citizens aren't spammers, and I can't just block every country that annoys me, at this point, I think the solutions is simply to block all traffic from the Philippines to my webapp. (I know blocking entire countries' IP blocks is not a great practice, and has many problems, but for this country, I want to make an exception.)

(I know they could spoof their IP address, but at least I can make them work for it a bit.)

I know there are a few geoip services out there. Anyone know of any free or inexpensive services? Or any other way to filter out traffic from a specific country?

I'm running PHP on Apache 2, if it matters.

Answer 1

Unlike most of the other posters here, I'm not going to tell you this is a bad idea, that you shouldn't do it, that it won't solve your problem, or that you should do something else. Here's what happened to us:

Individuals from China and Korea (or using proxies in China and Korea, anyway) kept annoying us. Portscanning, crawling our websites looking for vulnerabilities, making login attempts, etc. I tried to ignore them (fail2ban takes care of them usually) but at some points they were hitting us so hard that it effectively turned into a DoS attack. When you have hundreds of connections at once from people trying to use your webserver as a proxy, trying to SSH into your machine, trying random usernames and passwords, it tends to weigh on the site. I eventually got fed up.

We don't get any legitimate traffic from China or Korea; our company doesn't sell there (we're e-commerce) so there was no risk of losing legitimate traffic, so I figured it was easier to block them ahead of time instead of waiting for them to be dicks.

1. Visited http://ip.ludost.net/ and downloaded their IP<->country database.
2. Extracted all Chinese and Korean IP address ranges.
3. Installed the ipset module for netfilter
4. Built ipset dumps for China and Korea (see below)
5. Added rules to iptables to silently drop any traffic from those sets.

And that's it. Our problem users went away, load on the network and the server was decreased, and we weathered the Christmas season without difficulty.

Note 1: you can do this with regular iptables (i.e. without ipset) but it's more computationally expensive than using ipset.

Note 2: This is how the dumps look (ipset will generate these for you if you want):

# Generated by ipset 2.3.3 on Sat Oct  4 18:02:57 2008
-N china nethash --hashsize 5184 --probes 4 --resize 50
-A china 203.207.128.0/17
-A china 221.176.0.0/13
-A china 58.154.0.0/15
-A china 114.54.0.0/15
...etc...

Note 3: We use a nethash because all of our ranges are stored as CIDR blocks. If you don't want to convert them to CIDR, you can use an iptreemap instead, but I imagine that might be less efficient if you're getting a lot of traffic.

Answer 2

You could do this based on IP address using a free IP Locatin API like IPInfoDB http://ipinfodb.com/index.php.

Answer 3

First, I would strongly suggest not doing this.

As others have far more eloquently put, blocking a specific country doesn't fix the problem , it just defers it slightly. Also, when users from that country see you've blocked them specifically, it will only motivate them to cause you more problems.

That said, if you really want to do this, IPinfoDB provide a free IP geolocation database,

First, would be to locate a IP simply by country.

You would search this way :

SELECT * FROM `ip_group_country` where `ip_start` <= INET_ATON('74.125.45.100') order by ip_start desc limit 1;

Or

SELECT * FROM `ip_group_country` where `ip_start` <= 1249717504 order by ip_start desc limit 1;

Second, you might want to get the IP of a specific country to generate a blocklist with iptable, htaccess file or whatever you use. It would be done like this :

SELECT `ip_cidr` FROM `ip_group_country` WHERE `country_code` = 'AF' order by ip_start;

which would give you :

63.243.149.0/24
67.212.160.0/24

Answer 4

How do you fix a bug in code?

Like so?

Bug: Add(2,2) returns 0, should return 4.

Fixed code:

int Add(int x, int y)
{
   if (x == 2 && y == 2)
      { return 4; }
   return 0;
}

Obviously not. You don't just create a teetering monstrosity of special cases, that's enormously fragile and a recipe for disaster. You also don't just patch TODAY'S symptom of the underlying problem.

Instead, figure out the root cause, and fix that. This is far more robust than any hacky special-case patch you could implement.

Why is your web app vulnerable to spam? What characteristics make it vulnerable? What characteristics make it a valuable target? Are there ways you can change those characteristics to make your app more robust against spam and less of a tempting target? Almost certainly the answer to these questions is yes. Add validation chains to your forms, use a captcha intelligently, randomize urls and/or parameter names to make them unfriendly to bots. There are millions of ways to approach this problem, I'm sorry to say you have chosen one of the least valuable, least useful, and most fragile solutions out there.

Answer 5

You should use products like fail2ban to key off errors you throw in your web application indicating a spamming attempt is underway. This will block the IP for a period of time, making your site resistant, but not blanket blocking entire IP blocks.

Answer 6

A couple of solutions:

• exclude some IPs in Apache configuration with mod_access
• use GeoIp directly from Apache: http://www.maxmind.com/app/mod_geoip
• Exclude some IPs from Linux iptables directly. This is more risky if you have remote access only, you could lock yourself ou of the machine
• geoip + iptables

These solutions are pretty easy and quick to put in place, and free.

A longer term solution would be to detect the spam from your web application, log the IP and feed your iptables to block them automatically.

Answer 7

I would opt for a Snort + OSSEC solution that could maintain something like this dynamically.

Answer 8

Did you consider finding who is operating the networks you are being attacked from ? Find the "abuse" contact using whois and report to them. Of course it may come from several networks, but it also may worth it if you see some recurring addresses / network blocks.

Answer 9

You have every right to block IP addresses from whatever reason you can justify for yourself. It is you that provides a service and it is you who decides who can have it or not. It is perhaps questionable if this is moral but that is something you can only decide for yourself.

However blocking an IP segment because it has some geographic aspects to it sounds to me a more or less like a panic approach.

What I have done in the past is having a crawler going through my most recent logs and based on that ban individual IP's that are annoying for a period of 24 hours. If that specific IP is misbehaving again it is banned for 2 days, then 3 days, etc. etc. you get the drift.

IP's that are banned for more then a week will be mailed to me and I send an abuse mail to that service provider (who know it might even help).