Am I paranoid, or are corporate firewalls censoring entire countries?

Recently, in the last year or so, I have noticed that it seems more and more difficult to reach certain kinds of sites, especially those in non-favored nations like Iran or Russia.

For example, just now I tried to reach the web site of the Russian Ministry of Defense (http://eng.mil.ru/en/index.htm), a site that I have legitimate business-related reasons for visiting, and it timed out. I tried the same site via a European proxy and had no problem connecting. I then tried a tracert and this was the result:

(screenshot of the tracert output, not reproduced here)

My interpretation of this is that the IP is being blocked by the company firewall. I asked our IT department what is the IP blocking policy for the network and was told that the policy is not determined by our company, but by the firewall service provider and that it is "secret and proprietary" to the provider and that they (meaning IT) had no control over that policy.

What is the story here? Are firewall product vendors just blanket blocking entire countries?

Just for giggles I decided to try different countries to see what would happen:

Finland       ok
Poland        ok
Russia        blocked
Ukraine       blocked
Estonia       blocked
Turkey        blocked
Saudi Arabia  blocked
Afghanistan   ok
Iraq          blocked
Georgia       ok
Armenia       blocked
Uzbekistan    ok

Alright, so I can visit web sites in Uzbekistan and Georgia, but not those in Armenia or the Ukraine? Who is making up this logic?

Tyler Durden

Posted 2016-12-28T23:38:23.867

Question was closed 2016-12-29T18:52:32.937
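The check the question's tracert screenshot is meant to support, as an added example that is not part of the original post: parse the trace, find the last hop that still answered, and ask whether that hop is one of our own (RFC 1918) routers. A silent tail on its own proves nothing, since plenty of routers and end hosts drop TTL-expired probes, so the example also compares the failing trace with a trace to a site that works from the same desk; if the working trace continues past the hop where the failing one goes quiet, that hop is the choke point. Both transcripts below are constructed for illustration, using private and RFC 5737 documentation addresses rather than the real path to eng.mil.ru, and the reachable Finnish hostname is made up.

```python
"""Triage Windows tracert output: did the path die at our own network edge?

Added example, not part of the original question. Both transcripts are
constructed; hop addresses are RFC 1918 / RFC 5737 ranges, not the real
path to eng.mil.ru, and example.fi is a made-up hostname.
"""
import ipaddress
import re

# Constructed: the trace the question describes. Hops 1-2 are our own
# routers (private space), then nothing answers.
BLOCKED_TRACE = """
Tracing route to eng.mil.ru [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     2 ms     1 ms     1 ms  10.0.255.254
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Trace complete.
"""

# Constructed: a trace to a site the question's table marks "ok". Same two
# local hops, then the path continues into the provider and arrives.
ALLOWED_TRACE = """
Tracing route to example.fi [198.51.100.20]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     2 ms     1 ms     1 ms  10.0.255.254
  3     9 ms     8 ms     9 ms  192.0.2.1
  4    31 ms    30 ms    30 ms  192.0.2.77
  5    42 ms    41 ms    41 ms  198.51.100.20

Trace complete.
"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_trace(text):
    """Return (target_ip, [(hop_number, ip_or_None), ...]) from tracert text."""
    target = None
    hops = []
    for line in text.splitlines():
        if line.startswith("Tracing route to"):
            m = IPV4_RE.search(line)
            target = m.group(0) if m else None
            continue
        m = re.match(r"^\s*(\d+)\s", line)
        if not m:
            continue  # header, footer or blank line
        ips = IPV4_RE.findall(line)
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return target, hops


def last_responding(hops):
    """Last (hop, ip) that answered, or None if nothing did."""
    answered = [(n, ip) for n, ip in hops if ip]
    return answered[-1] if answered else None


def triage(text):
    """Classify one trace: 'reached', 'dies_at_local_edge' (last answering
    hop is private address space and the tail is silent), 'dies_upstream',
    or 'nothing_answered'. A silent tail alone is not proof of a block."""
    target, hops = parse_trace(text)
    last = last_responding(hops)
    if last is None:
        return "nothing_answered"
    _, ip = last
    if ip == target:
        return "reached"
    if ipaddress.ip_address(ip).is_private:
        return "dies_at_local_edge"
    return "dies_upstream"


def choke_point(failing_text, working_text):
    """Compare a failing trace with a working one taken from the same host.

    Returns the IP of the last hop both traces share, if the working trace
    got further than the failing one: the device behind that hop is dropping
    traffic to the failing destination only. Otherwise returns None.
    """
    _, failing = parse_trace(failing_text)
    _, working = parse_trace(working_text)
    common = None
    for (_, ip_f), (_, ip_w) in zip(failing, working):
        if ip_f is None or ip_f != ip_w:
            break
        common = ip_f
    lf, lw = last_responding(failing), last_responding(working)
    if common is None or lf is None or lw is None or lw[0] <= lf[0]:
        return None
    return common


if __name__ == "__main__":
    print("blocked trace:", triage(BLOCKED_TRACE))
    print("allowed trace:", triage(ALLOWED_TRACE))
    print("choke point:  ", choke_point(BLOCKED_TRACE, ALLOWED_TRACE))
```

Run against real output, the useful signal is the choke point being the same inside address for every destination in the question's "blocked" list while "ok" destinations pass straight through it; that pattern is what separates a local policy decision from an upstream outage or a target that simply ignores ICMP.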

What does an intrusion detection system have to do with content filtering? Your IT department's response is complete nonsense. An IDS and a firewall are not the same thing – Ramhound – 2016-12-28T23:51:46.570

@Ramhound Ok, fill me in then, I am trying to understand why and how certain countries seem to be blocked and others are not. – Tyler Durden – 2016-12-28T23:59:46.767

Sounds like your company uses content filtering on top of something like a SonicWall, and how it works would be proprietary – Ramhound – 2016-12-28T23:59:55.043

Most content filtering systems can block content by country of origin. The specific reason you can't depends entirely on the configuration your company uses – Ramhound – 2016-12-29T00:04:28.100

This is all really arbitrary and based on idiosyncratic needs. But I will say this: I work in the U.S. and have done work for U.S. companies whose web properties have utterly no value to anyone outside of the U.S., and it's commonly been requested that some server-level filtering happens to block whole countries and IP ranges, not because of censorship, but rather for pragmatic needs based on the fact that their site would be consistently probed (and often have malware infections on them) that can be traced to specific countries or IP ranges. So this is really the state of the modern Internet world. – JakeGould – 2016-12-29T02:16:45.953

I've implemented regional blocking myself using selective blackholing in order to mitigate the effect of DDoS flooding when I knew for sure that the vast majority of the customer base was geographically limited anyway. Very effective, but probably won't help if you draw the wrath of something like Mirai – Dmitri DB – 2016-12-29T03:36:33.347

That said, most malware attacks tend to come from China or the USA, which makes this method much less effective if you're within those two zones: https://www.reddit.com/r/sysadmin/comments/3sadc9/those_of_you_who_block_countries_which_ones_are/ – Dmitri DB – 2016-12-29T03:37:52.863

Same with DDoS traffic: https://www.statista.com/statistics/440582/ddos-attack-traffic-by-originating-country/ – Dmitri DB – 2016-12-29T03:43:20.713

@DmitriDB It's not about where most attacks are from, it's about the ratio of illegitimate to legitimate traffic for a given country. If you are serving users primarily in the USA, that means you have a lot of traffic originating in the USA that you can't block. If you have zero users in Ukraine and are seeing many attacks coming from Ukraine (a very common scenario), then you have every reason to just block Ukraine entirely. – Todd Wilcox – 2016-12-29T04:36:17.187

Yes, my point was that these methods will not work if the attackers are determined enough to source all their attacks from your local region in order to bypass your regional blocking countermeasures. That is a very real possibility in a post-Mirai world for DDoS, and has always been the case if you're looking to block malicious traffic such as targeted attacks using methods best left to a WAF or RASP (port scans, brute forces, etc. vs. modsecurity, fail2ban, or Cloudflare/Incapsula for example) – Dmitri DB – 2016-12-29T05:41:38.600

It's a standard part of a layered defense plan to block like that. It obviously has limitations, but is part of a larger overall plan. This goes back to the late '90s, when places I'd worked at only had 56k leased lines (or occasionally the super fast T-1!). You'd not be likely to see it for global companies of course, but it has been standard for quite some time for smaller, regional-type companies. – Brian Knoblauch – 2016-12-29T12:23:33.770

It's rather interesting why Estonia is in that list. – Display Name – 2016-12-29T16:04:43.260

I've had to block large regions of China from accessing my server in the past due to spamming. No, this is not an unusual practice. – bwDraco – 2016-12-29T18:50:26.873

Answers

I've seen a variety of vendors doing content filtering based on country of origin. China and Russia are usually the ones with filtering turned on by default, or at least have some kind of alerting set up. This is because those are often sources of malware attacks. I don't buy the line that your IT department has no control over it. Any vendor worth its salt would let you modify the default settings on its products.

Charles Burge

Posted 2016-12-28T23:38:23.867

I know for sure that if I've got better things to do than listen to some lower-level employee go off, and I'm the BOFH, I'll spit some technobabble at them to make them get outta my face so I can get back to doing what I gotta do – Dmitri DB – 2016-12-29T03:30:00.143

Yeah, I definitely hear you. I hate having to explain things to users when they ask for a reason why something is the way it is, because the line between watering it down to terms that they can understand vs. talking down to them is impossibly thin. – Charles Burge – 2016-12-29T06:42:18.500

This is likely not done at the level of the IDS/IPS, but rather at the firewall level (via IP list blocking, sort of less effective) or the routing level with a method known as selective blackholing (strongly effective, and blocks the route from even coming through to your router at all).

The rationale behind this is unclear. Probably because the countries you listed are often sources of attacks, though really not more than the US, and determined attackers would just go ahead and circumvent anyway in that case... Could be that if you're working in a large enough organization, they're paranoid somehow themselves about threats from IPs originating from there. Either way it's kind of a stopgap security measure for many intents and purposes, and you have nothing to be paranoid about yourself. Tunnel or proxy out!

Dmitri DB

Posted 2016-12-28T23:38:23.867

That's a strange solution, though: you're basically encouraging someone to bypass the firewall when the firewall is supposed to be doing its job. If the firewall isn't working correctly and can't be corrected, sounds like it's time to chuck it. – oldmud0 – 2016-12-29T03:20:07.413

That'd be great for him to do, but it's pretty obvious if you read what this person said that they don't work in a decision-making capacity that could bring about what you suggest, and it sounds like he needs to do his job, so... – Dmitri DB – 2016-12-29T03:27:55.467

My network at my last job had both geo blocking and application blocking turned on to prevent using onion routers or VPNs, etc., among many other banned services. One of the rationales is that yes, some countries are home to large numbers of bad actors in less regulated environments while also not being places where we would ever send legitimate traffic, so banning them entirely has a positive effect on security with almost no detriment to usability. You can email your Ukrainian family members from your smartphone. – Todd Wilcox – 2016-12-29T04:32:14.123

"Could be that if you're working in a large enough organization that they're paranoid somehow themselves about threats from IPs originating from there." Or it could be cargo cult security. – jpmc26 – 2016-12-29T09:09:06.210

It's perfectly possible to use IP geo-location to block IP address ranges associated with certain countries. There's a lot of debate about how effective it is and I certainly wouldn't suggest blindly turning it on to anyone, but it's up to a business to determine for itself whether or not it has legitimate business with companies originating from a particular area, and therefore what the risks of blocking address ranges associated with that area are vs. the risks of not blocking those addresses.

While geo-blocking won't stop determined attackers, it does increase the complexity of attacking your network from this location (and keep in mind this might mean botnet members from that location) and this might also reduce the amount of "background noise" from casual attackers & script kiddies, making it easier to see the more determined attacks.

(screenshot of the SonicWall geo-IP filter configuration page, not reproduced here) This example is from a SonicWall Knowledge Base article on how to set these kinds of filters up.

In any case, if you have a business need to connect to a business in a blocked country, I don't suggest trying to sneak around the firewall as suggested in other answers, but rather to make this a management issue: talk to your manager, get them to speak to the IT department manager and make it clear that there's a business requirement to allow such access. It's highly unlikely that there's no way to configure these kinds of blocks, and on the off-chance that there is some kind of security incident and your attempts to work around blocks that are part of the corporate IT policy are detected, you're highly likely to be left holding the blame for the security breach.

Rob Moir

Posted 2016-12-28T23:38:23.867

Agreed with what you say. At least IT should be able to whitelist the Russian Ministry of Defense or other sites that OP needs access to – chue x – 2016-12-29T15:20:25.080

In most megacorps I've worked in, that kind of request is the kind of thing that gives you a hard time from management and may never happen; in smaller orgs it's something more tenable. Let's just count the time they blocked Facebook at one of the bigger companies I worked for, and it led to management not even checking the Facebook profile of this dude who was messing everything up; he was clearly high on ecstasy in MOST of his public pics – Dmitri DB – 2016-12-29T16:11:53.960

Well it's your decision @DmitriDB, obviously. I wouldn't demand that my manager "get IT to unblock x". I would however say, in a written memo, "In order to accomplish assignment foo, I need to access site bar which is currently blocked in accordance with corporate policy. How do you suggest we proceed?". After all (and putting aside the debate on effectiveness of geo-blocking for now) the business might well decide that the risk of unblocking a country is greater than the risks of not getting the task done. Your manager is being paid to take the heat on that. Let them. – Rob Moir – 2016-12-29T16:32:22.313

I just remember getting yelled at for suggesting things like that. Probably why I haven't worked in a megacorp for years now – Dmitri DB – 2016-12-29T16:54:11.557
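To tie the thread together, an added example that is not code from any of the posters or from a firewall vendor: how a "block these countries" rule actually decides, and what the two deployment styles Dmitri DB's answer contrasts (IP list blocking at the firewall vs. a blackhole route) look like once the decision is made. The country of an address is a longest-prefix match against a table derived from registry allocations, which is why the question's Estonia/Georgia/Armenia results can look arbitrary: a range is tagged with the country it was allocated to, not where the server sits, and sub-allocations nested inside a larger block take their own tag. The per-host exception is the "whitelist that one site" outcome that Rob Moir's answer and chue x's comment describe. The prefix table below is constructed from RFC 5737 documentation ranges, not real allocations; the blocked-country set is the question's own probe results; the excepted host, the `geoblock` set name and the `<upstream-gateway>` placeholder are hypothetical.

```python
"""How a "block Russia" rule decides, and how it is deployed, end to end.

Added example; not code from any firewall vendor or from the posts above.
The prefix-to-country table is constructed from RFC 5737 documentation
ranges, not real registry data; the single-host exception is hypothetical.
"""
import ipaddress

# Constructed GeoIP table: (prefix, ISO 3166-1 alpha-2). Vendors derive the
# real table from RIR delegation data, so a range carries the country it was
# allocated to, not where the server physically sits. Two nested entries are
# included on purpose: without longest-prefix matching the sub-allocations
# would inherit their parent's country.
GEOIP_TABLE = [
    ("203.0.113.0/24",  "RU"),
    ("203.0.113.64/26", "UZ"),   # sub-allocation inside the RU block
    ("198.51.100.0/24", "FI"),
    ("192.0.2.0/24",    "GE"),
    ("192.0.2.128/26",  "AM"),   # sub-allocation inside the GE block
]
GEOIP = [(ipaddress.ip_network(p), cc) for p, cc in GEOIP_TABLE]

# The countries the question's probe found blocked.
BLOCKED_COUNTRIES = {"RU", "UA", "EE", "TR", "SA", "IQ", "AM"}

# Hypothetical single-host exception, the kind IT could add once a business
# case for one specific site has been made.
EXCEPTIONS = [ipaddress.ip_network("203.0.113.10/32")]


def country_of(ip):
    """Longest-prefix match against the table; None if the address is not listed."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEOIP:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def decide(ip):
    """Ordered policy: explicit exception, then country block, then default allow.

    Returns (verdict, reason). Order matters: if the country rule ran first
    the exception could never fire.
    """
    addr = ipaddress.ip_address(ip)
    for net in EXCEPTIONS:
        if addr in net:
            return "ALLOW", f"exception {net}"
    cc = country_of(ip)
    if cc in BLOCKED_COUNTRIES:
        return "DROP", f"country {cc}"
    return "ALLOW", f"country {cc or 'unknown'}"


def blocked_prefixes():
    """Prefixes the policy drops, plus nested allowed prefixes that must be
    carved back out of them. Returns (blocked, carve_outs)."""
    blocked = [net for net, cc in GEOIP if cc in BLOCKED_COUNTRIES]
    carve_outs = [net for net, cc in GEOIP
                  if cc not in BLOCKED_COUNTRIES
                  and any(net != b and net.subnet_of(b) for b in blocked)]
    return blocked, carve_outs


def render_ipset(setname="geoblock"):
    """Firewall-level variant (IP list blocking): an ipset plus iptables rules.
    Returns the command lines as strings; nothing is applied here."""
    blocked, carve_outs = blocked_prefixes()
    lines = [f"ipset create {setname} hash:net"]
    lines += [f"ipset add {setname} {net}" for net in blocked]
    # hash:net 'nomatch' entries exclude a nested prefix from the set.
    lines += [f"ipset add {setname} {net} nomatch" for net in carve_outs]
    lines += [f"iptables -I FORWARD -d {net} -j ACCEPT" for net in EXCEPTIONS]
    lines.append(f"iptables -A FORWARD -m set --match-set {setname} dst -j DROP")
    return lines


def render_blackhole(gateway="<upstream-gateway>"):
    """Routing-level variant (selective blackholing): null routes for the
    blocked prefixes, so packets never reach a firewall rule. Carve-outs and
    the exception need a more-specific route to a real next hop; the gateway
    is a placeholder."""
    blocked, carve_outs = blocked_prefixes()
    lines = [f"ip route add blackhole {net}" for net in blocked]
    lines += [f"ip route add {net} via {gateway}" for net in carve_outs + EXCEPTIONS]
    return lines


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.70",
               "192.0.2.5", "192.0.2.130", "198.51.100.9", "198.18.0.1"):
        print(f"{ip:<15} {' '.join(decide(ip))}")
    print("\n".join(render_ipset()))
    print("\n".join(render_blackhole()))
```

Two things the output makes visible that the thread only asserts: the same /24 yields both DROP and ALLOW depending on which nested allocation the address falls in, so "why is country X blocked" often has the answer "because that range is registered there, whatever the site is"; and the blackhole variant has no concept of a per-host exception except a more-specific route, which is one reason a business exception is easier to get from the firewall team than from whoever owns the edge routing.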