Risks associated with blocking countries in firewall?

  #1  
Old 11-30-2010, 03:16 PM
diesel12 diesel12 is offline
WHT Addict
 
Join Date: Jul 2007
Posts: 109

Risks associated with blocking countries in firewall?


We've started blocking countries like China in ConfigServer, but recall reading something a ways back that somehow, American IP addresses may be blocked as well when blocking China ... something regarding subnets or something else that I didn't quite follow regarding how IP addresses are set up.

Are there risks like this involved when blocking an entire country via a firewall? We're only concerned about US and Canadian traffic ....

  #2  
Old 12-02-2010, 02:56 AM
centauricw centauricw is offline
Web Hosting Guru
 
Join Date: Jul 2008
Location: Atlanta GA
Posts: 291
The IP blocks given out to the various registries are by no means contiguous blocks. They are all over the place as IP blocks were carved out, returned and reassigned. It's possible to block entire countries at the firewall, but I've long since given up. It's more important to be sure the underlying security of your web site/server is good.

And if your primary concern is blocking botnets from trying to break in, just blocking a country won't help since all countries are affected.

  #3  
Old 12-07-2010, 04:22 AM
SysAssist SysAssist is offline
New Member
 
Join Date: Dec 2010
Posts: 1
You can use GeoIP to download recent lists of IP blocks for countries and block according to that in iptables.

  #4  
Old 12-07-2010, 04:26 AM
diesel12 diesel12 is offline
WHT Addict
 
Join Date: Jul 2007
Posts: 109
We're using country codes in ConfigServer Firewall's deny list. I take it country codes aren't comprehensive?

  #5  
Old 12-07-2010, 05:33 AM
ServerOrigin ServerOrigin is offline
Web Hosting Master
 
Join Date: Jun 2006
Location: NYC
Posts: 1,408
GeoIP is incredibly unreliable.

For example, if you tried to block all of China with APNIC's actual assignments, you would also knock out the larger part of AU.

Blocking any country should be absolute last resort because impact can be far reaching.

__________________
ServerOrigin.Com ethProxy™ DDoS Mitigation Protect your current server in minutes!
[Intrusion Detection • CDN • DDoS Protected VPS • DDoS Cloud Hosting • 99.99% SLA • AnyCast IP Services]
[Enterprise-Class DDoS Protection • Automated Datacenter Failover • Serving more than 1 million domains!]


  #6  
Old 12-07-2010, 05:38 AM
diesel12 diesel12 is offline
WHT Addict
 
Join Date: Jul 2007
Posts: 109
@serverorigin: So there might be the possibility of inadvertently blocking parts of the United States by blocking whole countries via their country codes? (India, China, Korea, etc.....) The only traffic we don't want to block is the US / Canada....

  #7  
Old 12-07-2010, 05:41 AM
ServerOrigin ServerOrigin is offline
Web Hosting Master
 
Join Date: Jun 2006
Location: NYC
Posts: 1,408
Quote:
Originally Posted by diesel12
@serverorigin: So there might be the possibility of inadvertently blocking parts of the United States by blocking whole countries via their country codes? (India, China, Korea, etc.....) The only traffic we don't want to block is the US / Canada....

Very large risk of blocking US/CA traffic by blocking all other countries. The registries do not keep up very well. Many companies also announce IPs from other regions. (Not supposed to but it happens)

The other issue is reassignments that occur. We have blocked the UK (per customer request) and saw all traffic drop from Comcast (in and around Chicago). Why? No clue. It's not recommended.

*Edit: Just to add: This is why you will also see so many people complaining about GeoIP DNS services. Even the better ones (paid services), who actively track things better than ARIN/APNIC/RIPE, etc., still don't always get it right.




Last edited by ServerOrigin; 12-07-2010 at 05:44 AM.
  #8  
Old 12-07-2010, 05:45 AM
diesel12 diesel12 is offline
WHT Addict
 
Join Date: Jul 2007
Posts: 109
That's exactly what I needed to know.... if there's an outside chance of inadvertently blocking US traffic then it's definitely NOT worth ... thank you so much for the feedback.

  #9  
Old 08-29-2012, 10:17 AM
dwulff dwulff is offline
New Member
 
Join Date: Aug 2012
Posts: 2
Country Blocking Firewall

The latest Q2, 2012 Attack Report by Prolexic shows 91% of DDoS attacks originate in countries outside the United States. The decision to block traffic that offers no business value is an easy choice. There are two big problems with configuring ACLs in routers and firewalls to block countries:

1. Adding 12,000 IP ranges to block countries can substantively increase latency, decrease TCP throughput, and must be updated daily to keep up with new IP configurations eating up to 15 minutes a day

2. If you had an 'allow only' US traffic, you are still open to botnets and malware originating from infected machines in the US as another poster pointed out.

We solved the problem with an actual appliance that sits between the border router and firewall that blocks traffic by country with a click on a map, block millions of known botnets and spammers using the EmergingThreats IP reputation list of threats in the US, and is all automatically updated in the appliance...with no noticeable impact on network performance. The appliance is called PoliWall by TechGuard. We cut the bulk of the noise before it ever reaches systems deeper inside the network.

  #10  
Old 08-29-2012, 10:24 AM
dwulff dwulff is offline
New Member
 
Join Date: Aug 2012
Posts: 2
Country Blocking Firewall

Here is the whitepaper on impact of ACLs on firewall and router just FYI


Last edited by dwulff; 08-29-2012 at 10:27 AM. Reason: wrong post
  #11  
Old 08-29-2012, 10:39 AM
znetindia znetindia is offline
Premium Member
 
Join Date: Mar 2003
Location: Jaipur, India
Posts: 617
Hi,

The following small script will automatically read the lines in Country IP range files from here and add them to your firewall.

Create a file called zoneblock using the following text, then 'chmod +x zoneblock' to make it executable.

Just download the zone file you want for the country you want (you can do this using wget), then run
Code:

./zoneblock /var/tmp/af.zone eth1

replacing af.zone with whatever file you are using and eth1 with whatever interface your WAN is.

The changes are only temporary till reboot, or until 'service firewall restart'. You could add the command to /etc/rc.d/rc.local to make it run on every bootup

Now you can block whole countries with the click of a button!
Code:

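#!/bin/bash
# Zoneblock script
# usage: zoneblock [file] [interface]
# Reads one IP range per line from [file] and inserts a DROP rule for each.
[ $# -eq 2 ] || { echo "usage: $0 [file] [interface]" >&2; exit 1; }
while IFS= read -r line
do
    # skip blank lines and comment lines in the zone file
    case "$line" in ''|'#'*) continue ;; esac
    iptables -I INPUT -s "$line" -i "$2" -j DROP
    echo "adding...$line"
done < "$1"
exit 0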

Just FYI, Hope it will help you.

__________________
RackNAP
Billing, Inventory & Support Management
Software for Datacenters and Large Hosters

Reply With Quote
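A pre-flight check for the zone-file approach discussed in this thread, as an added example that is not from any poster: it parses a zone file, collapses adjacent ranges to cut the rule count, and flags any block range that overlaps a network you need to keep reachable. The sample ranges, the PROTECTED list, the set name and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample input (RFC 5737 documentation ranges, not real allocations).
ZONE_TEXT = """\
# constructed zone file, one CIDR per line
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
192.0.2.0/24

not-a-cidr
"""
# Assumption: an operator-maintained list of networks that must stay reachable.
PROTECTED = ["192.0.2.64/26", "10.20.0.0/16"]

def parse_zone(text):
    """Return (IPv4 networks, rejected lines) from zone-file text."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            bad.append(raw)  # never hand unparsed text to the firewall
    return nets, bad

def preflight(zone_text, protected):
    """Collapse the block list, then report overlaps with protected ranges."""
    nets, bad = parse_zone(zone_text)
    collapsed = list(ipaddress.collapse_addresses(nets))  # fewer, larger entries
    keep = [ipaddress.IPv4Network(p) for p in protected]
    conflicts = [(str(b), str(k)) for b in collapsed for k in keep if b.overlaps(k)]
    return collapsed, conflicts, bad

def ipset_restore(name, nets):
    """Render `ipset restore` input: one hash:net set instead of one rule per range."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {n}" for n in nets]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    collapsed, conflicts, bad = preflight(ZONE_TEXT, PROTECTED)
    for blocked, kept in conflicts:
        print(f"CONFLICT: {blocked} would block protected {kept}")
    print(f"rejected lines: {bad}")
    if not conflicts:  # only emit a loadable set when nothing protected is hit
        print(ipset_restore("geo_block", collapsed), end="")
```

When there are no conflicts, feed the output to `ipset restore` and match the set with a single rule such as `iptables -I INPUT -i eth1 -m set --match-set geo_block src -j DROP`.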
  #12  
Old 09-03-2012, 05:36 PM
cloudsafe365 cloudsafe365 is offline
New Member
 
Join Date: Aug 2012
Location: Australia
Posts: 4
GEOIP

Are there any alternatives to GEOIP for increased accuracy ?
