Is there any actual security benefit to restricting foreign IP addresses?

88

I am currently outside the US trying to log in to my health care provider's website and the connection just times out. I reached out to them on Twitter and they told me that as a security measure they block connections from outside of the US and suggest I use a VPN.



So great, I can use a VPN to solve my problem. But I am curious, is there any real security advantage to this sort of IP address blocking? I am a geek (web developer), but not a security specialist so I am sure I am missing something, but it seems to me that if I can use a VPN to connect from Europe then any reasonable hacker would just do the same thing.

  • 67

    It may mitigate the random port scans that come from botnets. It's like a picket fence; kids aren't going to run into your yard, but it's not going to stop a burglar who has targeted your house.

    – Ghedipunk
    Sep 16 at 16:41

  • 4

    Possible duplicate of Is blacklisting IP addresses a waste of time?

    – Zaibis
    Sep 17 at 5:19

  • 15

    A health care provider typically handles sensitive data. If they open up to EU clients, they need to cover for GDPR's strict guidelines. IMHO they dodged a bullet there from a legal angle.

    – user3819867
    Sep 17 at 9:10

  • 6

    @user3819867 From what I've seen (but am not an expert) I don't think the GDPR applies to US-held data of a US person who happens to be in Europe when they want to access it.

    – TripeHound
    Sep 17 at 10:03

  • 17

    “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. Even if it weren't so, a single US citizen that stays four months in the EU (thus becoming resident) can potentially cost you up to 4% of your turnover. Would you open that for debate or would you shut it off by a simple technical step?

    – user3819867
    Sep 17 at 11:07

web-application ip geolocation

edited Sep 19 at 10:20 by Peter Mortensen

asked Sep 16 at 16:33 by Matthew Nichols

4 Answers

164

The concept is "reducing the threat surface". If there is an expectation that no connections will be made from a certain geographic area, then it makes sense to block that area, because, by definition, it is not legitimate. In theory. (For a health provider, it's a weird choice since customers might want to manage their health while traveling, but this is a side issue.)

For one company I worked for, there was a list of countries that listed the Top 12 worst offenders for cybercrime, and we did not have any customers in those countries. So, it made sense to block them.

  • Could attackers use proxies/VPNs to attack from an allowed IP? You bet.
  • Did they? Who knows.
  • Did we experience high volumes of attacks from those 12 countries anyway? Oh yes.

We saw an immediate 80% drop in traffic to our webservers when we started the geo-IP ban.

  • 60

    OK great so there is at least some utility. Whether it is worth the inconvenience to actual customers is as you acknowledge a separate issue. Thanks.

    – Matthew Nichols
    Sep 16 at 17:03

  • 6

    @MatthewNichols you got it

    – schroeder
    Sep 16 at 18:37

  • 4

    My company kept getting pings by random overseas "users" where we didn't have any clients, so we banned those countries as well. Basically, it makes it harder to be picked up by a random pickpocket, but it's not going to stop a targeted attack (the cynic in me says nothing has been found yet to stop a targeted attack).

    – Hosch250
    Sep 17 at 1:39

  • 2

    @Hosch250 Seems like a strange way to operate. Why not get on the front foot and just ban all countries where you don't have users? Why do you have to wait to be pinged?

    – Gregory Currie
    Sep 17 at 8:02

  • 6

    @Hosch250 It can also increase the cost of a targeted attack; now the attackers need to make sure they get IPs in the target country. Not that hard, but takes effort, likely more than setting the block up. And it reduces the fallback-IPs they can use once you block the ones they have in the country. As with most of security, it's a numbers game of how much you want to invest and how costly you want to make attacks to someone.

    – Frank Hopkins
    Sep 17 at 8:16
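
One way to measure the trade-off discussed in the answer and comments above before turning on a geo-IP block: replay existing access-log lines against a country allow-list and count both the traffic that would be dropped and the logged-in customers who would be turned away. This is an added example, not part of the original answer; the CIDR table, the country codes XA/XB, the log format and the log lines are all constructed for illustration.

```python
"""Replay access-log lines against a country allow-list (added example)."""
import ipaddress
from collections import Counter

# Constructed CIDR-to-country table: documentation address ranges and made-up
# country codes "XA"/"XB". A real deployment would load a GeoIP database.
GEO_TABLE = [
    ("198.51.100.0/24", "US"),
    ("192.0.2.0/24", "XA"),
    ("192.0.2.128/26", "US"),    # more specific range carved out of the XA block
    ("203.0.113.0/24", "XB"),
    ("2001:db8:a::/48", "XA"),
]
NETWORKS = [(ipaddress.ip_network(cidr), cc) for cidr, cc in GEO_TABLE]

# Constructed log, format: <ip> <user or -> <method> <path> <status>
#   alice: domestic customer; bob: customer whose address falls in the
#   carved-out US range (e.g. a VPN exit); carol: customer travelling abroad.
SAMPLE_LOG = """\
198.51.100.7 alice GET /portal 200
198.51.100.9 - POST /login 200
192.0.2.15 - GET /wp-login.php 404
192.0.2.15 - GET /phpmyadmin/ 404
192.0.2.16 - POST /login 401
192.0.2.130 bob GET /portal 200
203.0.113.40 - GET /.env 404
203.0.113.41 - POST /login 401
203.0.113.77 carol GET /portal 200
2001:db8:a::5 - GET /admin 404
10.9.8.7 - GET /health 200
"""


def lookup_country(addr):
    """Longest-prefix match; returns None when the address is in no range."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, cc in NETWORKS:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def parse_line(line):
    """Split one constructed log line into its fields."""
    ip, user, _method, path, status = line.split()
    return {"ip": ip, "user": None if user == "-" else user,
            "path": path, "status": int(status)}


def replay(lines, allowed=frozenset({"US"}), block_unknown=True):
    """Report what a country allow-list would have done to past traffic.

    block_unknown decides the fate of addresses missing from the table:
    fail closed (True) or fail open (False).
    """
    total = blocked = 0
    by_country = Counter()
    locked_out = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        total += 1
        cc = lookup_country(rec["ip"])
        deny = block_unknown if cc is None else cc not in allowed
        if deny:
            blocked += 1
            by_country[cc or "unknown"] += 1
            # A successful request by a logged-in user is a customer the
            # block would have turned away.
            if rec["user"] and rec["status"] == 200:
                locked_out.add(rec["user"])
    return {
        "total": total,
        "blocked": blocked,
        "blocked_fraction": blocked / total if total else 0.0,
        "blocked_by_country": dict(by_country),
        "customers_locked_out": sorted(locked_out),
    }


if __name__ == "__main__":
    report = replay(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log, the block drops the unauthenticated probe traffic and also locks out carol, while bob's request from the carved-out range is indistinguishable from a domestic one.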

9

One thing to consider: there are many countries in which the state, or maybe shady Internet providers, snoop on Internet traffic.



Even if your health care provider's website uses TLS (which I assume), PCs in those countries might have a fake root certificate installed to intercept your traffic. So when Joe average becomes sick and goes to an Internet cafe to check his coverage on the health provider's website, no one can be sure that their data - and login credentials - are safe.



Blocking foreign IP addresses and requiring a VPN mitigates at least some of this - you can't install the VPN client on some public computer, so you need to use your own laptop; this helps against keyloggers as well, and MITM attacks against a VPN are way harder than MITM against HTTPS, because the VPN client knows which certificates to expect, so you can't just use a fake CA.

  • I think you have to insert compromised HTTPS certificates in the OS for that kind of snooping to work, which can work in places like North Korea

    – lurscher
    Sep 18 at 2:29

  • 1

    Most companies blocking IPs by geolocation probably aren't concerned for the end user's sake but rather their own data/network security.

    – TylerH
    Sep 18 at 14:40

  • 4

    "there are many countries in which the state, or maybe shady internet providers, snoop on internet traffic" You mean like, say, the US and Canada? (Indeed among many others.)

    – a CVn
    Sep 19 at 8:28

3

The security benefit is likely small, but real.



My workplace deals with scans from foreign soil all the time. Mostly these come from a few notorious places like Palestine, or Russia where political and legal issues exist between the US and these countries that make them more attractive attack hosts. They also come from more friendly countries like France or The Netherlands. They're far less likely to come from inside my own country. I hazard a guess that this might be because it's easier to obtain search warrants or tap/trace devices for a source and a target within the same country. Where these people exist in meat-space is anyone's guess.



These are all largely automated processes targeting large swaths of the Internet. They're unsophisticated enough that the attacker isn't likely trying to target us per se, but is just trying to find "someone" to go after.



It's certainly true that these attackers can use other means to use an IP address inside my country. I've seen them do this through various other means when they're blocked by us. But this takes extra effort for the attacker, which may be better spent elsewhere and may not be worth the trouble for the attacker to go after a more hardened target.



As the saying goes, you don't have to be the fastest animal running away from the predator; you just can't be the slowest.

  • 1

    Geo-blockers are trivial to circumvent, but there is a population who don't bother and run their scripts from their home IP. Blocking certain countries saves the noise (and work checking the noise) of these "intrusions". Some sites also block known VPNs and hosting services, but for many this is turning away valuable trade.

    – Rich
    Sep 17 at 21:31

  • 2

    It's always a balance. I would say most doors are trivial to defeat (one swift kick with some heavy boots), but I still wouldn't recommend removing them.

    – Nelson
    Sep 18 at 4:59

  • 2

    "notorious places like Palestine"? I hear about scans and attacks from Russia and China all the time, but Palestine? Is that actually common?

    – Justin Lardinois
    Sep 18 at 8:24

  • @JustinLardinois For us it is. Oddly we don't get scanned by China. I don't think I've seen one scan from that country. Quite a lot of other countries however. I'd be curious to know more than my limited scope on where scans come from though.

    – Steve Sether
    Sep 18 at 21:14

  • 1

    @Rich They are trivial to circumvent for single users. But if you're running a botnet with infected PCs from China, it's far from trivial to mask all those IPs I imagine (at least I'm not aware of a simple way to do this).

    – Voo
    Sep 19 at 8:54

-5

If you have an incompetent or lazy security team, and a limited amount of time in which to plug security holes, it will help. The alternative is to ask your security team to implement real solutions rather than ad-hoc stopgaps. If, as per the premise, your security team is incompetent or lazy they will never succeed in implementing those and the security hole will remain. Thus IP address bans are a quick-and-dirty solution for organizations that won't or can't do the correct solution.



Of course, as a matter of principle, IP address blocking is a very clumsy approach. It is not hard to change IP addresses, proxy traffic through a certain country, or use any number of countermeasures. However:



  • For certain countries, the ratio of actual attacks reduced to the amount of business lost (from customers in that area) is huge.

  • Although defeating IP address bans is not hard, the attacker is still likely to prefer other organizations with fewer barriers to successfully hacking them.

Because of this, it has emerged as a popular measure for organizations that care more about the path of least resistance than doing it right.

  • 15

    "Incompetent or lazy"? A website run by one person can still get hosed by a flood of requests from a botnet. Don't be judgemental about people you don't know - suggest the "real solutions" instead.

    – Alfred Armstrong
    Sep 18 at 9:01

  • 3

    Geo-blocking is a numbers game. It makes it harder for you to be attacked. It doesn't make it impossible. Is that worth the cost to legitimate customers? Sometimes it is, sometimes it isn't. It's not always the right thing to do, but sometimes it is. It certainly is not an automatic sign of incompetence or laziness. (Besides, Lazy is good. See: threevirtues.com)

    – Ben Aveling
    Sep 18 at 12:51

  • 6

    Geo-IP blocking is a standard, legitimate control and is not an indication of incompetence, laziness, or weakness in any other control.

    – schroeder
    Sep 18 at 15:59

  • 5

    'incompetent or lazy' ... compared to what? A nation state? Security balances the value of what is being protected against the cost of protecting it for a time period. In the long run, all security fails.

    – Jeff K
    Sep 18 at 18:43

  • Using geo-blocking is the same as the "Iron Curtain" approach used in USSR times. Easy to maliciously sneak in, useless for the actual control. Good to spread fear across loyal people. Sad thing to see that idiom living nowadays, now as "Internet edition".

    – Yury Schkatula
    Sep 24 at 12:15

edited Sep 17 at 10:08
answered Sep 16 at 16:42
schroeder

  • 60
    OK great so there is at least some utility. Whether it is worth the inconvenience to actual customers is as you acknowledge a separate issue. Thanks.
    – Matthew Nichols
    Sep 16 at 17:03

  • 6
    @MatthewNichols you got it
    – schroeder
    Sep 16 at 18:37

  • 4
    My company kept getting pings by random overseas "users" where we didn't have any clients, so we banned those countries as well. Basically, it makes it harder to be picked up by a random pickpocket, but it's not going to stop a targeted attack (the cynic in me says nothing has been found yet to stop a targeted attack).
    – Hosch250
    Sep 17 at 1:39

  • 2
    @Hosch250 Seems like a strange way to operate. Why not get on the front foot and just ban all countries where you don't have users? Why do you have to wait to be pinged?
    – Gregory Currie
    Sep 17 at 8:02

  • 6
    @Hosch250 It can also increase the cost of a targeted attack, now the attackers need to make sure they get IPs in the target country. Not that hard, but takes effort, likely more than setting the block up. And it reduces the fallback-IPs they can use once you block the ones they have in the country. As most of security, it's a numbers game of how much you want to invest and how costly you want to make attacks to someone.
    – Frank Hopkins
    Sep 17 at 8:16
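A dry run of the trade-off discussed in the answer and comments above, as an added example (not code from the answer or its author): it replays an access log against a proposed country block and reports the share of traffic dropped, the noise still arriving from allowed countries, and the customers who would be locked out. The GeoIP table, country codes, log format and log lines are all constructed, and addresses with no GeoIP match are assumed to be allowed.

```python
import ipaddress

# Constructed GeoIP table: RFC 5737 documentation ranges mapped to placeholder
# country codes. A real deployment would query a GeoIP database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "AA"),     # home market
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),  # no known customers
    (ipaddress.ip_network("203.0.113.0/24"), "CC"),   # no known customers
]
BLOCKED_COUNTRIES = {"BB", "CC"}

# Constructed access log, one request per line: "src_ip user status path".
# A user of "-" means the request was not authenticated.
SAMPLE_LOG = """\
192.0.2.10 alice 200 /account
192.0.2.11 bob 200 /claims
192.0.2.44 - 401 /login
198.51.100.7 - 404 /admin
198.51.100.7 - 404 /backup
198.51.100.9 - 401 /login
203.0.113.5 - 404 /admin
203.0.113.5 - 401 /login
203.0.113.80 carol 200 /account
192.0.2.12 dave 200 /account
not-an-ip - 400 /
"""


def country_of(ip_text):
    """Return the country code for an address, or "??" when the table has no match."""
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on malformed input
    for network, code in GEO_TABLE:
        if addr in network:
            return code
    return "??"


def audit_geo_block(log_text, blocked):
    """Replay a log against a country block without enforcing anything."""
    report = {"total": 0, "blocked": 0, "noise_blocked": 0,
              "noise_remaining": 0, "skipped": 0}
    locked_out = set()
    for line in log_text.splitlines():
        try:
            ip_text, user, status_text, _path = line.split()
            country = country_of(ip_text)
            status = int(status_text)
        except ValueError:
            report["skipped"] += 1  # malformed line: count it, do not guess
            continue
        report["total"] += 1
        is_noise = user == "-" and status >= 400     # failed, unauthenticated
        is_customer = user != "-" and status < 400   # successful, logged in
        if country in blocked:
            report["blocked"] += 1
            if is_noise:
                report["noise_blocked"] += 1
            if is_customer:
                locked_out.add(user)  # e.g. a customer who is traveling
        elif is_noise:
            # Still gets through: allowed country, or no GeoIP match at all.
            report["noise_remaining"] += 1
    total = report["total"]
    report["blocked_share"] = report["blocked"] / total if total else 0.0
    report["customers_locked_out"] = sorted(locked_out)
    return report


if __name__ == "__main__":
    for key, value in audit_geo_block(SAMPLE_LOG, BLOCKED_COUNTRIES).items():
        print(f"{key}: {value}")
```

Run against real logs before enforcing a block, `customers_locked_out` is the cost side of the decision and `noise_remaining` is what the block will not remove.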












9

One thing to consider: there are many countries in which the state, or maybe shady Internet providers, snoop on Internet traffic.

Even if your health care provider's website uses TLS (which I assume), PCs in those countries might have a fake root certificate installed to intercept your traffic. So when Joe average becomes sick and goes to an Internet cafe to check his coverage on the health provider's website, no one can be sure that their data - and login credentials - are safe.

Blocking foreign IP addresses and requiring a VPN mitigates at least some of this - you can't install the VPN client on some public computer, so you need to use your own laptop; this helps against keyloggers as well, and MITM attacks against a VPN are way harder than MITM against HTTPS, because the VPN client knows which certificates to expect, so you can't just use a fake CA.

edited Sep 19 at 11:38
Peter Mortensen
answered Sep 17 at 16:21
Guntram Blohm supports Monica

  • I think you have to insert compromised HTTPS certificates in the OS for that kind of snooping to work, which can work on places like North Korea
    – lurscher
    Sep 18 at 2:29

  • 1
    Most companies blocking IPs by geolocation probably aren't concerned for the end user's sake but rather their own data/network security.
    – TylerH
    Sep 18 at 14:40

  • 4
    "there are many countries in which the state, or maybe shady internet providers, snoop on internet traffic" You mean like, say, the US and Canada? (Indeed among many others.)
    – a CVn
    Sep 19 at 8:28

3

The security benefit is likely small, but real.

My workplace deals with scans from foreign soil all the time. Mostly these come from a few notorious places like Palestine, or Russia where political and legal issues exist between the US and these countries that make them more attractive attack hosts. They also come from more friendly countries like France or The Netherlands. They're far less likely to come from inside my own country. I hazard a guess that this might be because it's easier to obtain search warrants or tap/trace devices for a source and a target within the same country. Where these people exist in meat-space is anyone's guess.

These are all largely automated processes targeting large swaths of the Internet. They're unsophisticated enough that the attacker isn't likely trying to target us per se, but it is just trying to find "someone" to go after.

It's certainly true that these attackers can use other means to use an IP address inside my country. I've seen them do this through various other means when they're blocked by us. But this takes extra effort for the attacker, which may be better spent elsewhere and may not be worth the trouble for the attacker to go after a more hardened target.

As the saying goes, you don't have to be the fastest animal running away from the predator; you just can't be the slowest.

edited Sep 19 at 11:38
Peter Mortensen
answered Sep 17 at 18:28
Steve Sether

  • 1
    Geo-blockers are trivial to circumvent, but there is a population who don't bother and run their scripts from their home IP. Blocking certain countries saves the noise (and work checking the noise) of these "intrusions". Some sites also block known VPNs and hosting services, but for many this is turning away valuable trade.
    – Rich
    Sep 17 at 21:31

  • 2
    It's always a balance. I would say most doors are trivial to defeat (one swift kick with some heavy boots), but I still wouldn't recommend removing them.
    – Nelson
    Sep 18 at 4:59

  • 2
    "notorious places like Palestine"? I hear about scans and attacks from Russia and China all the time, but Palestine? Is that actually common?
    – Justin Lardinois
    Sep 18 at 8:24

  • @JustinLardinois For us it is. Oddly we don't get scanned by China. I don't think I've seen one scan from that country. Quite a lot of other countries however. I'd be curious to know more than my limited scope on where scans come from though.
    – Steve Sether
    Sep 18 at 21:14

  • 1
    @Rich They are trivial to circumvent for single users. But if you're running a botnet with infected PCs from China, it's far from trivial to mask all those IPs I imagine (at least I'm not aware of a simple way to do this).
    – Voo
    Sep 19 at 8:54

-5

If you have an incompetent or lazy security team, and a limited amount of time in which to plug security holes, it will help. The alternative is to ask your security team to implement real solutions rather than ad-hoc stopgaps. If, as per the premise, your security team is incompetent or lazy they will never succeed in implementing those and the security hole will remain. Thus IP address bans are a quick-and-dirty solution for organizations that won't or can't do the correct solution.

Of course, as a matter of principle, IP address blocking is a very clumsy approach. It is not hard to change IP addresses, proxy traffic through a certain country, or use any number of countermeasures. However:

  • For certain countries, the ratio of actual attacks reduced to the amount of business lost (from customers in that area) is huge.
  • Although defeating IP address bans is not hard, the attacker is still likely to prefer other organizations with fewer barriers to successfully hacking them.

Because of this, it has emerged as a popular measure for organizations that care more about the path of least resistance than doing it right.

  • 15
    "Incompetent or lazy"? A website run by one person can still get hosed by a flood of requests from a botnet. Don't be judgemental about people you don't know - suggest the "real solutions" instead.
    – Alfred Armstrong
    Sep 18 at 9:01

  • 3
    Geo-blocking is a numbers game. It makes it harder for you to be attacked. It doesn't make it impossible. Is that worth the cost to legitimate customers? Sometimes it is, sometimes it isn't. It's not always the right thing to do, but sometimes it is. It certainly is not an automatic sign of incompetence or laziness. (Besides, Lazy is good. See: threevirtues.com)
    – Ben Aveling
    Sep 18 at 12:51

  • 6
    Geo-IP blocking is a standard, legitimate control and is not an indication of incompetence, laziness, or weakness in any other control.
    – schroeder
    Sep 18 at 15:59

  • 5
    'incompetent or lazy' ... compared to what? A nation state? Security balances the value of what is being protected against the cost of protecting it for a time period. In the long run, all security fails.
    – Jeff K
    Sep 18 at 18:43

  • Using a geo-blocking is the same as "Iron Curtain" approach used at USSR times. Easy to maliciously sneak-in, useless for the actual control. Good to spread fear across loyal people. Sad thing to see that idiom living nowadays, now as "Internet edition".
    – Yury Schkatula
    Sep 24 at 12:15
-5









If you have an incompetent or lazy security team, and a limited amount of time in which to plug security holes, it will help. The alternative is to ask your security team to implement real solutions rather than ad-hoc stopgaps. If, as per the premise, your security team is incompetent or lazy, they will never succeed in implementing those and the security hole will remain. Thus IP address bans are a quick-and-dirty solution for organizations that won't or can't do the correct solution.

Of course, as a matter of principle, IP address blocking is a very clumsy approach. It is not hard to change IP addresses, proxy traffic through a certain country, or use any number of countermeasures. However:

  • For certain countries, the ratio of actual attacks reduced to the amount of business lost (from customers in that area) is huge.

  • Although defeating IP address bans is not hard, the attacker is still likely to prefer other organizations with fewer barriers to successfully hacking them.

Because of this, it has emerged as a popular measure for organizations that care more about the path of least resistance than doing it right.






edited Sep 19 at 11:38
Peter Mortensen

answered Sep 18 at 3:23
Artimithe55










  • 15

    "Incompetent or lazy"? A website run by one person can still get hosed by a flood of requests from a botnet. Don't be judgemental about people you don't know - suggest the "real solutions" instead.

    – Alfred Armstrong
    Sep 18 at 9:01

  • 3

    Geo-blocking is a numbers game. It makes it harder for you to be attacked. It doesn't make it impossible. Is that worth the cost to legitimate customers? Sometimes it is, sometimes it isn't. It's not always the right thing to do, but sometimes it is. It certainly is not an automatic sign of incompetence or laziness. (Besides, Lazy is good. See: threevirtues.com)

    – Ben Aveling
    Sep 18 at 12:51

  • 6

    Geo-IP blocking is a standard, legitimate control and is not an indication of incompetence, laziness, or weakness in any other control.

    – schroeder
    Sep 18 at 15:59

  • 5

    'incompetent or lazy' ... compared to what? A nation state? Security balances the value of what is being protected against the cost of protecting it for a time period. In the long run, all security fails.

    – Jeff K
    Sep 18 at 18:43

  • Using geo-blocking is the same as the "Iron Curtain" approach used in USSR times. Easy to maliciously sneak in, useless for the actual control. Good to spread fear across loyal people. Sad thing to see that idiom living nowadays, now as "Internet edition".

    – Yury Schkatula
    Sep 24 at 12:15
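The trade-off argued over in this answer and its comments (attacks removed versus business lost per region) can be measured from your own logs before deciding on a block. The following is an added example, not part of the original thread; the prefix table, region codes, log records and thresholds are all constructed assumptions, and the "flagged" field stands for a verdict from some other control such as failed-login or WAF alerts.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-region table (RFC 5737 documentation ranges, user-assigned
# region codes); a real deployment would load a geo-IP database instead.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
    ipaddress.ip_network("203.0.113.0/24"): "XC",
}
# Constructed request log: (source IP, flagged as attack by another control, order value)
SAMPLE_LOG = [
    ("192.0.2.10", True, 0.0), ("192.0.2.11", True, 0.0),
    ("192.0.2.12", True, 0.0), ("192.0.2.13", False, 5.0),
    ("198.51.100.7", False, 120.0), ("198.51.100.8", False, 80.0),
    ("198.51.100.9", True, 0.0), ("203.0.113.5", False, 40.0),
    ("203.0.113.6", True, 0.0), ("10.1.2.3", False, 15.0),
]

def region_of(ip):
    """Return the region whose prefix contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, region in GEO_TABLE.items():
        if addr in net:
            return region
    return "unknown"

def block_tradeoff(log):
    """Per region: (share of flagged attacks removed, share of revenue lost) if blocked."""
    attacks, revenue = defaultdict(int), defaultdict(float)
    for ip, is_attack, value in log:
        region = region_of(ip)
        attacks[region] += is_attack   # True counts as 1
        revenue[region] += value
    total_attacks = sum(attacks.values()) or 1
    total_revenue = sum(revenue.values()) or 1.0
    return {r: (attacks[r] / total_attacks, revenue[r] / total_revenue)
            for r in attacks}

def candidates(log, min_attack_share=0.5, max_revenue_share=0.05):
    """Regions where a block removes many attacks at little business cost."""
    return sorted(r for r, (a, v) in block_tradeoff(log).items()
                  if a >= min_attack_share and v <= max_revenue_share)

if __name__ == "__main__":
    for region, (a, v) in sorted(block_tradeoff(SAMPLE_LOG).items()):
        print(f"{region}: attacks removed {a:.0%}, revenue lost {v:.0%}")
    print("block candidates:", candidates(SAMPLE_LOG))
```

The regions are only where traffic appears to originate, so the "attacks removed" figure is an upper bound: as the answer notes, a source can move to another address or proxy through an allowed region.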











