Is there any actual security benefit to restricting foreign IP addresses?
I am currently outside the US trying to log in to my health care provider's website and the connection just times out. I reached out to them on Twitter and they told me that as a security measure they block connections from outside of the US and suggest I use a VPN.
So great, I can use a VPN to solve my problem. But I am curious, is there any real security advantage to this sort of IP address blocking? I am a geek (web developer), but not a security specialist so I am sure I am missing something, but it seems to me that if I can use a VPN to connect from Europe then any reasonable hacker would just do the same thing.
web-application ip geolocation
edited Sep 19 at 10:20 by Peter Mortensen
asked Sep 16 at 16:33 by Matthew Nichols
67
It may mitigate the random port scans that come from botnets. It's like a picket fence; kids aren't going to run into your yard, but it's not going to stop a burglar who has targeted your house.
– Ghedipunk
Sep 16 at 16:41
4
Possible duplicate of Is blacklisting IP addresses a waste of time?
– Zaibis
Sep 17 at 5:19
15
A health care provider typically handles sensitive data. If they open up to EU clients, they need to cover for GDPR's strict guidelines. IMHO they dodged a bullet there from a legal angle.
– user3819867
Sep 17 at 9:10
6
@user3819867 From what I've seen (but am not an expert) I don't think the GDPR applies to US-held data of a US person who happens to be in Europe when they want to access it.
– TripeHound
Sep 17 at 10:03
17
“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. Even if it weren't so, a single US citizen that stays four months in the EU (thus becoming resident) can potentially cost you up to 4% of your turnover. Would you open that for debate or would you shut it off by a simple technical step?
– user3819867
Sep 17 at 11:07
4 Answers
One thing to consider: there are many countries in which the state, or maybe shady Internet providers, snoop on Internet traffic.
Even if your health care provider's website uses TLS (which I assume), PCs in those countries might have a fake root certificate installed to intercept your traffic. So when Joe average becomes sick and goes to an Internet cafe to check his coverage on the health provider's website, no one can be sure that their data - and login credentials - are safe.
Blocking foreign IP addresses and requiring a VPN mitigates at least some of this - you can't install the VPN client on some public computer, so you need to use your own laptop; this helps against keyloggers as well, and MITM attacks against a VPN are way harder than MITM against HTTPS, because the VPN client knows which certificates to expect, so you can't just use a fake CA.
I think you have to insert compromised HTTPS certificates in the OS for that kind of snooping to work, which can work on places like North Korea
– lurscher
Sep 18 at 2:29
1
Most companies blocking IPs by geolocation probably aren't concerned for the end user's sake but rather their own data/network security.
– TylerH
Sep 18 at 14:40
4
"there are many countries in which the state, or maybe shady internet providers, snoop on internet traffic" You mean like, say, the US and Canada? (Indeed among many others.)
– a CVn
Sep 19 at 8:28
The security benefit is likely small, but real.
My workplace deals with scans from foreign soil all the time. Mostly these come from a few notorious places like Palestine, or Russia where political and legal issues exist between the US and these countries that make them more attractive attack hosts. They also come from more friendly countries like France or The Netherlands. They're far less likely to come from inside my own country. I hazard a guess that this might be because it's easier to obtain search warrants or tap/trace devices for a source and a target within the same country. Where these people exist in meat-space is anyone's guess.
These are all largely automated processes targeting large swaths of the Internet. They're unsophisticated enough that the attacker isn't likely trying to target us per se, but it is just trying to find "someone" to go after.
It's certainly true that these attackers can use other means to use an IP address inside my country. I've seen them do this through various other means when they're blocked by us. But this takes extra effort for the attacker, which may be better spent elsewhere and may not be worth the trouble for the attacker to go after a more hardened target.
As the saying goes, you don't have to be the fastest animal running away from the predator; you just can't be the slowest.
1
Geo-blockers are trivial to circumvent, but there is a population who don't bother and run their scripts from their home IP. Blocking certain countries saves the noise (and work checking the noise) of these "intrusions". Some sites also block known VPNs and hosting services, but for many this is turning away valuable trade.
– Rich
Sep 17 at 21:31
2
It's always a balance. I would say most doors are trivial to defeat (one swift kick with some heavy boots), but I still wouldn't recommend removing them.
– Nelson
Sep 18 at 4:59
2
"notorious places like Palestine"? I hear about scans and attacks from Russia and China all the time, but Palestine? Is that actually common?
– Justin Lardinois
Sep 18 at 8:24
@JustinLardinois For us it is. Oddly we don't get scanned by China. I don't think I've seen one scan from that country. Quite a lot of other countries however. I'd be curious to know more than my limited scope on where scans come from though.
– Steve Sether
Sep 18 at 21:14
1
@Rich They are trivial to circumvent for single users. But if you're running a botnet with infected PCs from China, it's far from trivial to mask all those IPs I imagine (at least I'm not aware of a simple way to do this).
– Voo
Sep 19 at 8:54
If you have an incompetent or lazy security team, and a limited amount of time in which to plug security holes, it will help. The alternative is to ask your security team to implement real solutions rather than ad-hoc stopgaps. If, as per the premise, your security team is incompetent or lazy they will never succeed in implementing those and the security hole will remain. Thus IP address bans are a quick-and-dirty solution for organizations that won't or can't do the correct solution.
Of course, as a matter of principle, IP address blocking is a very clumsy approach. It is not hard to change IP addresses, proxy traffic through a certain country, or use any number of countermeasures. However:
- For certain countries, the ratio of actual attacks reduced to the amount of business lost (from customers in that area) is huge.
- Although defeating IP address bans is not hard, the attacker is still likely to prefer other organizations with fewer barriers to successfully hacking them.
Because of this, it has emerged as a popular measure for organizations that care more about the path of least resistance than doing it right.
15
"Incompetent or lazy"? A website run by one person can still get hosed by a flood of requests from a botnet. Don't be judgemental about people you don't know - suggest the "real solutions" instead.
– Alfred Armstrong
Sep 18 at 9:01
3
Geo-blocking is a numbers game. It makes it harder for you to be attacked. It doesn't make it impossible. Is that worth the cost to legitimate customers? Sometimes it is, sometimes it isn't. It's not always the right thing to do, but sometimes it is. It certainly is not an automatic sign of incompetence or laziness. (Besides, Lazy is good. See: threevirtues.com)
– Ben Aveling
Sep 18 at 12:51
6
Geo-IP blocking is a standard, legitimate control and is not an indication of incompetence, laziness, or weakness in any other control.
– schroeder♦
Sep 18 at 15:59
5
'incompetent or lazy' ... compared to what? A nation state? Security balances the value of what is being protected against the cost of protecting it for a time period. In the long run, all security fails.
– Jeff K
Sep 18 at 18:43
Using geo-blocking is the same as the "Iron Curtain" approach used in USSR times. Easy to maliciously sneak in, useless for the actual control. Good to spread fear across loyal people. Sad thing to see that idiom living nowadays, now as "Internet edition".
– Yury Schkatula
Sep 24 at 12:15
The concept is "reducing the threat surface". If there is an expectation that no connections will be made from a certain geographic area, then it makes sense to block that area, because, by definition, it is not legitimate. In theory. (For a health provider, it's a weird choice since customers might want to manage their health while traveling, but this is a side issue.)
For one company I worked for, there was a list of countries that listed the Top 12 worst offenders for cybercrime, and we did not have any customers in those countries. So, it made sense to block them.
- Could attackers use proxies/VPNs to attack from an allowed IP? You bet.
- Did they? Who knows.
- Did we experience high volumes of attacks from those 12 countries anyway? Oh yes.
We saw an immediate 80% drop in traffic to our webservers when we started the geo-IP ban.
edited Sep 17 at 10:08
answered Sep 16 at 16:42 by schroeder♦
60
OK great so there is at least some utility. Whether it is worth the inconvenience to actual customers is as you acknowledge a separate issue. Thanks.
– Matthew Nichols
Sep 16 at 17:03
6
@MatthewNichols you got it
– schroeder♦
Sep 16 at 18:37
4
My company kept getting pings by random overseas "users" where we didn't have any clients, so we banned those countries as well. Basically, it makes it harder to be picked up by a random pickpocket, but it's not going to stop a targeted attack (the cynic in me says nothing has been found yet to stop a targeted attack).
– Hosch250
Sep 17 at 1:39
2
@Hosch250 Seems like a strange way to operate. Why not get on the front foot and just ban all countries where you don't have users? Why do you have to wait to be pinged?
– Gregory Currie
Sep 17 at 8:02
6
@Hosch250 It can also increase the cost of a targeted attack, now the attackers need to make sure they get IPs in the target country. Not that hard, but takes effort, likely more than setting the block up. And it reduces the fallback-IPs they can use once you block the ones they have in the country. As most of security, it's a numbers game of how much you want to invest and how costly you want to make attacks to someone.
– Frank Hopkins
Sep 17 at 8:16
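The trade-off discussed in this answer and its comments (traffic dropped versus customers locked out) can be measured before a geo-IP ban is enforced by replaying existing access logs against the intended country allowlist. The following is an added example, not code from the original posts; the prefix-to-country table, the log format and the user names are constructed, using documentation address ranges.

```python
"""Replay access-log lines against a country allowlist before enforcing it."""
import ipaddress
from collections import Counter

# Constructed prefix-to-country table (documentation ranges from RFC 5737 and
# RFC 3849). Real data would come from a GeoIP database; this mapping is made up.
GEO_TABLE = [
    ("192.0.2.0/24", "US"),
    ("198.51.100.0/24", "RU"),
    ("203.0.113.0/24", "FR"),
    ("203.0.113.128/25", "US"),  # more specific prefix, e.g. a US-hosted VPN exit
    ("2001:db8:1::/48", "US"),
    ("2001:db8:2::/48", "NL"),
]

# Constructed log lines: "<client-ip> <user or -> <path> <status>".
SAMPLE_LOG = """\
192.0.2.10 alice /login 200
198.51.100.7 - /wp-login.php 404
198.51.100.7 - /phpmyadmin/ 404
198.51.100.8 - /.env 404
203.0.113.5 bob /login 200
203.0.113.200 bob /login 200
2001:db8:2::15 - /admin 404
2001:db8:1::9 carol /records 200
not-an-ip - / 400
10.1.2.3 - /health 200
"""

# Longest prefix first, so the most specific entry wins on overlap.
_NETS = sorted(
    ((ipaddress.ip_network(cidr), cc) for cidr, cc in GEO_TABLE),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def country_of(addr):
    """Return the country code for addr, or None if no prefix covers it.

    Raises ValueError if addr is not a valid IPv4/IPv6 address.
    """
    ip = ipaddress.ip_address(addr)
    for net, cc in _NETS:
        if ip in net:  # always False when IP versions differ
            return cc
    return None


def replay(log_text, allowed, block_unknown=True):
    """Dry-run a geo-block over log_text and report what it would have done.

    allowed       -- set of country codes that may connect
    block_unknown -- fail closed (True) or open (False) for unmapped addresses
    """
    stats = {
        "total": 0,
        "malformed": 0,
        "blocked": 0,
        "by_country": Counter(),
        "locked_out_users": set(),  # authenticated users who would be cut off
    }
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            stats["malformed"] += 1
            continue
        addr, user, _path, _status = fields
        try:
            cc = country_of(addr)
        except ValueError:
            stats["malformed"] += 1
            continue
        stats["total"] += 1
        blocked = block_unknown if cc is None else cc not in allowed
        if blocked:
            stats["blocked"] += 1
            stats["by_country"][cc or "??"] += 1
            if user != "-":
                stats["locked_out_users"].add(user)
    total = stats["total"]
    stats["blocked_share"] = stats["blocked"] / total if total else 0.0
    return stats


if __name__ == "__main__":
    report = replay(SAMPLE_LOG, allowed={"US"})
    print(f"{report['blocked']}/{report['total']} requests would be blocked "
          f"({report['blocked_share']:.0%})")
    print("by country:", dict(report["by_country"]))
    print("customers locked out:", sorted(report["locked_out_users"]))
```

In the sample, the same user is blocked from the French range and admitted from the more specific US prefix, which is the VPN workaround the question describes; `locked_out_users` is the list of real customers to warn or exempt before the block goes live.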
|
show 12 more comments
60
OK great so there is at least some utility. Whether it is worth the inconvenience to actual customers is as you acknowledge a separate issue.Thanks.
– Matthew Nichols
Sep 16 at 17:03
6
@MatthewNichols you got it
– schroeder♦
Sep 16 at 18:37
4
My company kept getting pings by random overseas "users" where we didn't have any clients, so we banned those countries as well. Basically, it makes it harder to be picked up by a random pickpocket, but it's not going to stop a targeted attack (the cynic in me says nothing has been found yet to stop a targeted attack).
– Hosch250
Sep 17 at 1:39
2
@Hosch250 Seems like a strange way to operate. Why not get on the front foot and just ban all countries where you don't have users? Why do you have to wait to be pinged?
– Gregory Currie
Sep 17 at 8:02
6
@Hosch250 It can also increase the cost of a targeted attack, now the attackers need to make sure they get IPs in the target country. Not that hard, but takes effort, likely more than setting the block up. And it reduces the fallback-IPs they can use once you block the ones they have in the country. As most of security, it's a numbers game of how much you want to invest and how costly you want to make attacks to someone.
– Frank Hopkins
Sep 17 at 8:16
One thing to consider: there are many countries in which the state, or maybe shady Internet providers, snoop on Internet traffic.
Even if your health care provider's website uses TLS (which I assume), PCs in those countries might have a fake root certificate installed to intercept your traffic. So when Joe Average becomes sick and goes to an Internet cafe to check his coverage on the health provider's website, no one can be sure that their data - and login credentials - are safe.
Blocking foreign IP addresses and requiring a VPN mitigates at least some of this - you can't install the VPN client on some public computer, so you need to use your own laptop; this helps against keyloggers as well, and MITM attacks against a VPN are way harder than MITM against HTTPS, because the VPN client knows which certificates to expect, so you can't just use a fake CA.
edited Sep 19 at 11:38
Peter Mortensen
answered Sep 17 at 16:21
Guntram Blohm supports Monica
I think you have to insert compromised HTTPS certificates in the OS for that kind of snooping to work, which can work in places like North Korea.
– lurscher
Sep 18 at 2:29
1
Most companies blocking IPs by geolocation probably aren't concerned for the end user's sake but rather their own data/network security.
– TylerH
Sep 18 at 14:40
4
"there are many countries in which the state, or maybe shady internet providers, snoop on internet traffic" You mean like, say, the US and Canada? (Indeed among many others.)
– a CVn
Sep 19 at 8:28
The security benefit is likely small, but real.
My workplace deals with scans from foreign soil all the time. Mostly these come from a few notorious places like Palestine or Russia, where political and legal issues exist between the US and these countries that make them more attractive attack hosts. They also come from more friendly countries like France or the Netherlands. They're far less likely to come from inside my own country. I hazard a guess that this might be because it's easier to obtain search warrants or tap/trace devices for a source and a target within the same country. Where these people exist in meat-space is anyone's guess.
These are all largely automated processes targeting large swaths of the Internet. They're unsophisticated enough that the attacker isn't likely trying to target us per se, but is just trying to find "someone" to go after.
It's certainly true that these attackers can use other means to use an IP address inside my country. I've seen them do this through various other means when they're blocked by us. But this takes extra effort for the attacker, which may be better spent elsewhere and may not be worth the trouble for the attacker to go after a more hardened target.
As the saying goes, you don't have to be the fastest animal running away from the predator; you just can't be the slowest.
edited Sep 19 at 11:38
Peter Mortensen
answered Sep 17 at 18:28
Steve Sether
1
Geo-blockers are trivial to circumvent, but there is a population who don't bother and run their scripts from their home IP. Blocking certain countries saves the noise (and work checking the noise) of these "intrusions". Some sites also block known VPNs and hosting services, but for many this is turning away valuable trade.
– Rich
Sep 17 at 21:31
2
It's always a balance. I would say most doors are trivial to defeat (one swift kick with some heavy boots), but I still wouldn't recommend removing them.
– Nelson
Sep 18 at 4:59
2
"notorious places like Palestine"? I hear about scans and attacks from Russia and China all the time, but Palestine? Is that actually common?
– Justin Lardinois
Sep 18 at 8:24
@JustinLardinois For us it is. Oddly we don't get scanned by China. I don't think I've seen one scan from that country. Quite a lot of other countries, however. I'd be curious to know more than my limited scope on where scans come from though.
– Steve Sether
Sep 18 at 21:14
1
@Rich They are trivial to circumvent for single users. But if you're running a botnet with infected PCs from China, it's far from trivial to mask all those IPs I imagine (at least I'm not aware of a simple way to do this).
– Voo
Sep 19 at 8:54
If you have an incompetent or lazy security team, and a limited amount of time in which to plug security holes, it will help. The alternative is to ask your security team to implement real solutions rather than ad-hoc stopgaps. If, as per the premise, your security team is incompetent or lazy they will never succeed in implementing those and the security hole will remain. Thus IP address bans are a quick-and-dirty solution for organizations that won't or can't do the correct solution.
Of course, as a matter of principle, IP address blocking is a very clumsy approach. It is not hard to change IP addresses, proxy traffic through a certain country, or use any number of countermeasures. However:
- For certain countries, the ratio of actual attacks reduced to the amount of business lost (from customers in that area) is huge.
- Although defeating IP address bans is not hard, the attacker is still likely to prefer other organizations with fewer barriers to successfully hacking them.
Because of this, it has emerged as a popular measure for organizations that care more about the path of least resistance than doing it right.
edited Sep 19 at 11:38
Peter Mortensen
answered Sep 18 at 3:23
Artimithe55
15
"Incompetent or lazy"? A website run by one person can still get hosed by a flood of requests from a botnet. Don't be judgemental about people you don't know - suggest the "real solutions" instead.
– Alfred Armstrong
Sep 18 at 9:01
3
Geo-blocking is a numbers game. It makes it harder for you to be attacked. It doesn't make it impossible. Is that worth the cost to legitimate customers? Sometimes it is, sometimes it isn't. It's not always the right thing to do, but sometimes it is. It certainly is not an automatic sign of incompetence or laziness. (Besides, Lazy is good. See: threevirtues.com)
– Ben Aveling
Sep 18 at 12:51
6
Geo-IP blocking is a standard, legitimate control and is not an indication of incompetence, laziness, or weakness in any other control.
– schroeder♦
Sep 18 at 15:59
5
'incompetent or lazy' ... compared to what? A nation state? Security balances the value of what is being protected against the cost of protecting it for a time period. In the long run, all security fails.
– Jeff K
Sep 18 at 18:43
Using geo-blocking is the same as the "Iron Curtain" approach used in USSR times. Easy to maliciously sneak in, useless for the actual control. Good to spread fear across loyal people. Sad thing to see that idiom living nowadays, now as "Internet edition".
– Yury Schkatula
Sep 24 at 12:15
'incompetent or lazy' ... compared to what? A nation state? Security balances the value of what is being protected against the cost of protecting it for a time period. In the long run, all security fails.
– Jeff K
Sep 18 at 18:43
Using a geo-blocking is the same as "Iron Curtain" approach used at USSR times. Easy to maliciously sneak-in, useless for the actual control. Good to spread fear across loyal people. Sad thing to see that idiom living nova days, now as "Internet edition".
– Yury Schkatula
Sep 24 at 12:15
Using a geo-blocking is the same as "Iron Curtain" approach used at USSR times. Easy to maliciously sneak-in, useless for the actual control. Good to spread fear across loyal people. Sad thing to see that idiom living nova days, now as "Internet edition".
– Yury Schkatula
Sep 24 at 12:15
add a comment
|
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218098%2fis-there-any-actual-security-benefit-to-restricting-foreign-ip-addresses%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
67
It may mitigate the random port scans that come from botnets. It's like a picket fence; kids aren't going to run into your yard, but it's not going to stop a burglar who has targeted your house.
– Ghedipunk
Sep 16 at 16:41
4
Possible duplicate of Is blacklisting IP addresses a waste of time?
– Zaibis
Sep 17 at 5:19
15
A health care provider typically handles sensitive data. If they open up to EU clients, they need to cover for GDPR's strict guidelines. IMHO they dodged a bullet there from a legal angle.
– user3819867
Sep 17 at 9:10
6
@user3819867 From what I've seen (but am not an expert) I don't think the GDPR applies to US-held data of a US person who happens to be in Europe when they want to access it.
– TripeHound
Sep 17 at 10:03
17
“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”. Even if it weren't so, a single US citizen that stays four months in the EU (thus becoming resident) can potentially cost you up to 4% of your turnover. Would you open that for debate or would you shut it off by a simple technical step?
– user3819867
Sep 17 at 11:07