Block Foreign IP Addresses?

I admit I have considered this same thing. I had even prepared my IP tables and firewalls to cut off all but regional IP traffic. I never implemented it but I was close. In hindsight I realize it was just a knee-jerk response to constant kicks at my server door. At one point an attacker managed to gain access and set up a fake credit card site. You learn from the past and I learned from that experience. They managed to operate for about 26 hours before we discovered the breach. Since then I have been able to consider the whole picture and I understand that isolating my server to specific IP blocks is actually the lazy way of doing things and it would not guarantee that it would not happen again. Furthermore, there are some major downsides to isolating yourself from the World.

The Needs Of The Many Outweigh The Needs Of The Few

According to the Wikipedia article "List of countries by IPv4 address allocation" (as of June 21, 2012, 15:41 GMT), the US holds a minority of IP addresses compared to all other countries of the World, at just under 36% of allocated IP addresses. That means foreign IP addresses make up over 65% of the IPv4 allocation. So it makes sense to a webmaster or network security analyst that the majority of attacks come from foreign countries; that is where the majority of the World's IP addresses are. By the same reasoning you would expect most traffic to your server to come from the greatest number of IP blocks, which is foreign countries. This, of course, is not true. If you're hosting a site or several sites in the US you will see that, in most cases, most of your hits come from the US. It really depends on the type of site and the audience you attract, but a large percentage of US websites receive a larger share of their traffic from US visitors than from foreign ones, even though the majority of allocated IPs are foreign.

You Mean There Is a World Out There

This highlights the mentality of thinking the US is the World when, in fact, we are just a small piece of the World. The advent of IPv6 only puts more emphasis on the reality that the US accounts for only a fraction of Internet IP usage compared to the rest of the World. So when you look at your stats and see a lot of foreign traffic, keep in mind there are a lot more IP addresses allocated to foreign countries than to the US. This doesn't mean all those hits are looking to hack or spam your site either.

The percentage of nefarious IPs coming from foreign countries is minuscule compared to the total IPs allocated to foreign countries. This means the majority of foreign traffic is friendly. The US is actually the greatest threat to your network or server according to the latest SANS statistics. We are the greatest target for attacks but we are also the greatest originator of attacks. And according to a recent study by Spamhaus, the US is also the number 1 country in the origination of spam.

I think IP blocking plays a part in server security but not whole countries. We have the technology and tools to record and track IP addresses that have a history of doing harm. There are several sites up and running that already do this. It may require a little research and work but it is possible to secure a server without blocking the World.

No Guarantees

Let's face it: there is no bulletproof scenario. You can and should have an aggressive security scheme that includes IP tracking and blocking. In the final analysis, if the attacker has the zeal and the tools they can and will do harm. A prudent backup policy is necessary in case of a breach; that way, if your countermeasures fail you can just restore. Monitoring and tracking are the two greatest tools in server security and should be religiously maintained. There are a number of countermeasures available, too many to list here, that can deter the bad guys, including blocking IP addresses. This shouldn't mean, though, that you have to cut yourself off from the World. Substantially more good than bad comes from foreign IPs.

Even setting aside dynamic IPs and proxies, there are a lot of arguments against blocking ALL foreign IPs. I can see blocking segments or certain blocks of IPs, but whole countries? Or the entire World? That's just being lazy.
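As an added illustration of the targeted approach argued for above (my example, not code from the original post): a script that records failed logins per source IP and blocks only the offending addresses, escalating to a /24 segment when several offenders cluster in it, rather than blocking a whole country. The sshd-style log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd-style sample lines (documentation addresses only, no real host).
SAMPLE_LOG = """\
Jun 21 15:41:02 web1 sshd[1001]: Failed password for root from 203.0.113.10 port 50122 ssh2
Jun 21 15:41:05 web1 sshd[1002]: Failed password for root from 203.0.113.10 port 50130 ssh2
Jun 21 15:41:09 web1 sshd[1003]: Failed password for admin from 203.0.113.10 port 50141 ssh2
Jun 21 15:41:11 web1 sshd[1004]: Failed password for root from 203.0.113.11 port 41022 ssh2
Jun 21 15:41:14 web1 sshd[1005]: Failed password for root from 203.0.113.11 port 41030 ssh2
Jun 21 15:41:20 web1 sshd[1006]: Failed password for root from 203.0.113.11 port 41031 ssh2
Jun 21 15:41:22 web1 sshd[1007]: Accepted publickey for deploy from 198.51.100.7 port 33010 ssh2
Jun 21 15:41:30 web1 sshd[1008]: Failed password for root from 198.51.100.9 port 33020 ssh2
Jun 21 15:41:44 web1 sshd[1009]: Failed password for root from 192.0.2.200 port 60001 ssh2
Jun 21 15:41:45 web1 sshd[1010]: Failed password for root from 192.0.2.200 port 60002 ssh2
Jun 21 15:41:46 web1 sshd[1011]: Failed password for root from 192.0.2.200 port 60003 ssh2
"""

FAILED = re.compile(r"Failed password for .+? from (\d+\.\d+\.\d+\.\d+) port")

def count_failures(log_text):
    """Count failed logins per source IP; successful logins and other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def build_blocklist(counts, per_ip_threshold=3, per_block_offenders=2):
    """Block an IP once it reaches per_ip_threshold failures; when at least
    per_block_offenders blocked IPs share a /24, block that segment instead."""
    offenders = {ip for ip, n in counts.items() if n >= per_ip_threshold}
    block_of = {ip: str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in offenders}
    per_block = Counter(block_of.values())
    return {block_of[ip] if per_block[block_of[ip]] >= per_block_offenders else ip
            for ip in offenders}

def iptables_rules(targets):
    """One DROP rule per target, sorted so the output is stable."""
    return ["iptables -A INPUT -s %s -j DROP" % t for t in sorted(targets)]

if __name__ == "__main__":
    for rule in iptables_rules(build_blocklist(count_failures(SAMPLE_LOG))):
        print(rule)
```

On the sample, the single failure from 198.51.100.9 stays unblocked, 192.0.2.200 is blocked alone, and the two offenders in 203.0.113.0/24 are collapsed into one rule for that segment.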

by Jim Atkins "thedosmann"

