
Blocking Foreign IPs From Your Network: An Ethnocentric Approach


Network administrators play a delicate game of balancing uptime and security. Increased security often comes at the sacrifice of accessibility and/or performance, and steps taken to increase accessibility and uptime often create security issues. Thus, measures that can potentially bolster performance, uptime, and security all at once are sought out as holy relics in network administration. The Pareto principle suggests that, in a majority of cases, 80% of the problems will arise from 20% of the sources. If it is possible to identify the 20% of countries causing 80% of our security problems, is it then possible to ban the complete IP blocks from those countries and effectively eliminate 80% of our problems? Is this a reasonable solution, or just plain overkill?

What do you think? Let us know where you stand in the comments.

I recently came across a server that, over the years, has accumulated quite the iptables definition. A given IP was banned any time it was identified as performing malicious activity. Sometimes whole IP blocks were banned. Although there was no documentation on a per-IP basis, the assumption is made that any IP or block banned was likely involved in a DDoS, an unmetered scrape of a website/database, or some other sort of Doofenshmirtz scheme. This particular iptables file ended up over 5,000 lines long. An analysis of the iptables definition conformed to the Pareto principle: a large majority of the problems arose from a small percentage of origin countries. The executive decision was made to block entire countries from accessing the server and its services. Before we delve into whether or not this is good policy, let’s first examine how we attempted to go about this.

First, we utilized a database like countryipblocks.net to gather the IP blocks associated with a given country. Then, we ran these IP blocks through a little Perl magic to format our iptables definitions. Finally, a cross check against the existing iptables definition was performed to make sure any IPs not covered by the final group of country blocks were added back into the list. Our bans are lifetime, baby.
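The three steps above, as an added example that is not the author's Perl script: it takes a list of country CIDR blocks (a constructed sample standing in for a countryipblocks.net export), emits one DROP rule per block, then parses the old ruleset in `iptables-save` format and re-adds every existing ban that no country block already covers. The rule regex and sample data are assumptions; the Python `ipaddress` calls are standard library.

```python
import ipaddress
import re

# Constructed sample: CIDR blocks for one country, as a country-IP database exports them
COUNTRY_BLOCKS = [
    "198.51.100.0/24",
    "203.0.113.0/25",
]

# Constructed sample: the accumulated ruleset, in iptables-save format
EXISTING_RULES = """\
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -s 198.51.100.42/32 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
"""

# Matches only simple source-based DROP rules; anything else is left alone
RULE_RE = re.compile(r"^-A\s+(\S+)\s+-s\s+(\S+)\s+-j\s+DROP\s*$")


def parse_existing_drops(rules_text):
    """Return (chain, network) for every source-based DROP rule in the old file."""
    drops = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            drops.append((m.group(1), ipaddress.ip_network(m.group(2), strict=False)))
    return drops


def covered(net, blocks):
    """True if net lies entirely inside one of the country blocks (same IP version)."""
    return any(net.subnet_of(b) for b in blocks if net.version == b.version)


def build_ruleset(country_cidrs, existing_text, chain="INPUT"):
    """Country-wide DROP rules first, then any old bans the country blocks do not cover."""
    blocks = [ipaddress.ip_network(c) for c in country_cidrs]
    rules = [f"-A {chain} -s {b.with_prefixlen} -j DROP" for b in blocks]
    # Cross check: an old ban that is not inside a country block must be added back
    for old_chain, net in parse_existing_drops(existing_text):
        if not covered(net, blocks):
            rules.append(f"-A {old_chain} -s {net.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(build_ruleset(COUNTRY_BLOCKS, EXISTING_RULES)))
```

Feed real `iptables-save` output in as `EXISTING_RULES`; with thousands of blocks, one `ipset` set of type `hash:net` referenced from a single rule is evaluated far faster than a chain of several thousand individual rules.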

Before launching this ethnocentric network policy, various benchmarks were set and obtained. Geo data from our analytics software, such as Google Analytics or Piwik, played a large part in both decisions: which countries to exclude from the 20% of problem countries, and which benchmarks to set and monitor. Monitoring these benchmarks is an ongoing process, as variations could force an immediate need to unban a given country.

The Internet purist in me cringes at the thought of blocking such a large volume of IPs. Even the permanent ban policy mentioned above makes me queasy. However, from a business perspective, this policy makes sense if the target market is not in a given country and the only noticeable interaction from said country is malicious. This is where the balance between the freedom and openness of the Internet meets the security and profit margin of the businesses that power a large part of the web.
