How Practical Is It To Block Specific Countries From Accessing Your Server?

Hackers always were, and will be a big concern among users of the internet – especially owners of publicly available servers, whatever they serve.

Analysing the origins of attacks, one can see that they originate more frequently from countries such as Nigeria, China or Ukraine than from others.

We’ve recently had an in-house discussion about this topic and what our options would be. Many articles already exist, some associated with moral or ethical concerns and flame wars, so we wanted to research this problem to see how practical it would be to implement a solution.

The main thing to consider is the number of networks that are associated with a country. Some countries have only a couple of networks assigned to them, where as some may have over a hundred. However, it is not uncommon for some countries to have between two & four thousand networks – some even exceed 20,000!

Putting such a large number of rules into iptables, which is a standard Linux firewall, raises concerns related to the performance of this as a viable solution – keeping in mind
that every single packet from legitimate traffic would have to be checked against all of them before it can be passed to the system. Another issue is that adding so many rules into iptables will be very time consuming. When testing with a list of approximately 16000 networks it took 14 minutes to insert them.

There are possible workarounds to these problems. Rule segregation, use of ipset patch – or even geoip patch for iptables. There are also other solutions available, courtesy of the open source community, which could be implemented. But this puts us back to the beginning, to the ethics of such a move.

This entry was posted in Web Security. Bookmark the permalink.

Comments are closed.