Risks to Geo Blocking
-
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
IP addresses are fungible.
-
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
IP addresses are fungible.
I'm not sure what you're getting at here. Yes, you can change your IP address to something else, but a large number of attacks and reconnaissance originate from zombies that are not controlled at that level by the attacker because they are cattle (cattle vs pets). Geo IP won't stop a manual or directed attacker. It will eliminate a large chunk of the computers located in a given country that are botted.
-
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
-
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
What about false positives? If you are willing to block so broadly, why not block completely? Or whitelist?
-
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
How does it possibly lower the load? You're artificially adding additional delays and load on the router to do the additional look up that is required for every connection. Isn't that just the opposite of what you're trying to do?
-
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
How does it possibly lower the load? You're artificially adding additional delays and load on the router to do the additional look up that is required for every connection. Isn't that just the opposite of what you're trying to do?
Those delays are miniscule compared to what they woudl be if the rule didn't drop the traffic.
The traffic is hitting it either way. But if it is dropped with no further action, you are done and have a lighter load.
Any other answer is you smoking crack.
-
@scottalanmiller said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
What about false positives? If you are willing to block so broadly, why not block completely? Or whitelist?
What false positives? We don't care. This is about blocking incoming on an edge router. not something service websites. Although we are already off topic as the OP was talking about outbound traffic.
-
@travisdh1 and @scottalanmiller What @JaredBusch said, but sans the crack crack
-
@jaredbusch said in Firewall rules for outgoing traffic:
@scottalanmiller said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
What about false positives? If you are willing to block so broadly, why not block completely? Or whitelist?
What false positives? We don't care. This is about blocking incoming on an edge router. not something service websites. Although we are already off topic as the OP was talking about outbound traffic.
When do you want to block some things, but not all, but are okay with false positives? I can't think of any scenario, theoretical or otherwise, where you'd want ANY access (short of a whitelist) but are okay with what that blocks.
Basically, it's blocking at random, instead of blocking fully. But it is more work. So... why?
-
@scottalanmiller said in Firewall rules for outgoing traffic:
@jaredbusch said in Firewall rules for outgoing traffic:
@scottalanmiller said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
What about false positives? If you are willing to block so broadly, why not block completely? Or whitelist?
What false positives? We don't care. This is about blocking incoming on an edge router. not something service websites. Although we are already off topic as the OP was talking about outbound traffic.
When do you want to block some things, but not all, but are okay with false positives? I can't think of any scenario, theoretical or otherwise, where you'd want ANY access (short of a whitelist) but are okay with what that blocks.
Basically, it's blocking at random, instead of blocking fully. But it is more work. So... why?
@scottalanmiller analogy time. Let's put this other terms. If you have a fence that keeps out dogs, but doesn't stop squirrels why would you use it? It even keeps your dog out. That fence is terrible. Right?
If I am an American business that has products that I cannot export, or I have zero international customers blocking the Geo IP addresses of Iran, Russia, and China will have little, if any impact on my ability to market my product and support my customers. It will not stop every attack against me originating in those countries. It will reduce the automated attacks and scans however.
This isn't an across the board rule. Not every business only does business within the US (or any other country). Obviously it wouldn't work unless you wanted to take that risk. It is a risk. But the gains of blocking key countries by Geo IP is worth the risk in my opinion for many SMBs.
-
@kelly said in Firewall rules for outgoing traffic:
@scottalanmiller said in Firewall rules for outgoing traffic:
@jaredbusch said in Firewall rules for outgoing traffic:
@scottalanmiller said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
What about false positives? If you are willing to block so broadly, why not block completely? Or whitelist?
What false positives? We don't care. This is about blocking incoming on an edge router. not something service websites. Although we are already off topic as the OP was talking about outbound traffic.
When do you want to block some things, but not all, but are okay with false positives? I can't think of any scenario, theoretical or otherwise, where you'd want ANY access (short of a whitelist) but are okay with what that blocks.
Basically, it's blocking at random, instead of blocking fully. But it is more work. So... why?
@scottalanmiller analogy time. Let's put this other terms. If you have a fence that keeps out dogs, but doesn't stop squirrels why would you use it? It even keeps your dog out. That fence is terrible. Right?
Not a good analogy. Because that's not at all what is happening. It's a gate, not a fence. A gate that randomly lets people in, both the ones you want AND the ones you don't. It doesn't really discriminate. It's essentially random.
Why would you ever put in extra effort to randomly let bad people in and good people out? Either block all bad people, or don't block. Both approaches are easier and more effective.
-
@kelly said in Firewall rules for outgoing traffic:
If I am an American business that has products that I cannot export, or I have zero international customers blocking the Geo IP addresses of Iran, Russia, and China will have little, if any impact on my ability to market my product and support my customers. It will not stop every attack against me originating in those countries. It will reduce the automated attacks and scans however.
Correct, it will reduce automated attacks. It will also block any American customer that happens to be traveling, or just randomly gets mis-marked as being in those countries. Since Geo-blocking isn't reliable, you block a lot of people that are legitimate "would be" customers.
As someone who travels AND as someone who is regularly detected as being in a different country, I can tell you a lot of businesses and websites lose business from potential customers because they either flat out announce that they won't do business with them or, far more likely, simple appear to have an outage that never stops. It makes legitimate customers believe you've gone out of business.
How many businesses want to "reduce automated attacks" in exchange for risking real business?
-
@kelly said in Firewall rules for outgoing traffic:
This isn't an across the board rule. Not every business only does business within the US (or any other country). Obviously it wouldn't work unless you wanted to take that risk. It is a risk. But the gains of blocking key countries by Geo IP is worth the risk in my opinion for many SMBs.
I don't believe that this is true. The risk is trivial from scanning, while losing even one real customer is large.
Put a dollar value on it. Let's say you are a restaurant. And you do this. You will easily lose one custmomer who gets a false positive and can't get to your website (now they think you are closed, or can't determine if you are open, or worse, think your restaurant failed as most do.) You lose a $20 customer.
What's the average risk to scanning a restaurant's website? Restaurants are the "most local" of all businesses (generally.) They ONLY care about people in the direct vicinity. But I'd argue that even for them, Geo-blocking poses a business risk that is far larger than the value in security that it potentially adds. I'd put the value of reducing the scanning at below $20.
-
The who geo blocking thing has zero benefit. Anyone who does it, where it was suddenly turned off without them knowing, would only notice benefits... nobody would notice anything negative.
-
There are days where I question why I even bother trying to persuade...
-
@obsolesce said in Firewall rules for outgoing traffic:
The who geo blocking thing has zero benefit. Anyone who does it, where it was suddenly turned off without them knowing, would only notice benefits... nobody would notice anything negative.
It's tricky, because people who do it have no way to know how much they lose in doing so. It's impossible for the person doing the blocking to know what damage they've done. Companies don't realize the business that they are losing unless a potential customer figures out that the company is still working, but geo-blocking, then takes the time to reach out and explain that they've been snubbed and will refuse to do business with them.
I've done this to a few companies, but I'm the exception. Most people will never realize the company still has a working website, and those few that do will never take the effort to inform someone that they are telling legit customers to go away.
We ran into this same concept at a job I once had. They had HR secretly telling candidates not to accept jobs at the company, but they told them this BEFORE HR recorded them in the system. So departments had no idea that people were turning the company down, rather than the other way around, because it was happening before any metrics were collected. HR got caught when a friend of a friend was asked to take the job and turned it down, and their friend asked them why and they divulged what HR had told them. Then an investigation ensued and they discovered HR sabotaging the company out of spite for something.
Same effect - turn customers away BEFORE you record them as potential customers and there is no metric to show how much damage you've done to the company.
-
@kelly said in Firewall rules for outgoing traffic:
There are days where I question why I even bother trying to persuade...
I never want to persuade, that's not a good goal. The goal should always be to find what is true. Persuading is necessary only when your position isn't correct but you want someone to accept it anyway. Working towards truth is a better goal - put forth ideas and see if they make sense.
In this case, this is something that's been discussed a lot, and I firmly believe, for very real business reasons, that geo-blocking is reckless and done out of a misunderstanding.
Because it is not reliable and blocks both legit and non-legit users, and because the value of blocking non-legit users is nominal, and the risk of blocking legit ones is huge, it's very difficult to make a compelling argument for why to do it.
It sounds good, until you examine the risks and costs involved. Then it is hard to understand why it is ever promoted.
Given these facts...
- It is not reliable and allows both bad people in and blocks good people.
- It carries a higher cost to implement than to not implement (even if just in effort.)
- The risk of false positives is generally extremely high.
Try to persuade us while specifically addressing these concerns. Those are things we can prove. Geo-blocking seems great, but all "arguements" for why to do it always seem to ignore these three concerns.
-
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
-
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
So what about the hundreds of people you unintentionally block because the GeoIP service you use put them in Russia instead of eastern Europe? Which is worse, purposely loosing business, or having to block malicious IP addresses (which should be automatic)?
-
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
Sure, but this assumes several things that are not stated...
- That there was no collateral damage from the assumed blocking (any legit customers caught in the sweeping block.)
- That the perps would not have attempted any other trivially easy vector.
- That geo blocking would not flag you as a high profit target.
- That their attacks were successful.
That's a lot of assumptions required to make even that use case valid for wanting to geo block.