Risks to Geo Blocking
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
It doesn't work because the primary systems out there routinely don't know the source of IPs. This is why I constantly point out that these systems believe my Dallas Fiber service is from Toronto, an entirely different country thousands of miles away. My phone often registers as a different state, but not country. When working in NY I was consistently listed as Germany.
You. You. You.
No one else.
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
I've unintentionally "hacked" the system. How can it possibly work?
Also, I make at least 2 that we know of.
Generally, it will get the network POP instead of your actual connection, when it's close to accurate.
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
At least in this case, 3 out of 4 are completely wrong. Of the 3 wrong locations, 2 are at least in the same state and one is halfway across the country.
-
Not sure if it is useful, but a study on the accuracy of some services. But it doesn't seem to calculate any "good/bad". Which is tough, because many people want it to the block, or town. But here we are more concerned with country or maybe state. I don't think most people care about that much, but that's mostly what we'd care about.
https://www.caida.org/publications/papers/2011/geocompare-tr/geocompare-tr.pdf
-
No numbers, but a guy in San Fran talking about web hosting and getting detected as Paris.
https://www.webpagetest.org/forums/showthread.php?tid=10450
In his case, CDN based information.
-
ClickMeter support puts country accuracy, as of several weeks ago, at 90-95%. I was overly generous if that's accurate.
https://support.clickmeter.com/hc/en-us/articles/211035626-How-accurate-reliable-is-IP-GeoLocation-
"Rule of thumb: "the more aggregated and generic data you ask for the more precise will be the geo-localization". Country, than region and city are much more precise (normally 90 to 95%) compared to the exact location of the user such as zip code/street address/building number etc"
-
Now MaxMind claims 99.8% for country detection, 90% for state. They are also listed elsewhere as the most accurate database.
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Firewall rules for outgoing traffic:
There are days where I question why I even bother trying to persuade...
I never want to persuade, that's not a good goal. The goal should always be to find what is true. Persuading is necessary only when your position isn't correct but you want someone to accept it anyway. Working towards truth is a better goal - put forth ideas and see if they make sense.
I do take issue with you calling into question my use of the word persuasion and contrasting it with the word truth. This is why I question the value in discussing things here on Mangolassi that have been designated as "the right way". The rhetoric does not appear to allow for an honest discussion.
But wasn't your goal, and your complaint, that you were unable to convince us of your point, rather than engaging in a back and forth? It was the back and forth of honest discussion that you were appearing to take issue with.
What if I had said the exact same thing? You'd have taken exception to that, correct?
No one did anything to dissuade you from making points, and you are equally free to point out where our points are incorrect. How has this discussion in any way made you feel that there is a "right way" that is accepted and that counter points can't be made? I see none of that in this thread. There are two sides to the discussion, and multiple people on each side, and both sides attempting to make points. One side doesn't have any automatic advantage, and one hasn't stopped the other from making points any more than the other has.
No, I posted that in frustration because when I get into discussions with you and a few others on here I find that I cannot get engagement on fundamental assumptions. It is at this level that we are disagreeing, but your posts appear to allow for no consideration that your assumptions might be inaccurate or incomplete. This is why I question trying. I have pointed out where your assumptions are incomplete, but those statements get passed over and my replies get nit picked on trivialities or I get castigated for word choice. Yay.
Okay, then correct me. In what way did I not allow for myself to be incorrect, but others have? Find my flaws, point them out. Attack the points, rather than attacking the people.
I think the point that you were upset with was when I said that the protection should have a dollar value on it? That I was agreeing that the value is grey, but saying we needed to figure it out rather than jumping into it.
If that's not it, to which point were you stating the persuasion bit?
How am I attacking you? I did not state anything in the original post in this sub thread. You were the one attacking my use of persuasion.
The persuasion (perhaps poor word choice) was in attempting to discuss the fundamental assumptions that we differ on. Of course our conclusions are different, but if our basic "facts" differ we can never even begin a discussion.
Your facts:
- It is not reliable and allows both bad people in and blocks good people.
- It carries a higher cost to implement than to not implement (even if just in effort.)
- The risk of false positives is generally extremely high.
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
-
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
-
@scottalanmiller said in Risks to Geo Blocking:
Now MaxMind claims 99.8% for country detection, 90% for state. They are also listed elsewhere as the most accurate database.
If you'll check above I referenced them as a source to use for Geo IP. One of my assumptions...
-
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
-
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
Other than that, did I understand the premise?
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
Other than that, did I understand the premise?
Yes
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
I see, that makes sense.
-
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
Other than that, did I understand the premise?
Yes
Okay, so in that scenario, we would then be limiting risks only to situations that can be discovered? Meaning, an employee goes home, things don't work, they call in to the office and get their IP whitelisted, for example? So the risk is not of loss of customer revenue, but the risk is simply the overhead of "fixing" the situation for a rare employee?
-
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
The goal is not to stop all attacks. The goal is drop all the packets that are just noise (most of which is scanning or bot based attacks). It will actually lower the load on your edge overall if done properly on a good firewall.
-
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
I see, that makes sense.
MaxMind might be one of the best choices. I've not researched them in detail as I do not geo-block.
But let's look at the results of the site @travisdh1 posted with my current IP address.
Go to https://www.iplocation.net and enter 64.53.188.39If you look at the details returned and compare that with ARIN.net, it is very obvious that these services are using more information purchased from somewhere.
Let's also not ignore that this site is obviously pushing VPN services. This link goes to a page filled with affiliate links to VPN services.
https://www.iplocation.net/hide-ip-with-vpn
Here is what ARIN has about my IP.
https://whois.arin.net/rest/net/NET-64-53-188-0-1/pft?s=64.53.188.39
-
@kelly said in Risks to Geo Blocking:
The goal is not to stop all attacks. The goal is drop all the packets that are just noise (most of which is scanning or bot based attacks). It will actually lower the load on your edge overall if done properly on a good firewall.
Absolutely, this I get totally. More than anything, the value is in reducing the amount of spurious logs that need to be collected.