First, if you block any nation of significance, you're going to have a list of rules a mile long. And I would wager that that list is constantly changing with additions and deletions, so you'll want to stay up to date. Firewall performance issues begin to weigh on you with thousands of IPv4 ranges loaded.
Second, of course, geolocation is notoriously unreliable, so your block list will have false positives and false negatives, and won't do anything to stop someone with the simplest VPN, unless you also strive to block every open proxy and exit node.
Are there data brokers who sell ready-made blocklists for things like this? They exist for adblockers, so do they exist for firewall systems and cloud providers? I would imagine this could cost money, but should be an attractive feature for any enterprise. "Block hostile nation states in one fell swoop!"
It really seems like this would work better at the eBGP level, but unless you run your own autonomous system, this is not a realistic option either.
In Cloudflare you can block access by country with just a few clicks.
The point of this article wasn't to completely restrict traffic from one country, but to reduce the vast amount of garbage/bot traffic that is generated by regions outside the US (like Russia, for instance). Of course it can't stop simple use by VPN, but that wasn't the point. That would not really be "garbage traffic" unless it was a distributed attack.
> In Cloudflare you can block access by country with just a few clicks.
Sure, but what's the mechanism behind it? They advertise the functionality, but everyone knows that geolocation is riddled with errors, so don't be surprised if it's not perfect -- even with "just a few clicks".