I am convinced that while harder, there are more intelligent ways to block these DDoS attacks other than blocking entire geographies. I often travel between Africa and the US, and there are things like buying furniture (Home Depot blanket-blocks non-US customers, but they could simply allow shipping only to US addresses), buying cars (there are large car sites that don't allow browsing from outside the US, even if you already have an account or bought from them in the past), etc.
I feel like geoblocking is the easy way out, because if developing countries suddenly started waving their cards en masse, these merchants would find a way to let them in.
Speaking of card waving, it likely only appears that developing countries are not a large customer base because to merchants, they look like US customers.
Most African countries don't have access to Visa/Master cards, so often they'll have a US account where they can transfer some of their money. Others might earn in the US (like remote workers), and spend considerably in the US.
Then, because most merchants don't ship outside the US, these customers would use shipping forwarders, like myus.com.
So when making the decision to "block Nigeria because we don't really have any customers there", they're likely not considering this potentially large customer base they're alienating.
Even worse, these are usually customers that do not have access to credit, only debit, so for example, when buying large ticket items (like a car), they tend to pay for it all upfront, so likely great customers.
Then there are the business customers, the ones that want to buy containers full of merchandise. Those too get blocked.
It's not usually a benefit to a business if a customer pays upfront.
Whether my customer pays by debit or credit, I get all of that money upfront before I let the transaction proceed.
Some businesses, like car dealers, actually make more money if the customer buys using debt, because they get incentivized by the loan company.
And lastly, the sheer scale of the US economy means that it's really not worth the hassle. All of Africa would be equal to one of the larger states (Wikipedia says $3T, Texas is 2.1T and Cali is 3.5T).
So it's vastly simpler, cheaper, and easier to deal with say 30m Texans or 40m Californians than literally 1.3 billion people in Africa or India, and you get roughly the same total addressable market and a fraction of the bots & scams.
Hence why many sites simply block non-North American traffic.
I wish we lived in a world that was more fair and open, but a couple of bad actors can really ruin things for everyone.
When I say pay "upfront", I don't mean that the upfront cash is better for business, but that usually the credit industry is very good at letting people buy things they can't afford. Someone who pays upfront likely can afford it and might have higher lifetime value. Someone to advertise to, upsell, or whatever.
Secondly, I also get it: there are only so many things a business can worry about, and supporting geographies with historically high fraud rates is not high on the list. This is why my gripe here is with CF, which does not make it easier to improve this even though they know they control such a huge chunk of the web.
> Someone who pays upfront likely can afford it and might have higher lifetime value. Someone to advertise to, upsell, or whatever.
100%. Richer people tend to be better customers. But that's another strike in favor of geoblocking non-US visitors.
When I was a kid growing up in Africa, I dreamt of a world where everything was accessible and purchasable and learnable everywhere, all the time, to everyone. Hopefully the internet turns out to be an equalizing factor and we get there someday.
Right now it's not really fair to expect business owners - most of whom are in non-tech businesses that require 100% focus - to keep up with the tidal wave of scams, hackers, and regulators originating from outside their sphere of concern.
> I am convinced that while harder, there are more intelligent ways to block these DDoS attacks other than blocking entire geographies.
Sure. Even by default, Cloudflare won't block entire countries. That's a CHOICE some businesses make if the default blocks aren't enough, and they don't have the time or resources to configure more nuanced WAF rules. (OWASP isn't exactly straightforward). Edit: For example, at that job I was talking about, we had different rulesets for different regions... China and Russia were completely banned, Africa was put behind stricter JS security checks and CAPTCHAs but allowed in, Europe had a medium security level (we did occasionally sell there, but very rarely), while the US had entirely custom WAF rules. It just depends on who we wanted to sell to or not.
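The tiered setup this commenter describes (hard block for some countries, challenge-but-allow for a whole continent, a lighter check for Europe) maps directly onto Cloudflare WAF custom rules. The following is an added illustration, not the commenter's actual configuration or anything from Cloudflare's own documentation: a request body for the Rulesets API entrypoint of the `http_request_firewall_custom` phase (`PUT /zones/{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint`, as I understand that API), using the Rules-language fields `ip.geoip.country`, `ip.geoip.continent`, `cf.client.bot`, `http.cookie` and `http.request.uri.path`. The cookie name `session_id` and the `/checkout` and `/login` paths are assumptions standing in for a real site's values.

```json
{
  "rules": [
    {
      "description": "Tier 1, hard block: countries the business never sells to. Ordered first so nothing below can exempt it.",
      "expression": "(ip.geoip.country in {\"CN\" \"RU\"})",
      "action": "block",
      "enabled": true
    },
    {
      "description": "Verified crawlers skip the remaining custom rules so the challenge tiers do not break search indexing.",
      "expression": "(cf.client.bot)",
      "action": "skip",
      "action_parameters": { "ruleset": "current" },
      "enabled": true
    },
    {
      "description": "Tier 2, challenge rather than block: the whole continent is allowed in behind a managed challenge. Returning users carrying a session cookie (assumed name: session_id) skip the interstitial.",
      "expression": "(ip.geoip.continent eq \"AF\" and not (http.cookie contains \"session_id=\"))",
      "action": "managed_challenge",
      "enabled": true
    },
    {
      "description": "Tier 3, medium: JS challenge for Europe only on the pages where fraud actually costs money (assumed paths).",
      "expression": "(ip.geoip.continent eq \"EU\" and http.request.uri.path in {\"/checkout\" \"/login\"})",
      "action": "js_challenge",
      "enabled": true
    }
  ]
}
```

Rules are evaluated top to bottom and block/challenge actions terminate, so the order is part of the policy: the cookie exemption can only lift a challenge, never the hard block above it, which matters because a cookie header is trivially set by any client. The difference between this and a one-line country block is that tiers 2 and 3 still let a legitimate customer through after a challenge, which is the "more intelligent" middle ground the thread is arguing about.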
It goes the other way around, too, you know. I've seen European and Asian sites that geoblock US customers. It's not out of malice, they just don't want to deal with the edge cases. Even if a foreign customer can access your website and buy stuff, dealing with international customs, consumer laws, credit card fraud, wire transfers, etc. can be a pain that's not worth it for smaller merchants. And if the foreign buyer is using a reshipper anyway, well, the reshipper can just buy the whole thing for them and deal with payments, etc. as an intermediary, like how Tenso/BuyFromJapan/JapanRabbit work.
Big companies have proper international presences, but for small local businesses, the amount of effort it takes to support international buyers just isn't worth the profit they typically bring in. Even on eBay, with its built-in international payment and shipping rules, sellers often won't want to bother.
This isn't really a matter of security rules, really, but just business cost/benefit decisions.
Besides, it helps businesses in each country stay local! Do you really want Amazon taking over everywhere...?
I'm aware of this, CF can be very granular, but businesses do not on average have the know-how or bandwidth to properly set up their rules so as not to come off like a...holes. So the effect is that most businesses behind CF come off like a...holes. My point is CF does not seem very interested in coming up with a better solution, like maybe a list of CF-managed WAF profiles that work well and don't make both the businesses and CF seem like they do not care. Those profiles could be paid.
And yes! It's better to buy local, and Africa can't blame the US because our economy isn't there, and we aren't building all the things we should be building. But that is an entirely different discussion, isn't it?
They do offer different profiles! By default the security is pretty sane, and they offer many easy-to-choose default sets. Businesses actually have to go out of their way to make a custom country block via a custom page rule. So when you see a site block you, that's because that specific business chose to customize their rules specifically to block you. That's not Cloudflare's fault.
I work for a not-so-small company with a large international user base and wish I could have the option to geoblock sometimes. While you're not wrong about there being more intelligent ways to block traffic, it's substantially more time-consuming to apply and get it right so that you allow legit traffic and actually block what you need to.
We also aren't just talking about blocking DDoS and other common vulnerability scanning. Depending on your business there are other potentially costly fraud and abuse scenarios that you are blocking just by blocking other countries outright. Until there are tools to block all this that are as easy to apply as a geoblock, this will probably remain the unfortunate state of things. A lot of businesses just don't have the time or resources to manage all of this without applying geoblocks.
It does, but depending on your shipping patterns and volume, it can be worth it. For example, some provide storage so you can hold your merchandise until you have a container full, and then ship all at once by ocean freight. Other times, they have deals with shipping companies like DHL that might make it cheaper than dealing with DHL rates by yourself.