Geoblocking Set at Your ISP

[Samir]

Generally, geoblocking has been a customer side implementation. But to me, it's never really made sense as a block at the isp level would save the isp bandwidth and also serve the customer better.

So I finally got someone one the phone at Charter/Spectrum that was able to do exactly this by pushing a script to the modem to only allow domestic traffic. Now, you can't even ping the IP from outside the US (in the brief testing that I've been able to do).

Anyone else had something like this set up with their ISP? Who did you talk to that made it happen and which ISP was it? I have 2x other ISP accounts I oversee and am going to see if they can implement the same thing.

I just got off the phone with Charter/Spectrum residential and they couldn't implement the same solution that the business side was able to do, so this may vary even with the type of connection one has.

 

[BlueFox]

No, I don't want to live in a bubble. There are plenty of things I visit on a regular basis that are hosted outside of the US, not to mention people I communicate with.

Not really sure what benefit this affords you?

 

[dswartz]

No, I don't want to live in a bubble. There are plenty of things I visit on a regular basis that are hosted outside of the US, not to mention people I communicate with.

Not really sure what benefit this affords you?

I've found a handful of countries that are constantly port scanning me. I have no interest in those geo ip blocks. Like these:

Netherlands|25|1473
Netherlands|80|1473
Netherlands|143|1473
Netherlands|443|1473
Netherlands|587|1473
Netherlands|8006|1473
China|25|768
China|80|768
China|443|768
Romania|25|262
India|25|143
India|80|143
Brazil|25|42
Brazil|80|42
Bulgaria|25|22
Bulgaria|80|22
Bulgaria|443|22
Russian Federation|25|3
Russian Federation|80|3
Russian Federation|443|3
Russian Federation|587|3

and yes, I'm aware hackers can and do use other IPs, but just eliminating the above helps...

 

[Samir]

Not really sure what benefit this affords you?

Pretty much eliminates 90% of the 'hacker packets' hitting the firewall. They're dropped anyways, but one of the best ways to not get shot is to stay away from stray bullets.

 

[elvisimprsntr]

1. Hang up phone with your ISP
2. Step up your game and switch to pfSense® - World's Most Trusted Open Source Firewall as your firewall
3. Install pfBlockerNG package, enable GeoIP to block inbound traffic from known suspicious countries.
4. Install and enable Suricata IDS/IPS package
5. Sleep well knowing you are in control of your security.

 

[RTM]

The big problem with geoblocking is that in order for it to not cause too many issues, you need to keep track of which countries IP segments currently "belong" to. Due to the limited amount of IPv4 addresses, they are sold across country and event continent borders.

If you really want to improve security, you should implement a whitelist, that determines which systems you want to accept traffic from and allow traffic to.

Anyway pushing rules to the modem, implies that traffic will still travel from the ISP's edge router to your location, so no bandwidth is really saved.
You might as well just implement something like this yourself in your own firewall.

 

[Samir]

The big problem with geoblocking is that in order for it to not cause too many issues, you need to keep track of which countries IP segments currently "belong" to. Due to the limited amount of IPv4 addresses, they are sold across country and event continent borders.

If you really want to improve security, you should implement a whitelist, that determines which systems you want to accept traffic from and allow traffic to.

Anyway pushing rules to the modem, implies that traffic will still travel from the ISP's edge router to your location, so no bandwidth is really saved.
You might as well just implement something like this yourself in your own firewall.

An you mentioned, geoblocking definitely isn't foolproof, but when it's whitelisted at the isp level, then it's 'not your problem' anymore and you have someone to call that should fix an issue versus having to keep on top of it.

I don't know exactly how the isp implements the traffic flow--if the modem just drops it or if it's dropped earlier since the modem config comes from the head-end.

 

[elvisimprsntr]

If you really want to improve security, you should implement a whitelist, that determines which systems you want to accept traffic from and allow traffic to.

Exactly where pfSense® - World's Most Trusted Open Source Firewall shines. You can define an alias list of IP addresses/blocks you can easily add to firewall rules.

 

[Samir]

2. Step up your game and switch to pfSense® - World's Most Trusted Open Source Firewall as your firewall

I already have an enterprise grade piece of kit that has geoblocking, but I was just tired of seeing all the dropped packets even coming over the wire. In this current state of worldwide cyberwarfare with a 'total war' rule set, I think international traffic really needs to be opt-in vs default. I don't need International and probably 99% of places hit with a phishing attempt would probably agree.

 

[Samir]

Exactly where pfSense® - World's Most Trusted Open Source Firewall shines. You can define an alias list of IP addresses/blocks you can easily add to firewall rules.

This is common on almost any platform now.

 

[BlueFox]

I've found a handful of countries that are constantly port scanning me. I have no interest in those geo ip blocks. Like these:

A few countries is a bit different than everything outside the the US (though I still regularly visit sites hosted in countries present on both of the lists that have been posted so far).

 

[elvisimprsntr]

An you mentioned, geoblocking definitely isn't foolproof, but when it's whitelisted at the isp level, then it's 'not your problem' anymore and you have someone to call that should fix an issue versus having to keep on top of it.

Relying on your ISP to provide security is the equivalent to calling the cops when someone is breaking down your door. They will not be there to defend your property or protect your life.

 

[elvisimprsntr]

This is common on almost any platform now.

Then why are you not using it?

 

[Samir]

A few countries is a bit different than everything outside the the US (though I still regularly visit sites hosted in countries present on both of the lists that have been posted so far).

But the reality is that most users don't need traffic outside the domestic US (or whatever country/region you may be in--EU, Asia, etc). For my use case (and probably a good number of US citizens), they will never need any international traffic.

 

[Samir]

Relying on your ISP to provide security is the equivalent to calling the cops when someone is breaking down your door. They will not be there to defend your property or protect your life. You need to make sure you can defend your property and your life should it be necessary.

I disagree. You pay your isp, so they have an incentive to make sure what they say works, does indeed work. I wouldn't rely on it in a 'life and death' way, but it's definitely a nice extra barrier.

 

[Samir]

Then why are you not using it?

Who says I'm not? That's why the packets get dropped, which they would anyways with the firewall rules. But it never hurts to stop a problem at the source, or at least closer to it.

 

[elvisimprsntr]

Who says I'm not? That's why the packets get dropped, which they would anyways with the firewall rules. But it never hurts to stop a problem at the source, or at least closer to it.

So what happens when the modem is rebooted that your ISP pushed some script to?
Do you have to call your ISP to push the script again?

 

[Samir]

So what happens when the modem is rebooted that your ISP pushed some script to?
Do you have to call your ISP to push the script again?

Doesn't sound like it. It was some sort of a change that required a reboot of the modem to take effect, so I'm sure it's in there now. Probably a part of the modem configuration file that is pushed to every modem at every reboot.

 

[svtkobra7]

how to use to block: "Utah facility is sized to store all encrypted (and thereby suspicious) data for safekeeping."

 

[elvisimprsntr]

TOR?