- Apologies ... my post seemed funny in my head (circular reasoning and all).
- Which overlay network would you bet on?
Last edited:
Geoblocking Set at Your ISP
- Thread starter Samir
- Start date
Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.
Who's to say the they aren't operating their own TOR nodes?
Last edited:
When I worked in telecom, I did this at an ISP level (serving us, multiple ISP clients, and many hosted domains). It worked until we discovered that many US companies were buying blocks in those regions and not updating WHOIS information. So the IP was still technically homed in that country despite being used and routed in a US based DC. Kinda sucks do to an IP lookup, have it marked as RIPE or AFRINIC, with a corresponding address in that region, and find out that the delegated owner is Bank of America or UPS and the route points to AWS-West or other equivalent.
Invest in setting up IDS/IPS and let your firewall generate block lists from that.
Yep, it's definitely not foolproof and very easy to circumvent (hack a US host and use their IP), but it does eliminate most of the low hanging fruit.
I think you answered your own question on why this isn't done
- no real value. any series attempt to scan/hack you will just as easily come from 'on-shore'
- no real protection against phishing or other attacks. a person who is rushing to click on 'you wouldn't believe what she (actress XYZ, whatever) was wearing! spectators were shocked!'
, would continue to click on these things as lemmings.- massive administrative overhead , why is my stuff not working? prove to me that it was not you ,ISP, that broken it, etc.
-against the approach that internet/connectivity is a utility. traffic is traffic same as energy is energy, electricity is electricity - there is no such thing as pink electrons/electricity, green electrons, brown electrons, whatever. power is power. applies very much to 'belief' in "green power" vs whatever power - electric power is electric power, physics does not care about our politics. same as there is no green gravity or pink gravity or blue gravity, it is just gravity.
- lastly, it could be very economically damaging to US if/when other powers would respond in kind. You block traffic between US and anything outside of it? how about we then block anything coming from or passing through US? you had some commerce before - it is gone. payment systems (google, apple, amazon, paypal, whatever) -gone. social networks and their advertisement? all gone. jobs associated with all of the above and with FAANG in particular -gone. Good luck to be limited to serving your 4% of the world population (US population vs global) and 16% (and decreasing YoY) of the worlds GDP. I don't want that for my county, we greatly benefit from being global and much prefer for trade/traffic/communication to be as open and connected as possible..
in short, overall little value for a lot of pain -> thus no movement.
I don't really thing it has no value as it's yet another hoop to jump through. No different than locks on doors.I think you answered your own question on why this isn't done
- no real value. any series attempt to scan/hack you will just as easily come from 'on-shore'
- no real protection against phishing or other attacks. a person who is rushing to click on 'you wouldn't believe what she (actress XYZ, whatever) was wearing! spectators were shocked!'
- massive administrative overhead , why is my stuff not working? prove to me that it was not you ,ISP, that broken it, etc.
-against the approach that internet/connectivity is a utility. traffic is traffic same as energy is energy, electricity is electricity - there is no such thing as pink electrons/electricity, green electrons, brown electrons, whatever. power is power. applies very much to 'belief' in "green power" vs whatever power - electric power is electric power, physics does not care about our politics. same as there is no green gravity or pink gravity or blue gravity, it is just gravity.
- lastly, it could be very economically damaging to US if/when other powers would respond in kind. You block traffic between US and anything outside of it? how about we then block anything coming from or passing through US? you had some commerce before - it is gone. payment systems (google, apple, amazon, paypal, whatever) -gone. social networks and their advertisement? all gone. jobs associated with all of the above and with FAANG in particular -gone. Good luck to be limited to serving your 4% of the world population (US population vs global) and 16% (and decreasing YoY) of the worlds GDP. I don't want that for my county, we greatly benefit from being global and much prefer for trade/traffic/communication to be as open and connected as possible..
in short, overall little value for a lot of pain -> thus no movement.
Phishing could be prevented if you can't access a lot of the 'payload' servers that are used in conjunction with these attacks. Again, won't be 100%, but is yet another strong deterrent. Yes, the user is the biggest problem in these cases, lol.
If the lack of international traffic causes your stuff to break, then it's simple--you need international traffic so opt-in to get it. For the rest of the customers that deal with 'why is my stuff not working' because of problems that originated in international traffic, this helps the problem a lot.
Except that Internet isn't a utility or it would be treated and regulated as one. These are private companies that don't answer to anyone but themselves. Utilities have a lot more regulatory responsibility and controls. The day this changes, things like mitigating cyberwarfare attacks before it gets to the citizens will come within their scope--for the good of the whole nation.
I completely disagree with you. The number of issues with cyber crimes, extortion, etc are climbing each year (even more so in the pandemic), and the absolute dollars is over 1 billion dollars and continues to climb. Where will this plateau? Answer--it won't. Criminals don't stop--they hit you until you're dead and then move on to another target. If cutting the international traffic kills whole systems that are currently being gamed to undermine the structure of the US, I wouldn't have a problem with that because those type of systems are doing more harm than good in the first place. I've seen all those jobs--all our friends that immigrated from India have them, lol. And there's nothing wrong with globalization, but you can't ignore the international problems that come with a international solution.
There's a lot of value imo as another barrier to those that are looking to harm someone. Being so free as you describe would be akin to having houses without doors--which is not a problem when everyone is nice, but there are people that are not nice, not to mention nation-states that are now getting into the game.
few things to say
- greatly respect your opinion, thank you for sharing it
- on the item above, i think we are seeing change going that way. especially now, especially post COVID times. I also think (and could wrong) that we are not far from network connectivity (aka internet) to be treated first as
a) utility (as such it must be provided and can not be easily cut off)
b) then treated towards being a basic (human) right
as for issues you raise - disabling everything and make people opt-in (subject to whos review?) is bad on many angles and to me is just indefensible.
criminal breathe - lets strangle everyone by taking away air and make people 'opt-in' for it. criminals also eat, lets take away all of the food and force people to opt in and beg for it. they drink water, lets control that too and make people opt -in. My background is from former Soviet Union (and I was born and raised while it was around) , it does not work, and never have worked in human history. Criminals arent going to care at all about any restrictions you put in on normal population, that is why they are criminals . Sure you "solve" some (very little) cyber crime part but at what cost? by destroying your own international commerce? that is not a billion dollars you mention, think many thousands of time higher.
you solution is like attempt to solve petty shop theft by shuttering all stores. no stores, no theft, you are indeed 100% successful in preventing it. . or lets prevent car accidents by disabling and later destroying all cars -yes, you succeeded in having no accidents but overall you have failed. such "solutions" are also useless and impractical
cutting ourselves off from the rest of the world is similarly just as impractical.
however, at this point I am not sure we are talking technology anymore so this is my last post on this thread - you asked why this isnt set and the answer is that not enough people think it is a good idea to set it (myself included). that damage to what you are proposing would far outweigh any potential benefits.
however if you are passionate about it, go run for office, get in Congress, propose laws, etc. activism is local. good luck
From a operational point of view, the minuscule bandwidth and processing cost of my firewall handling this automatically, and use dynamically generated block lists based on rules, is a more effective solution, and better use of my time, than trying to coordinate updates to a list that my ISP has to apply to the CPE. And boy ever must that be fun troubleshooting; if the block is happening at my firewall, I can query it with a rule test; if it's happening on the ISP managed CPE, then I have no visibility and would wind up wasting time trying to figure out why it's being black-holed.
And since the block list is being applied at your modem and not upstream in the ISP routers, data is still coming down the pipe to your end point, just not all the way to your firewall, so I question if you are preventing any throughput waste at all. Sure it's not making it to the firewall, but it's still coming down the last mile to the CPE/demarc, unless I misunderstood your original post.
So, having worked at an ISP, and tried doing this before, it generated far more support calls that we had to deal with than problems it solved. Our CPE was secure, past that, it was the customer's responsibility. We started refusing any change requests to the CPE other than IP assignments.
And since the block list is being applied at your modem and not upstream in the ISP routers, data is still coming down the pipe to your end point, just not all the way to your firewall, so I question if you are preventing any throughput waste at all. Sure it's not making it to the firewall, but it's still coming down the last mile to the CPE/demarc, unless I misunderstood your original post.
So, having worked at an ISP, and tried doing this before, it generated far more support calls that we had to deal with than problems it solved. Our CPE was secure, past that, it was the customer's responsibility. We started refusing any change requests to the CPE other than IP assignments.