One possible starting point would be to null route their assigned address space. [1] from the firehol repo [2]. This will not block private proxies and VPN's. A determined person could easily get around this. This does not include ipv6. ttyprintk brings up a good point in that one could also look at header fields to check for Russian language attributes.

[1] - https://github.com/firehol/blocklist-ipsets/blob/master/ipip...

[2] - https://github.com/firehol/blocklist-ipsets.git

Looks like this is trending over in SANS as well:

https://isc.sans.edu/diary/rss/28392

Assuming you don’t want to block Russian-speaking people, but Russian-origin connections, use a firewall that updates its mapping of IP addresses to country. Pfsense has such a plug-in. You will definitely want to log outbound block or ignore events.