[traceroute66]

> I get most of the attacks from US servers. Often times Google cloud or AWS.

Yup.

The block $insert_country IP range "solution" is an outdated mentality that should have died off in the 90's.

These days most attacks originate from US/Western cloud and other rent-a-box providers.

They are a gift to attackers because they can hop around at the click of the button and they know the victims can't block the IP ranges because they're managed by US/Western organisations.

DDOS attacks tend to happen on a Command and Control basis, and again, good luck blocking US/Western ISP IP ranges because their customers won't be able to visit your website.

I have long given up on reporting to Google, AWS and others because nothing gets done, most of the time you get an automated message saying they just forward your Abuse report to the customer ... gee, thanks guys.

[rixrax]

>> The block $insert_country IP range "solution" is an outdated mentality that should have died off in the 90's.

Maybe so. But it works really well. After blocking certain countries IP ranges / ASes, >70% of abuse we had to deal with just vanished.

Also there are other reasons to block: since the russians attacked Ukraine, business I work with no longer does business with russia, belarusia and few other countries as a matter of principle (and because of sanctions).

[traceroute66]

> After blocking certain countries IP ranges

Alright, can we just put this one to bed ?

When RIPE/APNIC/ARIN allocate a range of IPs, there is NOTHING in the terms and conditions that says "you can only use this in this geography". The legal range holder must be in the geography, but where they announce it is nobody's business.

The range is held by a range holder who are listed on the relevant database. But there is nothing stopping them using it outside their geography and there is nothing stopping them allocating it to a customer outside of their geography.

So when people talk about "blocking a country's IP ranges" they are talking about "blocking a random range of IP addresses that may or may not be used at all in a given country".

There is also no real control on the databases. Yes you are supposed to keep them truthful and up to date, but we've all been there looking for abuse contacts and, well ....

So if a Russian range-holder decides to "allocate" a sub-range to a "French" customer and records it as such on the RIPE database what are you going to do ? And if you're buying your "security" data from a third-party, what's your third-party database telling you ? is that sub-range French or Russian ?

Not forgetting of course that IP range != provider. I could foreseeably get an IP range from $bad_country X but announce it over BGP over $isp_from_friendly_country Y, maybe even using their ASN. So that would easily defeat your ASN blocking.

[mc32]

However many exceptions to the rule there may be, if it mitigates the number of rogue activity and you’re not doing business with those geographies, it’s still a net positive to your finances and cybersecurity.

[LinuxBender]

When RIPE/APNIC/ARIN allocate a range of IPs, there is NOTHING in the terms and conditions that says "you can only use this in this geography"

That is not true, at least not any more. RIPE and ARIN specifically will cancel a companies account and remove their ASN if they announce the allocated CIDR blocks in the wrong region. We can very close to it at a former company. It was an honest mistake that someone was unaware of and it was reverted quickly. I can't speak for APNIC. There are probably people that have done this and not been caught for a while but they are much more vigilant now. I assumed because of a shortage of ipv4 blocks but there are probably other reasons.

Of course anyone can announce any networks but that is a good way to get blocked by peers. It has happened. I remember the PSINet debacle and a handful of others.

[commandersaki]

Probably a better way to block IP ranges by geography is to block by address space announced/originating from an ASN.

[5e92cb50239222b]

So you decided to punish average Belarusians (and "a few other countries" -- wtf???) because of actions of another country (whose military they're pretty much occupied by), which were initiated by the decision of one man. Got it.

From your incorrect spelling of the country's name (btw, your use of lowercase to demonstrate your contempt looks pathetic) I infer that you know close to nothing of Belarus and their relations with Russia and other countries.

I think I am beginning to understand what people in many Arab countries have been feeling for the past couple of decades. Your words about rule of law and human rights are cheap and, when it comes to the boogeyman of the day, mean nothing in practice. Have fun driving more people towards Putin and further balkanizing the internet. I know I lost a lot of respect for the West since the beginning of 2022.

[aliqot]

not every american runs the country.

[themoonisachees]

I agree that cloud providers are a blessing to attackers, but blocking russian, chinese and even generally SEA ip space is still a very effective way of stopping the bottom 70% of all attacks. Sure, they're trying such outdated methods that there is very little chance of them suceeding, but honestly when just banning china reduces sshd logs by 50% you wonder why you didn't do it sooner.

[londons_explore]

Are you sure you're blocking 70% of attacks? Or are attackers just starting there, and when they realise their attacks aren't working they go via AWS instead?

I can't imagine many people sufficiently motivated to launch a DDoS attack against you, yet not sufficiently motivated to switch to an attack method that will actually work.

[bliteben]

Most attacks are using a shotgun approach. DDOS generally are targeted but even then just badly behaved scrapers or vulnerability scanners can add up to be like a DDOS.

[BenjiWiebe]

An even quicker way to clean up SSH logs is to listen on a non standard port.