|
|
|
|
|
|
by rixrax
1226 days ago
|
|
|
>> The block $insert_country IP range "solution" is an outdated mentality that should have died off in the 90's. Maybe so. But it works really well. After blocking certain countries IP ranges / ASes, >70% of abuse we had to deal with just vanished. Also there are other reasons to block: since the russians attacked Ukraine, business I work with no longer does business with russia, belarusia and few other countries as a matter of principle (and because of sanctions). |
|
|
Alright, can we just put this one to bed ?
When RIPE/APNIC/ARIN allocate a range of IPs, there is NOTHING in the terms and conditions that says "you can only use this in this geography". The legal range holder must be in the geography, but where they announce it is nobody's business.
The range is held by a range holder who are listed on the relevant database. But there is nothing stopping them using it outside their geography and there is nothing stopping them allocating it to a customer outside of their geography.
So when people talk about "blocking a country's IP ranges" they are talking about "blocking a random range of IP addresses that may or may not be used at all in a given country".
There is also no real control on the databases. Yes you are supposed to keep them truthful and up to date, but we've all been there looking for abuse contacts and, well ....
So if a Russian range-holder decides to "allocate" a sub-range to a "French" customer and records it as such on the RIPE database what are you going to do ? And if you're buying your "security" data from a third-party, what's your third-party database telling you ? is that sub-range French or Russian ?
Not forgetting of course that IP range != provider. I could foreseeably get an IP range from $bad_country X but announce it over BGP over $isp_from_friendly_country Y, maybe even using their ASN. So that would easily defeat your ASN blocking.