> After blocking certain countries IP ranges

Alright, can we just put this one to bed? When RIPE/APNIC/ARIN allocate a range of IPs, there is NOTHING in the terms and conditions that says "you can only use this in this geography". The legal range holder must be in the geography, but where they announce it is nobody's business.

The range is held by a range holder who is listed on the relevant database. But there is nothing stopping them using it outside their geography and there is nothing stopping them allocating it to a customer outside of their geography.

So when people talk about "blocking a country's IP ranges" they are talking about "blocking a random range of IP addresses that may or may not be used at all in a given country".

There is also no real control on the databases. Yes, you are supposed to keep them truthful and up to date, but we've all been there looking for abuse contacts and, well ...

So if a Russian range-holder decides to "allocate" a sub-range to a "French" customer and records it as such on the RIPE database, what are you going to do? And if you're buying your "security" data from a third party, what's your third-party database telling you? Is that sub-range French or Russian?

Not forgetting of course that IP range != provider. I could foreseeably get an IP range from $bad_country X but announce it over BGP over $isp_from_friendly_country Y, maybe even using their ASN. So that would easily defeat your ASN blocking.
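An added example, not part of the comment above: a small audit that shows how the "country" of one address changes depending on which data source a block rule is built from. Every prefix, ASN and country label below is constructed sample data (documentation ranges and documentation ASNs), and the table and function names are hypothetical.

```python
import ipaddress

# Constructed sample data, not real registrations.
# Registry view: country where the range HOLDER is registered.
DELEGATED = [("198.51.100.0/24", "RU"), ("203.0.113.0/24", "FR")]
# Sub-allocation records: the country field is whatever the holder entered.
SUBALLOCATIONS = [("198.51.100.128/25", "FR")]
# Observed routing (constructed): prefix, origin ASN, country the ASN is registered in.
BGP_ORIGINS = [
    ("198.51.100.0/24", 64500, "RU"),
    ("198.51.100.128/25", 64501, "DE"),
]

def _longest_match(ip, table):
    """Return the row whose prefix most specifically covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for row in table:
        net = ipaddress.ip_network(row[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = row, net.prefixlen
    return best

def country_views(ip):
    """Collect the answer each data source gives for the same address."""
    holder = _longest_match(ip, DELEGATED)
    sub = _longest_match(ip, SUBALLOCATIONS)
    bgp = _longest_match(ip, BGP_ORIGINS)
    return {
        "holder": holder[1] if holder else None,
        "suballocation": sub[1] if sub else None,
        "origin_asn": bgp[1] if bgp else None,
        "origin_asn_country": bgp[2] if bgp else None,
    }

def is_ambiguous(ip):
    """True when the sources disagree, so a country rule on this IP is a guess."""
    v = country_views(ip)
    seen = {v["holder"], v["suballocation"], v["origin_asn_country"]} - {None}
    return len(seen) > 1

if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.200", "203.0.113.5"):
        flag = "AMBIGUOUS" if is_ambiguous(ip) else "consistent"
        print(ip, country_views(ip), flag)
```

Running the same comparison over a real blocklist shows which rules rest on a single source and which addresses would flip country if the feed vendor keyed on a different record.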