Daniel Marks... Developer?

Geo IP Filtering and the Russia-Ukraine conflict


I’ve been seeing this a lot recently, and I wanted to share my thoughts on one of the lazy and useless security practices I regularly see in use.

If Geo IP filtering is actually going to help your security posture in any way, you have some terrible security practices.

Geo IP filtering is lazy security #

Let’s think about why you want to perform Geo IP filtering:

  • You don’t want state-sponsored criminals to obtain access to your infrastructure
  • You want to block targeted attacks from those countries to your end users
  • “any security is good security”

You don’t want state-sponsored criminals to obtain access to your infrastructure #

This is a legitimate concern, and CISA regularly publishes advisories about state-sponsored malware and attacks.

As an example, let’s look at CISA advisory AA22-054A (the most recent at the time of writing), which covers Sandworm and its Cyclops Blink malware:

  • Sandworm is attributed to Russian military intelligence (the GRU)
  • Its operations were first seen against Ukraine, but Cyclops Blink spread via exposed network devices and firewalls all over the world (meaning Geo IP filtering would have been useless)

You want to block targeted attacks from those countries to your end users #

Let’s look at how most of these “targeted attacks” actually reach end users:

According to a report by the Department of Defense, almost all such attacks originate from commercial VPN services (think NordVPN) and Tor exit nodes.

The IP ranges these attacks actually come from aren’t Russian; they’re American, or wherever the VPN endpoint or Tor exit happens to sit.

“any security is good security” #

Geo IP blocking gives security teams and sysadmins a false sense of security while inconveniencing legitimate users (remote staff or customers on a VPN, for instance).

At the end of the day, 5 dollars buys an American IP address to use and abuse, and using an IP address as a security control is bad practice. An IP address isn’t authentication; you have no idea who is behind it.

What real security looks like #

As always, I’m a huge proponent of NIST and their recommendations:

NIST Firewall Guidelines

Securing every endpoint with SSO and technologies such as mTLS means a request is accepted only when it carries a valid credential or client certificate, never merely because of where it came from, so blocking at the Geo IP level should never matter.
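To make that concrete, here is an added example (mine, not code from the original post) of the control the paragraph above describes: a mutual-TLS server that decides on the client certificate alone. The CA, server and client certificates are generated in memory as a toy PKI, and the names (corp-ca, service, alice, mallory, and the loopback service itself) are assumptions for the demonstration. Three clients connect from the very same loopback address, which a Geo IP filter would treat as one and the same: one with no credential, one with a certificate it minted under its own CA, and one with a certificate issued by the trusted CA. Only the last gets in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts on the setup errors that cannot occur in this in-memory demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints a cert for cn: self-signed (a throwaway CA) when parent is nil, else signed by parent. Toy PKI, not production issuance.
func issueCert(cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil, // self-signed certs are our CAs
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the server cert must verify for 127.0.0.1
	}
	if parent == nil { // sign with our own key, and allow this CA to sign children
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// mtlsServer listens on loopback and admits only clients whose cert chains to a CA in pool; the peer IP is never consulted.
func mtlsServer(serverCert tls.Certificate, pool *x509.CertPool) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the control that actually decides
		ClientCAs:    pool,
	}))
	go func() { // one connection at a time is enough for the demo
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // fails for no cert or an untrusted issuer
				fmt.Fprintf(tc, "hello %s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	return ln
}

// connect dials addr presenting certs (if any) and returns the greeting; with TLS 1.3 a rejected client cert surfaces on Read, not Dial.
func connect(addr string, pool *x509.CertPool, certs ...tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, Certificates: certs})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

// runDemo sends three clients from the same loopback address, differing only in what they can prove, and reports who got in.
func runDemo() map[string]bool {
	ca := issueCert("corp-ca", x509.ExtKeyUsageAny, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := mtlsServer(issueCert("service", x509.ExtKeyUsageServerAuth, &ca), pool)
	defer ln.Close()
	addr, admitted := ln.Addr().String(), map[string]bool{}
	try := func(cn string, certs ...tls.Certificate) { // admitted iff the server greets us by name
		greeting, err := connect(addr, pool, certs...)
		admitted[cn] = err == nil && greeting == "hello "+cn+"\n"
	}
	try("nobody") // 1. the "allowed" IP with no credential at all
	rogueCA := issueCert("rogue-ca", x509.ExtKeyUsageAny, nil)
	try("mallory", issueCert("mallory", x509.ExtKeyUsageClientAuth, &rogueCA)) // 2. self-minted: never chains to corp-ca
	try("alice", issueCert("alice", x509.ExtKeyUsageClientAuth, &ca))          // 3. issued by corp-ca
	return admitted
}

func main() { fmt.Println(runDemo()) }
```

Run it with go run and it prints which of the three clients was admitted. Two details worth knowing when you build this for real: with Go’s TLS 1.3 the rejection of a client certificate is not visible on Dial but on the first Read, which is why connect checks both; and Go’s client declines to even offer a certificate whose issuer is not in the server’s acceptable-CA list, so the self-minted one is refused before the server’s chain verification ever runs. Either way the decision rests on a signature the client cannot forge, not on an address it can rent for a few dollars.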

Stay tuned for a part 2 as I dive into the nitty gritty of real security