Blocking is used in football to prevent the opposing defense from tackling your quarterback or running back. In cybersecurity, blocking can be used to prevent attacks from malicious sources. Today and Friday we will look at several blocking tactics: IP blocking, geo-blocking, sender blocking, and domain blocking.
Every time your computer connects to another computer or web server, there is an exchange of information that happens, including an exchange of IP address information. Blocking is sometimes known as blacklisting. If you block an IP address, you are adding it to a “blacklist” of IP addresses that your computer will refuse to connect with. The most aggressive type of IP blocking would be to block everything, except for identified permitted sites and connections. This is known as “whitelisting.”
It is possible to subscribe to blacklist services for blocking connections to websites or email servers. One of my favorite website security products, Wordfence, provides automated IP blacklisting based on currently observed threats. In a recent blog post, Wordfence discusses the problem with IP blocking. The biggest issue is that attackers tend to cycle through their source IP addresses rather quickly, with the average active time being 10 hours. Often, the IP address being used by an attacker belongs to another innocent victim whose web server or computer is being used to stage the attack. In other situations, an anonymizing proxy service such as Tor is being used, and the IP address you see is just one of several thousand Tor exit nodes. So manual IP address blocking will not help secure your computer, network, or website particularly well.
In the physical world, one of the security practices that we all know is to avoid bad or dangerous neighborhoods. The US State Department issues travel advisories for countries deemed dangerous for travelers. Some of the same countries are dangerous from a cybersecurity standpoint, too.
Geo-blocking is a tactic that basically says: if you don’t have a business need to allow connections from or to these countries, then we will block access to those countries. Cyber-crime hotbeds such as Russia, India, North Korea, and Vietnam spring to mind, but there are others. This is usually accomplished by blocking entire IP address ranges or classes that have been assigned by IANA (Internet Assigned Numbers Authority) to those countries. You can set up security on your website to block access by users (or attackers) in those countries. Again, this is an easy service to subscribe to. Wordfence and other popular website security products provide geo-blocking. This can be accomplished on most firewalls too. Most modern email systems allow for geo-blocking as well. If you or your staff have no reason to connect to sites in other parts of the world, those countries can be blocked.
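To make the two ideas above concrete, here is an added example (not code from the original post, nor from Wordfence or any other product named here) showing how a blocklist, an allowlist ("whitelisting" as default-deny) and country-range geo-blocking fit together in one decision. The country table is constructed: the country codes XA and XB are hypothetical and the ranges are RFC 5737 / RFC 3849 documentation prefixes, not real allocations. In practice the table would be built from the regional registry delegation files or a commercial geo-IP feed. The policy evaluates an allowlist first, then an explicit IP blocklist, then the geo-block list, and finally falls back to either default-allow (blacklisting) or default-deny (whitelisting).

```python
import ipaddress

# Constructed sample geo table: hypothetical country codes XA and XB mapped
# to documentation prefixes (RFC 5737 IPv4, RFC 3849 IPv6). Not real data.
COUNTRY_RANGES = {
    "XA": ["192.0.2.0/24", "2001:db8:1::/48"],
    "XB": ["198.51.100.0/24"],
}


def build_geo_table(ranges):
    """Flatten {country: [cidr, ...]} into a list of (network, country),
    ordered most-specific prefix first so a narrower allocation wins."""
    table = []
    for country, cidrs in ranges.items():
        for cidr in cidrs:
            table.append((ipaddress.ip_network(cidr, strict=True), country))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_country(ip, table):
    """Return the country code whose range contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for network, country in table:
        if addr.version == network.version and addr in network:
            return country
    return None


class ConnectionPolicy:
    """Decide whether to admit a source address, checking in order:
       1. explicit allowlist (always wins, so a business partner inside a
          blocked country can still be admitted),
       2. explicit IP/range blocklist ("blacklisting" a single source),
       3. geo-block list of country codes (blocks whole address ranges),
       4. default: allow (blacklisting model) or deny (whitelisting model)."""

    def __init__(self, geo_table, blocked_countries=(), blocked_ranges=(),
                 allowed_ranges=(), default_deny=False):
        self.geo_table = geo_table
        self.blocked_countries = set(blocked_countries)
        self.blocked = [ipaddress.ip_network(r, strict=False) for r in blocked_ranges]
        self.allowed = [ipaddress.ip_network(r, strict=False) for r in allowed_ranges]
        self.default_deny = default_deny

    @staticmethod
    def _matches(addr, networks):
        return any(addr.version == n.version and addr in n for n in networks)

    def decide(self, ip):
        """Return (verdict, reason) for a source IP string."""
        addr = ipaddress.ip_address(ip)
        if self._matches(addr, self.allowed):
            return ("allow", "allowlist")
        if self._matches(addr, self.blocked):
            return ("deny", "ip blocklist")
        country = lookup_country(str(addr), self.geo_table)
        if country in self.blocked_countries:
            return ("deny", "geo-block " + country)
        if self.default_deny:
            return ("deny", "default deny (whitelisting)")
        return ("allow", "default allow")


def build_example_policy(default_deny=False):
    """Constructed policy: geo-block hypothetical country XB, block one
    specific address in XA, and always admit the (constructed) office range."""
    return ConnectionPolicy(
        geo_table=build_geo_table(COUNTRY_RANGES),
        blocked_countries={"XB"},
        blocked_ranges=["192.0.2.77/32"],
        allowed_ranges=["203.0.113.0/28"],
        default_deny=default_deny,
    )


if __name__ == "__main__":
    policy = build_example_policy()
    for src in ["198.51.100.5", "192.0.2.77", "192.0.2.10", "203.0.113.4", "2001:db8:1::1"]:
        print(src, policy.decide(src))
```

Because the allowlist is evaluated before the geo-block list, the policy can deny an entire country while still admitting a known partner inside it; flipping `default_deny=True` turns the same object into the "block everything except permitted sites" whitelisting model the post describes.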
Geo-blocking is quite effective, and has become one of the go-to tactics for cybersecurity and network professionals to deploy. On Friday we will discuss sender blocking and domain blocking, and how they might fit into your cybersecurity practices.
- Wordfence – IP Blocking
- Wikipedia – Geo-blocking
- Microsoft Outlook – Sender Blocking
- Google G Suite – Sender Blocking
- OpenDNS – Domain Blocking/Web Filtering