In my network days, we did some blocking by country for certain subnets that were not serving web traffic. But for web servers? No.
posted by rachelpapers at 10:12 AM on January 4, 2016

The only context in which I've encountered blocking by country was as part of a quick-and-dirty path to showing compliance with certain legal restrictions; for example, blocking traffic from countries like Cuba and Iran that there are legal embargoes against those countries that applied to the organization.

I have no clue why anybody would block all traffic from Australia.
posted by Tomorrowful at 10:14 AM on January 4, 2016 [1 favorite]

If I were to, say to combat brute force attacks on my WP login page, I would do without an iota of "moral" consideration or "conscience" worry. It would be a practical consideration. IMHO, "believing in the first two W's" isn't a thing. At least it isn't as it relates to this.
posted by humboldt32 at 10:20 AM on January 4, 2016

random anecdote - from chile, the only site that i can remember refusing access is this, yesterday, from a thread here on askme. it was a real shock. i can't think of another site in the last year that has blocked access (people refuse to ship all the time, but still show the page).
posted by andrewcooke at 10:22 AM on January 4, 2016

The only time I've ever run across this (blocking entire netblocks that were from some specific geographic reason) was to limit the effect of a DDOS on something. As in, lots of different IPs but all within the same geographic block. It's just easier and quicker to say "nope!" to whatever country than to try to block individual IPs. (Especially if the data on the page isn't exactly relevant to whatever range it's coming from - the local helpdesk system doesn't really provide a whole helluva lot of use for someone in, say, Kazakhstan.) This was quite some time ago, though; there are probably better ways to do this now.
posted by mrg at 10:39 AM on January 4, 2016 [3 favorites]

Yes. Done this at multiple orgs with a US only customer base. Cuts down on a lot of automated perimeter attacks and other noise impacting intrusion monitoring work.
posted by bfranklin at 10:40 AM on January 4, 2016 [3 favorites]

No, I have never done this. What's the point? Country based blocks are trivial for the bad guys to work around. You could adversely affect a genuine customer who was routing out through e.g a corporate firewall in another country.
posted by paulash at 12:24 PM on January 4, 2016

This seems like a silly thing to do. O've blocked specific IPs (and even IP ranges), but never a whole country.
posted by cjorgensen at 12:27 PM on January 4, 2016

Happens for content reasons all the time (you're hosting content thats illegal in country X, and you also have a presence in country X and thus actually have to care about that). For security reasons its a quick-and-dirty thing, if you've got a good/large security team its not the way they'd do it. But if you're like one or two people with a website, it makes sense to me in some cases.
posted by thefoxgod at 12:34 PM on January 4, 2016

If you want to block by country then you can do it a few ways.

Probably the easiest way to do it is with Incapsula:

https://incapsula.zendesk.com/hc/en-us/articles/200627850-How-to-block-visitors-from-a-certain-country-

One, is with BGP. Each BGP AS that is assigned out gets a country code. You can build a filter in BGP that drops routes by country code. That requires BGP peering and complete BGP tables. That can be quite the technical task to undertake. The other way to do it is via BGP community strings with an upstream provider. Both options require a router and BGP peering.

Another way is with Apache Mod Security. Read down this article to see how to do it:
http://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/

posted by Annika Cicada at 2:15 PM on January 4, 2016

But that said, I don't think blocking australia is doing you any good.
posted by Annika Cicada at 2:18 PM on January 4, 2016

Never done it, never seen it done, unless in direct response to specific attack at a single point in time. Country blocking for security reasons otherwise seems kind of pointless. Wherever you are, it's just easy to break into a computer in the US to hack from as it is a computer in your local country or an unblocked country. Same with a botnet. Just use a US-based or non-blocked botnet.
posted by cnc at 4:09 PM on January 4, 2016

At my old gig, a site for an awards event for our non-profit was getting hammered for a few days with shitloads of traffic from Russia, so I blocked it for that domain only, then unblocked it a couple weeks later, under the theory that the chances that Russians were deeply interested in an LGBT non-profit event in Palm Springs was pretty low, and since they weren't all coming in from any given referrer, it wasn't going to kill us to miss their traffic for a bit. The problem didn't come back, and I assume it had to do with some attempt to game our Wordpress install with comment spam (which had happened on other domains for the same org., but filters caught all of it) but since the comments weren't enabled on that site, it was just shittons of pageviews. Not enough to be a DDoS, but enough to slow the site.
posted by klangklangston at 5:34 PM on January 4, 2016 [1 favorite]

When I lived in Canada I was not able to access the US government page to get the free copy of my credit report. But I was able to access it on the same laptop when I visited NY State. Back in Canada, unable to get it again.
posted by Melsky at 3:28 PM on January 6, 2016

This thread is closed to new comments.