
We all want to reduce the level of potentially malicious traffic visiting our domains and arriving in our inboxes, and geographical blocking can seem like an obvious solution.
You don’t have any employees living in Russia? So, block emails from that region.
No clients in North Korea? Block web traffic originating in that area.
However, as always, there are other considerations to take into account, so let’s dive into the detail.
What is website and email blocking?
Website and email blocking, also known as geoblocking, is a security technique based on denying entry to, or quarantining, traffic based on geographic origin or IP address.
The practice leverages threat intelligence – i.e. using information about countries, specific regions or IP addresses that are known for malicious activity to guide what blocks to put in place.
It’s a broad-brush approach, and that’s both good and bad.
Why is it useful?
A significant portion of our cyber risk arrives in our systems over the internet, so it stands to reason that implementing geographical restrictions removes one potential vector, helping businesses reduce their exposure.
Eliminating unwanted emails from specific countries you don’t do business with can both help prevent annoying spam from cluttering up your inbox and – more importantly – reduce phishing emails, which are a major vector for malware, ransomware, and other intrusions.
Blocking traffic from regions that are potentially harmful, or simply irrelevant to your business, can also free up resources for genuine visitors, leading to improved website performance.
What are the potential downsides?
It may sound as though blocking all traffic you’re not actively expecting could be the way to go but, of course, it’s not that simple.
Imagine my disappointment when I was unable to shop in the online sale of a favourite Australian clothing brand because the company had implemented geographical blocking to prevent IP addresses from outside Australia from accessing their website.
Happily, my disappointment was short-lived as all I had to do was fire up a VPN (virtual private network) service to hide my real IP address, and select one in Melbourne instead…
Ah, perhaps you’ve now spotted the main downfall with geographical block-listing? It’s far from infallible.
Attackers can use VPNs, proxies, or leverage compromised systems within allowed locations to circumvent regional blocking restrictions.
There are also ethical considerations; blocking entire nations from your business can be viewed as discrimination, depending on how many nations you block and where they are. Is that in line with your brand?
Setting up blocks can also inadvertently impact legitimate users, who are perhaps travelling or using VPNs for their own security reasons.
Similarly, you run the risk of alienating potential new clients, and you may also inadvertently exclude search engine crawlers such as Googlebot, which can negatively impact your website’s search engine rankings.
What cyber risks can it reduce?
In the context of email security, geoblocking can help to reduce several cyber risks:
Malware infections: By limiting the number of spam emails entering inboxes, geoblocking helps prevent malware infections, which often originate in known international cyber threat hotspots.
Ransomware attacks: Phishing is a major vector for ransomware, so blocking these messages will go a long way towards preventing these and similar attacks.
Data theft incidents: These are also sometimes linked to social engineering attacks, and geoblocking can help prevent them by blocking the initial malicious emails.
Noise from automated bot attacks: While more sophisticated attacks may bypass mitigations by using international botnets, country-based blocking can still help prevent thousands of mindless drones from spamming your connection logs, reducing the bad-traffic load from bots.
DDoS disruption: By preventing access from regions known to be sources of DDoS attacks, businesses can protect their infrastructure from disruption.
Brute-force attacks: These are another type of attack that is often automated and invariably originates in known cyber crime hotspots, so geoblocking may also reduce your risk of brute-force attacks.
How do you do it?
Regional blocking is available as a feature in many email filters, firewalls, and spam protection services and is considered an essential part of a layered approach to email filtering.
Web hosting providers often offer broad-brush firewall rules that allow you to block specific countries from accessing or interacting with your website. Meanwhile, security providers such as Cloudflare generally provide more comprehensive and detailed options.
Cloud providers generally provide the ability to block access to applications based on a user’s location, restricting access to specified countries or regions.
Email filtering solutions often offer geoblocking as part of their spam filtering feature, and you can use the blocked top-level domains list to block messages from specific top-level domains or country/region codes.
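Because a country block can also catch travelling users and search engine crawlers, it helps to replay the proposed block list against existing access logs before enforcing it. The sketch below is an added example, not code from any product mentioned here; the IP-to-country table, the log entries and the function names are constructed for illustration, and a real deployment would use a GeoIP database and its own log format.

```python
import ipaddress
from collections import Counter

# Constructed IP-to-country table using documentation-only ranges (RFC 5737).
# A real deployment would query a GeoIP database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "AU"),
    (ipaddress.ip_network("198.51.100.0/24"), "RU"),
    (ipaddress.ip_network("203.0.113.0/24"), "KP"),
]

# Constructed access-log sample: (source IP, user agent, authenticated session?)
SAMPLE_LOG = [
    ("192.0.2.10", "Mozilla/5.0", True),
    ("198.51.100.7", "Mozilla/5.0", True),      # e.g. a customer who is travelling
    ("198.51.100.8", "python-requests/2.31", False),
    ("198.51.100.9", "Googlebot/2.1", False),   # claims to be a crawler (unverified)
    ("203.0.113.5", "curl/8.0", False),
    ("203.0.113.5", "curl/8.0", False),
    ("10.1.2.3", "Mozilla/5.0", False),         # not in the table: country unknown
]

def country_of(ip):
    """Return the country code for an IP, or None if the table has no match."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None

def assess_geoblock(log, blocked):
    """Dry run: count what a country block would stop, without blocking anything."""
    report = Counter()
    for ip, agent, authenticated in log:
        cc = country_of(ip)
        if cc is None:
            report["unknown_country"] += 1      # decide separately: allow or block?
        elif cc not in blocked:
            report["allowed"] += 1
        else:
            report["would_block"] += 1
            if authenticated:                   # legitimate users caught by the rule
                report["would_block_authenticated"] += 1
            if "bot" in agent.lower():          # crawler traffic worth reviewing
                report["would_block_crawler_ua"] += 1
    return dict(report)

if __name__ == "__main__":
    print(assess_geoblock(SAMPLE_LOG, {"RU", "KP"}))
```

Non-zero counts for authenticated sessions or crawler user agents are the cases to review, for example with an allow-list exception, before the block is switched from monitoring to enforcement.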
All in all, regional blocking isn’t a silver bullet and it isn’t foolproof, but it is a valuable tool that can form part of a comprehensive, layered approach to effective cyber security.
Photo by NASA