
GeoIP WAF heuristic for preemptive blocking by country of origin. #7

amcgregor opened this issue Dec 19, 2020 · 3 comments

amcgregor commented Dec 19, 2020

Ongoing Russian shenanigans against the US government and private-sector targets have resolved the concern I had in developing a WAFHeuristic implementation utilizing GeoIP to preemptively ban specific countries of origin. If you have no clients in that country, your target demographic isn't there, or you do not provide services in a language from regions which are threat-heavy, they don't need to talk to your application. There is little to no benefit in permitting access, and potentially substantial risk.

Example WAF heuristic instantiation to cover current trends:

```python
GeoCountryHeuristic(
    'cn', 'kp', 'us',  # China, take that, "Great Firewall", and North Korea. And human rights abusers.
    'ae', 'ir', 'iq', 'sa',  # Middle-eastern states.
    'by', 'ru', 'ua',  # Russia and nearby former states.
    'am', 'az', 'ee', 'ge', 'kg', 'kz', 'lt', 'lv', 'md', 'tj', 'tm', 'uz',  # Additional former states.
)
```

This additionally allows for developers writing applications to take specific action as their situation demands.


Minor note about China: The current behavior of the "Great Firewall" is to block (in an interesting way) traffic utilizing modern TLS ESNI. By actively utilizing modern TLS/SSL, configured securely, you will be inaccessible (to the public) within geography impacted by that "firewall".

To assist in testing: https://www.uptimia.com/website-availability-test

amcgregor commented Dec 19, 2020

More comprehensive projects and alternative hosted APIs:

amcgregor commented

As a result of the Pentagon freeing 6% of the IPv4 space to a private company, ostensibly for security reasons, this or another WAF heuristic should be updated/written to examine IP block owner locations, as well.
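
The following is an added example, not code from this project or from the issue author, sketching how a country-of-origin heuristic of the kind described in the opening comment could be implemented, extended with the block-owner check proposed in the comment above. It assumes a resolver that returns both the geolocated country and the country of the IP block's registrant; the prefix table is constructed sample data (RFC 5737 / RFC 3849 documentation ranges) standing in for a real GeoIP and RIR/WHOIS lookup. The `trusted_proxies`, `block_unknown` and `check_owner` parameters are this example's own, not a proposed project API.

```python
"""Country-of-origin WAF heuristic (added example, not the project's code)."""
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample data using RFC 5737 / RFC 3849 documentation ranges.
# Values are (geolocated country, block owner country); a real deployment
# would query a GeoIP database plus RIR/WHOIS registrant data instead.
SAMPLE_PREFIXES = {
    "198.51.100.0/24": ("us", "us"),
    "203.0.113.0/24": ("ru", "ru"),
    "192.0.2.0/24": ("de", "us"),    # hosted in DE, block registered to a US entity
    "192.0.2.128/25": ("de", "ru"),  # more specific sub-block registered to a RU entity
    "2001:db8::/32": ("cn", "cn"),
}
_NETWORKS = [(ipaddress.ip_network(p), v) for p, v in SAMPLE_PREFIXES.items()]

# Address space that must never be geo-blocked (RFC 1918, loopback, ULA,
# link-local). Python's is_private also flags the documentation ranges used
# above as "private", so an explicit list is used instead.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def lookup(ip: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match against the sample table; None when unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, countries in _NETWORKS:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, countries)
    return best[1] if best else None


def _in_any(ip: str, networks) -> bool:
    """True when ``ip`` parses and falls inside one of ``networks``."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr.version == n.version and addr in n for n in networks)


def client_ip(remote_addr: str, forwarded_for: Optional[str], trusted_proxies) -> str:
    """Resolve the address a geo decision should be based on.

    X-Forwarded-For is attacker-controlled unless the direct peer is a proxy
    we operate; honouring it blindly lets a client choose its own country.
    Only when the peer is trusted is the header walked right-to-left, and the
    first hop that is not one of our proxies is taken as the client.
    """
    if not forwarded_for or not _in_any(remote_addr, trusted_proxies):
        return remote_addr
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        if hop and not _in_any(hop, trusted_proxies):
            return hop
    return remote_addr


class GeoCountryHeuristic:
    """Deny requests whose client IP geolocates to, or whose IP block is
    registered in, one of the given ISO 3166-1 alpha-2 country codes."""

    def __init__(self, *countries: str, check_owner: bool = True,
                 block_unknown: bool = False, trusted_proxies: Iterable[str] = (),
                 resolver=lookup):
        self.countries = frozenset(c.lower() for c in countries)
        self.check_owner = check_owner      # also match the block registrant's country
        self.block_unknown = block_unknown  # fail closed when no data is available
        self.trusted_proxies = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.resolver = resolver

    def __call__(self, remote_addr: str, forwarded_for: Optional[str] = None) -> Optional[str]:
        """Return a reason string when the request should be blocked, else None."""
        ip = client_ip(remote_addr, forwarded_for, self.trusted_proxies)
        try:
            ipaddress.ip_address(ip)
        except ValueError:  # garbage injected via X-Forwarded-For
            return "unparseable client address" if self.block_unknown else None
        if _in_any(ip, INTERNAL_NETWORKS):
            return None  # internal traffic is never geo-blocked
        result = self.resolver(ip)
        if result is None:
            return "country unknown" if self.block_unknown else None
        geo, owner = result
        if geo in self.countries:
            return f"geolocated to blocked country {geo}"
        if self.check_owner and owner in self.countries:
            return f"IP block registered in blocked country {owner}"
        return None


if __name__ == "__main__":
    waf = GeoCountryHeuristic("ru", "cn", trusted_proxies=["10.0.0.0/8"])
    for peer, xff in [("203.0.113.7", None), ("192.0.2.200", None),
                      ("10.0.0.4", "203.0.113.7, 10.0.0.9"), ("198.51.100.9", "203.0.113.7")]:
        print(peer, xff, "->", waf(peer, xff))
```

Two design points matter in practice. Geo-blocking is only as good as the client address it sees, so the forwarded-header handling above ignores X-Forwarded-For unless the direct peer is one of your own proxies; without that, any client can pick its country. And the default here is to fail open on unknown or unparseable addresses, which is the usual choice for a coarse heuristic; switch to `block_unknown=True` when the heuristic is used to enforce a policy rather than to cut noise.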

amcgregor commented

Additional note: hesitation eliminated. This can be useful for enforcing sanctions.
