Is it practical to pre-blacklist certain GeoIP regions?

It's essentially a business decision, rather than a security one. The risks from a business perspective are that you lose users from that country, or who are accessing the site from VPNs located in that country. Also, whilst really unlikely, it's theoretically possible for IP assignments to change, meaning that if you didn't keep these blocks maintained and updated with the latest assignments, you might accidentally block legitimate users from target countries who happen to have been given IPs from a pool previously assigned to a blocked country.

From a security point of view, it can reduce the volume of attacks, and increase the costs to an attacker of targeting your site (since they need to get machines from specific countries, rather than any machines).

It tends to make sense when you have a regionally restricted product - think of shops where goods are only shipped within a specific country, competitions which only accept entries from people in a given region, or systems which work in conjunction with physical businesses which have a limited range (e.g. deliveries to a national chain store, so there would be no way for a user elsewhere to benefit from the service). In those cases, it tends to be easier to justify the risks, since there is no way people from other countries can use the service (and it wouldn't be hard to include neighbouring countries in case of edge cases - a Portuguese business might include Spanish IP ranges, just in case, say).

It makes less sense when you have an information business, or a digital product. In these cases, you might end up getting more unwanted traffic, as people who want to obtain the product resort to VPNs within allowed countries. Think artificial restrictions such as film releases staggered around the world, TV shows with months of delay before being shown outside the country of origin, or game releases.

You can obtain country-specific IP lists from sites such as http://www.ipdeny.com/ipblocks/ and then choose whether to use a whitelist approach ("we only deliver to southern Italy, so will only allow Italian and Vatican City IP addresses") or a blacklist approach ("we see lots of attacks from Australia, so will block all Australian IP addresses").

(Please note, all countries are randomly selected and should not be taken as approval or disapproval of given countries.)


Banning ranges of IPs is generally not a good idea. You should only do this if a range is consistently a big problem for you. Here's why:

  • Many people use VPNs or anonymizing networks such as Tor, meaning valid users may appear to have an IP from a country you don't consider to be part of your target audience. Users of such networks may not use your service if they have difficulty connecting.
  • It is difficult, if not impossible, to truly ban by location when talking about IP addresses. In your case, it might be easier, as you are looking at whole countries and regions rather than more specific places.
  • A dedicated attacker can easily circumvent IP-based bans. You'll only be stopping script kiddies. Annoyances like this can be dealt with using well-set-up firewalls; resilient, well-configured server software; and secure backend code.

As for only allowing certain IP ranges on backend/administrative ports: go for it. This is absolutely a good idea, as you can have certain expectations of your sysadmins (that they don't need to log in with a VPN or other anonymizing network, that they live in an area with a certain IP range, etc) that you can't have of your customers.
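Both the country zone lists and whitelist/blacklist choice from the first answer and the admin-port allow-list from the answer above reduce to the same check: parse a list of CIDR prefixes and test whether a client address falls inside one. The example below is an added illustration, not code from either answer or from ipdeny.com. The zone contents, the admin ranges, the port numbers and the `ZonePolicy`/`decide` names are all assumptions made up for the example; the prefixes are documentation ranges, not real country allocations. It also exercises two caveats a practitioner runs into: a malformed line in a downloaded list should fail loudly rather than silently shrink the policy, and an IPv4-only zone list applied to a dual-stack listener denies every IPv6 client in allow mode and passes every IPv6 client in deny mode.

```python
import ipaddress

# Constructed sample zone files in the ipdeny.com "ipblocks" layout (one CIDR
# per line, '#' comments tolerated).  The prefixes are RFC 5737 / RFC 3849
# documentation ranges, NOT real country allocations.  In practice you would
# load the downloaded it.zone, va.zone, au.zone files and refresh them on a
# schedule so re-assigned ranges do not linger in the policy.
ZONE_IT = """\
# it.zone (constructed sample)
192.0.2.0/25
198.51.100.0/24
"""
ZONE_VA = "203.0.113.0/28\n"
ZONE_AU = "203.0.113.64/26\n"
# Constructed: the fixed office and VPN-concentrator ranges sysadmins use.
ZONE_ADMIN = "198.51.100.16/28\n2001:db8:1::/48\n"


def parse_zone(text):
    """Parse a zone file into ip_network objects.

    Blank lines and comments are skipped.  A malformed line raises rather than
    being dropped, so a truncated or corrupted download fails loudly instead of
    silently narrowing an allow-list (or widening a deny-list).
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"zone line {lineno}: {line!r}: {exc}") from None
    return nets


def collapse(nets):
    """Merge overlapping/adjacent prefixes, per address family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


class ZonePolicy:
    """mode='allow': only listed networks pass (the whitelist approach).
    mode='deny': listed networks are refused, everything else passes (blacklist)."""

    def __init__(self, mode, *zone_texts):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.nets = collapse([n for z in zone_texts for n in parse_zone(z)])

    def listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

    def permits(self, ip):
        hit = self.listed(ip)
        return hit if self.mode == "allow" else not hit


# Policy instances for the scenarios in the answers above (all constructed).
PUBLIC = ZonePolicy("allow", ZONE_IT, ZONE_VA)   # "we only deliver to Italy"
BLOCK_AU = ZonePolicy("deny", ZONE_AU)           # "lots of attacks from Australia"
ADMIN = ZonePolicy("allow", ZONE_ADMIN)          # admin ports: sysadmin ranges only
ADMIN_PORTS = {22, 8443}


def decide(ip, port):
    """Admin ports get the tight sysadmin allow-list; everything else the public policy."""
    policy = ADMIN if port in ADMIN_PORTS else PUBLIC
    return policy.permits(ip)


if __name__ == "__main__":
    for ip, port in [("192.0.2.10", 443), ("198.51.100.40", 22),
                     ("198.51.100.20", 22), ("2001:db8::1", 443)]:
        print(f"{ip:>16} :{port:<5} -> {'allow' if decide(ip, port) else 'deny'}")
```

Note that `2001:db8::1` is refused by `PUBLIC` but passed by `BLOCK_AU`, purely because neither zone file contains an IPv6 prefix; if the site answers on IPv6, the IPv6 zone lists have to be loaded as well or the IPv6 listener handled explicitly.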


Don't waste your time trying to maintain GeoIP blacklists. It's a kneejerk response, and is shortsighted and ineffective in practice.

Think of it like terrorism-- Timothy McVeigh detonates a bomb in Oklahoma. You ban all white men from America. Does that really stop the problem?

The majority of actual attacks I've seen come from botnets and/or anonymous proxies. So even if you block China, Chinese attackers are just going to route their traffic through compromised hosts in the US or Europe. Block China, Iraq, Turkey, Russia...they will route around it. It's the very nature of the internet.

Behavioral profiling is much more effective as a countermeasure than dynamic blacklists. Someone hammering at a service should be blocked no matter where their traffic originates.

Instead, depending on what you're trying to protect, consider using a WAF or proxy like Cloudflare-- you can easily block by country if it helps you sleep better at night, but the more important mitigator is that they function as a shared intelligence repository. (You don't have to use them specifically; I've just had good experience with them.)

If they detect attackers hammering someone else's site, and those same attackers try to hammer yours, they'll be blocked or hindered by virtue of the fact that they are previously associated with malicious activity-- not the fact that they live in Guangdong or Belarus.

This will not work with SSH and the like, so you'll still need to use something like fail2ban to deter attacks on those services. But for HTTP and the like, it's been great.
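The behavioural approach this answer recommends (block a client that hammers the service, wherever its traffic originates, and consult a shared reputation list before that) is shown below as an added example; it is not code from the answer, from Cloudflare or from fail2ban. The `BehaviourBan` class, the thresholds, the combined-format sample log lines and the reputation set are all constructed for the illustration; real thresholds come from your own baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log prefix: client, ident, user, [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return {'ip', 'ts', 'req', 'status'} for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "req": m["req"],
        "status": int(m["status"]),
    }


class BehaviourBan:
    """Ban on what a client does, not where it comes from.

    Two sliding-window counters per source IP: total requests, and
    401/403/404 responses (failed logins, probing for admin paths).  A third
    check consults a shared reputation set, standing in for the intelligence a
    WAF/proxy provider accumulates across its customers.
    """

    FAIL_STATUSES = {401, 403, 404}

    def __init__(self, window_s=60, max_requests=30, max_failures=5, reputation=frozenset()):
        self.window = timedelta(seconds=window_s)
        self.max_requests = max_requests
        self.max_failures = max_failures
        self.reputation = reputation
        self.hits = defaultdict(deque)
        self.fails = defaultdict(deque)
        self.banned = {}  # ip -> reason

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, rec):
        ip, now = rec["ip"], rec["ts"]
        if ip in self.banned:
            return self.banned[ip]
        if ip in self.reputation:
            self.banned[ip] = "shared-reputation"
            return self.banned[ip]
        hits = self.hits[ip]
        hits.append(now)
        self._prune(hits, now)
        fails = self.fails[ip]
        if rec["status"] in self.FAIL_STATUSES:
            fails.append(now)
        self._prune(fails, now)
        if len(fails) >= self.max_failures:
            self.banned[ip] = "auth-failures"
        elif len(hits) >= self.max_requests:
            self.banned[ip] = "rate"
        return self.banned.get(ip)


def analyse(lines, **kwargs):
    """Feed parseable log lines in timestamp order; return {ip: reason} for banned clients."""
    detector = BehaviourBan(**kwargs)
    records = [r for r in (parse_line(ln) for ln in lines) if r]
    for rec in sorted(records, key=lambda r: r["ts"]):
        detector.observe(rec)
    return dict(detector.banned)


# ---- constructed sample traffic (documentation IPs, not real clients) ----
BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
REPUTATION = frozenset({"192.0.2.44"})  # constructed "seen attacking others" list


def _line(ip, offset_s, req, status):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{req}" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    [_line("203.0.113.9", i * 2, "POST /login HTTP/1.1", 401) for i in range(6)]          # 6 failed logins in 10 s
    + [_line("198.51.100.7", i * 10, "GET /index.html HTTP/1.1", 200) for i in range(3)]  # ordinary visitor
    + [_line("192.0.2.44", 5, "GET / HTTP/1.1", 200)]                                      # one benign-looking hit
    + [_line("203.0.113.200", i, "GET /search?q=x HTTP/1.1", 200) for i in range(40)]      # 40 hits in 40 s
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, reason in analyse(SAMPLE_LOG, reputation=REPUTATION).items():
        print(f"ban {ip:>15}  ({reason})")
```

The decision never looks at the source country: the brute-forcer and the scraper are banned for their request pattern, the reputation hit is banned for what it did elsewhere, and the ordinary visitor is untouched even though all of them could sit in the same country block. For SSH the same idea is what fail2ban applies to auth logs, as the answer notes.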