Blocking network traffic by country / IP address

I’ve been overlooking the first line on my by-country webserver stats for quite some time. If – as it is for me – that top line is from a country which originates only spam and lame hacking attempts, you’ve probably considered blocking the entire country. This is a terrible thing to do and totally against any decent motivation for having an Internet or World Wide Web in the first place. Zàijiàn!

My blog's popular in China!

I don’t think all those visits from China are genuine readers…

I added (parts of) the IP-blocking script from this page, which uses country-IP data from ipdeny.com, and though it seems to work, it looks as though the data from ipdeny.com is incomplete. Plenty of spam continued to arrive in the Apache log and little appeared to be blocked. I can check this quite easily, as I have a trivial IP-to-country API method at shipping-quote.net which gives me country info. I can see WordPress comment POSTs to an old spam-magnet article of mine from IP addresses like 121.205.212.208, 27.153.209.171, 110.86.167.153 etc. These addresses are not present in ipdeny.com’s data file, so they’re not blocked by iptables.
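The coverage check described above can be run offline against the access log, shown here as an added example that is not the author's script. The log lines and both CIDR lists are constructed for illustration (only the three client IPs come from the post), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed Apache log lines; the first three client IPs are those quoted in the post.
SAMPLE_LOG = """\
121.205.212.208 - - [01/Jan/2013:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
27.153.209.171 - - [01/Jan/2013:10:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
110.86.167.153 - - [01/Jan/2013:10:00:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2013:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

# Constructed zone files (one CIDR per line, '#' comments). NOT real registry data.
SHORT_ZONE = "# shorter list\n121.204.0.0/14\n"
LONG_ZONE = "# longer list\n121.204.0.0/14\n27.152.0.0/13\n110.80.0.0/13\n"

POST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST (\S+)')


def parse_zone(text):
    """Parse a country zone file into network objects, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def comment_post_ips(log_text, path="/wp-comments-post.php"):
    """Return the set of client IPs that POSTed to the comment endpoint."""
    ips = set()
    for line in log_text.splitlines():
        m = POST_RE.match(line)
        if m and m.group(2).split("?")[0] == path:
            try:
                ips.add(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # client field was a hostname, not an address
    return ips


def uncovered(ips, nets):
    """List the IPs that no block in the zone file would match."""
    return sorted(str(ip) for ip in ips if not any(ip in n for n in nets))


if __name__ == "__main__":
    seen = comment_post_ips(SAMPLE_LOG)
    for name, zone in (("short", SHORT_ZONE), ("long", LONG_ZONE)):
        print(name, "list misses:", uncovered(seen, parse_zone(zone)))
```

Any address the check reports as uncovered would pass straight through a firewall built from that list, which makes this a quick way to compare two data sources before loading either into iptables.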

It should be straightforward to expose the data I use for my IP-to-country API method which I can use in the country-blocking script, so I’m going to try that…[codes furiously]. OK, past my bedtime. Minor epic, required a little rewrite of some code that had been reliably providing IP -> Country Code for a few years. The country-code to IP address block API method is at http://www.shipping-quote.net/about/API.html#countryipaddress and the shell script requires a little tweak because the URL uses a query parameter rather than a ‘filename’.

Seems to be working quite well at the moment – there are far fewer WordPress comment POSTs, and an awful lot of ‘Country Drop’ messages in syslog! The API data is drawn (apparently) from the same source as that of ipdeny.com: the Regional Internet Registries. My country lists seem quite a bit longer than theirs; I’m not sure what the reason is. The data is updated daily at shipping-quote.net with a cron job, and I’ll probably update my host firewall weekly or monthly.

I’d be interested to read your views on the API method / the whole country-blocking thing.
