Should geo-blocking be an option for DDoS prevention?
2016 should have reinforced what security experts have been telling us over the years. Cyberattacks are not a matter of "if" anymore but "when."
Last year, there was no such thing as "too big to fail": top tech firms like Yahoo!, Dropbox, and LinkedIn all reported data breaches. DNS provider Dyn, whose service is used by Twitter and Spotify, was also hit with traffic-based attacks that affected the uptime of these popular sites. Banks and government institutions also fell victim to attacks that compromised the information of millions of users; a bank in Sri Lanka even lost billions of dollars to spoofed international transactions.
Security expert Bruce Schneier was one of the first to speculate that a nation state may actually be working on taking down key internet infrastructure. To what end, experts have yet to reach a definitive conclusion. The latest controversy over whether or not Russia was actually behind the Democratic National Committee email leak has led to increased concern over cross-border cybersecurity.
Attacks are now commonplace and costly
Among the most common and widespread forms of cyberattack today are data theft and distributed denial-of-service (DDoS) attacks. These attacks can be carried out for any purpose. An attack may be launched by competitors trying to disrupt rivals or seeking competitive advantage by stealing proprietary information. It may be the work of hacktivists who ride on the publicity to push an agenda. Then there are the extortionists seeking to make money from ransom.
The rise in cybercrime-as-a-service also makes it quicker for perpetrators with little technical know-how to have attacks launched on their behalf. Hackers offer their services for as little as $100 a day. For victims, the costs are significant. Downtime caused by DDoS attacks can cost e-commerce websites $40,000 an hour. A Ponemon study also reports that the cost of a data breach now runs up to $4 million.
DDoS attacks use immense amounts of bandwidth to overwhelm a network and render it unusable. 2016 saw DDoS records broken by the Mirai malware botnet. The malware uses a network of compromised systems, including many unsecured Internet-of-Things devices, to carry out the attacks. A recent report also describes a possible new botnet, which has a different attack pattern from Mirai and is known only by the embedded signature "Leet" found in its payload. It rivals the Mirai botnet in the volume of traffic it can generate.
Why not just geo-block?
With respect to the origin of attacks, the majority of DDoS traffic originates from four countries: China, Taiwan, South Korea, and Vietnam, according to Incapsula's analysis of customer traffic. The most attacked countries are the US, UK, Netherlands, Japan, and Germany.
The argument for geo-blocking is simple: just deny all traffic from the countries where DDoS attacks usually originate. For those managing websites or networks that have experienced spam attacks and aggressive bot traffic from crawlers, geo-blocking might be a fast and easy way to deal with these issues. Website owners can simply obtain geo-blocking from their hosting providers, and even popular CMSs such as WordPress have plugins that can perform geo-blocking.
For many small-scale and locally oriented websites, this may actually be a viable option. If your target audience is mainly from a concentrated locale such as a city or state, then blocking all traffic from other parts of the globe can significantly lower the odds of your infrastructure being hit by attacks. Site activity analytics can show which countries a site's regular traffic comes from, and a website may do well to focus on that high-value traffic.
However, the argument against geo-blocking is this: security should not fall back on a scorched-earth approach. Some argue that one of the ideals embraced by internet rights is global connectedness. Geo-blocking is sometimes viewed as a form of censorship, and it could be a tad racist. Penalizing innocent web users just because they happen to be located in a particular time zone or country might be construed as despotic.
For businesses, limiting potential viewership can restrict growth. Content-focused websites also run the risk of not capitalizing on global search engines and on legitimate traffic spikes from popular content. In a bit of a twist, the fifth most common country of origin for attacks is the US. So should US websites block users from their main audience?
Besides, a determined attacker will look for ways to circumvent geo-blocking. Mirai, for example, can spoof IP addresses in order to get around basic geo-blocking rules.
Securing your systems
So what can organizations do? Unfortunately, many are still in the dark about how to prevent and respond to such threats. A Kaspersky survey shows that 40 percent of businesses do not know how to protect themselves from threats such as DDoS attacks. Many SMEs may not have the resources to form dedicated teams or appoint information security officers to focus on security.
A more flexible approach is to use security-as-a-service in the form of cloud-based web application firewalls and DDoS prevention services. These services are easy to implement and available on demand. With algorithms that detect and thwart attack behaviors, you will not have to resort to broadly banning IP addresses from entire countries. Cloud-based security solutions ideally maintain databases of known compromised IP addresses to blacklist, and they can still offer geo-blocking as a drastic option if needed. This way, geo-blocking is never the first and only line of defense.
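The layered policy described above, with country-level blocking kept as an explicitly enabled last resort behind an IP reputation list and per-source rate limiting, can be sketched in a few lines. The following is an added example written for this article, not code from any of the services mentioned; the GeoIP table uses RFC 5737 documentation prefixes with invented country assignments, the block list entries and thresholds are constructed, and a real deployment would source both from a reputation feed and a GeoIP database.

```python
"""Layered access decision: reputation list, then per-source rate limit,
then country block only when an operator has explicitly enabled it."""
import ipaddress
from collections import defaultdict, deque
from typing import Optional

# Constructed GeoIP lookup table. The prefixes are RFC 5737 documentation
# ranges and the country codes are invented for this example.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}


def country_of(ip: str) -> Optional[str]:
    """Return the country code for an address, or None if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP.items():
        if addr in net:
            return code
    return None


class AccessPolicy:
    def __init__(self, blocklist, max_requests=20, window=10.0, geo_block=None):
        # Known-compromised addresses (constructed here; a reputation feed in practice).
        self.blocklist = {ipaddress.ip_address(a) for a in blocklist}
        self.max_requests = max_requests      # requests allowed per window
        self.window = window                  # sliding window length in seconds
        # Geo-blocking stays off unless a set of country codes is supplied.
        self.geo_block = set(geo_block or ())
        self.history = defaultdict(deque)     # source address -> recent timestamps

    def decide(self, ip: str, now: float) -> str:
        """Return 'allow' or 'deny:<reason>' for one request at time `now`."""
        addr = ipaddress.ip_address(ip)

        # 1. Reputation: drop known-bad addresses regardless of where they sit.
        if addr in self.blocklist:
            return "deny:blocklist"

        # 2. Behaviour: per-source sliding-window rate limit.
        recent = self.history[addr]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) > self.max_requests:
            return "deny:rate"

        # 3. Origin: country block, only as a deliberately enabled fallback.
        code = country_of(ip)
        if code is not None and code in self.geo_block:
            return "deny:geo"

        return "allow"


if __name__ == "__main__":
    # Constructed flood: one address sending 30 requests within a second.
    policy = AccessPolicy(blocklist=["198.51.100.7"], max_requests=20, window=10.0)
    decisions = [policy.decide("203.0.113.5", t / 30) for t in range(30)]
    print("flood source:", decisions.count("allow"), "allowed,",
          decisions.count("deny:rate"), "rate-limited")
    print("blocklisted source:", policy.decide("198.51.100.7", 1.0))
```

The ordering is the point: a flooding address in a "trusted" country is still rate-limited, a known-bad address in any country is dropped, and the country rule only fires when an operator has turned it on, which matches the article's position that geo-blocking should be a deliberate, temporary switch rather than the default.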
So as for the geo-blocking question, the answer is no. It can be an immediate, quick way to mitigate a DDoS attack, but it should not be a long-term option. Issues like these are better handled with a more finessed approach involving advanced access rules and better security platforms.
Peter Davidson works as a senior business associate helping brands and start-ups make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.