This column is available in a weekly newsletter called IT Best Practices.
Companies like Norse and Akamai track the source IP of Internet attack traffic and compile lists showing the top offending regions. According to Akamai, in one recent quarter 84% of the observed attack traffic was generated from within just ten countries.
China, Russia, the United States and various Eastern European countries make the Top Ten list on a regular basis, but malicious Internet traffic patterns do change over time. For example, Akamai says China led the category at the end of 2012, but Indonesia overtook China for the top spot the next quarter. By the second quarter of 2014, China was back on top with 43% of the observed attack traffic. All in all, during the second quarter of 2014, Akamai observed attack traffic originating from source IP addresses in 161 unique countries/regions.
A point to note is that the attacker doesn't have to be located in the country or region where the traffic appears to originate; it simply means he is routing his packets through compromised systems in those countries. An attacker will route traffic through open proxies to spread his activity across many sources, making it appear to come from numerous places in order to hide patterns that security devices might otherwise recognize. Thus if traffic from China is blocked, he can redirect it through Vietnam, Estonia or somewhere else. This global reach creates a world of opportunity for attackers and can outpace the ability of firewalls and other network security tools to keep up.
If you know a majority of attacks are originating from a handful of countries, why not configure firewalls to reject traffic coming from and going to those specific countries? The fact is, it's not practical to shut off an entire country because there could be a legitimate need to interact with people or systems in those areas. For example, companies like Microsoft and Amazon might have content distribution network (CDN) servers in China, and disallowing content from those nodes could disrupt legitimate business. Therefore a blanket policy to "block all traffic from China" won't do. This has been the biggest drawback of Geo-IP blocking over the years.
New advances in Geo-IP filtering make it more practical to add this layer of screening to in-bound and out-bound traffic. PacketViper, for example, has developed technology that increases the precision of evaluating traffic in order to prevent access to and from high risk geographical areas without excluding potentially valuable customers or businesses.
PacketViper has a series of self-contained hardware appliances that span the needs from small businesses to large enterprises. It recommends you install a device at the edge of your network in front of other security devices, such as firewalls and IDS/IPS, then configure the PacketViper to allow or deny network traffic based on geographical location by network port. It's the innovative filtering technology that allows you to be precise in eliminating unwanted traffic. Here are some filtering techniques that PacketViper makes available:
- Country-based – This is the base level of filtering, where you can either block the entire country or set filters at specific ports in either direction, inbound or outbound. So, for instance, you can say that China can see your web port but not your SSL port or your mail server port.
- Global Network Lists – PacketViper has researched the IP addresses of hundreds of multinational companies and has gathered them into these Global Network Lists, sort of like a series of white lists. The PacketViper device will evaluate traffic on this list before considering what country it's from. For example, traffic from a Microsoft address originating in China will be approved, even though other China traffic is denied.
- Custom rules – Since the Global Network Lists don't contain every possible company, there is an option to create a custom network or custom rule set. Firewalls offer this capability, of course, but PacketViper can also add the country to the rule set to fine-tune it even more.
- Custom rule groups – These groups make it possible to cluster countries together and apply policies to that group. It just makes it easier to manage traffic from multiple countries.
- Per network port – This makes it possible to specify how each country, company or network is allowed to access specific ports, and in which direction.
- Bi-directional per port filtering – Different policies can be set based on the direction of the traffic: inbound or outbound. This type of rule helps prevent hackers from exfiltrating data from the inside out.
The user interface to set these policies is quite user friendly, making it easy to see what countries are being filtered, and how.
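To make the evaluation order behind these techniques concrete, here is a small policy evaluator written for this column; it is an added example, not PacketViper's code or configuration format. It models the sequence described above and the CDN problem raised earlier: a trusted-network allow list (the "global network list") is consulted before the country of the address is considered, then per-port, per-direction rules keyed by country or country group are applied, and anything unmatched falls through to a default. The prefixes, country assignments, rules and flow log are all constructed sample data; a real deployment would draw on a maintained Geo-IP database and the vendor's researched network lists.

```python
"""Toy Geo-IP policy evaluator (added example, not PacketViper code)."""
import ipaddress

# Constructed sample Geo-IP table (prefix -> ISO country code).
# Stands in for a real Geo-IP database.
GEOIP = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "RU",
    "192.0.2.0/24": "US",
}

# Hypothetical "global network list": prefixes belonging to known
# multinationals. Evaluated BEFORE the country rule, so a CDN node
# that geolocates to a blocked country is still allowed.
GLOBAL_NETWORK_LIST = {
    "203.0.113.128/25": "example-cdn-vendor",  # constructed entry
}

# Country groups: cluster countries and apply one policy to the group.
COUNTRY_GROUPS = {
    "HIGH_RISK": {"CN", "RU"},
}

# Rules: (direction, port, country-or-group, action). First match wins.
# A port of None means "any port". The remote address is the source for
# inbound flows and the destination for outbound flows.
RULES = [
    ("inbound", 80, "HIGH_RISK", "allow"),    # web port stays visible
    ("inbound", 443, "HIGH_RISK", "deny"),    # SSL port hidden
    ("inbound", 25, "HIGH_RISK", "deny"),     # mail port hidden
    ("outbound", None, "HIGH_RISK", "deny"),  # no outbound traffic to the group
]
DEFAULT_ACTION = "allow"


def country_of(ip):
    """Longest-prefix lookup of the remote address in the Geo-IP table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, cc in GEOIP.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def trusted_network(ip):
    """Return the global-network-list name covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, name in GLOBAL_NETWORK_LIST.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return None


def _matches(selector, cc):
    # A selector is either a group name or a single country code.
    if selector in COUNTRY_GROUPS:
        return cc in COUNTRY_GROUPS[selector]
    return selector == cc


def evaluate(ip, port, direction):
    """Return (action, reason) for a flow whose remote address is ip."""
    name = trusted_network(ip)
    if name is not None:
        return ("allow", f"global network list: {name}")
    cc = country_of(ip)
    if cc is None:
        return (DEFAULT_ACTION, "country unknown; default")
    for rule_dir, rule_port, selector, action in RULES:
        if rule_dir != direction:
            continue
        if rule_port is not None and rule_port != port:
            continue
        if _matches(selector, cc):
            return (action, f"rule {rule_dir}/{rule_port or 'any'}/{selector}")
    return (DEFAULT_ACTION, f"no rule for {cc}; default")


def summarize(flows):
    """Count allow/deny decisions over a list of (ip, port, direction)."""
    counts = {"allow": 0, "deny": 0}
    for ip, port, direction in flows:
        counts[evaluate(ip, port, direction)[0]] += 1
    return counts


# Constructed flow log used to exercise the policy.
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, "inbound"),     # CN -> web: allowed by port rule
    ("203.0.113.10", 443, "inbound"),    # CN -> SSL: denied
    ("203.0.113.200", 443, "inbound"),   # CN but on the CDN allow list
    ("198.51.100.7", 8443, "outbound"),  # outbound to RU: denied
    ("192.0.2.5", 25, "inbound"),        # US, no rule: default allow
    ("10.0.0.1", 22, "inbound"),         # unknown country: default
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
    print(summarize(SAMPLE_FLOWS))
```

The point of the ordering is the one the column makes: because the trusted-network check runs first, a blanket "deny HIGH_RISK on 443" can coexist with legitimate CDN traffic from an address that geolocates inside that group, and the outbound rule denies exfiltration toward the group regardless of port.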
Like any good security device, the PacketViper appliances are updated each evening with a daily intelligence feed of known bad IP addresses. The information comes from numerous sources all over the world.
PacketViper claims to have a customer that implemented a Geo-IP filter in order to eliminate malicious and other unwanted traffic to its email system. With the PacketViper filter on, threatening email numbered fewer than 1,000 messages per hour. When the customer turned off the Geo-IP filter for comparison purposes, the amount of threatening email increased by 2,000%. Without the PacketViper filter removing those unwanted messages, the chances of spam and malware getting through to end users clearly increased. What's more, other security solutions such as anti-virus, anti-malware and spam filtering, had to work much harder. With PacketViper, the bad stuff can be dropped before it ever hits the rest of your security infrastructure, so your firewalls and other tools can operate much more efficiently and effectively.
We know that attacks and other malicious traffic are on the increase. We know where much of it originates. By adding this special-purpose geo-specific filtering device, a lot of bad traffic can be removed before it enters your network, and you can prevent traffic from leaving your network for places where it just shouldn't go.