Mass Exodus of Sites to Bulgaria or Incorrect Country Blocking?

https://www.tahoebiltmore.com/

https://www.bercoredwood.com/

http://www.wiresharktraining.com/

 

Anyone else experiencing this? What service does Sophos use to map IP addr to country?



  • I cannot say this is the case for you, but I had sites getting blocked by country blocking because they had a quick redirect in them.  The site was US, but got redirected to an analytics site in South America for a second, so the country blocking kicked in and stopped it.  I have actually changed some of my stance on country blocking in the last six months as well.  I have From blocked everywhere, but for To I allow many countries because of this, or because Microsoft or AWS data centers are all around the world.  I still block many 3rd world ones and China and Russia, etc. etc. etc.  Nothing personal, I just turned them on and watched the logs on and off for a day or two and did not see any, so why not.

    Respectfully, 

     

    Badrobot
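The redirect case described above, as an added illustration that is not part of the thread or of Sophos UTM: a short simulation of a page that bounces through an analytics host abroad, and of which hop a country-blocking rule in "From", "To" or "All" mode would stop. The hostnames, the host-to-country table and the redirect table are constructed stand-ins for live HTTP and a real GeoIP database; the treatment of "From" as never matching a browser-initiated connection is a modelling assumption.

```python
"""Simulate country blocking against a site with a quick foreign redirect."""
from urllib.parse import urlsplit

# Constructed sample data: each host's hosting country and where it redirects.
HOST_COUNTRY = {
    "www.example-shop.test": "US",
    "tag.example-analytics.test": "BR",
    "www.example-shop-final.test": "US",
}
REDIRECTS = {
    "www.example-shop.test": "https://tag.example-analytics.test/hit",
    "tag.example-analytics.test": "https://www.example-shop-final.test/",
}


def trace_chain(url, max_hops=10):
    """Follow the (simulated) redirects and return the ordered list of hosts."""
    host = urlsplit(url).hostname
    chain = [host]
    while host in REDIRECTS and len(chain) < max_hops:
        host = urlsplit(REDIRECTS[host]).hostname
        chain.append(host)
    return chain


def first_blocked_hop(chain, blocked, mode, exceptions=frozenset()):
    """Return (host, country) of the first hop a country-block rule would stop.

    mode is "from", "to" or "all". Assumption: a browser-initiated connection
    has the foreign host as *destination*, so a "from"-only rule (source
    country) is modelled as never matching it, while "to" and "all" do.
    Hosts in `exceptions` model the per-site allow entries made by hand.
    """
    if mode not in ("from", "to", "all"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "from":
        return None
    for host in chain:
        if host in exceptions:
            continue
        cc = HOST_COUNTRY.get(host, "??")  # unknown country: treat as blocked
        if cc in blocked or cc == "??":
            return host, cc
    return None


if __name__ == "__main__":
    hops = trace_chain("https://www.example-shop.test/")
    print("chain:", " -> ".join(hops))
    for mode in ("from", "to", "all"):
        print(mode, first_blocked_hop(hops, {"BR"}, mode))
```

Running it shows the chain completing under "From" but stopping at the analytics hop under "To" or "All" until that host is added as an exception, which is the trade-off the thread is debating.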

     

  • In general, I don't recommend blocking "To" or "All."  "From" is the place to start.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    In general, I don't recommend blocking "To" or "All."  "From" is the place to start.

     

    As a 20+ year security guy, I one billion percent disagree with this statement. It violates the best practice principle of least privilege and is a great way to permit remote command and controller after a successful phishing attack. Practically speaking, unless you are doing business with another country, there is seldom a reason to permit inbound or outbound traffic from/to that country. I myself was surprised that the majority of usual web use never leaves the US.

     

    'All' is the place to start, change to 'From' if necessary.

  • I do agree with the principle of least privilege and myself did start with blocking ALL for To and From, making exceptions along the way if I deemed it business necessary.

    However as I said above my stance has changed somewhat, before 6 months ago I just believed there was no reason for us to even have traffic outside the US unless we specifically had a customer need.  But things they are a changing.

     

    My issue is Microsoft or AWS or other hosted analytics sites, etc. etc. keep using servers outside the US, causing applications to not update.  I have tried to keep up on IP CIDRs for some like Microsoft, but I feel like it is never ending; sure, things like Windows Updates work, but Office 365 seems to have issues.  What really gets me is a business partner or customer who has their website hosted in the US, but the hosting company is using an analytics company located physically in the US that has their servers around the world; then the redirects fail to load the full page or even the page.

    A good example of this was last week.  I was out for the day and someone had their Office 365 just break.  There are a couple of people on site that have enough privileges to run an Office 365 repair; this got hung up, ran for around 3 hours and nothing, and finally they gave up, restarted and uninstalled all of it.  They went to download Office 365 again and it just hangs there.  Eventually I just drove in and looked: here the installer was being country blocked by the firewall.  There was no choice on where to get the installer from; we are a US based company but Microsoft shot us across the globe.  I should also note that I have made exceptions for this occurrence on 3 occasions now as well, and the IP range keeps changing.

    Any hoot, got a few years security experience myself figured I would throw in my two cents lol.

    Respectfully, 

     

    Badrobot

     
