How to block all IP addresses not from the USA

Posted on 2010-08-17
Last Modified: 2013-11-16
I have been tasked with blocking all IP addresses not from the USA from our system.

I am looking for suggestions on the easiest way to set up our ASA5510s.
Question by:jimmylew52

Assisted Solution

uscshaggy earned 150 total points
ID: 33456387
There isn't a standard block of addresses that will always indicate a US-based device/computer.  There will be hundreds of IP ranges, that are pretty constantly changing.  In order to block non-US IPs effectively, you really need to use geolocation software or service on your Web Server.  See this link for an example:

Accepted Solution

drcheap earned 250 total points
ID: 33456507
This is true, it is not easy to directly and accurately correlate geographical location to IP address, much less large blocks of them.

Resources which may help a lot though:

More specifically:

Assisted Solution

Elysithea earned 100 total points
ID: 33484506
I would love to know the reason for doing this... but anyway

I guess if you need to do it on your routers it would be easier to block all and just allow the USA blocks - at least this would minimise the amount of address blocks you are worried about.

It might be worth a call to your ISP as it could be a lot easier for them to do this as they will probably have a gateway for international traffic where they could deny access for your account. I am not sure how this works exactly but the alternative of geolocation or managing address blocks is going to be difficult to say the least - probably worth a try.
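Elysithea's "block all and just allow the USA blocks" approach can be expressed on an ASA as an object-group of permitted prefixes followed by an explicit deny. The Python below is an added example, not code from this thread or from Cisco: it collapses a prefix list, emits the ASA CLI for a default-deny inbound ACL, and provides a check function you can use to confirm which addresses the list would admit. The prefixes are constructed placeholders (documentation ranges, not a real US allocation) and the object-group, ACL and interface names are assumptions; a real deployment would feed in a current country prefix list from a geolocation or registry data source, which is the ongoing maintenance burden uscshaggy and drcheap describe.

```python
"""Generate a default-deny Cisco ASA allowlist from a list of CIDR prefixes.

Added example, not from the original thread. The prefixes below are
CONSTRUCTED placeholders (RFC 5737 documentation ranges), not a real
country allocation.
"""
import ipaddress

# Constructed sample "US" prefixes; placeholders only, refresh from a
# real data source in practice.
SAMPLE_US_BLOCKS = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.200/32",   # single host, exercises the 'host' keyword
    "203.0.113.64/26",
]


def parse_blocks(cidrs):
    """Parse CIDR strings into IPv4 networks, merging overlaps/adjacent ranges.

    strict=True rejects entries with host bits set, so a typo in the source
    list fails loudly instead of silently widening the allowlist.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(ip, nets):
    """Return True when ip falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def asa_allowlist_config(cidrs, group_name="US_ALLOW", acl_name="OUTSIDE_IN",
                         interface="outside"):
    """Emit ASA CLI: an object-group of allowed prefixes, one permit rule for
    that group, an explicit logged deny, and the access-group binding.

    Assumes the ACL is applied inbound on the outside interface. Because the
    ASA is stateful, return traffic for connections initiated from inside is
    still allowed; only inbound-initiated connections are restricted.
    Names are assumptions, not values from the thread.
    """
    nets = parse_blocks(cidrs)
    lines = [f"object-group network {group_name}"]
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f" network-object host {n.network_address}")
        else:
            # ASA takes a dotted netmask rather than a prefix length
            lines.append(f" network-object {n.network_address} {n.netmask}")
    lines.append(
        f"access-list {acl_name} extended permit ip object-group {group_name} any")
    # Explicit deny with 'log' so rejected sources show up in syslog for
    # monitoring; the implicit deny at the end of an ASA ACL does not log.
    lines.append(f"access-list {acl_name} extended deny ip any any log")
    lines.append(f"access-group {acl_name} in interface {interface}")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_blocks(SAMPLE_US_BLOCKS)
    for probe in ("192.0.2.10", "203.0.113.1"):
        print(probe, "allowed" if is_allowed(probe, nets) else "denied")
    print(asa_allowlist_config(SAMPLE_US_BLOCKS))
```

The logged deny is the part worth keeping even if you later move the allowlist to a UTM or an ISP-side filter: it turns the rule into a detection source, so you can see which blocked regions are actually probing the servers before deciding whether the allowlist is worth its upkeep.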


Author Comment

ID: 33484740
Thanks to all of you I have settled on an acceptable solution. I will be blocking the majority of the IP blocks from Asia and Europe. So far it has been helpful in blocking the attacks coming from there.

Reason - a couple of our servers, that have been attacked, have problems during the attacks and require us to monitor them constantly to keep them operational. The attacker does not gain entry to the server but it, I believe it is a bot, stalls one of the services during the attack. We are not able to limit the IPs that have access because they are constantly changing. The IPs are all USA IPs.

Expert Comment

ID: 33486052
OK, if that's the problem there might be a better solution to this.

Without going really deep you could put a UTM protecting the servers that will block most or probably all of this type of activity.

We use SonicWall for this type of situation. Probably a small device will do, e.g. TZ210 or NSA240. You can configure these in transparent mode so they will sit there inspecting all the traffic in and out of the servers and blocking the attacks, viruses, spyware and intrusion attempts etc. As the unit is in transparent mode it will not affect the IP configuration in any way and will just provide an additional line of defense. We use SonicWall because they inspect (DPI) traffic on the fly and there are no proxies involved, they have a multicore architecture. You can also get a lot of info off the device as it has a lot of cool features including a packet capture facility which is very useful for finding out what is going on.
Another thing is that you can create address objects using FQDN which means you don't have to track the IPs associated with the domain name. I could go on but I guess you get the idea.

I am sure there are other solutions out there and this is not a sales attempt.

Hope this helps

Expert Comment

ID: 34443866
I'm researching the same thing/issue.

I'd just prefer to allow ONLY US IP assignments to my network.

While I recognize all of the caveats, (i.e. they can use proxies, US providers via dial-ups, etc...) that will be "a way" to get around my rules, BUT restricting to USA (only!) IP assignments I know will slow down a good deal of the crap that comes in, mostly from outside the US.

Too, assisting with forensics for/from IPs that originate from the US-Providers will be just that much easier to deal with.

Lastly, I know IPs change all over the place, but it's not likely what was/is an IP originating from one country today will all of a sudden be given to another.

Restricting all traffic BUT USA IP assignments will/can help a good chunk of our hassles go away. On that note, I realize a good deal of it/them will/can probably still happen, but I'm banking there will not be as much.
