How effective is the addition of the IP list pertaining to banned countries to the block list? Often the IP-blocks change. Any recommendations on the update frequency? Also has anyone noticed performance impact on the routers if the list is long?
Thanks in advance.
I can only speak from my experience. I find it is a short-term solution. The attackers that attack us, once we block their country, compromise a computer in our country and then begin/continue their attack from there. However there still is validity to it, just watch to see if the attack point changes.
I agree. Government alerts provide watch lists and recommendations from various domains to put in place. But really it is a short-term solution; as #CISOScott states, the attackers can easily change their IP addresses or switch to another part of their network to redirect the original attack.
"Advantage: Not enough information to speculate. It can provide relief for a temporary attack and help to make the attacker lose interest.
Disadvantage: If the address isn't tied to the person you are trying to block, they may well be able to disconnect from their ISP, reconnect, and hit you from a different IP address. As the IP address blocks gradually shift around for efficiency reasons, or as companies disappear and are formed or simply switch providers, you may no longer be blocking the individual you want to block and are instead blocking one or more other parties. Large numbers of rules for blocking IP addresses slow down the web server or network connection, depending on where you block."
However if the attack is automated, they may give you a temporary relief, and then come at you from another angle.
@2012, further to what's already been stated here by @Caute_cautim & @CISOScott, let's compile the info...
Thank you all for your responses. Really appreciate your time.
As others point out, maintenance is the big issue. There are organizations that maintain and publish lists of malicious addresses. If your device supports automated import of such a list, I recommend going that route instead of trying to stay on top of it yourself.
Our Palo Alto firewalls and Zscaler proxies both have vendor-maintained lists, which auto-update throughout the day. Overall, I feel such lists help. We have had little bad impact, and our SIEM has alerted us quite a few times regarding PCs that were prevented from going to a known bad site.
The one bad time was when Office 365 ended up on the list. The good news coming out of it is that by the time we called the vendor, they were already working on a fix because many others had also called them.
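Two of the concerns raised in this thread, rule count on the device and how much a feed changes between updates, can be measured before a list is loaded. The following is an added example, not code from any poster or vendor: it parses a constructed feed in the usual one-prefix-per-line format, collapses adjacent and overlapping prefixes so fewer rules give the same coverage, checks an address against the result, and diffs two snapshots to show churn.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample feed (documentation ranges only). Published lists
# commonly contain comments, bare addresses, overlaps and stray junk.
SAMPLE_FEED = """
# reputation feed snapshot
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.64/26   # already covered by the /24 above
192.0.2.10
bogus-entry
"""

def parse_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a feed, skipping comments, blank lines and malformed entries."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one bad line must not abort the whole import
    return nets

def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent/overlapping prefixes: fewer device rules, same coverage."""
    return list(ipaddress.collapse_addresses(nets))

class BlockList:
    def __init__(self, nets: Iterable[ipaddress.IPv4Network]):
        self.nets = collapse(nets)

    def contains(self, ip: str) -> bool:
        """Linear scan; the collapsed list keeps this small on real feeds."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

def diff_feeds(old: Iterable[ipaddress.IPv4Network],
               new: Iterable[ipaddress.IPv4Network]) -> Dict[str, list]:
    """Compare two snapshots to see how much a feed churns between updates."""
    old_set, new_set = set(collapse(old)), set(collapse(new))
    return {"added": sorted(new_set - old_set, key=str),
            "removed": sorted(old_set - new_set, key=str)}
```

The size of the "added" and "removed" lists between daily pulls is a direct measure of whether a more frequent update schedule is worth it.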