marrow / web.security

Access control list (ACL) authorization, authentication, and cross-site request forgery (CSRF) protection for WebCore applications.
MIT License

GeoIP WAF heuristic for preemptive blocking by country of origin. #7

Open amcgregor opened 3 years ago

amcgregor commented 3 years ago

Ongoing Russian shenanigans against the US government and private sector targets have resolved the concern I had in developing a WAFHeuristic implementation utilizing GeoIP to preemptively ban specific countries of origin. If you have no clients in that country, your target demographic isn't there, or you do not provide services in a language from regions which are threat-heavy, they don't need to talk to your application. There is little to no benefit in permitting access, and potentially substantial risk.

Example WAF heuristic instantiation to cover current trends:

GeoCountryHeuristic(
    'cn', 'kp', 'us',  # China, take that, "Great Firewall", and North Korea. And human rights abusers.
    'ae', 'ir', 'iq', 'sa',  # Middle-eastern states.
    'by', 'ru', 'ua',  # Russia and nearby former states.
    'am', 'az', 'ee', 'ge', 'kg', 'kz', 'lt', 'lv', 'md', 'tj', 'tm', 'uz',  # Additional former states.
)

This additionally allows for developers writing applications to take specific action as their situation demands.


Minor note about China: The current behavior of the "Great Firewall" is to block (in an interesting way) traffic utilizing modern TLS ESNI. By actively utilizing modern TLS/SSL, configured securely, you will be inaccessible (to the public) within geography impacted by that "firewall".

To assist in testing: https://www.uptimia.com/website-availability-test

amcgregor commented 3 years ago

More comprehensive projects and alternative hosted APIs:

amcgregor commented 3 years ago

As a result of the Pentagon freeing 6% of the IPv4 space to a private company, ostensibly for security reasons, this or another WAF heuristic should be updated/written to examine IP block owner locations, as well.
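The following is an added illustration of the heuristic sketched in the first comment, extended with the IP block owner check proposed in the comment above. It is not code from marrow/web.security; the `GeoCountryHeuristic` name is borrowed from the issue, but its constructor arguments (`check_owner`, `block_unknown`, `resolver`), the `GeoRecord` type, the `client_address` helper and the `lookup` table are assumptions for this example. The table uses the reserved documentation prefixes (TEST-NET-1/2/3 and 2001:db8::/32) with made-up country attributions so the example runs offline; a real deployment would swap in a GeoIP and RIR/WHOIS data source behind the same `resolver` signature.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Constructed sample data standing in for a GeoIP plus IP-block-registrant
# lookup. The country attributions are invented for this example and do not
# describe any real network; the prefixes are the IETF documentation ranges.
SAMPLE_GEOIP: Dict[ipaddress._BaseNetwork, Tuple[str, str]] = {
    ipaddress.ip_network("203.0.113.0/24"): ("ru", "ru"),   # geolocates ru, registrant ru
    ipaddress.ip_network("198.51.100.0/24"): ("de", "us"),  # geolocates de, block registered in us
    ipaddress.ip_network("192.0.2.0/24"): ("ca", "ca"),     # geolocates ca, registrant ca
    ipaddress.ip_network("2001:db8::/32"): ("cn", "cn"),    # IPv6 documentation prefix
}


@dataclass(frozen=True)
class GeoRecord:
    country: Optional[str]        # ISO 3166-1 alpha-2 code where the address geolocates
    owner_country: Optional[str]  # country where the address block's registrant is located


def lookup(ip_str: str) -> GeoRecord:
    """Resolve an address against the constructed table (assumed resolver).

    Unparseable or uncovered addresses yield an all-None record so the caller
    decides how to treat unknowns rather than this function guessing.
    """
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return GeoRecord(None, None)
    for net, (geo, owner) in SAMPLE_GEOIP.items():
        if addr.version == net.version and addr in net:
            return GeoRecord(geo, owner)
    return GeoRecord(None, None)


def client_address(remote_addr: str, forwarded_for: Optional[str],
                   trusted_proxies: FrozenSet[str]) -> str:
    """Choose the address the heuristic should geolocate.

    X-Forwarded-For is client-supplied, so it is honoured only when the direct
    peer is one of our own proxies. Walking the list from the right, skip the
    trusted hops and return the first untrusted one: that is the address the
    outermost trusted proxy actually saw, not whatever the client claimed.
    """
    if remote_addr not in trusted_proxies or not forwarded_for:
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


class GeoCountryHeuristic:
    """Deny requests from addresses that geolocate to, or (optionally) whose
    address block is registered in, one of the listed countries."""

    def __init__(self, *countries: str, check_owner: bool = True,
                 block_unknown: bool = False,
                 resolver: Callable[[str], GeoRecord] = lookup) -> None:
        self.countries = frozenset(c.lower() for c in countries)
        self.check_owner = check_owner      # also match on block registrant country
        self.block_unknown = block_unknown  # fail closed when the address cannot be located
        self.resolver = resolver

    def evaluate(self, ip_str: str) -> Tuple[bool, str]:
        """Return (deny, reason); reason is a short tag suitable for a WAF log line."""
        rec = self.resolver(ip_str)
        if rec.country is None and rec.owner_country is None:
            return (self.block_unknown, "unknown")
        if rec.country in self.countries:
            return (True, f"geo:{rec.country}")
        if self.check_owner and rec.owner_country in self.countries:
            return (True, f"owner:{rec.owner_country}")
        return (False, "allow")


if __name__ == "__main__":
    heuristic = GeoCountryHeuristic("cn", "kp", "ru")
    for ip in ("203.0.113.7", "198.51.100.5", "2001:db8::1", "10.0.0.1"):
        print(ip, heuristic.evaluate(ip))
```

Two choices worth calling out: `block_unknown` defaults to fail-open, because a stale or partial GeoIP database would otherwise lock out every address it has not yet catalogued, and the registrant check is separate from the geolocation check so that an address physically serving one region but administered from a sanctioned one (the case the comment above raises) is still caught.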

amcgregor commented 2 years ago

Additional note: hesitation eliminated. This can be useful for enforcing sanctions.