How to Block Geographic Traffic
Geographic blocking restricts access based on visitor location. This guide covers implementing country-level blocking and handling legitimate exceptions.
Understanding Geographic Blocking
Geographic blocking uses IP geolocation to determine the visitor's country and blocks requests from configured regions. It is useful for:
- Blocking regions with no legitimate users
- Reducing attack surface from high-risk countries
- Compliance requirements
- Targeted attack mitigation
Geolocation is ~99% accurate but not perfect. VPNs and proxies can bypass geographic restrictions.
Basic Geographic Blocking
Blocking High-Risk Countries
Block countries with no legitimate user base:
Common Scenarios:
Small Business (US only):
Geographic Blocking: Enabled
Blocked Countries:
- All countries except United States
Response: 403 Forbidden
European Business (EU only):
Geographic Blocking: Enabled
Blocked Countries:
- All countries except EU member states
Response: 403 Forbidden
Global Business (specific blocks):
Geographic Blocking: Enabled
Blocked Countries:
- Known high-attack regions
- Countries with no sales/users
Response: 404 Not Found
Choosing Response Type
403 Forbidden:
- Clear indication of block
- Standard blocking response
- Use for general geographic restrictions
404 Not Found:
- Stealth blocking
- Makes site appear non-existent
- Use for reducing visibility to attackers
Drop:
- Silent connection termination
- No response sent
- Wastes attacker resources
- May frustrate legitimate users more
Implementation Strategy
Analyze Your Traffic
Before blocking, understand your visitor geography:
Dashboard Analytics:
1. Review access logs for 30 days
2. Note countries of legitimate visitors
3. Identify attack source countries
4. Calculate percentage by country
Example Analysis:
Legitimate Traffic:
United States: 78%
Canada: 12%
United Kingdom: 6%
Germany: 3%
Australia: 1%
Attack Traffic:
Russia: 45%
China: 28%
Romania: 15%
Others: 12%
Progressive Blocking
Start conservatively, expand gradually:
Phase 1: Block Clear Attackers
Block countries with:
- Zero legitimate traffic
- High attack volume
- No business presence
Phase 2: Monitor Impact
- Watch for legitimate users affected
- Review support requests
- Check sales/conversion impact
Phase 3: Expand Blocking
Block additional countries:
- Minimal legitimate traffic (<0.1%)
- Moderate attack traffic
- No current customers
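The traffic analysis and the Phase 1 / Phase 3 criteria above can be applied mechanically to labelled log records. The following is an added example, not code from the product: the record format, the `legit`/`attack` labels and the two attack-share cut-offs are assumptions, and the sample data is constructed. Business presence and current customers cannot be read from logs and still need a manual check.

```python
from collections import Counter

HIGH_ATTACK = 0.05      # assumed cut-off for "high attack volume"
MODERATE_ATTACK = 0.01  # assumed cut-off for "moderate attack traffic"
MINIMAL_LEGIT = 0.001   # "<0.1%" legitimate traffic, from Phase 3 above

# Constructed sample standing in for 30 days of labelled access-log records.
SAMPLE = (
    [("US", "legit")] * 7800 + [("CA", "legit")] * 1200
    + [("GB", "legit")] * 600 + [("DE", "legit")] * 300
    + [("AU", "legit")] * 99 + [("RO", "legit")] * 1
    + [("RU", "attack")] * 450 + [("CN", "attack")] * 280
    + [("RO", "attack")] * 150 + [("BR", "attack")] * 100
    + [("DE", "attack")] * 20
)


def classify(records):
    """Return {country: (phase, legit_share, attack_share)}."""
    legit, attack = Counter(), Counter()
    for country, verdict in records:
        (legit if verdict == "legit" else attack)[country] += 1
    total_legit = sum(legit.values()) or 1    # avoid division by zero
    total_attack = sum(attack.values()) or 1
    report = {}
    for country in sorted(set(legit) | set(attack)):
        legit_share = legit[country] / total_legit
        attack_share = attack[country] / total_attack
        if legit[country] == 0 and attack_share >= HIGH_ATTACK:
            phase = "phase1"    # zero legitimate traffic, high attack volume
        elif legit_share < MINIMAL_LEGIT and attack_share >= MODERATE_ATTACK:
            phase = "phase3"    # minimal legitimate, moderate attack traffic
        else:
            phase = "keep"      # blocking would cost real users
        report[country] = (phase, legit_share, attack_share)
    return report


if __name__ == "__main__":
    for country, (phase, l, a) in classify(SAMPLE).items():
        print(f"{country}: legit {l:6.2%}  attack {a:6.2%}  -> {phase}")
```

Germany stays in the `keep` group despite sending attack traffic, because 3% of legitimate visitors come from there.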
Maintaining Access Lists
Keep a whitelist of countries to allow:
Allow List Approach:
Allow:
- United States
- Canada
- United Kingdom
- Germany
- Australia
Block: All others
Block List Approach:
Block:
- [Specific high-attack countries]
Allow: All others
Choose based on user distribution. Concentrated user base: use allow list. Global user base: use block list.
Common Scenarios
US-Only Business
Small business serving only US customers:
Configuration:
Geographic Blocking: Enabled
Allowed Countries: United States
Response: 404 Not Found
Benefits:
- Blocks 95%+ of attack traffic
- Eliminates most bot traffic
- Reduces server load significantly
Considerations:
- Blocks traveling US customers
- Blocks international partners
- May need exceptions
Global E-Commerce
International sales but some problem regions:
Configuration:
Geographic Blocking: Enabled
Blocked Countries:
- Countries with high fraud rates
- Regions with no shipping
- Known attack sources
Response: 403 Forbidden
Testing: Verify legitimate markets remain accessible.
SaaS Application
Global user base with attack problems:
Configuration:
Geographic Blocking: Enabled
Blocked Countries:
- Temporary blocks during active attacks
- Regions with no current customers
Response: Drop
Dynamic Blocking: Enable blocking temporarily during attacks, disable after attack subsides.
Regional Compliance
Compliance requires restricting access:
GDPR Example:
Geographic Blocking: Disabled (GDPR requires serving EU)
Alternative: Geographic-specific features/content
US Government:
Allowed Countries: United States only
Blocked: All others
Response: 403 with compliance message
Handling Exceptions
Traveling Users
Legitimate users travel internationally:
Option 1: VPN
- Users connect to VPN in allowed country
- VPN provides allowed IP
- Transparent to user
Option 2: Whitelist IP
- User provides travel IP
- Temporarily whitelist specific IP
- Remove after travel period
Option 3: Authentication Bypass (application-level)
- Authenticated users bypass geographic check
- Requires application modification
- Not available in WAF alone
International Partners
Business partners in blocked countries:
Solution 1: IP Whitelist
Page Protection:
Whitelist: [partner-office-ip]
Geographic Blocking:
Blocked: [partner-country]
IP whitelist takes precedence over geographic blocking.
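A model of that precedence rule, combined with the temporary whitelist for traveling users described earlier. This is an added example, not the product's implementation: the `GeoPolicy` class, its method names, the expiry handling and the fail-closed treatment of unknown geolocation are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from datetime import datetime, timezone


class GeoPolicy:
    """Allow-list country policy with IP whitelist exceptions."""

    def __init__(self, allowed_countries, block_response):
        self.allowed = {c.upper() for c in allowed_countries}
        self.block_response = block_response
        self.exceptions = []  # (network, expiry or None, reason)

    def whitelist(self, cidr, reason, expires=None):
        self.exceptions.append((ipaddress.ip_network(cidr), expires, reason))

    def decide(self, ip, country, now):
        addr = ipaddress.ip_address(ip)
        # 1. IP whitelist first, so it takes precedence over the country rule.
        for network, expires, reason in self.exceptions:
            if addr in network and (expires is None or now < expires):
                return "allow", f"whitelist: {reason}"
        # 2. Country rule. Unknown geolocation fails closed (an assumption).
        if country and country.upper() in self.allowed:
            return "allow", "country allowed"
        return self.block_response, f"country {country or 'unknown'} blocked"


UTC = timezone.utc
# Constructed policy: US-only site, a partner office and one traveling user.
# Addresses come from the RFC 5737 documentation ranges.
POLICY = GeoPolicy(["US"], block_response="404 Not Found")
POLICY.whitelist("203.0.113.0/28", "partner office")
POLICY.whitelist("198.51.100.7/32", "traveling user",
                 expires=datetime(2024, 6, 15, tzinfo=UTC))

if __name__ == "__main__":
    during_trip = datetime(2024, 6, 10, tzinfo=UTC)
    after_trip = datetime(2024, 6, 20, tzinfo=UTC)
    print(POLICY.decide("203.0.113.5", "RU", during_trip))   # partner: allow
    print(POLICY.decide("198.51.100.7", "FR", during_trip))  # traveler: allow
    print(POLICY.decide("198.51.100.7", "FR", after_trip))   # entry expired
    print(POLICY.decide("192.0.2.1", None, during_trip))     # unknown country
```

Giving every temporary entry an expiry means a forgotten travel exception stops matching on its own instead of lingering as a permanent hole in the policy.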
Solution 2: Subdomain
Main site: Geographic blocking enabled
Partner portal (partner.example.com): No geographic blocking
API Clients
International API users:
Option 1: Separate Endpoint
Website: Geographic blocking enabled
API (api.example.com): No geographic blocking
Option 2: Authentication
Public endpoints: Geographic blocking enabled
Authenticated API: Bypass geographic restrictions
Search Engine Crawlers
Search engines crawl from multiple countries:
Solution: Legitimate bot detection bypasses geographic blocking automatically.
Verification:
# Test Googlebot
curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
https://example.com
Expected: Access allowed regardless of IP location.
CDN or Proxy Services
Services like Cloudflare, monitoring tools:
Issue: Service IPs may be in blocked countries.
Solution:
- Whitelist known service IPs
- Use authenticated access for monitoring
- Verify service functionality after enabling blocking
Attack Response
During Active Attack
Attack from specific country:
Immediate Response:
1. Identify attack source country in logs
2. Enable geographic blocking for that country
3. Monitor attack volume reduction
4. Verify legitimate traffic unaffected
Example:
Attack observed from Russia: 10,000 requests/minute
Enable Russia blocking
Attack volume drops to 200 requests/minute (attacks from other sources)
Distributed Attacks
Attacks from multiple countries:
Response:
1. List attack source countries by volume
2. Block top 3-5 source countries
3. Monitor effectiveness
4. Expand blocking if needed
Consideration: Widely distributed attacks may require other mitigation (rate limiting, bot protection).
Post-Attack
After attack subsides:
Option 1: Maintain Blocks
Keep blocking if:
- No legitimate traffic from region
- Ongoing low-level attacks
- Strong security posture desired
Option 2: Remove Blocks
Remove blocking if:
- Legitimate users were affected
- Attack was one-time incident
- Business requires global access
Monitoring Geographic Blocking
Review Blocked Traffic
Dashboard analytics:
Metrics to Track:
- Requests blocked by country
- Countries generating blocks
- Time patterns (attack times)
- Attack types by country
Analysis:
Last 7 Days - Blocked by Country:
Russia: 45,234 blocks
China: 28,901 blocks
Romania: 12,456 blocks
Ukraine: 8,234 blocks
Identify Legitimate Blocks
Signs of legitimate users blocked:
- Support tickets from blocked countries
- Sales inquiries from blocked regions
- Analytics showing conversion drop
- Email complaints
Investigation:
1. Review support tickets
2. Check email for complaints
3. Analyze sales data
4. Review security logs
Adjust Configuration
Based on monitoring:
Expand Blocking:
Criteria:
- Country has zero legitimate traffic
- High attack volume
- No business impact
Reduce Blocking:
Criteria:
- Legitimate users affected
- Business opportunity identified
- Compliance requirements
- Attack volume decreased
Compliance Considerations
GDPR (EU)
GDPR prohibits unnecessary blocking of EU residents:
Compliant Approach:
- Don’t block EU countries
- Use other protections (rate limiting, bot detection)
- Block only during active attacks as temporary measure
Non-Compliant:
- Permanent block of EU countries
- No justification for blocks
Discrimination Concerns
Avoid discriminatory blocking:
Acceptable:
- Block countries with no legitimate users
- Temporary blocks during attacks
- Security-justified restrictions
Problematic:
- Block entire regions without justification
- Block based on protected characteristics
- No legitimate security reason
Export Controls
US government restrictions:
Sanctioned Countries:
Blocked Countries:
- Countries under US sanctions
- As required by OFAC regulations
Documentation: Document compliance reasons for blocking.
Best Practices
Start Conservative: Block only countries with clear attack patterns and no legitimate users.
Monitor Impact: Watch for legitimate users affected.
Document Decisions: Record why each country is blocked.
Plan Exceptions: Have a process for legitimate users in blocked countries.
Layer Security: Combine with rate limiting, bot protection, and WAF rules.
Regular Review: Quarterly review of blocked countries and justification.
Business Alignment: Ensure blocking aligns with business goals and compliance.
Communication: Notify team of geographic blocking changes.
Test Access: Verify key markets remain accessible (VPN testing).
Emergency Disable: Have a procedure to quickly disable blocking during issues.
Testing Geographic Blocking
VPN Testing
Test access from blocked countries using VPN:
Tools:
- Commercial VPN (NordVPN, ExpressVPN)
- Cloud servers in target countries
- Proxy services
Test Procedure:
1. Connect VPN to blocked country
2. Attempt to access site
3. Verify block response received
4. Test from allowed country
5. Verify access works
Multiple Country Testing
Test comprehensive blocking:
Test Matrix:
Country        Expected  Actual  Status
United States  Allow     Allow   ✓
Russia         Block     Block   ✓
China          Block     Block   ✓
Canada         Allow     Allow   ✓
Germany        Allow     Allow   ✓
Automated Testing
Script to test multiple countries:
#!/bin/bash
# Test geographic blocking via proxy
COUNTRIES=("us" "ru" "cn" "de" "ca")
PROXIES=("us-proxy.example.com" "ru-proxy.example.com" "cn-proxy.example.com" "de-proxy.example.com" "ca-proxy.example.com")
# Each proxy must sit in the country listed at the same index
for i in "${!COUNTRIES[@]}"; do
    country="${COUNTRIES[$i]}"
    proxy="${PROXIES[$i]}"
    echo "Testing from $country via $proxy"
    # --max-time bounds each request so a "Drop" response cannot hang the loop
    response=$(curl -x "$proxy" --max-time 10 -s -o /dev/null -w "%{http_code}" https://example.com)
    echo "Response: $response"
    echo "---"
done
Troubleshooting
Legitimate Users Blocked
Symptom: Users report access denied, located in blocked country.
Solutions:
1. Whitelist specific user IPs
2. Provide VPN access
3. Remove country from block list
4. Create exception subdomain
Geolocation Inaccuracy
Symptom: IPs geolocated to wrong country, legitimate users blocked.
Diagnosis: Check IP geolocation databases for specific IPs.
Solution: Geolocation is ~99% accurate but not perfect. Use IP whitelist for misclassified IPs.
VPN Bypasses
Symptom: Attackers use VPNs in allowed countries.
Solutions:
- Layer geographic blocking with rate limiting
- Enable bot protection
- Use behavioral analysis
- Geographic blocking is one layer, not a complete solution
Traveling Users
Symptom: User travels to blocked country, loses access.
Solutions:
- Provide company VPN
- Temporary IP whitelist
- Authentication-based bypass (if supported)
Advanced Techniques
Time-Based Blocking
Block certain countries during specific hours:
Use Case: Block high-attack countries during local night (when no support available).
Implementation: Requires scripting or advanced automation. Contact support for assistance.
Attack-Triggered Blocking
Automatically block countries during attacks:
Concept: Monitor attack volume by country, automatically enable blocking when threshold exceeded.
Implementation: Requires API integration and monitoring system.
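The decision logic behind attack-triggered blocking, as an added example that is not part of the product: it takes per-minute request counts by country and returns block/unblock decisions, leaving the API call that applies them out because the page does not document one. The class name, thresholds, the protected-country set and the timeline are assumptions or constructed values. Separate enable and disable thresholds plus a calm period keep the block from flapping when an attack pauses briefly.

```python
from collections import defaultdict

class CountryBlockMonitor:
    def __init__(self, enable_rpm, disable_rpm, calm_minutes, protected=()):
        self.enable_rpm = enable_rpm      # block at or above this rate
        self.disable_rpm = disable_rpm    # "calm" means below this rate
        self.calm_minutes = calm_minutes  # calm minutes needed to unblock
        self.protected = set(protected)   # key markets, never auto-blocked
        self.blocked = set()
        self.calm = defaultdict(int)

    def observe_minute(self, counts):
        """counts: {country: requests attempted in the last minute},
        including requests the block itself rejected."""
        actions = []
        for country in sorted(set(counts) | self.blocked):
            rpm = counts.get(country, 0)
            if country not in self.blocked:
                if rpm >= self.enable_rpm and country not in self.protected:
                    self.blocked.add(country)
                    self.calm[country] = 0
                    actions.append(("block", country))
            elif rpm >= self.disable_rpm:
                self.calm[country] = 0    # attack resumed, restart the clock
            else:
                self.calm[country] += 1
                if self.calm[country] >= self.calm_minutes:
                    self.blocked.discard(country)
                    actions.append(("unblock", country))
        return actions

# Constructed per-minute counts (10,000 req/min matches the page's example).
TIMELINE = [
    {"US": 8000, "RU": 10000}, {"US": 8000, "RU": 10000},
    {"US": 7900, "RU": 200}, {"US": 8100, "RU": 6000},
    {"US": 8000, "RU": 200}, {"US": 8000, "RU": 200}, {"US": 8000, "RU": 200},
]

def replay(timeline, **settings):
    monitor = CountryBlockMonitor(**settings)
    events = []
    for minute, counts in enumerate(timeline, start=1):
        events += [(minute, *a) for a in monitor.observe_minute(counts)]
    return events

if __name__ == "__main__":
    print(replay(TIMELINE, enable_rpm=5000, disable_rpm=500,
                 calm_minutes=3, protected={"US"}))
```

The counts fed in must be attempted requests, including those rejected by the block; counting only served requests would make every attack look finished the minute blocking starts.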
Graduated Response
Different response by country:
High-trust countries (US, Canada, EU): No blocking
Medium countries: Rate limiting only
High-risk countries: Geographic blocking
Provides balanced security without excessive blocking.
Geographic blocking is effective when used as part of a layered security strategy. Regular monitoring and adjustment ensure it protects without impacting legitimate business.
