My OPNsense is subscribed to MaxMind and updates on a regular interval, but the blocked countries are still able to make connections, rather frequently. Are there any workarounds that can elevate the detection ratio?
How do you even know?
- Are you still getting traffic from IPs that actually are in the MaxMind list? Then your firewall rules are probably incorrect.
- Are you seeing IPs from a specific country (verified using another database) that MaxMind classifies otherwise? Then MaxMind obviously is incorrect.
Only in the latter case could you use that other, better, database - that is, iff that is available in a usable form.
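The two cases above can be told apart from the firewall's own logs: a source that was passed although it sits inside a prefix you loaded into the block alias is a rule problem; a source that was passed and is not in any loaded prefix is a candidate for a database discrepancy (verify it against a second GeoIP source before reporting it). The script below is an added example, not code from the thread or from OPNsense; the block list, the log lines and the pf-style "pass/block in on <iface>" line format are all constructed here for illustration and will need adapting to the real alias export and log format.

```python
import ipaddress
import re

# Constructed sample: the prefixes that were loaded into the firewall's
# GeoIP block alias for the blocked countries. Documentation ranges only,
# not real MaxMind data.
BLOCK_LIST = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:1::/48",
]

# Constructed sample firewall log lines in an assumed pf-style format:
#   <timestamp> <pass|block> in on <iface>: <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2025-07-28T20:40:18 pass in on igb0: 198.51.100.7:51234 -> 192.0.2.10:443
2025-07-28T20:40:19 block in on igb0: 203.0.113.9:40001 -> 192.0.2.10:22
2025-07-28T20:40:20 pass in on igb0: 192.0.2.77:3333 -> 192.0.2.10:443
2025-07-28T20:40:21 pass in on igb0: [2001:db8:1::5]:5555 -> [2001:db8:ffff::1]:443
"""

# Captures the action and the source address (IPv4, or bracketed IPv6).
LINE_RE = re.compile(r"\b(pass|block) in on \S+: \[?([0-9a-fA-F.:]+)\]?:\d+ -> ")


def build_networks(cidrs):
    """Parse the alias prefixes once so membership tests are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_block_list(ip, networks):
    """True if ip falls inside any loaded prefix of the same address family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks if n.version == addr.version)


def classify(log_text, cidrs):
    """Split passed inbound sources into (rule_gaps, db_gaps).

    rule_gaps: passed although the source is inside a loaded prefix,
               so the firewall rule or alias is not doing its job.
    db_gaps:   passed and not inside any loaded prefix; if a second GeoIP
               source says this IP is in a blocked country, that is the
               discrepancy to report to MaxMind.
    """
    nets = build_networks(cidrs)
    rule_gaps, db_gaps = [], []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        action, src = m.groups()
        if action != "pass":
            continue  # blocked as intended, nothing to investigate
        if in_block_list(src, nets):
            rule_gaps.append(src)
        else:
            db_gaps.append(src)
    return rule_gaps, db_gaps


if __name__ == "__main__":
    rules, db = classify(SAMPLE_LOG, BLOCK_LIST)
    print("passed despite being in the block alias (rule problem):", rules)
    print("passed and not in the block alias (check other GeoIP DB):", db)
```

Run it against the real log export and the alias contents (exported as CIDRs); anything in the first list means the GeoIP rule, its interface or direction is wrong, and only the second list is worth sending to MaxMind support.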
The latter. MaxMind misses lots of IPs in the countries that I block.
Hi there, I work at MaxMind. Our team is happy to take a look at any discrepancies or unexpected results. I'd recommend reaching out to our support team (https://support.maxmind.com/hc/en-us/requests/new) with the IPs you believe have an incorrect country designation and we can investigate.
You have net-exposed services and want to use GeoIP blocking? Consider fronting them via Cloudflare or similar, then use their GeoIP blocking options.
Blocking by GeoIP is not a fruitful way to block real adversaries. If the target is, say, in the US, adversaries will establish a jump point in the US, thereby making your GeoIP control a bit moot.
GeoIP blocking is a noise control, it's not an adversary control.
Quote from: BrandyWine on July 28, 2025, 08:40:18 PMGeoIP blocking is a noise control, it's not an adversary control.
Agree, yet bringing down the noise from e.g. Korean high schools (is that still a thing?) also helps with the load and with catching real threats.
What's the WAN side of the fw? Is it a modem, or a direct copper/fiber connection?
If it's a modem, then having a modem that is configurable in some way is ideal, so you can dump blocking ACLs there, to keep that noise from touching your fw. If it's a direct copper/fiber connection, then ask your ISP if there's a place you can add such ACLs.
Last resort, stick a basic router between the ISP and your fw and put your blocking ACLs there. I forget what the fastest drop method is; is sending the noise to /dev/null a fast way? You might even find some GeoIP software to put on that basic router; this way it's more like what you are wanting, blocking by name, and the list gets updated every 4 or 12 or 24 hr, etc.
Bit bucket the noise, so the noise is not being processed by the fw iface.
Quote from: MaxMind-dev on July 28, 2025, 08:18:18 PMHi there, I work at MaxMind. Our team is happy to take a look at any discrepancies or unexpected results. I'd recommend reaching out to our support team (https://support.maxmind.com/hc/en-us/requests/new) with the IPs you believe have an incorrect country designation and we can investigate.
Thanks for the thought. Next time there is a misdetection, I'll cycle back. It's been happening rather regularly, about once per week, so not long to wait.
As to Cloudflare, I view them as extortion racket and treat them accordingly. They can go and do whatever.
Quote from: Jyling on July 29, 2025, 03:04:20 PMAs to Cloudflare, I view them as extortion racket and treat them accordingly. They can go and do whatever.
I think you missed the point.
Cloudflare (and many others) already does the GeoIP blocking (without issue), and, you stated you see an issue with your current solution. You're arguing why the better choice is a bad choice.
Maybe MaxMind-dev can ID the issue and provide a solution for a fix.
Quote from: MaxMind-dev on July 28, 2025, 08:18:18 PMHi there, I work at MaxMind. Our team is happy to take a look at any discrepancies or unexpected results. I'd recommend reaching out to our support team (https://support.maxmind.com/hc/en-us/requests/new) with the IPs you believe have an incorrect country designation and we can investigate.
Example: 173.249.20.0
Your DB places it in France, whereas it is situated in Germany.
MaxMind lookup online says the same; it gives back what's in ARIN, France.
Unless the toolset has IP detection bots all over, via self-installed or partnered with ISPs, the exact entry location to the web will be hard to ID.
Does CONTABO run their own ISP service? If so are they backhauling clients into France before that dataflow hits the backbone?
If you have one of those IP's, what does traceroute (or tracert) look like?
Peering and such, France is surely in the mix.
https://iamroot.tech/asndatabase/?search=AS51167
Quote from: BrandyWine on August 01, 2025, 11:12:06 PMMaxMind lookup online says the same, it gives back what's in ARIN, France. [...]
ARIN? Where do you see that? I don't see it in MaxMind's lookup (unless I'm blind, which I am); I see ARIN pointing to RIPE (as expected), which has the RIR record, for Contabo GmbH in München. Same with the origin AS (51167), which seems to be mostly connected through L3 (AS3356). As to where it's actually located...
It's weird, I am certain I did an arin.net lookup and it said France, now it says Germany. I should have done a screenshot.
This site (https://www.iplocation.net/ip-lookup) pulls the info from many geoip sites, some say France, some say Germany.
Also, this about Contabo:
Contabo has established a new data center known as "Hub Europe" in Lauterburg, located on the German-French border.
Their Hub Europe datacenter is new and it looks like they physically moved the stuff in the Germany datacenter into Hub Europe recently. https://help.contabo.com/en/support/solutions/folders/103000633308/page/2?url_locale=en
Some info:
We're expanding our German quality and great prices! To better serve our European customers, we're building our brand-new Data Center in Lauterbourg
It looks like they migrated a bunch of Germany stuff to the new Hub Europe site, in France, so my guess is, geo IP saying France is correct.
https://www.ipaddress.com/ipv4/173.249.20.2