ThreatSTOP has a simple, effective solution to blocking network communication with Crimea. But we discovered it wasn't really simple at all to block this new addition to the ITAR sanction list, while allowing communication with the rest of Ukraine.
Geo-blocking isn't rocket-science, until it is (or has to be). Looking for a list of IP addresses that represent a country? You're in luck, there are lots of products from MaxMind, Neustar, and dozens of other vendors. But what about an area within a country? And what if the area was annexed by Russia? The question of whether an IP addresses is in Russia, Crimea, or Ukraine is tricky, and not clear at all.
Pick any three of the geo-location vendors and you’ll get three different answers. For a given IP address in Crimea (we tested) one vendor will say “Yalta, Crimea”, one will say “Sadovoye, Respublika Adygeya” (somewhere fairly nearby in Russia) and one will say “Ukraine” and point you to Kiev. Take a different IP address and similar things will happen, only now the answers will change to “Moscow, Russia”, "Makaylolaiv, Ukraine" and the third will come back as “Simferopol, Crimea” etc. Every vendor has a different answer, and consistency is entirely out the window.
When you really dig down, all the IP geo-location services will tell you the results they give are accurate to within a radius of 100-1000km (depending on location, some will give you a specific accuracy per IP). 1000km from Crimea is useless in terms of accuracy, as it includes seven different countries surrounding the Black Sea and possibly over a dozen more. But even 100km accuracy is poor given that Crimea is peninsular, with dimensions of 200km N-S and 300km E-W. 1000k accuracy starts to feel like attempting detailed surgery with a logging axe.
So how do you use any of these commercial services to accurately block access to/from Crimea? Well... It turns out you don't. In fact, there’s a pretty simple alternative solution to blocking these potential indicators of compromise. All internet transit into Crimea is via a specially setup subsidiary of Rostelecom called "Miranda Media" that controls the fiber link across the Kerch Strait. Thus any IP address in Crimea will be advertised to the rest of the world via that ASN (AS 201776). This is of course a dynamic and changing list, and a couple of ISPs are just on the other side of the strait, but ThreatSTOP updates our threat intelligence and data sources continuously, taking the effort and risk out of it for customers.
Get an expert-led overview of ThreatSTOP to see how it instantly blocks attacks on your network:
About ThreatSTOP
ThreatSTOP is a real-time IP Reputation Service that delivers automated block-lists directly to a user's firewalls, DNS servers, and other network and security control points, so they can enforce it. It is a cloud-based service that protects the user's network against the most serious information security problem today —malware designed to steal valuable data perpetrated by organized criminals. ThreatSTOP enables existing hardware and network infrastructure systems to enforce user defined malware blocking policies without requiring the expense, complexity and time of dealing with threat intelligence or new equipment. It can be deployed within an hour and requires no ongoing management. Founded in 2009, ThreatSTOP is headquartered in San Diego, CA.