GeoIP rewite rule?, redirect CHINA users to an error page.
jim at ohlste.in
Mon Feb 15 17:27:24 MSK 2010
On 2/15/10 1:26 AM, CLIFFORD ILKAY wrote:
> On 02/15/2010 12:40 AM, Cliff Wells wrote:
>> Incidentally I'm not trying to lecture you, but I think this
>> conversation is worth having in this public forum as there are many
>> people who will read this at some future date, and without some
>> counter-argument, they might be led into thinking this is a good
>> solution to a security-related problem without considering all the
>> implications first.
> This was not done for reasons related to the security of the server. It
> was done purely to reduce the number of scam emails originating from the
> aforementioned TLDs to the advertisers of the goods on my client's web
> site. If the governments of the countries represented by those TLDs took
> Internet fraud and other Internet-related malfeasance more seriously and
> prosecuted the criminal gangs that are often behind these activities,
> then we wouldn't have to resort to such drastic measures.
While scam emails are a nuisance, and perhaps apropos of nothing, a
great deal of the attempted credit card fraud that we see originates in
the good old United States of America.
We use geographic blocking simply to block unprofitable or nuisance
traffic. For instance, one of the issues we had with our proxies were
requests from Iran consuming huge amounts of bandwidth. While I am
sympathetic to the fact that internet access is restricted there,
advertisers who pay our bills could care less. They don't pay much if
anything for impressions in Iran. Another country created problems with
excessive downloads of large files, again consuming bandwidth at what
seemed like all hours. We didn't want to rate limit everyone because the
issue was really with one country, so we used a redirect to a different
domain. That domain *only* had traffic from that one country, and
requests were rate limited after a couple of megabytes. This had the
effect that smaller files were easy to download but large files went
very s-l-o-w-l-y. Users quickly adapted their usage of our service.
For credit card processing, we pre-screen with MaxMind's paid service. I
think it costs $0.004 per request. It's the best four-tenths of a cent I
can imagine paying. Many if not most of the frauds never even get to our
processor to decline.
We use none of this in "server security". For what it's worth, we see
break in attempts from all corners of the globe. The Western Hemisphere
is well represented.
More information about the nginx