Country Blocks

November 21st, 2011

Country IP Blocks: Network Allocations by Country with Searchable IP Database.

Country IP Blocks helps you take control of your internet traffic!

Country IP Blocks now offers Network Data in 7 Distinct Formats: CIDR, Netmask, .htaccess deny, .htaccess allow, IP Range, Decimal/CIDR* and Hexadecimal/CIDR. You decide who can access your websites and servers. Block a country, allow a country. Now you can take complete control of your website and network traffic. IP Blocks are a simple and effective way to improve security by limiting spammers, hackers, bandwidth wasters or malicious traffic.

The current checksum for each country/format is available on the above pages and we will soon have Country Database and format specific RSS feeds to help you better automate your update processes.

  1. Todd K
    January 24th, 2011 at 09:25 | #1

    Hi Stewart,

    I have a zip file for you guys to check out as requested. You can download it from the following URL.

    URL HIDDEN

    For now I would appreciate if the URL wasn’t posted yet. I’m working on a signup/download section for the host site. From there I’ll make it generally available to the open public.

    The version in the zip is time-bombed and dies in March. It only supports blocking 5 countries at a time right now. This isn’t due to performance issues or anything, I’m just hoping to keep the full version under wraps until everything is ready to go. I’ve had a full version running on my machine for the past 3 or 4 weeks with 129 countries (some 24,000 firewall entries) blocked with no performance impact whatsoever on my machine, so I’m feeling really confident it will work well for people.

    If you could give it a shot and let me know what you think I would appreciate it. If you would like to try out a fully functional version as well I can put a build together for you guys. Just give me an email or something and I can send it your way.

    Todd K

  2. Stewart White
    January 10th, 2011 at 07:52 | #2

    @Todd K
    Send us a link to a zip file and we’ll take a look.

  3. Todd K
    January 9th, 2011 at 23:43 | #3

    Progress goes well. I have an Alpha version running on my server right now. Stewart, if you guys are interested I would be happy to send you a copy to review/try. I would prefer to get a thumbs up from you guys before I share it with anyone else. Currently I have it caching your data by region on a weekly basis. I have some 26,000 CIDR entries saved into Windows Firewall at this time with no noticeable performance impact so far. I’ve gone as far as loading nearly every country (except my own) into the firewall and noticed little performance change with that. There are a number of features I still want to add, but I’m very close to having it beta-ready. Ideally I would want to get a handful of beta testers in place to try it out prior to any general release. I am additionally working on a website for it. I’ll let you know when I have that ready.

  4. Whitelist Admin
    January 7th, 2011 at 14:21 | #4

    Stewart White: We offer information on all active, reserved or allocated global IPv4 addresses. Currently, of the 4,294,967,296 possible IPv4 addresses, 3,977,143,746 are active, reserved or allocated. These addresses are contained in nearly 105,000 separate networks.
    As of April 12, 2010, The USA has 37,767 networks and 1,490,138,622 subnets. Canada includes 5,758 networks and 76,999,932 subnets.
    From a security standpoint it is usually better to decide what you will ALLOW onto your network instead of what you want to DENY. But, in weighing whether to set up a rule set to implicitly ALLOW or DENY, you should consider factors such as efficiency, size of the ruleset, overhead, available system memory, CPU, etc.
    For example, if you wanted to deny traffic from China, you could create a ruleset to ALLOW the rest of the world, which would by default deny China. Or you could create a ruleset to expressly DENY China, which would by default allow any network that is not part of the IP blocks assigned to China. The resources required for the latter are much less than the former.
    At the current time it would require significantly less resources to ALLOW the USA and Canada and deny the rest of the globe than it would to DENY access to every country except the USA and Canada. The difference is in how the rule is written and the amount of data required to properly process the rule.
    In any case, you need to approach your decision thoughtfully. Any changes you make to a firewall or .htaccess file will impact resource utilization.

    Stewart- I have been following some of your comments, as well as those by Paul and ToddK. I am trying to build a whitelist of the entire world minus a couple countries. To your post, there are about 1.5M ranges in the US alone. Instead of building a listing of millions of ranges, do you know how I could build a [hopefully aggregated] whitelist based on inputting those locations I want to deny?

    • Stewart White
      January 7th, 2011 at 14:42 | #5

      Globally there are about 107,000 networks allocated to countries; with the currently allocated countries and bogons this is approximately 4 billion addresses. A little over 200 million are unallocated.

      If you are building an Access Control List, (whitelist/blacklist) you are going to ease the load on your resources if you use entire networks as opposed to breaking it out by IP address.

      The United States has 1.5 billion addresses, but these are contained within approximately 39,000 upper level network ranges (prior to being subdivided further).

      Building an aggregated list is a little bit difficult because the networks assigned to countries are neither contiguous nor continuous. Due to the many projects we are working on we are not currently offering an aggregation script. But these scripts do exist. You’ll find a link to one here:

      Richard Sandoz :
      Not sure if this is of any help:
      Will merge a list of CIDR networks and consolidate adjacencies and overlaps:
      http://www.richardsandoz.com/perl/cidrmerge.html

      Let me know what countries you would like on your whitelist and the format you would like your data to appear, and I’ll create it for you (if it’s reasonable).

      Incidentally, if anyone would like to donate an aggregation script to Country IP Blocks, I will see about getting it incorporated into the website.

  5. Whitelist Admin
    January 7th, 2011 at 14:12 | #6

    Todd K I just saw your comments, and will follow your progress.

    @Whitelist Admin

  6. Whitelist Admin
    January 7th, 2011 at 14:11 | #7

    I am trying to exclude any user located in certain countries from being able to access one of my systems, but using a whitelist since I cannot blacklist in this case.

    Does anyone have an easy way that I can drop in the ranges from these countries I don’t want to connect, to build a whitelist allowing everything else? If I just go country by country and add each and every allowable range the list would be millions. Thank you.
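
An added example, not part of the original thread and not Country IP Blocks' code: what this comment and #4 above ask for, done with Python's standard `ipaddress` module. It aggregates a deny list and computes the aggregated allow list that covers everything else; the function names and the shortened sample list (a few CIDR lines from the Afghanistan list quoted in #27) are assumptions of this example.

```python
import ipaddress

# Constructed sample: a few CIDR lines from the Afghanistan list quoted in
# comment #27, used here only as input data.
SAMPLE_DENY = [
    "58.147.128.0/19",
    "203.174.27.0/24",
    "210.80.0.0/19",
    "210.80.32.0/19",   # adjacent to the previous entry, merges into a /18
]


def aggregate(cidrs):
    """Merge adjacent and overlapping networks into the shortest CIDR list."""
    # Strict parsing (the default) rejects entries that have host bits set.
    nets = [ipaddress.ip_network(c.strip()) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def allow_list_excluding(denied_cidrs, universe="0.0.0.0/0"):
    """Return the aggregated allow list: `universe` minus `denied_cidrs`."""
    space = ipaddress.ip_network(universe)
    make_addr = type(space.network_address)   # IPv4Address or IPv6Address
    cursor = int(space.network_address)       # first address not yet handled
    end = int(space.broadcast_address)
    allowed = []
    for cidr in aggregate(denied_cidrs):      # sorted and non-overlapping
        net = ipaddress.ip_network(cidr)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if lo > end:
            break                             # rest lies outside the universe
        if lo > cursor:                       # gap before this denied block
            allowed.extend(ipaddress.summarize_address_range(
                make_addr(cursor), make_addr(lo - 1)))
        cursor = max(cursor, hi + 1)
    if cursor <= end:                         # tail after the last denied block
        allowed.extend(ipaddress.summarize_address_range(
            make_addr(cursor), make_addr(end)))
    return [str(n) for n in allowed]


def is_allowed(address, allow_list):
    """True if `address` falls inside any network of `allow_list`."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in allow_list)


if __name__ == "__main__":
    deny = aggregate(SAMPLE_DENY)
    allow = allow_list_excluding(SAMPLE_DENY)
    print(f"{len(SAMPLE_DENY)} deny entries aggregate to {len(deny)}")
    print(f"equivalent allow list needs {len(allow)} entries")
```

The complement of a country deny list also contains reserved and unallocated space, so add those ranges to the denied input if they should stay blocked.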

  7. Sys_Admin
    January 3rd, 2011 at 18:22 | #8

    I have built a new iptables list from this site, I can see hits already from China/Russia/India and other rogue countries who attack and perform denial of service attacks. Now all of their connections/data go to /dev/null.

    :)
    GREAT SITE!

  8. Keichi Minamoto
    January 3rd, 2011 at 07:30 | #9

    Congratulations.
    Excellent and really precise website.
    Goes right now to my delicio.us. I was looking for something like this.

    Just a question, what about IPv6?
    Will it work the same way as IPv4?

    Thanks once again and keep up the great job! ^_^

    • Stewart White
      January 3rd, 2011 at 07:42 | #10

      IPv6 will work the same as IPv4.

  9. Todd K
    January 1st, 2011 at 18:53 | #11

    Here’s a quick screen shot of the interface I’m working on.

    http://www.flickr.com/photos/57715420@N05/5314097612/

    The interface is just a nice way of selecting the continents/countries you want to block out. The guts of it will take the cidr entries and apply them to Windows Firewall. What I found on my server is that not only is the web service getting attacked, but people are trying to get access to it any way they can (web service, email server, windows credentials, etc.) The intent here is just to block everything from regions that are irrelevant to the sites that I’m hosting. If they can’t see it hopefully they’ll just leave it alone. I began with the lists on okean.com, but I like that your info is more complete.

    It’s early days, but I’m thinking export/import of settings so that you set up one server and copy the settings to other web servers. I already have a smallish app that runs on a weekly basis and updates the firewall (using okean lists). I just need to modify that to pull from a better source and apply as per the settings from the app. I can probably just cache the data on my server and encrypt it so that I know it’s only my tool using it. That way I won’t be burdening you guys if people like the tool and start using it a lot.

    I’m certainly open to suggestions as well.

    • Stewart White
      January 2nd, 2011 at 09:00 | #12

      Your tool is similar to something we are working on. Not graphically, but conceptually. Good luck with it.

  10. Todd K
    January 1st, 2011 at 17:57 | #13

    I’m not planning on redistributing the data at all, just providing a means of applying that data at the firewall level instead of just the web service.

    • Stewart White
      January 1st, 2011 at 17:59 | #14

      Your access has been restored. Please let us know more about your project.

  11. Stewart White
    January 1st, 2011 at 17:41 | #15

    @JWSmythe
    JW:

    Please provide us with a little more info on your project.

  12. Todd K
    January 1st, 2011 at 13:56 | #16

    Thanks for responding so quickly. I have a home web server that I’m running and I’ve found the same problems with attacks from certain regions. I developed a tool a couple of days ago to load IP restrictions into Windows Firewall so that I can just open up my web server to the countries that are relevant to the sites I’m hosting. I’m thinking others might want to use such a tool as well, so I’m trying to make a nice interface for it. Inadvertently though, in my testing I think I caused you guys to block my IP address. I’m just loading the country files myself, so I didn’t suspect it would burden the server or anything, but I could be wrong.

    I can certainly build in some data caching so that it only downloads the files once a day if you’d like or even cache them on my server on a daily basis and point it to my own.

    • Stewart White
      January 1st, 2011 at 17:37 | #17

      Here’s the scoop:

      Country IP Blocks allows access to their database and country lists freely. We do so as a courtesy to web admins, network managers, etc. Our altruism is meant to offer an excellent alternative to paid lists. We have never charged for this service. Instead, we pay for our servers and bandwidth out of our own pockets. We do so with the hope that we can make the internet just a little bit safer for us all.

      Our database is generally updated in its entirety on a daily basis between the hours of 7:00 – 9:00 EST. Over the past few weeks we have noticed several users updating their data from our database several times a day. One IP address pulls our entire list of countries once an hour, 24 hours a day, 7 days a week. This is a waste of resources.

      We are rapidly approaching one million hits and thousands of unique visitors each month. In order to accommodate this volume and better service our visitors we recently added another server and purchased a massive amount of bandwidth. This caused a significant increase in our monthly costs.

      If the trend continues we will have to make some decisions regarding services that we will need to move from no-cost to charge for service. We hesitate to move toward a paid service model. Perhaps we should start taking donations to defray our costs?

      I am going to remove your IP from our firewall (at least the IP I think belongs to you). Please limit your updates to once daily and hey, mention us to your friends, give us some credit on your website(s) or drop us a line once in a while and let us know how we’re doing.

      Also, if you plan on redistributing our data please get our written permission first.

  13. Todd K
    January 1st, 2011 at 13:33 | #18

    This is a terrific service you’re looking to provide. I can’t seem to find a place to register for the message board though. I have some questions and I’m wondering whom I can contact.

    • Stewart White
      January 1st, 2011 at 13:42 | #19

      Go ahead and ask your questions here or leave contact info and we will get back to you.

  14. JWSmythe
    November 12th, 2010 at 11:18 | #20

    Thanks for the very nice lists.

    I didn’t see mention of your mirroring policy. I plan on using your lists in one of my databases to assist with network and application security. Could you please post or email me with what your mirroring policy is? I’d like to collect the e_country_data files once per day.

  15. Jim Morrison
    November 5th, 2010 at 11:55 | #21

    Hi Stewart,

    Thanks for a GREAT site. I use Hostgator and asked them about how to block a country. They were unaware of this great resource; so I want hostgator support to be aware of your site. I am totally NOT versed in this stuff. Can you email me, as I may want to pay to correctly install blocks in my cpanel for Russia and China, or allow only US Canada, and the UK.

    Thanks Jim

    • Stewart White
      December 20th, 2010 at 16:29 | #22

      Jim:

      Does your hostgator account allow access to your .htaccess file?

  16. October 27th, 2010 at 02:53 | #23

    Love the site.

    Question I have is whether it is better to allow or block, if I only want to grant access to the following countries:

    Canada, USA, Australia, New Zealand, India, and the Wikipedia listed EU nations only.

    Thanks in advance

    • Stewart White
      October 27th, 2010 at 10:48 | #24

      You need to compare the methods based on the amount of data required for each one. If your allow list is larger than your disallow, you would be better off disallowing specific countries and allowing all others. The opposite is true if your disallow list is larger.

  17. Martin
    May 25th, 2010 at 04:37 | #25

    Finding this website is like hitting the jackpot! It’s just fantastic. Selecting from the country list to make a quick and easy .htaccess deny file is just pure genius. Thank the creators!

    • Stewart White
      May 25th, 2010 at 10:07 | #26

      You just did. Thank you.

  18. Paul
    April 11th, 2010 at 14:47 | #27

    Hello, this is my second post in one day. I’m not trying to be a hog, I’m just very excited about this stuff.

    I saw your web page:
    http://www.countryipblocks.net/e_country_data/Asia_deny.txt

    I’m wondering which part of this do you actually drop into your .htaccess file on the Apache server. I’m guessing you chop out the stuff that has a number sign in front of it, and include the rest of the stuff.

    For example, if you start with this:

    # Country: Asia
    # Total Networks: 10,183
    # Total Subnets: 581,443,008
    # Country: AFGHANISTAN
    # ISO Code: AF
    # Total Networks: 17
    # Total Subnets: 73,984
    deny from 58.147.128.0/19
    deny from 111.125.152.0/21
    deny from 117.55.192.0/20
    deny from 117.104.224.0/21
    deny from 119.59.80.0/21
    deny from 121.100.48.0/21
    deny from 121.127.32.0/19
    deny from 125.213.192.0/19
    deny from 175.106.32.0/19
    deny from 180.94.64.0/19
    deny from 180.222.136.0/21
    deny from 202.56.176.0/20
    deny from 202.86.16.0/20
    deny from 203.174.27.0/24
    deny from 203.215.32.0/20
    deny from 210.80.0.0/19
    deny from 210.80.32.0/19
    # Country: ARMENIA
    # ISO Code: AM
    # Total Networks: 52
    # Total Subnets: 195,872
    deny from 62.89.0.0/19
    deny from 77.95.184.0/21
    deny from 78.109.64.0/20
    deny from 79.170.200.0/21
    deny from 80.86.224.0/20
    deny from 81.16.0.0/20
    deny from 81.89.208.0/20
    deny from 83.139.0.0/18
    deny from 83.217.224.0/19
    deny from 87.241.128.0/18
    deny from 89.249.192.0/20
    deny from 91.103.24.0/21
    deny from 91.103.56.0/21
    deny from 91.198.247.0/24
    deny from 91.199.38.0/24
    deny from 91.199.226.0/24
    deny from 91.205.132.0/21
    deny from 91.208.76.0/24
    deny from 91.208.149.0/24
    deny from 91.209.38.0/24
    deny from 91.209.105.0/24
    deny from 91.210.40.0/22
    deny from 91.212.71.0/24
    deny from 92.43.136.0/21
    deny from 93.94.216.0/21
    deny from 93.185.32.0/20
    deny from 93.187.160.0/21
    deny from 93.191.152.0/21
    deny from 95.140.192.0/20
    deny from 109.68.120.0/21
    deny from 109.75.32.0/20
    deny from 178.160.128.0/17
    deny from 188.92.40.0/21
    deny from 188.115.192.0/18
    deny from 193.200.130.0/24
    deny from 195.8.50.0/23
    deny from 195.60.80.128/27
    deny from 195.88.66.0/23
    deny from 195.88.254.0/23
    deny from 195.191.100.0/23
    deny from 195.191.154.0/23
    deny from 195.191.186.0/23
    deny from 195.211.24.0/22
    deny from 195.250.64.0/19
    deny from 212.34.224.0/19
    deny from 212.42.192.0/19
    deny from 212.73.64.0/19
    deny from 217.26.128.0/20
    deny from 217.63.96.0/19
    deny from 217.76.0.0/20
    deny from 217.113.0.0/20
    deny from 217.113.16.0/20

    What you actually drop into the .htaccess file on the Apache server is this:

    deny from 58.147.128.0/19
    deny from 111.125.152.0/21
    deny from 117.55.192.0/20
    deny from 117.104.224.0/21
    deny from 119.59.80.0/21
    deny from 121.100.48.0/21
    deny from 121.127.32.0/19
    deny from 125.213.192.0/19
    deny from 175.106.32.0/19
    deny from 180.94.64.0/19
    deny from 180.222.136.0/21
    deny from 202.56.176.0/20
    deny from 202.86.16.0/20
    deny from 203.174.27.0/24
    deny from 203.215.32.0/20
    deny from 210.80.0.0/19
    deny from 210.80.32.0/19

    deny from 62.89.0.0/19
    deny from 77.95.184.0/21
    deny from 78.109.64.0/20
    deny from 79.170.200.0/21
    deny from 80.86.224.0/20
    deny from 81.16.0.0/20
    deny from 81.89.208.0/20
    deny from 83.139.0.0/18
    deny from 83.217.224.0/19
    deny from 87.241.128.0/18
    deny from 89.249.192.0/20
    deny from 91.103.24.0/21
    deny from 91.103.56.0/21
    deny from 91.198.247.0/24
    deny from 91.199.38.0/24
    deny from 91.199.226.0/24
    deny from 91.205.132.0/21
    deny from 91.208.76.0/24
    deny from 91.208.149.0/24
    deny from 91.209.38.0/24
    deny from 91.209.105.0/24
    deny from 91.210.40.0/22
    deny from 91.212.71.0/24
    deny from 92.43.136.0/21
    deny from 93.94.216.0/21
    deny from 93.185.32.0/20
    deny from 93.187.160.0/21
    deny from 93.191.152.0/21
    deny from 95.140.192.0/20
    deny from 109.68.120.0/21
    deny from 109.75.32.0/20
    deny from 178.160.128.0/17
    deny from 188.92.40.0/21
    deny from 188.115.192.0/18
    deny from 193.200.130.0/24
    deny from 195.8.50.0/23
    deny from 195.60.80.128/27
    deny from 195.88.66.0/23
    deny from 195.88.254.0/23
    deny from 195.191.100.0/23
    deny from 195.191.154.0/23
    deny from 195.191.186.0/23
    deny from 195.211.24.0/22
    deny from 195.250.64.0/19
    deny from 212.34.224.0/19
    deny from 212.42.192.0/19
    deny from 212.73.64.0/19
    deny from 217.26.128.0/20
    deny from 217.63.96.0/19
    deny from 217.76.0.0/20
    deny from 217.113.0.0/20
    deny from 217.113.16.0/20

    I’m wondering if that’s all you do, or if you have to surround the above stuff with some sort of code wrapping, like this:

    [mod rewrite apache something..code xyz]
    deny from 58.147.128.0/19
    deny from 111.125.152.0/21
    deny from 117.55.192.0/20
    deny from 117.104.224.0/21
    deny from 119.59.80.0/21
    [end of spooky apache code number wrapper stuff/xlmns.12345]

    • Stewart White
      April 12th, 2010 at 10:05 | #28

      You have options. A simple format would be to wrap your IP Blocks like this:

      <Limit GET HEAD POST>
      order allow,deny

      deny from xxx.xxx.xxx.xxx/xx
      </Limit>
      allow from all
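
An added example, not part of the original thread and not the site's own tooling: a Python filter for the `*_deny.txt` format quoted in #27 that drops the `#` header lines, accepts only well-formed `deny from <CIDR>` lines, checks each country's count against its `Total Networks` header, and emits the wrapper from the reply above. The function names and the shortened sample (with its `Total Networks` value adjusted to match) are constructed for this example.

```python
import ipaddress
import re

# Constructed sample in the format quoted in comment #27 (shortened; the
# AFGHANISTAN "Total Networks" value is adjusted to match the 3 lines kept).
SAMPLE = """\
# Country: Asia
# Total Networks: 10,183
# Country: AFGHANISTAN
# ISO Code: AF
# Total Networks: 3
deny from 58.147.128.0/19
deny from 111.125.152.0/21
deny from 117.55.192.0/20
"""

DENY_RE = re.compile(r"deny from (\S+)", re.IGNORECASE)


def parse_deny_file(text):
    """Parse the list into per-country sections, rejecting anything unexpected."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # header / comment line
            key, _, value = line[1:].partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "country":
                current = {"country": value, "iso": None,
                           "expected": None, "networks": []}
                sections.append(current)
            elif current is not None and key == "iso code":
                current["iso"] = value
            elif current is not None and key == "total networks":
                current["expected"] = int(value.replace(",", ""))
            continue
        match = DENY_RE.fullmatch(line)
        if match is None or current is None:
            # Downloaded text goes into server config: allow nothing but
            # "deny from <CIDR>" lines through.
            raise ValueError(f"line {lineno}: unexpected content {line!r}")
        try:
            net = ipaddress.ip_network(match.group(1))  # strict: no host bits
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        current["networks"].append(net)
    for sec in sections:
        # Sections without an ISO code (e.g. "Asia") are region summaries.
        if sec["iso"] and sec["expected"] not in (None, len(sec["networks"])):
            raise ValueError(f"{sec['iso']}: header says {sec['expected']} "
                             f"networks, file has {len(sec['networks'])}")
    return sections


def render_htaccess(sections):
    """Emit the deny lines inside the <Limit> wrapper shown in the reply."""
    lines = ["<Limit GET HEAD POST>", "order allow,deny"]
    for sec in sections:
        lines += [f"deny from {net}" for net in sec["networks"]]
    lines += ["</Limit>", "allow from all"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_htaccess(parse_deny_file(SAMPLE)), end="")
```

`order`, `allow` and `deny` are the Apache 2.2 access directives; Apache 2.4 keeps them only through mod_access_compat and uses `Require` for new configurations.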

  19. Paul
    April 11th, 2010 at 14:33 | #29

    Hello,

    This looks like a great website.

    With all of these bad acting countries, it seems like it would be more efficient to allow only the USA and Canada addresses, rather than try to block 2000 addresses from 20 different countries.

    However, I believe you indicated an “allow USA only” approach is actually more elaborate to construct than “block d,e,f,g,h,i,j,k, l,m,n,o,p,q,r,s,t,u,v,w,x,y,z and allow the rest” method.

    Could you provide greater detail on why this is the case? There’s a whole lot of us out there who would be perfectly happy to interact with USA and Canada, and nowhere else (for example, if you have a defense attorney’s website serving clients in a small midwest USA metro, written in English, why would China or Russia need access to this website?).

    Thanks for any elaboration on this.

    • Stewart White
      April 12th, 2010 at 10:34 | #30

      We offer information on all active, reserved or allocated global IPv4 addresses. Currently, of the 4,294,967,296 possible IPv4 addresses, 3,977,143,746 are active, reserved or allocated. These addresses are contained in nearly 105,000 separate networks.

      As of April 12, 2010, The USA has 37,767 networks and 1,490,138,622 subnets. Canada includes 5,758 networks and 76,999,932 subnets.

      From a security standpoint it is usually better to decide what you will ALLOW onto your network instead of what you want to DENY. But, in weighing whether to set up a rule set to implicitly ALLOW or DENY, you should consider factors such as efficiency, size of the ruleset, overhead, available system memory, CPU, etc.

      For example, if you wanted to deny traffic from China, you could create a ruleset to ALLOW the rest of the world, which would by default deny China. Or you could create a ruleset to expressly DENY China, which would by default allow any network that is not part of the IP blocks assigned to China. The resources required for the latter are much less than the former.

      At the current time it would require significantly less resources to ALLOW the USA and Canada and deny the rest of the globe than it would to DENY access to every country except the USA and Canada. The difference is in how the rule is written and the amount of data required to properly process the rule.

      In any case, you need to approach your decision thoughtfully. Any changes you make to a firewall or .htaccess file will impact resource utilization.

  20. July 19th, 2009 at 09:44 | #31

    I have to say, this is a very nice site. You have a well set up database and format.
