Blocking access for a given geographic location

Question

What is the most reliable way to prevent users from a geographic location to access a web available application?

I understand that IPs are related to geo positioning and I also understand that the most naive way is to get the HTTP request header IP address and take it from there.

It's obvious that naive methods, like the one described are extremely easy to bypass, specially using Proxies or VPNs.

So the question is: is there a 100% reliable way of determining a web user geo location? If not, what are the available options and what are the pros and cons on each of them?

Answer 1

There is a database somewhere on the tubes named IP 2 Country which can tell where an IP is from.

It is of course not perfect but it can give you the country where the ip comes from.

There is also a method called SSN which is related to ip addresses. I don't know how it works however, and seems to be rather complicated. It is comonly used in ads to send you localised spam. For example if you live in Montreal, Canada, then the ad will display "Find singles from Montreal!". The ISP behind the person does have to support this service.

Answer 2

first - figure out what ip groups are assigned to the region then you could check with every request for the user's ip address. If it matches part of the region you want to block then send them to disney.com.

See if this helps you: IP Address Info

Answer 3

The above techniques won't work if anyone is trying to hide their location from you by redirecting through relays in other countries.

Answer 4

The short answer is no. There is no way to 100% lock down the people from a specific geographic location because you can't guarantee the location of a user that reliably using an IP address. Even if you could, it can be faked through redirects.

There are ways to make it more difficult for people in a region to access the site, but the more restrictive you get with those approaches the more legitimate users you are likely to lock out. For example, turning off the server would give you 100% assurance that no one from China could hit it, but it would also give you 100% assurance that no one in the US could either.

Answer 5

Nothing in TCP/IP includes location data (other than what you can infer from routing tables or look up in a database), and nothing indicates whether a machine is acting "on behalf of" someone in another location.

So as you say, proxies and VPN, SSH port-forwarding, TOR, etc, can completely prevent your web app from knowing the physical location of the human being who's using your site. All you can look up, is the IP address of that last hop which is the TCP/IP connection and HTTP request you actually see.

Answer 6

No, there's no fool-proof way of doing this.

There's plenty of related work going on at the IETF in the GeoPriv working group, where protocols are being designed (e.g. HELD) to allow entities to ask the network their own location, and also allow other authorised entities to request that information.

However the VPN issue still causes problems, to the extent that clients with VPN capability need to request their location information before the VPN is established.