Many organizations are subject to government regulations such as ITAR or OFAC that prohibit any dealings with certain foreign nations. Others have countries that they will not do business with for reasons of corporate policy - because of rampant piracy or fraud for example. However with the Internet, what matters isn't always where another computer is located, at least not from the domain name it reports or the place a user fills in as its contact address. This means that, wittingly or unwittingly, devices in any organization may be connecting with other machines in locations that they are legally forbidden to have any communication with.

ThreatSTOP has always had the ability to block countries. We provide our customers with geographic-based target bundles, making it easy to do far more than just block, say, Russia. Customers can block based on specific sanctions regimes such as ITAR or OFAC, or specific areas that are known to be major sources of malicious activity. For example, our Eastern Europe Bundle blocks traffic to and from Belarus, Bulgaria, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Moldova, Poland, Romania, Russia, Slovakia, Turkey, and Ukraine - countries that consistently provide far more than their "fair share" of malware because they offer lax enforcement, which in turn means they are able to provide bullet-proof hosting and other related facilities for criminals.

Countries don't necessarily stay on these lists forever though. If a country makes a clear effort to clean up its ISPs and hosting providers, it will be removed from the list. Likewise, other countries may be added if they are seen to be worth adding.

The ITAR and OFAC lists of countries are less complex. These are countries that certain organizations are legally forbidden contact with and hence should not let their computers communicate with. The advantage of using the ThreatSTOP geographic lists is that we keep track not just of changes in IP address allocation, but also in the state of the laws. This way, the block lists dynamically change as countries are added and removed from the various regulation lists.


These are the countries currently listed in each list:

ITAR: Afghanistan, Belarus, Central African Republic, China, Cuba, Cyprus, Democratic Republic of the Congo, Eritrea, Fiji, Haiti, Iran, Iraq, Ivory Coast, Kyrgyzstan, Lebanon, Liberia, Libya, Myanmar, North Korea, Republic of the Sudan (Northern Sudan), Russia, Rwanda, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam, Yemen, and Zimbabwe.

OFAC Embargo: Belarus, Burundi, Central African Republic, Cote d'Ivoire, Cuba, Democratic Republic of the Congo, Iran, Iraq, Lebanon, Libya, Montenegro, Myanmar, North Korea, Serbia, Somalia, South Sudan, Sudan, Syria, Ukraine, Venezuela, Yemen, and Zimbabwe.

OFAC Sanction: Cuba, Iran, North Korea, Sudan, and Syria.

Finally there is the Modified ITAR list - this is a list countries that are generally suspected of industrial espionage and potentially other acts against US interests. Many are on the ITAR and OFAC lists but not all and the list does not include some countries that are on these lists. Currently this list contains: China, Brazil, Russia, India, Korea (both), Vietnam, Ukraine, Cuba, Czech Republic, Estonia, Georgia, Iran, Latvia, Lithuania, Moldova, Romania, Pakistan, Serbia, Somalia, Venezuela, and Yemen.


It is worth emphasizing that neither the Eastern Europe nor the Modified ITAR lists are based on a legal requirement. They are, however, considered to be useful as a shorthand for protecting against certain types of attack. If you are a technology company worried about industrial espionage, then the Modified ITAR list is probably of great interest, and anyone who has no particular reason to do business with Eastern Europe will find it useful to block the attentions of the criminals there that operate botnets and other malware infrastructure.

Did You Know: Blocking OFAC and ITAR countries on your AWS WAF is automatic and affordable with our AWS Managed Rules. Turn it on, then relax and let us handle keeping the rule continuously updated. Check out all our AWS Managed Rules here, and take a look at our recent blog post for more info. 


Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?

Get a Demo