I work for IPinfo (a commercial service). We offer a residential proxy detection service, but it costs money.
If you are being bombarded by suspicious IP addresses, please consider using our free service and blocking IP addresses by ASN or Country. I think ASN is a common parameter for malicious IP addresses. If you do not have time to explore our services/tools (it is mostly just our CLI: https://github.com/ipinfo/cli), simply paste the IP addresses (or logs) in plain text, send it to me and I will let you know the ASNs and corresponding ranges to block.
Blocking countries is such a poorly disguised form of racism. Funny how it's always the brown / yellow people countries that get blocked, and never the US, despite it being one of the leading nations in malicious traffic.
Oh, absolutely not — I have to respectfully but strongly disagree with that sentiment.
In cybersecurity, decisions must be guided by objective data, not assumptions or biases. When you’re facing abuse, you analyze the IPs involved and enrich them with context — ASN, country, city, whether it’s VPN, hosting, residential, etc. That gives you the information you need to make calculated decisions: Should you block a subnet? Rate-limit it? CAPTCHA-challenge it?
One single /24 from Romania accounts for over 10% of the attacks. That’s not about nationality or ethnicity — it's about IP space abuse from a specific network. If a network or country consistently shows high levels of hostile traffic and your risk tolerance justifies it, blocking or throttling it may be entirely reasonable.
Security teams don’t block based on "where people come from" — they block based on where the attacks are coming from.
We even offer tools to help people explore and understand these patterns better. But if someone doesn’t have the time or resources to do that, I'm more than happy to assist by analyzing logs and suggesting reasonable mitigations.
You should block abusers, not an entire country based on a few actors. You can spin this as much as you like; it is still a country block, and that country is an incredible IT pool of talent and legitimate users. If we're still there you can block the United States also for your ipinfo business, since all stats indicate that the US is the number one source of fraud on the internet if we're talking IP addresses, which your business does. Let us know how that goes.
I hope nobody does cybersecurity in 2025 by analysing and enriching IP addresses. Not on a market where a single residential proxy provider (which you fail to identify) offers 150M+ exit nodes. Even a JA3 fingerprinting could be more useful than looking at IP addresses. I bet you, Romanian IPs were not operated by Romanians. Yet you're banning all Romanians?
The kind of blocking I'm referring to is IP metadata-based, not blanket country bans. I specifically mentioned that a single `/24` subnet was responsible for ~10% of brute-force attempts in my honeypot. That doesn’t mean I’d block all of Romania — obviously, the Romanian IP space is vastly larger — but it does raise questions about specific ASNs and IP ranges. In this case, Romanian IPs accounted for 16.8% of total attacks. That’s statistically significant and calls for deeper analysis, not assumptions.
Cybersecurity is a probabilistic game. You build a threat model based on your business, audience, and tolerance for risk. Blocking combinations of metadata — such as ASN, country, usage type, and VPN/proxy status — is one way to make informed short-term mitigations while preserving long-term accessibility. For example:
If an ASN is a niche hosting provider in Indonesia, ask: “Do I expect real users from here?”
If a /24 from a single provider accounts for 10% of your attacks, ask: “Do I throttle it or add a CAPTCHA?”
The point isn’t to permanently ban regions or people. It’s to reduce noise and protect services while staying responsive to legitimate usage patterns.
As for IP enrichment — yes, it's still extremely relevant in 2025. Just like JA3, TLS fingerprinting, or behavioral patterns — it's one more layer of insight. But unlike opaque “fraud scores” or black-box models, our approach is fully transparent: we give you raw data, and you build your own model.
We intentionally don’t offer fraud scoring or IP quality scores. Why? Because we believe it reduces agency and transparency. It also risks penalizing privacy-conscious users just for using VPNs. Instead, we let you decide what “risky” means in your own context.
We’re deeply committed to accuracy and evidence-based data. Most IP geolocation providers historically relied on third-party geofeeds or manual submissions — essentially repackaging what networks told them. We took a different route: building a globally distributed network of nearly 1,000 probe servers to generate independent, verifiable measurements for latency-based geolocation. That’s a level of infrastructure investment most providers haven’t attempted, but we believe it's necessary for reliability and precision.
Regarding residential proxies: we’ve built our own residential proxy detection system (https://ipinfo.io/products/residential-proxy) from scratch, and it’s maturing fast. One provider may claim 150M+ exit nodes, but across a 90-day rolling window, we’ve already observed 40,631,473 unique residential proxy IPs — and counting. The space is noisy, but we’re investing heavily in research-first approaches to bring clarity to it.
IP addresses aren’t perfect but nothing is! But with the right context, they’re still one of the most powerful tools available for defending services at the network layer. We provide the context and you build the solution.
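The per-subnet share analysis discussed in the comment above, as an added example that is not part of the thread or any participant's code. It assumes sshd-style "Failed password ... from <ip>" lines; the function names, the constructed sample log, and the 10% cut-off (borrowed from the figure quoted in the comment) are illustrative assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not real data): documentation range 203.0.113.0/24
# and benchmark range 198.18.0.0/15, plus two lines that must be ignored.
SAMPLE_LOG = "\n".join(
    [f"Failed password for root from 203.0.113.{h} port 40022 ssh2" for h in (5, 77, 200)]
    + [f"Failed password for admin from 198.18.{n}.10 port 40022 ssh2" for n in range(1, 18)]
    + ["Failed password for root from 999.1.1.1 port 1 ssh2", "Connection closed by peer"]
)

IPV4_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def subnet_shares(log_text, prefix=24):
    """Map each source network (as 'a.b.c.0/prefix') to its share of attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        match = IPV4_RE.search(line)
        if not match:
            continue  # line carries no source address
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    total = sum(counts.values())
    return {net: n / total for net, n in counts.items()} if total else {}


def mitigation_candidates(shares, threshold=0.10):
    """Networks whose share meets the threshold, largest first.

    These are candidates for review (throttle, CAPTCHA, block), not a verdict.
    """
    hits = [(net, share) for net, share in shares.items() if share >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for net, share in mitigation_candidates(subnet_shares(SAMPLE_LOG)):
        print(f"{net}\t{share:.1%} of attempts")
```

The output is a per-network share only; mapping a flagged network to its ASN or usage type needs an external enrichment source, which this sketch does not include.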