Overview
BitNinja’s Country Blocking feature allows you to restrict traffic from specific countries, helping to reduce attack surfaces and unwanted activity. However, it’s important to understand how BitNinja determines an IP’s country and why geolocation mismatches can occasionally occur.
This guide explains how the system works under the hood and why certain IPs may be misclassified due to sub-range reselling or geolocation data conflicts.
How BitNinja Blocks Countries
BitNinja uses the IPDeny list to define which IP ranges belong to which countries.
This list is automatically generated using publicly available data from the five Regional Internet Registries (RIRs):
- ARIN (North America)
- RIPE NCC (Europe)
- APNIC (Asia-Pacific)
- LACNIC (Latin America and Caribbean)
- AFRINIC (Africa)
This RIR-based list represents the original IP allocations to countries. These allocations are fairly static and may not reflect current usage if the IPs have been reassigned or resold.
How BitNinja Determines Country in Incident Logs
For logging, reporting, and incident categorization, BitNinja uses MaxMind’s database to determine an IP’s real-world geolocation.
MaxMind is a commercially maintained database that tracks where IP addresses are currently being used, often down to the city level. It reflects dynamic IP usage patterns such as:
- Resold IP blocks
- Sub-allocations to ISPs and hosting providers
- VPN and proxy services
Why Discrepancies Can Happen
Because country blocking is based on IPDeny (original IP owner) and incident geolocation is based on MaxMind (current usage), you may notice mismatches.
Example Scenario
An IP block is allocated to Germany via RIPE.
A sub-range from this block is resold to a Dutch hosting company.
IPDeny still considers it German (used for blocking).
MaxMind sees it as Dutch (used for incidents).
➡️ Result: BitNinja blocks it due to “Germany”, but incidents show as “Netherlands”.
How to Handle This
For BitNinja Users:
- Understand the source of discrepancies: IP ownership ≠ usage.
- When investigating incidents, cross-check both IPDeny and MaxMind results.
- Use the Custom IP List feature to manually adjust or override country blocks if needed.
- Avoid overly broad country blocks unless necessary, especially in regions with frequent IP reallocations like the USA.
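The cross-check recommended above can be scripted. The following is an added example, not BitNinja's own code: it replays the Germany/Netherlands scenario with constructed data on documentation address ranges, where the `ALLOCATION` and `USAGE` tables are hypothetical stand-ins for the IPDeny list and a MaxMind lookup.

```python
import ipaddress

# Constructed sample data using documentation ranges, not real allocations.
# Allocation view: per-country CIDR lists, standing in for the IPDeny data.
ALLOCATION = {"DE": ["198.51.100.0/24"], "US": ["203.0.113.0/24"]}
# Usage view: network -> country, standing in for a MaxMind lookup.
USAGE = {
    "198.51.100.0/25": "DE",
    "198.51.100.128/25": "NL",  # sub-range resold to a Dutch hosting company
    "203.0.113.0/24": "US",
}

ALLOC_TABLE = [(ipaddress.ip_network(cidr), cc)
               for cc, cidrs in ALLOCATION.items() for cidr in cidrs]
USAGE_TABLE = [(ipaddress.ip_network(cidr), cc) for cidr, cc in USAGE.items()]


def lookup(ip, table):
    """Country of the most specific network containing ip, or None."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    hits = [(net.prefixlen, cc) for net, cc in table if addr in net]
    return max(hits)[1] if hits else None


def cross_check(ip, blocked_countries):
    """Compare the allocation-based and usage-based country for one IP."""
    alloc = lookup(ip, ALLOC_TABLE)
    usage = lookup(ip, USAGE_TABLE)
    return {
        "ip": ip,
        "allocation_country": alloc,  # what a country block acts on
        "usage_country": usage,       # what an incident log would show
        "blocked": alloc in blocked_countries,
        "mismatch": None not in (alloc, usage) and alloc != usage,
    }


if __name__ == "__main__":
    # Constructed source IPs, checked against a block on Germany only.
    for ip in ["198.51.100.200", "198.51.100.10", "203.0.113.5", "192.0.2.1"]:
        r = cross_check(ip, {"DE"})
        note = "  <-- blocked on allocation, logged under usage" \
            if r["blocked"] and r["mismatch"] else ""
        print(f"{r['ip']:<16} alloc={r['allocation_country']} "
              f"usage={r['usage_country']} blocked={r['blocked']}{note}")
```

An IP that comes back with `blocked` and `mismatch` both true is the case to review before adding a Custom IP List override.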