I'm the CTO of a US-based insurance company. Apart from some reinsurers in London and Bermuda, and a couple contractors in Canada, we don't do business outside the US. We've blocked all countries except those, and it has cut down massively on the folks attacking us.
Lots of companies do this on their websites now using cloud flare or something similar. It’s practical. Still it’s frustrating as a user when you’re traveling over in Europe and can’t access your accounts to pay bills or whatnot.
Next time I travel overseas I'll have a VPN ready.
My bank had some technical problem that prevented access from overseas last time I traveled and I couldn't access my account (which was extremely inconvenient).
Most banks that will work with. For what ever reason the bank I now use knows most vpn providers and completely blocks all traffic from them so using a vpn is not an option either. The “vpn” I’ll have to use is tunneling back to my home ip. It’s actually quite frustrating.
Commercial VPNs are often blocked too. I found a p2p vpn to my home network + ssh socks5 proxy to work well.
Have you considered the additional cost of making it harder for your customers to do business with you, as well as the limited visibility that you set up for attacks that may become multi-stage in nature later?
You never see or collect the information by blocking everything at the outset.
In a world where you can proxy past these blocks fairly trivially, that's information you don't have for attribution later.
Defense in depth, or layered defenses are a best approach, but not if they blind you equally.
As someone who has whitelisted only US IP address space for my employer and blocked everything else I can attest that is DRASTICALLY reduces hostile traffic to us. I have an RDP honeypot that was blocking dozens of IPs every day before the whitelist and now it blocks 1 or 2 a day.
Kinda similar, but when I looked at the finances, I was surprised by how much money we're getting from places like the Cayman Islands, Switzerland, and the Emirates.