Data Protection
      Back to home
      1. AngelTrack Knowledge Base
      2. IT
      3. Data Protection

      IP Blocklist / Geographic Restrictions

      AngelTrack servers block connections that originate from outside North America, Australia, and New Zealand, and also from known malicious IP addresses.

      Purpose

      Foreign attacks on AngelTrack servers are increasing in quantity and sophistication. At any point in time, a determined attacker might discover a zero-day vulnerability, against which it is impossible to defend. To reduce this attack surface, AngelTrack LLC has decided to block all internet traffic originating from outside the territories of our customers.

      Implementation Timeline

      These restrictions will take effect during June and July 2024, as each AngelTrack customer migrates to AngelTrack's new cluster infrastructure.

      We do not have an exact date when any particular customer will be migrated; we can only say that each customer will be migrated at some point during the June-July 2024 period, and when that happens, the geographic restrictions will take effect for their users.

      No action is necessary to initiate or complete the migration itself, as that will be done by AngelTrack LLC. The only action that AngelTrack customers might need to take, is to conform to the new geo-restrictions, as discussed here.

      Who will be Affected by the Georestrictions

      You will be affected by AngelTrack's new georestrictions if any of the following are true:

      • You have a billing office in India or other foreign nation, from which the employees access your AngelTrack server.
      • You or your employees sometimes vacation in a foreign nation and wish to access your AngelTrack server during the visit.
      • You presently use a VPN to geolocate your traffic to a foreign country for the purpose of video streaming, and you wish to access your AngelTrack server from the same computer.
      • You use Tor on your work computer.
      • Your ISP is a small operation that sub-leases its IP address blocks from another continent.  This is rare, and isn't supposed to happen, but we have seen two cases of it over the years. You can test whether this applies to you by connecting to the internet through that ISP and then visiting an IP address lookup webpage to see where it thinks you are located. If your ISP is sub-leasing foreign IP address blocks and not properly re-registering them, then the IP address lookup webpage will say you are located in Africa or some other oddball location.

      If any of these apply to you, then continue reading for workarounds.

      Workaround

      You can use a VPN service to geolocate your network traffic to a different region. Most people do this for the purpose of video streaming content that is not available in their home country, but you can use the VPN to do the reverse: Geolocate your network traffic to North America, Australia, or New Zealand, so that AngelTrack will think you are in the proper country and allow you access.

      Most commercial VPN products have this capability, at very low cost. Please contact your VPN provider's support department if you are not sure how to use the feature.

      If you have a whole billing office in India or other foreign country, they might need a site-wide VPN solution so that all computers in the office are re-geolocated to USA. Or they could run VPNs on just those individual computers that will be accessing your AngelTrack server.

      AngelTrack LLC does not offer technical support for this task, but your VPN provider certainly should.

      Testing the workaround

      Once your re-geolocation VPN is active, you can test its effectiveness by visiting an IP address lookup webpage, like this one:

      https://WhatIsMyIPAddress.com/

      If your VPN is successful, then the webpage should say that you are located in USA, or whichever country you designated as your traffic origin point.

      VPN warning

      UNDER NO CIRCUMSTANCES should you use a free or no-name VPN service. Security researchers have determined that the majority of such services are malware, and/or turn your device into a botnet node.

      Purchase VPN service only from a big-name paid provider.

      "What's the point of a restriction if there's a VPN workaround?"

      If you now wonder why AngelTrack should bother with georestrictions when an attacker could just use a VPN, you are right, an attacker could do that and bypass the georestrictions.

      There are three reasons why it's still worthwhile:

      1. Most attackers run wardialers and so will never realize that a georestriction is the reason why AngelTrack refuses to answer;
      2. The need to run a re-geolocation VPN on all their attack servers and bots raises the cost of wardialing by a factor of 100, and so most attackers do not bother; and
      3. The VPN service can see malicious traffic passing through its network, and might intervene all by itself.

      Alternate Workaround

      If you implement the workaround above and successfully re-geolocate your network traffic to an allowed region, and you have verified this by visiting an IP address lookup page as explained above, yet AngelTrack still won't answer you, then you will need a firewall exception.

      To obtain one, please have your public IP address ready, and then contact AngelTrack Support.

      While you are waiting for that to be implemented, you can probably resume access to your AngelTrack server by tethering to your cellphone's personal hotspot.

      Malicious IP Addresses Also Blocked

      AngelTrack will also block all requests from IP addresses known to belong to threat actors, including those inside USA and AUS.

      Your IP address could be on that blacklist, if your computers are (unbeknownst to you) part of a malicious botnet.

      You could also temporarily end up on a blacklist if a threat actor ceases to use a blacklisted IP address which afterward gets reassigned to you.

      If AngelTrack refuses to answer your web browser, but you visit an IP address lookup webpage and it confirms that you are indeed in North America, Australia, or New Zealand, then perhaps your IP addresses is on a blacklist. Please contact AngelTrack Support and we will check for you.

      AngelTrack also rejects all inbound connections from the Tor network, because the purpose of Tor is anonymity, and there is no business purpose for anonymity in our industry.

      iCloud Private Relay and Other IP-Masking Services

      If you use iCloud Private Relay or another IP-masking service for internet privacy, you may or may not be able to access your AngelTrack server, due to the geolocation of the relay's exit nodes, or due to the volume of traffic from your particular exit node exceeding AngelTrack's per-IP connection throttles.

      AngelTrack LLC does not offer support for IP-masking services. We recommend you require all employees to disable such services while accessing your AngelTrack server, or at least to configure them to grant an exception for AngelTrack.