One possible starting point would be to null route their assigned address space, using [1] from the firehol repo [2]. This will not block private proxies and VPNs. A determined person could easily get around this. This does not include IPv6. ttyprintk brings up a good point in that one could also look at header fields to check for Russian language attributes.

[1] - https://github.com/firehol/blocklist-ipsets/blob/master/ipip_country/ipip_country_ru.netset
[2] - https://github.com/firehol/blocklist-ipsets.git
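
The null-routing step from the comment above, sketched as an added example (not code from the commenter or from the firehol project): it parses text in the `.netset` layout, reports the entries it cannot cover (IPv6 included) instead of dropping them silently, and emits iproute2 blackhole routes. The sample data, the function names and the `/8` sanity limit are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the .netset layout ('#' comments, one IPv4 address or
# CIDR per line). Documentation ranges only; not data from the firehol list.
SAMPLE_NETSET = """\
# constructed sample
198.51.100.0/25
198.51.100.128/25
203.0.113.7
192.0.2.0/24
192.0.2.64/26
2001:db8::/32
0.0.0.0/0
not-an-address
"""

MIN_PREFIX = 8  # assumption: anything broader than a /8 is treated as a list error


def parse_netset(text, min_prefix=MIN_PREFIX):
    """Return (collapsed IPv4 networks, rejected (line_no, entry, reason))."""
    nets, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append((line_no, entry, "unparseable"))
            continue
        if net.version != 4:
            # Surfaced explicitly: the IPv4 list leaves IPv6 paths open.
            rejected.append((line_no, entry, "ipv6 not covered"))
        elif net.prefixlen < min_prefix:
            # Guards against blackholing the default route by accident.
            rejected.append((line_no, entry, "prefix too broad"))
        else:
            nets.append(net)
    # Merge adjacent and overlapping ranges so the routing table stays small.
    return list(ipaddress.collapse_addresses(nets)), rejected


def blackhole_commands(nets):
    """One iproute2 null-route command per network."""
    return [f"ip route add blackhole {n}" for n in nets]


if __name__ == "__main__":
    networks, skipped = parse_netset(SAMPLE_NETSET)
    print("\n".join(blackhole_commands(networks)))
    for line_no, entry, reason in skipped:
        print(f"# skipped line {line_no}: {entry} ({reason})")
```

Review the skipped entries before applying the routes; a blackhole route drops traffic without logging it, so pair it with firewall logging if block events need to be recorded.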
Looks like this is trending over in SANS as well:
https://isc.sans.edu/diary/rss/28392
Assuming you don't want to block Russian-speaking people, but Russian-origin connections, use a firewall that updates its mapping of IP addresses to country. pfSense has such a plug-in. You will definitely want to log outbound block or ignore events.