Why IP banning is useless

Freshness Warning
This article is over 14 years old. It's possible that the information you read below isn't current.

Many proposals for eliminating comment spam are focused on banning or throttling comments from the IP address of the spammer. This is fundamentally flawed because it assumes IP addresses are both unique and hard to come by.

Banning an IP address can have severe consequences. Many ISPs (including AOL) and companies use a proxy server that makes it appear as if all users are coming from a single IP address or a handful of them. By blocking an IP address, you might be preventing a substantial portion of AOL users from commenting. Depending on your point of view, eliminating AOL may not be a great loss; however, the same thing would happen to millions of users behind other proxy servers.

The other problem is that IP addresses are very easy to get or fake for spammers who care about such things. There are hundreds of thousands of open proxies that will let anyone direct Web traffic through them. When I’m using an open proxy, my IP address is effectively masked. And I can use simple software to switch to a different open proxy (and thus a different IP address) every few minutes. So my spamming activity isn’t tied to a specific IP address.

Hypothetically speaking, if the problem of open proxies were to disappear overnight, there are two other mechanisms that provide a limitless set of IP addresses to spammers: dialup and spoofing.

Most dialup ISPs provide a different IP address each time you dial in. If a spammer were to find that their IP address had been banned, they could simply disconnect and redial. It would be trivial to automate the process of dialing in, spamming, disconnecting, and dialing back in.

IP addresses are easy to fake as well. The design principles of TCP/IP allow the sender of a packet to specify its IP address. The message will still be routed to its destination using the fake origin address. Return packets would be mis-routed, however, because TCP/IP would send responses to the true location of the IP address rather than where the packet actually came from. This means that IP spoofing is ineffective in situations where you need to interact with a remote server, but very effective in a one-way conversation. I can’t retrieve a Web page using a spoofed IP address because I need to make the request and then have the server send me the page. But I can send requests all day long if I don’t care about the response.

Posting a comment (or TrackBack) doesn’t require interaction. I can send a comment in a POST or GET message and not worry about the response if I don’t care about receiving acknowledgment that it was successful.

theaardvark
February 18, 2004 2:34 AM

I've been crap flooded twice. The first time all comments came from the same IP address. The second time, all 157 comments came from different IP addresses and were attributed to different URLs. The only common link was the text in the comment. IP banning may have a part to play as a single weapon amongst a vast armoury. I agree that outright banning of IP addresses would prevent the use of commenting systems by some innocent parties. But restriction of comments from single IP addresses to say 3 per hour would have prevented the bulk of the first of the crap floods I suffered from. A comparison of comments to recent submissions would have prevented the second crap flood. If say, over 50% of the text is the same as a recent comment then it could be rejected. This would also prevent accidental double clicking of the submission button. The idea is not to make comment spamming impossible. The idea is to make it ineffective. Make them have to work so hard for the minimal benefit that they go somewhere else. Regardless, however hard we try to protect our own blogs, there are enough unmaintained (and therefore unprotected) blogs out there that spammers will probably always find targets to flood.

Mean Dean
February 18, 2004 10:06 AM

I find IP banning at the server level (.htaccess) only useful when I can confirm the disposition of the source as not a proxy, often an overseas entity, aren't a hosting company, and are using an unidentified or unwanted user agent. For example, many of the recent crap-flood attacks on my blog have been from Israel from a non-host provider where the user agent is obfuscated. So while I'm sad to block that group, I'm not losing a huge existing reader base. Otherwise, I find banning the ability to allow access to the blog, but to deny posting comments effective. I actually ran into the "other side" of just such a scenario. I emailed the individual running the blog. They had problems w/someone else from my IP. He posted my comment. I'll do likewise.

Brad Grier
February 19, 2004 11:23 AM

[Quote]"A comparison of comments to recent submissions would have prevented the second crap flood. If say, over 50% of the text is the same as a recent comment then it could be rejected. This would also prevent accidental double clicking of the submission button." [/Quote] Unfortunately a comparison of comments/recent submissions may mistakenly tag quoted text (as above) as spam. But, mixed with the other methods, frequency of posting, Hot words...etc, it could be another valuable tool.

theaardvark
February 21, 2004 10:23 AM

Brad, I hadn't considered that. Upping the comparison to 90% would overcome that problem but I guess it would weaken its usefulness as a tool to stop spammers.

frickaline
October 11, 2004 10:56 PM

[quote]While I agree that purely banning IP addresses is pointless, I think that having an updated list of open proxies and ban all users that use those from commenting could prevent script kiddies from comment flooding. After all, script kiddies do these things because they can, and the tools to do so are readily available. If 95% of all open proxy servers used by these scripts are blocked, it would be much less effective. Sure, they'll come up with something new, but in the mean time, I'd love options in MT3 that allow easy bulk manipulation of IP bans or automated checking and interacting with resources like spamhaus, spamcop etc. [/quote] I like this comment. Sure, it has some holes, but it's a start. What if we took one problem at a time and started with this one. Perhaps a web crawler could scan the Internet for proxies and keep a master list of blocked proxies. Then I just need a script to read them in and apply them to my server on a daily basis. That might be a first step in waging this war. ISP dynamic IP address assignment is still another problem, but it seems to me that it is a far less preferable method for the would-be spammer than a proxy. With respect to MAC address manipulation, this offers far less anonymity and if performed repeatedly, it is detectable by the ISP. Plus it requires some level of knowledge beyond a proxy site user. Imagine if they used an ethernet broadcast MAC by mistake!! With respect to dialup, I have no ideas there....yet.

Sarah
November 4, 2004 8:49 AM

I have been using CountryCheck.com to block anonymous proxy users and have found the number of spammers has reduced substantially.

NOONER
November 17, 2004 8:13 PM

I play Ghost Recon, and sometimes I get banned from a server for like cussing or something dumb, so I change my IP. But when Ghost Recon 2 comes out it will ban by CD key. Is there a proxy I can hide my CD key? Or anything I can do about it?

Jo Citizen
December 23, 2004 4:43 PM

On TCP/IP: You have to complete a three-way transaction to open a connection. Unless the target web server accepts UDP connections (and I cannot think of ANY that do), you have to complete the communication. Source address spoofing only works for ICMP, UDP, and raw IP (except for a few attacks that are aimed directly at the TCP stack). As to ways of blocking spammers... All you have to do is demand that people quoting text put something at the beginning (eg a > symbol or [quote]), and then you can implement rules like "90% the same OR 50% same and first 32 bytes the same". Not perfect, because a spammer could just put a tag on, but it's another possibility.
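
The rules proposed in this thread (theaardvark's throttle of 3 comments per hour per IP and comparison against recent comments, with Jo Citizen's "90% the same OR 50% same and first 32 bytes the same" refinement for quoted text) can be combined as below. This is an added example, not part of the original post or any comment; `CommentFilter`, the 50-comment window and the use of `difflib` similarity as the "percent the same" measure are assumptions.

```python
import time
from collections import defaultdict, deque
from difflib import SequenceMatcher

MAX_PER_HOUR = 3    # theaardvark: "say 3 per hour" from a single IP
RECENT = 50         # assumption: number of recent comments kept for comparison

class CommentFilter:
    def __init__(self):
        self.recent = deque(maxlen=RECENT)   # normalized bodies of accepted comments
        self.by_ip = defaultdict(deque)      # ip -> times of accepted comments

    @staticmethod
    def _norm(text):
        # Case and whitespace changes should not defeat the comparison.
        return " ".join(text.lower().split())

    def check(self, ip, text, now=None):
        """Return (accepted, reason) where reason is 'ok', 'rate' or 'duplicate'."""
        now = time.time() if now is None else now
        stamps = self.by_ip[ip]
        while stamps and now - stamps[0] >= 3600:   # forget posts older than 1h
            stamps.popleft()
        if len(stamps) >= MAX_PER_HOUR:
            return False, "rate"
        body = self._norm(text)
        for old in self.recent:
            # autojunk=False: the default heuristic skews ratios on long texts.
            sim = SequenceMatcher(None, old, body, autojunk=False).ratio()
            same_head = old.encode()[:32] == body.encode()[:32]
            # Jo Citizen's rule: a reply that opens with "> " or "[quote]" has a
            # different head, so it is only rejected when it adds almost nothing.
            if sim >= 0.9 or (sim >= 0.5 and same_head):
                return False, "duplicate"
        stamps.append(now)
        self.recent.append(body)
        return True, "ok"

if __name__ == "__main__":
    f = CommentFilter()
    original = "A comparison of comments to recent submissions would help."  # constructed
    for ip, text in [("198.51.100.7", original),
                     ("198.51.100.7", original),                       # double click
                     ("192.0.2.44", "> " + original + " But quoted text like this "
                      "could be tagged as spam by mistake.")]:
        print(ip, f.check(ip, text))
```

The duplicate check is keyed on text rather than address, so it still applies when every copy of a flood arrives from a different IP, which is the case the per-IP throttle cannot cover.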

Dylan Smith
December 24, 2004 1:46 AM

"Posting a comment (or TrackBack) doesn’t require interaction. I can send a comment in a POST or GET message and not worry about the response if I don’t care about receiving acknowledgment that it was successful." No you can't. You still have to establish a full TCP session (so have to go through the whole SYN/ACK sequence to do so). So forging the originating IP will not work.

Brad
December 28, 2004 8:03 AM

I agree with you guys, IP banning is not very effective. However, I did find something that is VERY effective when it comes to spamming!! If you code a security/turing code/number at the bottom of the form for the user to post comments in. If they don't match the security code exactly, the post will never be added. I use this on my client's websites all the time. He was spammed once, several hundred requests. So I simply added this security code to the bottom of the request page, and it stopped right away. This will stop any computer from automating requests, and will slow down manually submitted requests dramatically. I hope this helps some of you who are being spammed with requests!! Sincerely, Brad Ciszewski

frickaline
October 28, 2005 6:20 AM

rofl ... I just tested countrycheck.com using an anonymous proxy and it failed to detect it. They thought I was really from Manila. Back to the drawing board ....

Cody
March 14, 2006 3:49 PM

I own a web hosting company, I have ip's banned for a certain period of time to deflect a ddos. If an attack is taking place, their ip will be banned if they go above so many connections. It doesn't matter if they have an anonymous ip either, they can use a thousand different ip's and their ip will be blocked for 10 minutes therefore deflecting a ddos attack. Now if you want to block an ip from a server entirely, I do agree it is pointless unless you use software that will not allow a visitor to your website using an anonymous proxy ;)

dr1819
June 9, 2006 11:07 AM

As a networking security consultant, I strongly oppose IP address banning for the reasons mentioned by Adam in his blog: 1. IP addresses are far too easily spoofed. I often demonstrate this to my clients by re-registering and posting new content after being banned and without using a proxy. 2. While detecting and eliminating proxies isn't difficult, it's impossible to detect and eliminate a NAT-based firewall, which can be configured to look like anyone. 3. Banning even one IP address can hurt tens, hundreds, even thousands of legitimate users. Banning ranges of IP address is violently aggressive, highly injurious to the Internet community as a whole, and should never be a policy of any website catering to large numbers of users. There are alternatives to IP address banning, including content readers. Most users are fairly well-behaved, and troublemakers make up a small percent. It's not a difficult task to install a content reader that compares content from recently banned members with that posted by new members. While it shouldn't be used alone as a criterion for banning, it can help support a decision based upon how well the two match with respect to the general vocabulary used, the grammar, and even the style of writing. The most effective way to keep things civil is to enforce standards with grace, and work with the users, helping those who're wayward to learn more about what's acceptable and what's not. Using buttons to automate some of the reminders and "lessons learned" greatly eases this task.

JT
June 23, 2006 9:18 PM

What I would like to know is if any harm can be done to the internet community if you created a ban list of 0.0.0.0 to 255.255.255.255 on one server. With an allow list for a static IP range from a client server. Provided you included DNS to ISP in the allow range set and vice versa on the other server. This would in effect I think allow for two servers to travel the internet and yet be seen as a local LAN for connect intents. Anyone have thoughts? JT

j.
July 17, 2006 10:53 PM

hi, where can I mask my IP address? I'm banned from a forum and I'd really like to go back :P. I just want to hide my IP address. my e-mail is dilute13@yahoo.com if anybody could help it would make me giddy.

These are the last 15 comments. Read all 22 comments here.

This discussion has been closed.


©1999-2018 Adam Kalsey.