Why IP banning is useless

Freshness Warning
This blog post is over 18 years old. It's possible that the information you read below isn't current and the links no longer work.

Many proposals for eliminating comment spam are focused on banning or throttling comments from the IP address of the spammer. This is fundamentally flawed because it assumes IP addresses are both unique and hard to come by.

Banning an IP address can have severe consequences. Many ISPs (including AOL) and companies use a proxy server that makes it appear as if all users are coming from a single IP address (or a handful of them). By blocking an IP address, you might be preventing a substantial portion of AOL users from commenting. Depending on your point of view, eliminating AOL may not be a great loss; however, the same thing would happen to millions of users behind other proxy servers.

The other problem is that IP addresses are very easy to get or fake for spammers who care about such things. There are hundreds of thousands of open proxies that will let anyone direct Web traffic through them. When I’m using an open proxy, my IP address is effectively masked. And I can use simple software to switch to a different open proxy (and thus a different IP address) every few minutes. So my spamming activity isn’t tied to a specific IP address.

Hypothetically speaking, if the problem of open proxies were to disappear overnight, there are two other mechanisms that provide a limitless set of IP addresses to spammers: dialup and spoofing.

Most dialup ISPs provide a different IP address each time you dial in. If a spammer were to find that their IP address had been banned, they could simply disconnect and redial. It would be trivial to automate the process of dialing in, spamming, disconnecting, and dialing back in.

IP addresses are easy to fake as well. The design principles of TCP/IP allow the sender of a packet to specify its IP address. The message will still be routed to its destination using the fake origin address. Return packets would be mis-routed, however, because TCP/IP would send responses to the true location of the IP address rather than where it actually came from. This means that IP spoofing is ineffective in situations where you need to interact with a remote server, but very effective in a one-way conversation. I can’t retrieve a Web page using a spoofed IP address because I need to make the request and then have the server send me the page. But I can send requests all day long if I don’t care about the response.

Posting a comment (or TrackBack) doesn’t require interaction. I can send a comment in a POST or GET message and not worry about the response if I don’t care about receiving acknowledgment that it was successful.

February 18, 2004 2:34 AM

I've been crap flooded twice. The first time all comments came from the same IP address. The second time, all 157 comments came from different IP addresses and were attributed to different URLs. The only common link was the text in the comment. IP banning may have a part to play as a single weapon amongst a vast armoury. I agree that outright banning of IP addresses would prevent the use of commenting systems by some innocent parties. But restriction of comments from single IP addresses to say 3 per hour would have prevented the bulk of the first of the crap floods I suffered from. A comparison of comments to recent submissions would have prevented the second crap flood. If say, over 50% of the text is the same as a recent comment then it could be rejected. This would also prevent accidental double clicking of the submission button. The idea is not to make comment spamming impossible. The idea is to make it ineffective. Make them have to work so hard for the minimal benefit that they go somewhere else. Regardless, however hard we try to protect our own blogs, there are enough unmaintained (and therefore unprotected) blogs out there that spammers will probably always find targets to flood.

Mean Dean
February 18, 2004 10:06 AM

I find IP banning at the server level (.htaccess) only useful when I can confirm the disposition of the source as not a proxy, often an overseas entity, not a hosting company, and using an unidentified or unwanted user agent. For example, many of the recent crap-flood attacks on my blog have been from Israel from a non-host provider where the user agent is obfuscated. So while I'm sad to block that group, I'm not losing a huge existing reader base. Otherwise, I find banning the ability to allow access to the blog, but to deny posting comments effective. I actually ran into the "other side" of just such a scenario. I emailed the individual running the blog. They had problems w/ someone else from my IP. He posted my comment. I'll do likewise.

Brad Grier
February 19, 2004 11:23 AM

[Quote]"A comparison of comments to recent submissions would have prevented the second crap flood. If say, over 50% of the text is the same as a recent comment then it could be rejected. This would also prevent accidental double clicking of the submission button." [/Quote] Unfortunately a comparison of comments/recent submissions may mistakenly tag quoted text (as above) as spam. But, mixed with the other methods, frequency of posting, Hot words...etc, it could be another valuable tool.

February 21, 2004 10:23 AM

Brad, I hadn't considered that. Upping the comparison to 90% would overcome that problem but I guess it would weaken its usefulness as a tool to stop spammers.

October 11, 2004 10:56 PM

[quote]While I agree that purely banning IP addresses is pointless, I think that having an updated list of open proxies and ban all users that use those from commenting could prevent script kiddies from comment flooding. After all, script kiddies do these things because they can, and the tools to do so are readily available. If 95% of all open proxy servers used by these scripts are blocked, it would be much less effective. Sure, they'll come up with something new, but in the meantime, I'd love options in MT3 that allow easy bulk manipulation of IP bans or automated checking and interacting with resources like spamhaus, spamcop etc. [/quote] I like this comment. Sure, it has some holes, but it's a start. What if we took one problem at a time and started with this one. Perhaps a web crawler could scan the Internet for proxies and keep a master list of blocked proxies. Then I just need a script to read them in and apply them to my server on a daily basis. That might be a first step in waging this war. ISP dynamic IP address assignment is still another problem, but it seems to me that it is a far less preferable method for the would-be spammer than a proxy. With respect to MAC address manipulation, this offers far less anonymity and if performed repeatedly, it is detectable by the ISP. Plus it requires some level of knowledge beyond a proxy site user. Imagine if they used an ethernet broadcast MAC by mistake!! With respect to dialup, I have no ideas there....yet.

November 4, 2004 8:49 AM

I have been using CountryCheck.com to block anonymous proxy users and have found the number of spammers has reduced substantially.

November 17, 2004 8:13 PM

I play Ghost Recon, and sometimes I get banned from a server for like cussing or something dumb, so I change my IP. But when Ghost Recon 2 comes out it will ban by CD key. Is there a proxy I can hide my CD key? Or anything I can do about it?

Jo Citizen
December 23, 2004 4:43 PM

On TCP/IP: You have to complete a three-way transaction to open a connection. Unless the target web server accepts UDP connections (and I cannot think of ANY that do), you have to complete the communication. Source address spoofing only works for ICMP, UDP, and raw IP (except for a few attacks that are aimed directly at the TCP stack). As to ways of blocking spammers... All you have to do is demand that people quoting text put something at the beginning (eg a > symbol or [quote]), and then you can implement rules like "90% the same OR 50% same and first 32 bytes the same". Not perfect, because a spammer could just put a tag on, but it's another possibility.
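The duplicate-text check discussed in this thread (reject above 50% similarity, the objection that quoted replies would be caught, and the "90% the same OR 50% same and first 32 bytes the same" rule) can be put into code as follows. This is an added example, not code from the post or its commenters; the function names, the use of Python's `difflib` as the similarity measure, and the sample comments are assumptions made for illustration.

```python
import difflib

def normalize(text):
    """Lower-case and collapse whitespace so trivial edits do not hide a repeat."""
    return " ".join(text.lower().split())

def similarity(a, b):
    """Fraction of matching characters (0.0 to 1.0) between two texts."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()

def is_repeat(new, recent, high=0.90, low=0.50, prefix_bytes=32):
    """Reject if >= 90% similar, or >= 50% similar AND same first 32 bytes.

    A reply that opens with a quote marker ('>' or '[quote]') has a different
    prefix from the comment it quotes, so only the 90% rule applies to it.
    """
    n = normalize(new)
    head = n.encode("utf-8")[:prefix_bytes]
    for old in recent:
        o = normalize(old)
        ratio = similarity(n, o)
        same_head = head == o.encode("utf-8")[:prefix_bytes]
        if ratio >= high or (ratio >= low and same_head):
            return True
    return False

# Constructed sample comments (not taken from any real spam run).
SPAM = ("Buy cheap watches at example.invalid today, best prices guaranteed, "
        "free shipping on every single order!")
ORIGINAL = ("A comparison of comments to recent submissions would have "
            "prevented the second crap flood.")
RECENT = [SPAM, ORIGINAL]

VARIANT = ("Buy cheap watches at example.invalid today, best prices guaranteed, "
           "visit us now!")                      # same opening, new ending
TAGGED_SPAM = "> " + SPAM                        # quote marker glued onto spam
QUOTED_REPLY = ("[quote]" + ORIGINAL + "[/quote] That check may mistakenly "
                "tag quoted text as spam.")      # honest reply quoting a comment

if __name__ == "__main__":
    for label, text in [("variant", VARIANT), ("tagged spam", TAGGED_SPAM),
                        ("quoted reply", QUOTED_REPLY)]:
        print(f"{label:13} rejected={is_repeat(text, RECENT)}")
```

The quoted reply is about 73% similar to the comment it quotes, so a flat 50% threshold would reject it, while the two-part rule lets it through and still catches spam with a short quote marker prepended. A spammer who pads the text with enough new material after a marker falls below 90% and passes, which is the weakness the comment itself points out.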

Dylan Smith
December 24, 2004 1:46 AM

"Posting a comment (or TrackBack) doesn't require interaction. I can send a comment in a POST or GET message and not worry about the response if I don't care about receiving acknowledgment that it was successful." No you can't. You still have to establish a full TCP session (so have to go through the whole SYN/ACK sequence to do so). So forging the originating IP will not work.

December 28, 2004 8:03 AM

I agree with you guys, IP banning is not very effective. However, I did find something that is VERY effective when it comes to spamming!! If you code a security/Turing code/number at the bottom of the form for the user to post comments in. If they don't match the security code exactly, the post will never be added. I use this on my client's websites all the time. He was spammed once, several hundred requests. So I simply added this security code to the bottom of the request page, and it stopped right away. This will stop any computer from automating requests, and will slow down manually submitted requests dramatically. I hope this helps some of you who are being spammed with requests!! Sincerely, Brad Ciszewski

October 28, 2005 6:20 AM

rofl ... I just tested countrycheck.com using an anonymous proxy and it failed to detect it. They thought I was really from Manila. Back to the drawing board ....

March 14, 2006 3:49 PM

I own a web hosting company, I have ip's banned for a certain period of time to deflect a ddos. If an attack is taking place, their ip will be banned if they go above so many connections. It doesn't matter if they have an anonymous ip either, they can use a thousand different ip's and their ip will be blocked for 10 minutes therefore deflecting a ddos attack. Now if you want to block an ip from a server entirely, I do agree it is pointless unless you use software that will not allow a visitor to your website using an anonymous proxy ;)
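A throttle with a temporary block, combining the "3 per hour" limit suggested earlier in the thread with the 10-minute ban described in the comment above, is sketched below. It is an added example, not code from the post or any commenter; the class name, the parameters and the documentation-range IP addresses are assumptions.

```python
from collections import defaultdict, deque

class CommentThrottle:
    """Per-IP sliding-window limit with a temporary, self-expiring block."""

    def __init__(self, limit=3, window=3600, block_for=600):
        self.limit = limit            # accepted posts allowed per window
        self.window = window          # window length in seconds (1 hour)
        self.block_for = block_for    # block length in seconds (10 minutes)
        self.hits = defaultdict(deque)  # ip -> timestamps of accepted posts
        self.blocked_until = {}         # ip -> time at which the block lifts

    def allow(self, ip, now):
        """Return True if a post from `ip` at time `now` (seconds) is accepted."""
        if self.blocked_until.get(ip, 0) > now:
            return False                      # still inside a temporary block
        self.blocked_until.pop(ip, None)      # block expired, forget it
        q = self.hits[ip]
        while q and q[0] <= now - self.window:
            q.popleft()                       # drop posts older than the window
        if len(q) >= self.limit:
            self.blocked_until[ip] = now + self.block_for
            return False
        q.append(now)
        return True

def simulate():
    """Constructed scenario: a flood from one shared proxy address."""
    t = CommentThrottle()
    proxy, other = "192.0.2.10", "198.51.100.7"       # documentation ranges
    flood = [t.allow(proxy, s) for s in range(10)]    # 10 posts in 10 seconds
    return {
        "flood_accepted": sum(flood),
        "other_ip_ok": t.allow(other, 5),             # unrelated address
        "proxy_at_700s": t.allow(proxy, 700),         # block over, window full
        "proxy_at_4000s": t.allow(proxy, 4000),       # old posts aged out
    }

if __name__ == "__main__":
    print(simulate())
```

Because nothing here is permanent, legitimate users who share the proxy address can post again once the flood's entries age out of the window, which limits the collateral damage the post attributes to outright bans.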

June 9, 2006 11:07 AM

As a networking security consultant, I strongly oppose IP address banning for the reasons mentioned by Adam in his blog: 1. IP addresses are far too easily spoofed. I often demonstrate this to my clients by re-registering and posting new content after being banned and without using a proxy. 2. While detecting and eliminating proxies isn't difficult, it's impossible to detect and eliminate a NAT-based firewall, which can be configured to look like anyone. 3. Banning even one IP address can hurt tens, hundreds, even thousands of legitimate users. Banning ranges of IP address is violently aggressive, highly injurious to the Internet community as a whole, and should never be a policy of any website catering to large numbers of users. There are alternatives to IP address banning, including content readers. Most users are fairly well-behaved, and troublemakers make up a small percent. It's not a difficult task to install a content reader that compares content from recently banned members with that posted by new members. While it shouldn't be used alone as a criteria for banning, it can help support a decision based upon how well the two match with respect to the general vocabulary used, the grammar, and even the style of writing. The most effective way to keep things civil is to enforce standards with grace, and work with the users, helping those who're wayward to learn more about what's acceptable and what's not. Using buttons to automate some of the reminders and "lessons learned" greatly eases this task.

June 23, 2006 9:18 PM

What I would like to know is if any harm can be done to the internet community if you created a ban list of to on one server. With an allow list for a static IP range from a client server. Provided you included DNS to ISP in the allow range set and vice versa on the other server. This would in effect I think allow for two servers to travel the internet and yet be seen as a local LAN for connect intents. Anyone have thoughts? JT

July 17, 2006 10:53 PM

hi, where can I mask my IP address? I'm banned from a forum and I'd really like to go back :P. I just want to hide my IP address. my e-mail is d[REDACTED]3@yahoo.com if anybody could help it would make me giddy.

These are the last 15 comments. Read all 22 comments here.

This discussion has been closed.

© 1999-2022 Adam Kalsey.