Comments

Comments for Why IP banning is useless

Excerpt: Many proposals for eliminating comment spam are focused on banning or throttling comments from the IP address of the spammer. What those proposals fail to address is that IP addresses are neither unique nor hard to come by. Read the whole article…

Simon Willison
February 10, 2004 12:04 PM

I lost faith entirely in IP based blocking techniques when I read the source code for FloodMT: [URL deleted because it doesn't deserve publicity. If you want to find it, try Google. -- Adam]

Scott Johnson
February 10, 2004 1:55 PM

I've had a dynamic IP at my house since 1994. The majority of all other home users have a similar configuration. Because of this, I've never subscribed to IP banning measures. They just aren't effective.

Anders
February 11, 2004 3:08 AM

Agreed with all of the above, and a confirmation: in a recent crapflood attack (by FloodMT I guess, but not confirmable) the 2600 or so spams I received came from several hundred different IPs. MT Blacklist helped me clean up, but it was still a reasonably large manual effort. In another attack, I was systematically spammed with ~ 600 comments with apparently round robin stuffing of the URL fields with 68 unique domain names. (All can be found in my published blacklist, of course)

Phillip Marquez
February 11, 2004 12:40 PM

You missed another easy way to change your IP, (should open proxies disappear overnight) many home routers allow cloning of MAC addresses. It typically only takes a few tries while using a large ISP to pick a MAC address that gets a different dynamic IP. While not singularly useful to the average spammer, it just adds more complication to the mix.

ServMe
February 13, 2004 4:27 PM

While I agree that purely banning IP addresses is pointless, I think that having an updated list of open proxies and ban all users that use those from commenting could prevent script kiddies from comment flooding. After all, script kiddies do these things because they can, and the tools to do so are readily available. If 95% of all open proxy servers used by these scripts are blocked, it would be much less effective. Sure, they'll come up with something new, but in the mean time, I'd love options in MT3 that allow easy bulk manipulation of IP bans or automated checking and interacting with resources like spamhaus, spamcop etc.

Adam Kalsey
February 13, 2004 4:32 PM

That would be like trying to maintain a list of all ftp servers on the net. The sheer numbers and ephemeral nature make it impossible. It takes virtually no skill to set up an open proxy. They spring up and die off constantly. Many proxies are misconfigured, resulting in open access without the admin even knowing it. While you could easily set up a tool like MT-Blacklist to check the source IP of known spam to see if it's an open proxy, there are more proxies than you could possibly ban. And as I stated, open proxies aren't the only way to get a constantly-changing IP address.

Jim Dabell
February 16, 2004 2:14 PM

Masking your IP address isn't hard, but it does cause inconvenience and raise the bar for would-be spammers a little. But, as you say, it negatively affects people, so it's not very cost-effective.

A better solution might be to take a leaf out of email spam filters' books - a previously flagged IP address would make it "more likely" to be a spam comment, and you could take a number of other factors into consideration as well, such as comment length. Comments triggering a number of criteria could then be flagged for manual approval from an admin. For instance, an email with the word "Viagra" in will get past SpamAssassin. So will an email with a "click here to remove" link. But an email with both probably won't.

> This means that IP spoofing is ineffective in situations where you need to interact with a remote server, but very effective in a one-way conversation. I can't retrieve a Web page using a spoofed IP address because I need to make the request and then have the server send me the page. But I can send requests all day long if I don't care about the response.

That's not quite accurate. You still need to set up the TCP connection, which requires either receiving at least one of the packets, or guessing a sequence number. In the past, many operating systems have had easy to guess sequence numbers, but most modern stacks make it very difficult to do that nowadays.

theaardvark
February 18, 2004 2:34 AM

I've been crap flooded twice. The first time all comments came from the same IP address. The second time, all 157 comments came from different IP addresses and were attributed to different URLs. The only common link was the text in the comment. IP banning may have a part to play as a single weapon amongst a vast armoury. I agree that outright banning of IP addresses would prevent the use of commenting systems by some innocent parties. But restriction of comments from single IP addresses to say 3 per hour would have prevented the bulk of the first of the crap floods I suffered from. A comparison of comments to recent submissions would have prevented the second crap flood. If say, over 50% of the text is the same as a recent comment then it could be rejected. This would also prevent accidental double clicking of the submission button. The idea is not to make comment spamming impossible. The idea is to make it ineffective. Make them have to work so hard for the minimal benefit that they go somewhere else. Regardless, however hard we try to protect our own blogs, there are enough unmaintained (and therefore unprotected) blogs out there that spammers will probably always find targets to flood.

Mean Dean
February 18, 2004 10:06 AM

I find IP banning at the server level (.htaccess) only useful when I can confirm the disposition of the source as not a proxy, often an overseas entity, aren't a hosting company, and are using an unidentified or unwanted user agent. For example, many of the recent crap-flood attacks on my blog have been from Israel from a non-host provider where the user agent is obfuscated. So while I'm sad to block that group, I'm not losing a huge existing reader base. Otherwise, I find banning the ability to allow access to the blog, but to deny posting comments effective. I actually ran into the "other side" of just such a scenario. I emailed the individual running the blog. They had problems w/someone else from my IP. He posted my comment. I'll do likewise.

Brad Grier
February 19, 2004 11:23 AM

[Quote]"A comparison of comments to recent submissions would have prevented the second crap flood. If say, over 50% of the text is the same as a recent comment then it could be rejected. This would also prevent accidental double clicking of the submission button." [/Quote] Unfortunately a comparison of comments/recent submissions may mistakenly tag quoted text (as above) as spam. But, mixed with the other methods, frequency of posting, Hot words...etc, it could be another valuable tool.

theaardvark
February 21, 2004 10:23 AM

Brad, I hadn't considered that. Upping the comparison to 90% would overcome that problem but I guess it would weaken its usefulness as a tool to stop spammers.

frickaline
October 11, 2004 10:56 PM

[quote]While I agree that purely banning IP addresses is pointless, I think that having an updated list of open proxies and ban all users that use those from commenting could prevent script kiddies from comment flooding. After all, script kiddies do these things because they can, and the tools to do so are readily available. If 95% of all open proxy servers used by these scripts are blocked, it would be much less effective. Sure, they'll come up with something new, but in the mean time, I'd love options in MT3 that allow easy bulk manipulation of IP bans or automated checking and interacting with resources like spamhaus, spamcop etc. [/quote]

I like this comment. Sure, it has some holes, but it's a start. What if we took one problem at a time and started with this one? Perhaps a web crawler could scan the Internet for proxies and keep a master list of blocked proxies. Then I just need a script to read them in and apply them to my server on a daily basis. That might be a first step in waging this war.

ISP dynamic IP address assignment is still another problem, but it seems to me that it is a far less preferable method for the would-be spammer than a proxy. With respect to MAC address manipulation, this offers far less anonymity and if performed repeatedly, it is detectable by the ISP. Plus it requires some level of knowledge beyond a proxy site user. Imagine if they used an ethernet broadcast MAC by mistake!! With respect to dialup, I have no ideas there....yet.

Sarah
November 4, 2004 8:49 AM

I have been using CountryCheck.com to block anonymous proxy users and have found the number of spammers has reduced substantially.

NOONER
November 17, 2004 8:13 PM

I play ghost recon, and sometimes I get banned from a server from like cussing or something dumb, so I change my IP. But when ghost recon 2 comes out it will ban by CD key. Is there a proxy I can hide my CD key? Or anything I can do about it?

Jo Citizen
December 23, 2004 4:43 PM

On TCP/IP: You have to complete a three-way transaction to open a connection. Unless the target web server accepts UDP connections (and I cannot think of ANY that do), you have to complete the communication. Source address spoofing only works for ICMP, UDP, and raw IP (except for a few attacks that are aimed directly at the TCP stack). As to ways of blocking spammers... All you have to do is demand that people quoting text put something at the beginning (eg a > symbol or [quote]), and then you can implement rules like "90% the same OR 50% same and first 32 bytes the same". Not perfect, because a spammer could just put a tag on, but it's another possibility.
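A minimal sketch of the checks proposed in this thread, added here as an illustration (it is not code from any commenter or from Movable Type): theaardvark's limit of 3 comments per IP per hour, plus the rule "90% the same OR 50% same and first 32 bytes the same", applied after stripping quoted text. The class and function names are hypothetical, similarity is measured with Python's `difflib`, and the 32-byte prefix is taken as 32 characters.

```python
import difflib
import re
from collections import deque

QUOTE_BLOCK = re.compile(r"\[quote\].*?\[/quote\]", re.I | re.S)

def strip_quotes(text):
    """Drop [quote]...[/quote] blocks and '>' lines, then normalize case and spacing."""
    text = QUOTE_BLOCK.sub(" ", text)
    kept = [ln for ln in text.splitlines() if not ln.lstrip().startswith(">")]
    return " ".join(" ".join(kept).lower().split())

def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical text."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()

class CommentFilter:  # hypothetical name, not part of any blog software
    def __init__(self, per_hour=3, history=50):
        self.per_hour = per_hour
        self.recent = deque(maxlen=history)  # normalized text of accepted comments
        self.by_ip = {}                      # ip -> timestamps of accepted comments

    def check(self, ip, body, now):
        """Return ('accept', 'ok') or ('hold', reason) for manual approval."""
        stamps = self.by_ip.setdefault(ip, deque())
        while stamps and now - stamps[0] >= 3600:
            stamps.popleft()                 # forget posts older than one hour
        if len(stamps) >= self.per_hour:
            return "hold", "rate"
        norm = strip_quotes(body)
        for old in self.recent:
            ratio = similarity(norm, old)
            # "90% the same OR 50% same and first 32 bytes the same"
            if ratio >= 0.9 or (ratio >= 0.5 and norm[:32] == old[:32]):
                return "hold", "duplicate"
        stamps.append(now)
        self.recent.append(norm)
        return "accept", "ok"

if __name__ == "__main__":
    # Constructed sample: same text from two documentation-range addresses.
    f = CommentFilter()
    spam = "Cheap pills online, visit our shop today for the best prices anywhere"
    print(f.check("192.0.2.1", spam, 0))            # first copy
    print(f.check("192.0.2.2", spam + " now", 10))  # near-copy from another IP
```

Held comments go to a moderation queue rather than being rejected, and the quote stripping trusts the poster's own markers, so the tagging weakness noted in the comment above still applies.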

Dylan Smith
December 24, 2004 1:46 AM

"Posting a comment (or TrackBack) doesn't require interaction. I can send a comment in a POST or GET message and not worry about the response if I don't care about receiving acknowledgment that it was successful."

No you can't. You still have to establish a full TCP session (so have to go through the whole SYN/ACK sequence to do so). So forging the originating IP will not work.

Brad
December 28, 2004 8:03 AM

I agree with you guys, IP banning is not very effective. However, I did find something that is VERY effective when it comes to spamming!! If you code a security/turing code/number at the bottom of the form for the user to post comments in. If they don't match the security code exactly, the post will never be added. I use this on my client's websites all the time. He was spammed once, several hundred requests. So I simply added this security code to the bottom of the request page, and it stopped right away. This will stop any computer from automating requests, and will slow down manually submitted requests dramatically. I hope this helps some of you who are being spammed with requests!!

Sincerely, Brad Ciszewski

frickaline
October 28, 2005 6:20 AM

rofl ... I just tested countrycheck.com using an anonymous proxy and it failed to detect it. They thought I was really from Manila. Back to the drawing board ....

Cody
March 14, 2006 3:49 PM

I own a web hosting company, I have ip's banned for a certain period of time to deflect a ddos. If an attack is taking place, their ip will be banned if they go above so many connections. It doesn't matter if they have an anonymous ip either, they can use a thousand different ip's and their ip will be blocked for 10 minutes therefore deflecting a ddos attack. Now if you want to block an ip from a server entirely, I do agree it is pointless unless you use software that will not allow a visitor to your website using an anonymous proxy ;)

dr1819
June 9, 2006 11:07 AM

As a networking security consultant, I strongly oppose IP address banning for the reasons mentioned by Adam in his blog:

1. IP addresses are far too easily spoofed. I often demonstrate this to my clients by re-registering and posting new content after being banned and without using a proxy.
2. While detecting and eliminating proxies isn't difficult, it's impossible to detect and eliminate a NAT-based firewall, which can be configured to look like anyone.
3. Banning even one IP address can hurt tens, hundreds, even thousands of legitimate users. Banning ranges of IP address is violently aggressive, highly injurious to the Internet community as a whole, and should never be a policy of any website catering to large numbers of users.

There are alternatives to IP address banning, including content readers. Most users are fairly well-behaved, and troublemakers make up a small percent. It's not a difficult task to install a content reader that compares content from recently banned members with that posted by new members. While it shouldn't be used alone as a criterion for banning, it can help support a decision based upon how well the two match with respect to the general vocabulary used, the grammar, and even the style of writing.

The most effective way to keep things civil is to enforce standards with grace, and work with the users, helping those who're wayward to learn more about what's acceptable and what's not. Using buttons to automate some of the reminders and "lessons learned" greatly eases this task.

JT
June 23, 2006 9:18 PM

What I would like to know is if any harm can be done to the internet community if you created a ban list of 0.0.0.0 to 255.255.255.255 on one server. With an allow list for a static IP range from a client server. Provided you included DNS to ISP in the allow range set and vice versa on the other server. This would in effect I think allow for two servers to travel the internet and yet be seen as a local LAN for connect intents. Anyone have thoughts? JT

j.
July 17, 2006 10:53 PM

hi, where can I mask my IP address? I'm banned from a forum and I'd really like to go back :P. I just want to hide my IP address. my e-mail is d[REDACTED]3@yahoo.com if anybody could help it would make me giddy.

This discussion has been closed.


© 1999-2021 Adam Kalsey.