8

There is a site with IP blocking. When a client makes too many invalid attempts when guessing e.g. a password, then their IP address becomes blocked.

I've heard about IP spoofing and similar attacks. Can an attacker spoof their IP address and continue their attempts to guess passwords?

If it matters, site uses HTTPS and HSTS.

LarsTech
Andrei Botalov
    Yes, it is a trivial task to change your IP address using any number of methods, to access a service which you have been blocked from. – Ramhound Mar 19 '12 at 13:31

5 Answers

12

Essentially it depends on the attacker and what resources they have available. Ordinary home-users or attackers who aren't very dedicated might be deterred by source IP address blocking, but more advanced/determined attackers have a number of ways to get round this.

The obvious one is to use one of the wide range of proxy services available on the Internet. This includes things like Tor and Anonymizer.com. Since one of the goals of these services is to mask the source IP address of the user, they will bypass the block until the attacker tries enough attempts with a given IP and gets blocked again.

As an interesting aside, the attacker could cause a partial DoS to your application by going round enough of these sites, as any of your other users who make use of those services will be blocked, once you block the IP addresses belonging to them.

On top of online services, the attacker could do things like use Wi-Fi hotspots or college/university networks to get access to more source IPs.

So essentially this blocking would make things more awkward but wouldn't stop a determined attack.

Rory McCune
  • Home users: ip release/renew on their WAN link. – devnul3 Mar 22 '12 at 17:56
  • @devnul3 There's no guarantee that will work, my ISP gives a new IP address if you use a router with a new mac address or are disconnected for around 3 weeks. – R4D4 Mar 23 '12 at 10:57
  • @R4D4 I'm saying that if you get your IP blocked you can do that (possibly spoofing the external MAC, which most home routers support (and in some cases support RESTfully, so you can script it)) in order to bypass the block. I figured the YMMV was implied :) – devnul3 Mar 23 '12 at 15:23
6

It depends on the filtering policy. If it's an explicit deny, whereby only authorised users [and thus IPs] are added to a whitelist, it can be quite an effective layer of security.

In this scenario, an attacker would need to compromise an allowed host in order to connect to the site. The size and nature of the authorised user-base will determine how difficult this is. Sites which contain licensed content often use this type of access control.

Also note, this does not describe a bullet-proof security control. As such, it should be one layer of a greater defence in depth security model.

Where it's a blacklist configuration, the situation is much different. The other answers describe this scenario quite well.

lew
4

You can't simply spoof IPs when using TCP, since you need to be able to receive the response. Related: https://stackoverflow.com/questions/6081839/application-security-concerns-how-easy-is-it-to-fake-an-ip-address/6081911#6081911

You can however use relays of some sort. Proxies, Tor, ...

IP blocking gets pretty ineffective if the attacker has a botnet. That gives him many IPs.

CodesInChaos
0

Nobody here seemed to mention this so here's my 2 cents:

Dynamic IPs are used by a lot of ISPs. I have one, for example. This means that as soon as I reboot my router (which is trivial, just powering it off and on will do, and some people do power off theirs) I get a new IP address.

This also means that somebody else will get my old IP, so the guy will be blocked from your website for no reason. Also, it is possible to script all of this up, so if the "attacker" (read: script kiddie) knows how to craft a batch file, there goes your IP banning.

Bottom line: it is not only trivial to bypass this, but using it can even harm legit users.

0

Spoofing an IP address won't work very well for HTTPS since you need to make a proper 2 way connection first - you can't do that if the responses are getting sent to the wrong address.

People on most DSL connections can simply reboot their modem/router to get a new IP address. So they can keep trying. And botnets have hundreds of IP addresses to try from. So it doesn't do much to stop them.

It can also cause problems if someone decides to take advantage of the IP blocking. Some ISPs like AOL have all their customers behind NAT and going out to the internet on only a few IP addresses. Blocking one of those will prevent any other legitimate people from logging in. Same goes for most large offices and schools - a single IP address could really be 1000 users.

Grant
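One defensive pattern that follows from these answers, added here as example code (not from the thread or any named product): throttle failed logins by account as well as by source IP, with the per-IP limit set high enough that a NAT shared by many users is not blocked because of one bad actor behind it. The thresholds, clock handling and addresses are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed thresholds (assumptions, not from the thread): the per-IP limit is
# deliberately generous because one address may front a NAT with hundreds of
# users, while the per-account limit catches guessing that rotates source IPs.
IP_LIMIT, IP_WINDOW = 100, 600      # failures per source IP per 10 minutes
ACCT_LIMIT, ACCT_WINDOW = 5, 900    # failures per account per 15 minutes

class LoginThrottle:
    """Sliding-window failure counters keyed by source IP and by account."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable for deterministic tests
        self.ip_fail = defaultdict(deque)
        self.acct_fail = defaultdict(deque)

    def _prune(self, dq, window):
        cutoff = self.clock() - window
        while dq and dq[0] < cutoff:       # drop failures outside the window
            dq.popleft()

    def check(self, ip, account):
        """Return (allowed, reason); reason names which counter tripped."""
        self._prune(self.ip_fail[ip], IP_WINDOW)
        self._prune(self.acct_fail[account], ACCT_WINDOW)
        if len(self.acct_fail[account]) >= ACCT_LIMIT:
            return False, "account"
        if len(self.ip_fail[ip]) >= IP_LIMIT:
            return False, "ip"
        return True, ""

    def record_failure(self, ip, account):
        now = self.clock()
        self.ip_fail[ip].append(now)
        self.acct_fail[account].append(now)

def demo():
    """Constructed scenario: guesses against 'alice' arriving from rotating IPs."""
    t = [1_000_000.0]
    th = LoginThrottle(clock=lambda: t[0])
    for i in range(ACCT_LIMIT):            # each failure comes from a fresh IP
        th.record_failure(f"198.51.100.{i}", "alice")
        t[0] += 1
    rotated = th.check("198.51.100.99", "alice")   # new IP, same account
    other = th.check("198.51.100.99", "bob")       # same IP, other account
    t[0] += ACCT_WINDOW + 1                        # account window expires
    later = th.check("198.51.100.99", "alice")
    return rotated, other, later
```

A flat per-account deny can itself be abused to lock a legitimate user out, so production systems usually pair this with increasing delays or a CAPTCHA rather than a hard block.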