87

Why do people use IP address bans (e.g. to block a malicious user from an internet service) when IP addresses change often?

For example, we turn our router off every night so our IP address often changes in the morning. Furthermore, often a simple power-cycle is enough to change the IP address. Thus IP address bans are relatively ineffective.

On the other hand, banning IP addresses can cause a lot of grief for innocent users who are using the former IP addresses of a malicious user, and sometimes a range of IP addresses is banned thus causing the banning of innocent users to affect even more people.

So why are IP address bans still used?

P.S. I am referring specifically to long-term bans. I perfectly understand the advantages of short-term bans e.g. to put a block on a spam or DoS attack, or other situations where briefly disrupting the malicious traffic is beneficial.

Micheal Johnson
  • How else are people going to kick malicious users off their website? It's not like they can ban by user-agent or something... – Sakamaki Izayoi Aug 09 '15 at 19:00
  • I used to power down my router on a timer overnight, but I often *didn't* get a new IP address. I still would shut down the router except I'm currently using the ISP-provided one and it gets firmware updates at odd times in the night; power cycling during an update would brick it. Also I assume you're referring to a modem/router, not a router attached to a separate modem. – Chris H Aug 10 '15 at 09:07
  • You highly changed the nature of your question: there are 3 (for me) highly different approach of black listing @IPs. Hence some answers are now out of scope. You would better have submitted another question about *static black lists*. – dan Aug 10 '15 at 10:57
  • `"IP addresses change often"` if your ISP gives you a dynamic IP. But a ban works well (only) if it's a static IP. For example my previous provider gave me a static IP and it stayed the same for several years. But I agree that an IP ban doesn't work nowadays because there are very few ISPs with static IPs. (Why? Because there are more internet-connected devices than IPv4 IPs and the only practical way of giving them IPs is to use dynamic IPs... Still waiting for the next IP alternative, but please, not IPv6...) – Jet Aug 10 '15 at 12:38
  • @Jet You mean the only practical way of giving them all IPs is to use *NAT*. Dynamic IPs are still IPv4 addresses, same as the static ones. Except they don't always belong to the same device like a static one does. The network treats them the same, though (except for some blacklists...) – BenjiWiebe Aug 10 '15 at 12:49
  • @BenjiWiebe yes, but by "dynamic" I meant non-static global IPs – Jet Aug 10 '15 at 13:01
  • @Jet I knew what you meant. I'm just saying static IPs, dynamic IPs, are the same thing as far as the *Internet Protocol* goes. – BenjiWiebe Aug 10 '15 at 16:55
  • If you're asking about irc blocks, the fact that admins can assign arbitrary blocks has more to do with their decision making process than any formal information security practice. – bobstro Aug 10 '15 at 17:33
  • @Jet: How do you figure we will ever get the next IP alternative? What if every alternative gets the same reaction from a substantial amount of people that you just expressed for IPv6? – mtraceur Oct 23 '16 at 03:21

9 Answers

90

IP address bans have flaws as you mention, but I think the primary reason they are used is simply that there aren't really any better alternatives. Other identifying features, like browser user agent, cookies, browser fingerprint, etc. are even easier to spoof or circumvent. There are plenty of extensions you can use to change your user agent or fingerprint, and cookies can simply be cleared.

For example, we turn our router off every night so our IP address often changes in the morning. Furthermore, often a simple power-cycle is enough to change the IP address. Thus IP address bans are relatively ineffective.

The ease with which you can change your IP address depends heavily on the ISP. For instance, back when I had Verizon DSL, my IP address would change each time I turned the modem off and back on just like what you describe. But after switching to Comcast, my IP address has not changed for the entire two years I've been with them, even after multiple power outages and modem restarts. So the "router reboot" workaround won't necessarily work for everyone.

Another thing you should consider is that even if you're one of those people who can change your IP address with a reboot, you're likely still getting an IP address from a fairly limited pool of addresses. This is because ISPs generally don't assign addresses completely randomly; they divide their service area into smaller areas (e.g. neighborhoods), and then allocate a small range of addresses to assign to customers in each area. So if there was a really persistent and problematic user, a site administrator could ban the entire address range (though this could cause significant problems for other users as you mention).

Side note: It's worth mentioning that there are other ways of masking your IP address that get around this problem, like using a VPN service or Tor. Some sites, like Wikipedia, try to block all IP addresses of known public proxies to counter this.

On the other hand, banning IP addresses can cause a lot of grief for innocent users who are using the former IP addresses of a malicious user, and sometimes a range of IP addresses is banned thus causing the banning of innocent users to affect even more people.

Yes, IP address bans are a blunt tool and this is one of the problems inherent with them. This is especially the case when an IP address is shared by hundreds or thousands of users in the same building, or even a large part of an entire nation via carrier-grade NAT. It is the responsibility of site administrators to minimize the effects of IP address bans on legitimate users. Various measures can be taken - for instance, you could make an effort to identify IP addresses that are shared and make sure those IP addresses are only banned for short periods, or make it so that users with a certain minimum reputation can still log in from banned IP addresses and remain unaffected by them. If done right, IP address bans can be very effective at blocking unwanted users while having minimal impact on legitimate ones.

Peter Mortensen
tlng05
  • Less important, but still there: *temporary* IP bans are actually quite effective - if you only want to keep the user from the site for a while, the "restart the connection" workaround doesn't pay off all that much. Especially in the dial-up days when that could mean you'd have to pay for starting the connection again - my ISP charged by the hour, for example, and had a different rate for night calls, so if you wanted the connection all day, it was much cheaper to start in the night and keep it running. – Luaan Aug 10 '15 at 14:22
  • A growing problem with blacklisting an IP address is the use of Carrier-Grade NAT due to the IPv4 address shortage. Denying a single IP address from a carrier using CGN will deny thousands or tens of thousands of users. – Ron Maupin Aug 10 '15 at 14:49
  • In reference to your last paragraph, an example is that if StackExchange implemented IP-banning, they could allow users with greater than say, 100 reputation, to log in and avoid the ban. So those pesky university students who just spammed SE and got the whole university network banned wouldn't affect users like me who have at least 101 reputation as a 'trusted' user. – Chris Cirefice Aug 10 '15 at 15:03
  • To be clear, I hate (long term) IP bans because for the most part they are a major inconvenience to legitimate (good) users. But, how would a "selective" (long term) IP ban (as suggested) work. I mean, in order to identify the user to determine the users reputation, you have to allow them access (while not logged in) for an indefinite period of time (always/forever) so they can log in. – Kevin Fegan Aug 10 '15 at 18:30
  • @KevinFegan If you are banning IPs at the firewall level, then yes it would be pretty difficult. But "ban" doesn't have to mean preventing access entirely - for most websites, forums, etc. you can ban at the application level, so that banned IPs cannot make new accounts or posts but they can still browse the site or log in to prove reputation. – tlng05 Aug 10 '15 at 19:32
  • In that case we're talking more about a "stop posting junk on our forum" IP ban, which is common if a malicious user with a banned account is repeatedly creating new accounts. In the case of "stop flooding our server with traffic", it would be more common to ban at a firewall level (otherwise the server is still having to process the excessive traffic) but in such cases it is, from what I gather, more common to use a short-term ban to disrupt the traffic until more long-term action can be taken. – Micheal Johnson Aug 10 '15 at 20:20
  • To go along with "*there aren't better alternatives*" - the *threat* of an IP ban is sometimes enough for some users because they don't know exactly how it works. But obviously it depends on the user-base how effective that threat is. – DoubleDouble Aug 11 '15 at 19:00
  • To change your IP address if your ISP uses sticky IPs, change the MAC address of your router. – Chloe Aug 11 '15 at 22:11
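One way to implement the mitigations this answer lists (short bans for shared addresses, a reputation bypass, and blocking at the application level so banned clients can still read and log in). This is an added example, not code from the answer or from any site; the ban table, thresholds and the "shared network" list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Policy knobs (assumed values, not any real site's settings)
REPUTATION_BYPASS = 100          # users at or above this reputation ignore IP bans
SHARED_IP_MAX_BAN = 3600         # shared (CGNAT/campus) addresses: at most one hour
INDIVIDUAL_MAX_BAN = 30 * 86400  # single-household addresses: up to 30 days

# Constructed: ranges the operator has classified as shared by many users,
# e.g. a university NAT. In practice this list is built from logs and WHOIS data.
SHARED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Ban:
    network: ipaddress.IPv4Network  # a single host (/32) or a whole range
    created: int                    # unix seconds when the ban was issued
    duration: int                   # requested ban length in seconds
    reason: str


def effective_expiry(ban: Ban) -> int:
    """Cap the ban length. A ban that touches a shared network is cut to
    SHARED_IP_MAX_BAN so the many legitimate users behind that address
    are not locked out for long."""
    shared = any(ban.network.overlaps(net) for net in SHARED_NETWORKS)
    cap = SHARED_IP_MAX_BAN if shared else INDIVIDUAL_MAX_BAN
    return ban.created + min(ban.duration, cap)


def ban_decision(client_ip: str, reputation: int, now: int, bans):
    """Application-level gate for posting / account creation (reading is never
    blocked). Returns (blocked, explanation)."""
    ip = ipaddress.ip_address(client_ip)
    for ban in bans:
        if ip not in ban.network:
            continue
        expiry = effective_expiry(ban)
        if now >= expiry:
            continue                      # ban has run out; keep looking
        if reputation >= REPUTATION_BYPASS:
            # Established account posting from a banned address: let it through
            return False, f"{ban.network} banned but bypassed by reputation {reputation}"
        return True, f"{ban.network} banned ({ban.reason}) until {expiry}"
    return False, "not banned"


# Constructed ban table: T0 is an arbitrary issue time in unix seconds.
T0 = 1_439_200_000
SAMPLE_BANS = [
    Ban(ipaddress.ip_network("203.0.113.5/32"), T0, 30 * 86400, "repeat spam accounts"),
    # Requested for 30 days, but the range is shared, so it is capped to one hour
    Ban(ipaddress.ip_network("198.51.100.0/24"), T0, 30 * 86400, "campus spam wave"),
]

if __name__ == "__main__":
    for ip, rep, when in [("203.0.113.5", 0, T0 + 7200), ("203.0.113.5", 150, T0 + 7200),
                          ("198.51.100.77", 0, T0 + 600), ("198.51.100.77", 0, T0 + 7200),
                          ("192.0.2.1", 0, T0 + 7200)]:
        print(ip, rep, ban_decision(ip, rep, when, SAMPLE_BANS))
```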
19

Why do people use IP address bans when IP addresses often change?

A practical example which is a huge return on investment:

Because fail2ban (Wikipedia / fail2ban) is much faster and adaptive than the DHCP (Server Fault, correct DHCP lease) renewal latency of the ISP of an attacker or a stupid robot.

dan
  • You are right, but sometimes there is no DHCP for the last mile. For example PPP has its own (IPCP) protocol to provide an IP address. So, in case of PPtP VPN over Ethernet or PPPoE (both were pretty common in my country 10 years ago: VPN for home networks, and PPPoE for DSL/ATM) DHCP is not used. Same is true for PPP over modem (dial-up), if someone still remembers it. – user996142 Aug 12 '15 at 18:49
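The adaptive, short-lived ban this answer credits fail2ban with, reduced to its core: count failed logins per source address in a sliding window (fail2ban's findtime/maxretry) and ban for a fixed bantime. This is an added example, not fail2ban's own code; the jail values and the sshd-style log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings in fail2ban's terms (assumed values, not a recommendation)
MAXRETRY = 5                        # failures tolerated ...
FINDTIME = timedelta(seconds=600)   # ... within this sliding window
BANTIME = timedelta(seconds=3600)   # ban length once the threshold is hit

# Constructed sshd-style log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = """\
2015-08-10T10:00:01 sshd[812]: Failed password for root from 203.0.113.9 port 40001
2015-08-10T10:00:03 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 40002
2015-08-10T10:00:05 sshd[812]: Failed password for root from 203.0.113.9 port 40003
2015-08-10T10:00:07 sshd[812]: Failed password for invalid user test from 203.0.113.9 port 40004
2015-08-10T10:00:09 sshd[812]: Failed password for root from 203.0.113.9 port 40005
2015-08-10T10:00:10 sshd[812]: Failed password for root from 203.0.113.9 port 40006
2015-08-10T10:00:30 sshd[812]: Failed password for bob from 198.51.100.4 port 50001
2015-08-10T10:20:00 sshd[812]: Failed password for bob from 198.51.100.4 port 50002
2015-08-10T10:20:05 sshd[812]: Accepted password for bob from 198.51.100.4 port 50003
"""

# Only failed logins count; the source address is the IPv4 literal before "port"
FAIL_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .+ from (\d+\.\d+\.\d+\.\d+) port")


class Jail:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> expiry time
        self.events = []                    # ("ban", ip, iso_timestamp), in order

    def is_banned(self, ip: str, now: datetime) -> bool:
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def banned_at(self, ip: str, iso: str) -> bool:
        return self.is_banned(ip, datetime.fromisoformat(iso))

    def feed(self, line: str) -> None:
        m = FAIL_RE.match(line)
        if not m:
            return                          # not a failure line, ignore
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if self.is_banned(ip, ts):
            return                          # already blocked; the firewall drops it
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()                # forget failures older than findtime
        if len(window) >= MAXRETRY:
            self.bans[ip] = ts + BANTIME
            self.events.append(("ban", ip, ts.isoformat()))
            window.clear()


def process(log: str = SAMPLE_LOG) -> Jail:
    """Replay a log through the jail and return it for inspection."""
    jail = Jail()
    for line in log.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    jail = process()
    for event in jail.events:
        print(*event)
    print("203.0.113.9 banned at 10:30?", jail.banned_at("203.0.113.9", "2015-08-10T10:30:00"))
```

The second address fails twice but twenty minutes apart, so the window never fills and it is never banned; the first one is banned at its fifth failure and released automatically an hour later, with no manual list to maintain.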
12

IP bans are mostly used because there's not really any other better way to ban a user, especially if they're simply using your website. Yes, quite a lot of domestic IP addresses are dynamic (aka, they change every time the modem connects to the ISP), but really, how else are you going to get rid of a user, apart from physically finding them and stopping them that way:


If you are attempting to block a user's IP from connecting to your server via a client application (that you/your company made) installed on their machine, you have access to a whole wealth of information you can use to permanently ban someone without using their IP address, such as finding and using the serial numbers of their hardware as an ID (such as motherboard, or even MAC [although that's technically not a serial]). You can make it so that you can block off their ID if you don't want the user, and then they will have to replace their hardware (or use another computer) to access your service again.

Back to the question: ISPs also usually use a specific range(s) of IPs for dynamic IPs; if a user does indeed have a dynamic IP, you can almost bet they'll be using the same IP range again in the near future (or even the same IP).

An ISP could for example cycle between 123.46.7x.xxx, 47.91.43.xxx, and 93.41.235.xxx; using this logic, it is possible to simply ban the IP ranges that the user uses, but this will cause issues with other users using the same IP range.

In my time (mainly gameservers) I have seen that many system administrators misunderstand and think that every user has a static IP assigned to them, and don't realise that dynamic IPs actually exist. This, in itself, could be part of why IP bans are still used.

AStopher
  • I can certainly agree that a lot of admins are under the misconception that IPs are static, as it is assumed that by banning a single IP you will ban one user almost permanently (like, until they get a different ISP). – Micheal Johnson Aug 11 '15 at 06:49
  • I don't know that *any* admins are under the misconception that IPs are static. If their network is under some form of attack, their priority is to cut it off (presuming they don't want to watch it and gather intel first), and an IP ban is effective for that. Banning an IP address temporarily using a tool like fail2ban is a less blunt tool than banning it permanently. – Craig Tullis Aug 12 '15 at 16:29
  • +1 for relevant meme – YetAnotherRandomUser Jun 21 '18 at 01:43
  • @Craig I suppose it depends what level they are, if they're a professional then they are unlikely to misunderstand that not all IPs are static, however I can see why an amateur would misunderstand. – AStopher Jun 21 '18 at 08:09
8

There are some assumptions that you need to identify:

  • time
  • intent of the ban

IP address bans make no sense if they are intended to be a long-term solution, for reasons that you identify. In the short term (less than one day), they can be very effective.

When you need to deal with traffic-level issues then a short-term IP address ban works very well. Yes, the attacker could change their IP address easily, but an automated IP address banning system works well (and is commonly utilized). Again, this works when using short-term bans.

Your question appears to be concerned about long-term, account-issue bans. If that's true, then I can't help you. I can only guess that an architect who does this could not imagine a better way to deal with the problem and used a blunt tool.

Peter Mortensen
schroeder
  • Permanent IP bans can be very useful in specific instances. For example, say I run a product website and only ship to the United States. It might be worthwhile, based on my server logs, to ban blocks of IPs from Asia from where I see a lot of hack attempts coming. Yes, I know there are unusual edge cases like a customer who just happens to be traveling in Asia at the moment and wants to order the product for when he gets home but that might be worth the risk based on traffic patterns and hacking vulnerability. – Rick Chatham Aug 13 '15 at 19:44
  • You bet - and I do the same thing (geo-ip blocking). But the OP is asking about individual IP bans due to specific behaviour. – schroeder Aug 13 '15 at 19:47
5

Although they change, they change slowly over time. An unwanted visitor can be shut down in the short term by banning the IP address. If the ban is also only short-term, there's no overall accumulation of dead spots.

Peter Mortensen
ddyer
  • However I was talking about long-term bans (although never explicitly stated this in the question). – Micheal Johnson Aug 10 '15 at 06:41
  • Edited the question. – Micheal Johnson Aug 10 '15 at 06:46
  • But I have the feeling that many users who get some kind of "you are banned" nonsense when they visit a site will try again later only if they have no alternatives, especially users who are non-technical but to some extent worried about security (they are more common than we tend to think). Maybe IP bans "work" in the sense that from the website perspective the traffic quantity and/or quality improves, but from the perspective of the wrongly banned good users it sure isn't going to look like that. I wouldn't accept one single good user of my website to be told my website banned them. – SantiBailors Aug 11 '15 at 10:17
2

It would be perfectly reasonable to ban a range of addresses if there's no chance legitimate traffic will originate from those addresses. As you wrote:

[...] sometimes a range of IP addresses is banned thus causing the banning of innocent users to affect even more people.

You haven't elaborated on what sort of bans specifically, but for example, there's no reason consumer IP dial-up address ranges should be originating mail, so restricting their access makes sense if I'm concerned about spam. If you're not expecting remote users to access your system from any but a few locations, blocking other ranges will only reduce spurious traffic.

It would help if you could provide some more concrete examples of what exactly you're referring to. Bans on game servers are a lot different than blocking access to a commercial service.

bobstro
  • I'm talking for example about the classic situation of a legitimate IRC user being banned because a server op g-lined half an ISP's range of IP addresses due to one malicious user who kept rebooting their router. – Micheal Johnson Aug 10 '15 at 17:15
  • I wouldn't consider that an "information security" scenario, more like an arbitrary admin decision that could have been made for any number of arbitrary reasons, and primitive at that. – bobstro Aug 10 '15 at 17:30
  • it is surprisingly common – Micheal Johnson Aug 10 '15 at 20:22
  • It's common, sure. But the "why" is purely admin whim. Nobody here can say for sure what is on their minds when they do it. Your question seemed more interesting since it seemed you were asking about the viability/effectiveness of banning individual IP addresses as an *effective* security measure. What you're describing isn't, nor would anybody knowledgeable recommend the practices you've described, except for perhaps limiting access to a server that is under attack as a temporary measure. In such a scenario, it's a choice of lesser evils. – bobstro Aug 10 '15 at 20:34
2

Banning Static IP addresses

Static IP addresses were already mentioned and are one reason. They are already offered by some ISPs, and they might gain popularity as usage of IPv6 increases.

Banning Proxies

In your question you assume that users don't use proxies and can thus just change their personal IP address. But most attackers use proxies so that an attack can not be traced back to them, and they can't just get a new IP address for that.

Let's say that an attacker wants to perform a brute-force attack on your specific service. They collect 200 working proxies and start attacking. Let's say that each proxy is blocked for one hour after five attempts. That leaves 1000 guesses per hour, which isn't all that much. And if the IP address is blocked for a day, it's only 1000 guesses per day.

Or let's assume an attacker wants to do something more illegal than a bruteforce attack. They might want to set up their own proxy on a server they (anonymously) own or control, so they can make sure that the proxy doesn't log their attacks. Depending on the resources of the attacker, they may only have a very limited number of these proxies, and thus must abort their attack if all of them are blocked for malicious activity.

This reasoning also doesn't change for even longer-term bans. The longer the IP address is banned, the more security is gained, but legitimate users are also affected more. Personally, I wouldn't ban for more than an hour for services with a lot of users, but maybe the people who do have higher security needs.

Peter Mortensen
tim
  • "Static IP addresses were already mentioned and are one reason. They are already offered by some ISPs, and they might gain popularity as usage of ipv6 increases." A malicious user is not likely to request a static IP address from their ISP lol. – Micheal Johnson Aug 10 '15 at 17:16
  • @MichealJohnson maybe they don't have a choice. Because their ISP doesn't offer dynamic IPs, because the wlan they are stealing doesn't offer it, because their roommate who is paying for internet needs a static IP, because they didn't think about it when signing their contract with their ISP, because their university doesn't offer dynamic IPs, etc. But I think that - at least for now - the second point I'm mentioning is more of a reason. – tim Aug 10 '15 at 17:26
  • The point that I was making is that it's no use saying that "IP bans are effective because more users are requesting static IPs", as those who ought to be banned are unlikely to request a static IP given the choice. – Micheal Johnson Aug 10 '15 at 20:21
  • @Michael Johnson, you seem to have misunderstood Tim's statement. He never said "more users are requesting static IPs." He only said they "might gain popularity as usage of ipv6 increases". Seems pretty unlikely that end users will even know or care. If static IPs do become more popular with IPV6, it will be due to ISP preference, not user demand. – barbecue Aug 10 '15 at 21:05
0

For example, we turn our router off every night so our IP address often changes in the morning. Furthermore, often a simple power-cycle is enough to change the IP address. Thus IP address bans are relatively ineffective.

This statement is not always true. Your ISP may provide you with a fixed IP address, and it does in some cases. Additionally, you may have no public IP at all (i.e. you use a proxy or source NAT). In this case your whole ISP network may be banned, so changing IP inside this network will not help.

There are several cases when an IP ban is a good solution:

  • An open proxy or open relay is available on some host. Any spammer may use it, so such an IP should be banned unless the network admin fixes this issue.
  • A huge network you are not interested in for sure. Imagine you are running a forum for your local community (people of your town). One day you face a spam attack from some country many thousand miles from you. You may ban the whole network (even by /8 mask!) because you are sure anyone from this country is a spammer. And you do not have the time to ban a million spammers in this country personally. Why should you spend your CPU and power on serving them even with a captcha?
  • Your hardware is poor, and someone DDoSes you. It will not save you in case of a REAL DDoS attack (because it will use millions of IP addresses all over the world), but may save you from a script kiddie with a 10-computer network.

But in general cases a "permanent ban by IP" does not work for public services. You should use a captcha, a temporary ban, or some other techniques to save yourself from spammers.

user996142
-4

Most IP addresses don't change automatically, so it's a good way to ban a user on your server because the IP address may change from "X.Y.Z.1" to "X.Y.Z.255", so after changing the IP address many times, you will be banned after your IP address returns to "X.Y.Z.1".

Kevin Fegan
  • Dynamic IP addresses do not necessarily change on the /8 block, and a decent number of IP addresses do, in fact, change automatically from time-to-time. In addition, it is possible to ban IP ranges... Any knowledgeable webmaster would block 1.1.1.0/8, not 1.1.1.1, 1.1.1.2, etc... Would -1 if I could. – Sakamaki Izayoi Aug 09 '15 at 19:47
  • @SakamakiIzayoi I too would -1 this – Micheal Johnson Aug 10 '15 at 06:44
  • @SakamakiIzayoi /8 means an 8-bit netmask. In other words, 1.1.1.0/8 covers 1.0.0.0 through 1.255.255.255. You probably meant /24, which would cover 1.1.1.0 through 1.1.1.255. – user Aug 10 '15 at 09:22
  • @MichaelKjörling I meant /8, as the user specifically typed "X.X.X.1" – Sakamaki Izayoi Aug 10 '15 at 17:18
  • @SakamakiIzayoi - when the user specifically typed "X.X.X.1", I see that as meaning a range of IP addresses where the first three parts of the IP address don't change, and the third part can be anything (0-255). So, something like "10.09.08.00" through "10.09.08.255". This sort of a range is "/24" (which used to be called "C-Class"), not "/8". – Kevin Fegan Aug 10 '15 at 19:00
  • I thought the user was referring to the /8 block changing by the 3 leading Xs, not the last digit (/24). Apologies. – Sakamaki Izayoi Aug 10 '15 at 19:03
  • @KevinFegan 10.9.8.0/24 was not a class C in classful routing; it was a small portion of the class A network we now refer to as 10.0.0.0/8. When the first octet had the value 0 through 127, that was a class A network, equivalent to a /8 in classless routing. – user Aug 10 '15 at 19:53
  • @MichaelKjörling - I am in no way an expert on networks, so before I posted my comment, I did a Google search to research it and found this page: http://www.netfilter.org/documentation/HOWTO/networking-concepts-HOWTO-4.html. That page indicates that "/24" used to be called "C-Class". Perhaps they are wrong. While relatively unimportant (probably even irrelevant), I just mentioned that "fact" in my comment. My apologies if that's wrong. – Kevin Fegan Aug 10 '15 at 20:23
  • @SakamakiIzayoi - I do understand... That point was not exactly clear in the user's post since using "X" everywhere infers all 3 "X"s could be anything. It's a bit more clear in full context, but it would have been better if the user had posted it something like: **`"X.Y.Z.0"`** through **`"X.Y.Z.255"`**. – Kevin Fegan Aug 10 '15 at 20:31
  • @KevinFegan It's a commonly held misunderstanding (and/or oversimplification) that (for example) "class C" simply meant a network mask length of 24 bits. Class C addresses were IP addresses that began with 110 binary (first octet 192 through 223), and this range was subdivided into 2^21 networks of 2^8 hosts each. (3 + 21 + 8 = 32 bits of IP address.) https://en.wikipedia.org/wiki/Classful_network#Introduction_of_address_classes has a summary, and [RFC 791](https://tools.ietf.org/html/rfc791) (see page 24) is the authoritative reference. – user Aug 10 '15 at 20:35
  • Many years ago they used classes to find the mask (how many bits are for network and how many are for host). I.e.: if you have "192" as the first byte, then it is "class C" and you use 24 bits for network and 8 for host. But since 1993 they invented "classless domain routing". They now provide the mask directly as a number of bits for network (i.e. "/24"), so you should not say "C class" now. But some people still say "class C" instead of "/24". – user996142 Aug 12 '15 at 18:37
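The /8 versus /24 confusion in the comments above, and the "/8 mask" range ban from the previous answer, worked through in code: what a prefix length actually covers, how much collateral a range ban causes, and how the old classful rules derived the class from the leading bits rather than from a mask length. This is an added example, not from any commenter, using Python's standard ipaddress module; the client addresses are constructed.

```python
import ipaddress


def normalise_range(cidr: str):
    """Interpret a ban written as 'address/prefix' the way a router would:
    host bits are zeroed, so '1.1.1.0/8' is really 1.0.0.0/8. Returns
    (network, first address, last address, number of addresses)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (str(net), str(net.network_address), str(net.broadcast_address), net.num_addresses)


def classful_class(ip: str):
    """Derive the pre-CIDR (RFC 791) class from the leading bits of the first
    octet, and the default network length that class implied."""
    first_octet = int(ipaddress.ip_address(ip)) >> 24
    if first_octet >> 7 == 0b0:      # 0xxxxxxx  (0-127)   class A, 8-bit network
        return "A", 8
    if first_octet >> 6 == 0b10:     # 10xxxxxx  (128-191) class B, 16-bit network
        return "B", 16
    if first_octet >> 5 == 0b110:    # 110xxxxx  (192-223) class C, 24-bit network
        return "C", 24
    if first_octet >> 4 == 0b1110:   # 1110xxxx  (224-239) class D, multicast
        return "D", None
    return "E", None                 # 1111xxxx  (240-255) reserved


def caught_by_ban(ban_cidr: str, clients):
    """Which of the given client addresses a range ban would also block."""
    net = ipaddress.ip_network(ban_cidr, strict=False)
    return [c for c in clients if ipaddress.ip_address(c) in net]


# Constructed client addresses to measure a range ban's collateral damage against
CLIENTS = ["1.1.1.1", "1.1.1.200", "1.2.3.4", "1.255.0.9", "2.0.0.1"]

if __name__ == "__main__":
    for cidr in ("1.1.1.0/8", "1.1.1.0/24"):
        print(cidr, "->", normalise_range(cidr), "catches", caught_by_ban(cidr, CLIENTS))
    for ip in ("10.9.8.0", "172.16.0.1", "192.0.2.1"):
        print(ip, "classful:", classful_class(ip))
```

Note that 10.9.8.0 comes out as class A: under classful rules the class follows the first bits of the address, so a 24-bit block inside 10.0.0.0/8 was never a "class C", which is the point the last two comments make.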