

Ask HN: the risks of blocking IPs - mwsherman

So, I am seeing some obvious bots and exploits hitting my server. They don't pose an immediate problem yet -- they mostly get 404s as they search for known exploits.

My instinct is to block the IP addresses, but I am concerned that it might have the effect of blocking legitimate customers. Maybe the abuser is sitting in a Starbucks, for example, and I wouldn't want to ban the people at the next table. Ditto for a corporate firewall.

What has your experience been? Is blocking IPs a bit too brute-force? Has it ever caused a customer complaint?

Thanks. - Matt
======
bluesmoon
Here are a few things you can do:

1. Instead of blocking, throttle the IPs. Rate limit them to making no more
than 1 request every 30 seconds or so. Most script kiddies get fed up if their
attack gets painfully slow.

2. If you see a high rate of traffic coming from an IP, quarantine it for say
2-5 minutes (i.e., block all traffic from it) and after that time throttle it.

3. If you notice patterns in the IPs, e.g., they all come from the same block,
then redirect those IPs to a different box (you can set up a VIP to do this).
You can do what you want on this box (e.g., don't bother opening database
connections here), but the main thing is that your primary web server has all
its resources available to serving legitimate customers.

4. Never give an attacker any indication that you've noticed their attack. It
only makes it more fun for them and they'll persist longer. So, if you see
abusive traffic, don't return a 404 or a 403. Just return a regular 200 with a
cached version of your regular page.

------
Rust
If you block IPs, try to be as specific as possible. There was a popular site
I couldn't reach for months from my home connection, but full of info I liked.
I finally emailed the owner from work and found out that he had blocked my
entire class B (xxx.xxx) range due to spamming. This has happened more than
once, unfortunately.

My rule of thumb is to block small first, then wider based on the registrant
of that IP. Russia and China seem to have the most spam-bots running (or at
least the most aggressive), but as long as you block at the xxx.xxx.xxx level,
you shouldn't impact actual users very much.

Like barredo said though, include some information on your 403 page.

------
barredo
I always ban IPs. If they are bots, it is highly unlikely that real visitors
are sharing those IP addresses too.

Ban the IPs temporarily, say, a month, and put a message in your '403
forbidden access error page' saying sorry: "your IP is blocked because of
weird-things-happening-from-your-IP, if you are a customer you should check
for trojans or viruses on your computer and send us an email"

------
ScottWhigham
I've done IP blocking for about 5 years on my site and will continue to do so.
I put up a special page when the IP is blocked that has my phone number and I
explain, "Hey - this sucks for both of us. Here's the problem and one of the
possible reasons your IP might have been blocked. Those stupid spammers - it's
all their fault. If you are a human, we apologize and here's our phone
number." I get probably 2-3 calls a year.

Is this ideal? Of course not - bluesmoon's solutions are far more elegant. But
how much time will it take me to code/manage those solutions over the next
five years? Lots. How much more money will I have made as a result? Probably
none. So I made the choice to be more aggressive but to be humble on my
"You're blocked!" page and the customers that do call get it; they understand.

~~~
bluesmoon
Depending on scale, your method might end up being better. It all comes down
to a trade-off of effort. Will investing a bunch of time building
infrastructure now help you in the long run or can you wait 1-2 years before
you build that infrastructure?

For a startup that doesn't yet know if they're going to make it big or not, it
may well be worth it to delay the infrastructure and just put some heart
behind it :)

