IP Address Banning

[genebujold]

Before I begin, I would like to once again congratulate our forum's administrators and moderators - you're among the best in the business! This post is in no way whatsoever directed towards you or this board. Rather, it is my intention that it be used as an eye-opener for system administrators everywhere, hopefully so that they and Sun (makers of Java) can come up with a viable solution to this problem.

Thank you for your hard work - all of us really enjoy being here!

On with the post...

As a networking security consultant, I take very strong exception to the practice of IP banning. It's not a good practice, for several reasons.

Here's what happens: A user violates a board's rules, is warned, keeps violating, and is banned. The vast majority of bb software out there, including pbpBB, uses IP tracking to identify a user. This, direct from phpBB's website:

Easy to Use Administration Centre

- Extensive ban management, ban by email address, username or single/multiple IP address or hostname

- IP tracking of posts and posters

The administrator clicks the "ban user" button, and the bb software no longer allows anyone with that IP address to log on. Some software won't even allow the user to see the page!

Everything's fine, right?

Well, no. The administrator didn't really ban the user - he banned an IP address. Anyone who uses it, now or in the future, will no longer be able to access the board - and most Internet users today do not use static IP addresses!

That's right - the days of static IP addresses are long gone. Ever heard of DHCP? It was standardized more than a decade ago (Oct, 1993) under RFC 1541, and was revised four years later under RFC 2131.

Whether you're using dialup, broadband, or behind a corporate firewall, you probably have DHCP enabled and are allowing your ISP to supply you with an IP address every time you log on. If you're using an "always on" connection, like broadbad, whenever your computer is turned on, it requests and receives an IP address. Occasionally you'll get the same one you had last time - unless another user happens to be using it, in which case you'll get a different one.

Then there's NAT, which stands for Network Address Translation. NAT is increasingly being used to add more users behind corporate firewalls without having to obtain additional IP addresses, a problematic and contentious task. In addition, NAT is also used in the vast majority of personal and small office router-hubs and router-switches like those available from Linksys, Netgear, and Microsoft.

Here's how NAT works:

A NAT-enabled router has it's own IP address, and each user behind it has their own. When you surf the Internet, your request (mouse-click on a link) is sent to the router, which strips your IP address and substitutes it's own, and stores the translation in a log. Thus, it translates the network address. It then forwards the link to the URL which returns the requested web page - to the router. The router checks its log, finds the original requestor, and sends the page on it's way down to the particular user who requested it.

The problem is that the board doesn't know the user's IP address - all it knows is the router's address! So what happens? You ban the router - and all users behind it.

Not such a big deal if it's just a single home. But businesses could have hundreds, perhaps thousands of users behind NAT. While I admit the liklihood of having two users in the same corporation using the same board is pretty low, this can become problematic for other boards with much larger user base, or when the board's topic is central to a particular corporation's line of interest (like a computing bb banning IBM's main firewall's IP address).

Then there are those who administrators who realize that a user may obtain a different IP address each time he logs on so he bans the entire subnet (as in from www.xxx.yyy.1 to www.xxx.yyy.256).

Swell - he just denied access to 255 potential users.

Not smart.

What about users who're banned at public terminals, like a library? The library probably uses NAT, as well, and may even have all libraries in the county under a single NAT device. So, when you ban the IP address, you've just banned all users of all libraries in that area.

Not good at all.

There's got to be a better way!!!

Fortunately, there is - Java. Java applets can be written to do many different things, including reading the IP address and hostname of any machine on which the applet runs:

http://reglos.de/myaddress/MyAddress.html

The only problem with this is that it's a simple matter for a user to change his IP address and hostname! So it's not a very good tool for keeping a determined user banned for very long.

So what part of the computer is more permanent? A MAC address. As you may know, a MAC address is a unique address that's contained in your network interface card or modem.

http://www.webtropy.com/articles/Mac-Assignments.asp?MAC+Assignments

It's easy to see your MAC address in Windows NT or XP. Just type "ipconfig /all" (without the quotes) at the command (C:\) prompt. The MAC address is the one that says "Physical address."

Can Java be used to view a user's MAC address? Well, yes and no.

A few people have succeeded, but only for Windows machines running IE, and then, only when the machine's local security is set pretty low. If you're using other browsers or operating systems, it's probably not going to happen.

And there's the rub, folks. A board's administrator has a valid need to known who's really accessing his website, while users have a valid need to minimize security problems - and if your computer/firewall's settings are set low enough to allow websites to view your MAC address, you're probably wide open to all kinds of attacks.

One alternative would be to use a "trusted third-party" approach. This approach would allow users to sign up with ONE trusted third party, like Verisign, using verifiable personal information, such as a credit card (your address, phone, etc., will all have to be verified for a small fee, like $5 a month). You're then given an ID code and password. Each user would only be allowed one ID code.

When you logged onto the website, you would be redirected to a logon function run by Verisign, and would see their digital signature (I'm sure you've seen many of these when you've installed new software). Clicking on it would allow you to log onto Verisign, which would then pass a confirmation to the message board that says "yep - it's &7yGHgUf776r all right."

And that hash, &7yGHgUf776r, would only be generated between the board and Verisign when you first signed up with the board. Your hash for other boards would be different. Think of it as a unique number having three owners - you, Verisign, and the board.

The problem with this, however, is that who would want to use it? Although it would only add one extra step, users like their anonymity. Even though your identity would remain secret from the board (only Verisign would have it), most users and most boards would refuse to pay for it. And any board that said, "you can't sign up unless you register with Verisign" wouldn't be very popular!

So - back to Java. There's got to be a way to include the ability for Java to scan for an individual's MAC address, regardless of browser, operating system, or security setting, then create a hash of it, and send the hash to the website. A hash is created by running your MAC address through an algoritm - but you cannot run it backwards and obtain the MAC address. That way, your MAC address remains secure yet your computer can be correctly identified to the website - without revealing any personal information whatsoever, other than the fact that your computer is the same computer as it was yesterday, when you flamed the administrator and were banned.

Even so, the determined user would still be able to get around this simply by buying a new network card, and they're readily available for around $15.

As for the chucklehead who banned me from the other board because of a case of mistaken identity, I think I'll just get a second e-mail address, change the IP and MAC addresses of my router (yes, I can do that), my local subnet, and machine name and try signing up again. Unless he banned the entire subnet, it should work just fine, and he won't have a clue!

Then, after a while, I may just post this discourse under the thread which discusses technical issues and see how he responds - I see that it's one of his favorite threads...

[Bubba136]

While gene's dissertation was extremely enlightning, I wonder how many people our moderators have actually had to ban over the past three years? I bet the number is not that great. so, besides being a puzzle that perplexes the internet professionals and cries out to them "solution", is their really any worries here, mate? Granted, perhaps a better mouse trap would be great for the group, unless there is an immediate, dire need for solving gbj's dilemma, I think I would think that Jeff would continue to work as he is working and apply fixes to problems of more immediate concern (if any).

[Tom-NL]

Err, Gené. Isn't there a thing called "IP spoofing", and also a thing like "MAC spoofing" ? I can give you an URL, if interested ... While I do find the subject matter of this post interesting, I wonder if the average board user thinks the same. This is clearly a post to the board admins. Why not just send them a PM about this subject, or even better directly mail them (or rather: "him")?

[genebujold]

While gene's dissertation was extremely enlightning, I wonder how many people our moderators have actually had to ban over the past three years?

I think I would think that Jeff would continue to work as he is working and apply fixes to problems of more immediate concern (if any).

Probably very few have been banned from this board, which is why I said, "This post is in no way whatsoever directed towards [the moderators] or this board."

Err, Gené.

Isn't there a thing called "IP spoofing", and also a thing like "MAC spoofing" ? I can give you an URL, if interested ...

While I do find the subject matter of this post interesting, I wonder if the average board user thinks the same. This is clearly a post to the board admins. Why not just send them a PM about this subject, or even better directly mail them (or rather: "him")?

Thanks for the offer for links - however, I'm up to my ears as I am.

It's not just a post to the board admins. It's a post to the users, as well, as a resource you may need in the future, or an education tool if you find the topic coming up on other forums.

Believe it or not, I got the idea while reading through the Luxury Fashion Forums, of Emery's fame. For about 30 posts these fashion divas were going back and forth on the pros and cons of IP address banning! That and my recent experience prompted me to write this feature here. I then wrote a quick note there, then pointed to this feature.

Beside's - they're fashion divas - I would think they'd enjoy knowing about a board for high heels...

This is a resource - for you, for others, for anyone. If you ever were wrongly banned, you could use my post to help educate the administrators. It might not work - then again it might. If you liked the board from which you were wrongly banned, it would certainly be worth an e-mail.

It all depends on the administrator, and most administrators are willing to take a second look at a situation when it's politely brought to their attention.

[asdf174]

Thanks that was pretty informative. (I don't think I spelled that right.)

[WarrenB]

Thanks that was pretty informative. (I don't think I spelled that right.)

You spelled it properly.

[Firefox]

We've had to ban only a handful in three years. And that's usually just temporarily. A better way is email bans. They are selective and effective. OK, it's possible to keep signing up for new email accounts but people sonn get bored of the hassle of that. Unfortunately one doesn't need a valid functional email to sign up here. That feature was implemented to preserve people's privacy for those people who don't understand about web mail alias or can't be bothered to sign up for a web mail account. So, to encourage those people we have made life more difficult for ourselves in another way.

[chris100575]

In the time I've been here I've seen one member leave voluntarily, but don't remember anyone being banned. Guess things are working out nicely here! Chris

[Pam]

You will certainly be missed! Good luck and hope to hear from you soon Pam

[kneehighs]

Great post Gene....I was just banned at a forum too!