[besson3c]

I apologize for the other thread of mine where a particular individual was mentioned. I'm content to leave the discussion about this person alone, I made the point I wanted to make... I'm not interested in carrying on that particular line of debate.

However, I would very much like to know why firewall IP bans are unrealistic, just for my own curiosity? Like I said, I don't care about this individual, this is not some sort of request. Just wondering what the technical reasons are for this not working as I described for people in general?

If you would prefer for me to contact a mod privately, I'd be happy to, just don't know which mod would be best suited to field this question?

[Dakarʒ]

Oh, come on. Are you trying to antagonize the mods?

[Dork.]

Originally Posted by Dakarʒ 

Oh, come on. Are you trying to antagonize the mods?

No, he's trying to get information, since he runs his own forum and had to deal with a similar situation when a troll violated the only rule that place has. I think it's a reasonable question.

And even though I'm a poster on that forum, I'd like to think I have an objective view of the situation.

[Dakarʒ]

Well, you must be psychic, as he doesn't mention that reason anywhere in that post.

[Dork.]

Originally Posted by Dakarʒ 

Well, you must be psychic, as he doesn't mention that reason anywhere in that post.

I'm not psychic, I'm just supplying some additonal context to besson3c's request. Even if its not about the prior situation I mention, the fact that he runs his own forum should tell you that he does have a legitimate technical interest in this.

[Dakarʒ]

Here's context: He's brought this subject up here several times before and been repeatedly told its unrealistic and will not be implemented. So he might not be bringing this up out of innocent curiosity.

[Person Man]

Originally Posted by Dakarʒ 

Here's context: He's brought this subject up here several times before and been repeatedly told its unrealistic and will not be implemented. So he might not be bringing this up out of innocent curiosity.

Yes, and since he doesn't seem to want to use the search feature to look for himself, I went and did it for him.

Exhibit A. From this thread, from 2002:

Originally Posted by tooki

Originally Posted by theolein

You're free as an administrator to do what you like with these forums. Access is free and the users do not have any claims over you. Just ban him permanently. Every time he comes back with another username just ban him again. You could also modify your UBB code to detect his ip and ban that (you can do a range of ip's for him since I assume his isp uses ip pooling and compare those with other members here to see that no undeserving users get banned. Better still do this in your hosts file or in httpd.conf so that he won't be able to view the forums).Sooner or later he'll give up and go and bother some other forum. If he spams you, contact his ISP (aol in this case)and get him banned there. Spamming is against the toc's of almost all isp's.

If he goes to the trouble of still going around this, by going to someone else's computer for instance, you can get him for harrasment. Just make sure you keep a copy of all correspondence so that you're covered legally.

For all intents and purposes, there is no way to permanently ban someone -- we can disable an account, and you can't have more than one account for any given email address. Ca$h has been banned dozens of times, and each time he re-registers.... If we banned his IPs, we'd be banning all of AOL (not that that would necessarily be a bad thing!) or possibly the school he goes to. Meanwhile, we have contacted AOL dozens of times, but to them, the $25 a month he brings them more than offsets the annoyance he is to the rest of the internet.

Exhibit B: from this thread, from December 2006:

Originally Posted by Demonhood

Originally Posted by Kevin

Can't you just look at a IP range?

believe it or not, he's not the only one from his state and ISP that posts here.

There are others, but I'm not going to look for them. He can do his own search.

This is why I said IP bans do not work. This should provide the reasons the mods give for his question, whether he agrees with them or not. The mods have already decided NOT to use IP bans, and I fully agree with them.

It makes no difference whether a range is banned vs a single address, with an expiring ban or not. A single address when it has the potential to be given to more than one person is catching one too many innocent bystanders. Ones that could potentially become members, who then decide not to join the forum because of what is, to them, an unknown reason.

[Dork.]

Originally Posted by Dakarʒ 

Here's context: He's brought this subject up here several times before and been repeatedly told its unrealistic and will not be implemented. So he might not be bringing this up out of innocent curiosity.

Or maybe after researching it for a bit he thinks it's easier than the forum admins here have led on, and thinks that some discussion might be warranted that is not in the context of other members, which is how it was phrased in the past.

And if it turns out that he's misunderstanding something, I would think he'd like to know more about why he's misunderstanding it.

But I don't want to put words into his mouth any more than I have, so I'll stop now.

[Dakarʒ]

Originally Posted by Dork. 

Or maybe after researching it for a bit he thinks it's easier than the forum admins here have led on, and thinks that some discussion might be warranted that is not in the context of other members, which is how it was phrased in the past.

And if it turns out that he's misunderstanding something, I would think he'd like to know more about why he's misunderstanding it.

But I don't want to put words into his mouth any more than I have, so I'll stop now.

He thinks he's right and he's out to convince them.

End of story.

[Dork.]

Originally Posted by Person Man 

This is why I said IP bans do not work. This should provide the reasons the mods give for his question, whether he agrees with them or not. The mods have already decided NOT to use IP bans, and I fully agree with them.

It makes no difference whether a range is banned vs a single address, with an expiring ban or not. A single address when it has the potential to be given to more than one person is catching one too many innocent bystanders. Ones that could potentially become members, who then decide not to join the forum because of what is, to them, an unknown reason.

Fair enough, but besson3c didn't being the subject up either time, and the only thing he posted in the second thread was something inane. So I'm not exactly sure what Dakar3 is talking about.

[Dakarʒ]

The thread that just got locked (this morning?).

[Person Man]

Originally Posted by Dork. 

Fair enough, but besson3c didn't being the subject up either time, and the only thing he posted in the second thread was something inane. So I'm not exactly sure what Dakar3 is talking about.

I responded to this question from the original post in this thread:

Originally Posted by besson3c

However, I would very much like to know why firewall IP bans are unrealistic, just for my own curiosity?

[Dork.]

Originally Posted by Dakarʒ 

The thread that just got locked (this morning?).

Right. Did that thread get locked because it was about IP Banning, or because it was about a specific member?

[Dork.]

Originally Posted by Person Man 

I responded to this question from the original post in this thread:

Yes you did, and I agree with you, for what its worth.
Sorry if you got the wrong impression from my post.

[Dakarʒ]

Originally Posted by Dork. 

Right. Did that thread get locked because it was about IP Banning, or because it was about a specific member?

I imagine primarily for the latter, but Demonhood specifically mentioned in the lock that besson's suggestions had already been tried and did not work.

[Dakarʒ]

Here you go:

besson, we've already tried half of your suggestions from you original post, to little effect. the rest are simply too time consuming.

[besson3c]

Does it sound like I am? Just asking a question, not trying to be confrontational in the slightest way. Also thinking there is some potential for some constructive exchange of information here...

Like I said, this isn't about any one particular ban, I have no agenda here.

[besson3c]

Originally Posted by Person Man 

Yes, and since he doesn't seem to want to use the search feature to look for himself, I went and did it for him.

Exhibit A. From this thread, from 2002:



Exhibit B: from this thread, from December 2006:



There are others, but I'm not going to look for them. He can do his own search.

This is why I said IP bans do not work. This should provide the reasons the mods give for his question, whether he agrees with them or not. The mods have already decided NOT to use IP bans, and I fully agree with them.

It makes no difference whether a range is banned vs a single address, with an expiring ban or not. A single address when it has the potential to be given to more than one person is catching one too many innocent bystanders. Ones that could potentially become members, who then decide not to join the forum because of what is, to them, an unknown reason.

Any ISP has several different subnets and 255 addresses within each subnet. The chances of somebody both getting the same IP while it is active in the MacNN blocklist *AND* wishing to visit this forum is extremely remote.

Besides, AOL temporarily blacklists email originating from particular servers based on data it gets from various mail relay IP addresses, this affects a number of other users. Spamcop is predicated around users reporting offending IPs, often resulting in false positives or at least affecting other users. We had reports that Yahoo groups servers were compromises in the past, so a number of places blacklisted these servers.

The point is, welcome to the internet, when you are using shared resources this potential always exists. However, my examples all deal with email which is generally far more important and of higher profile than these forums. Getting bent out of shape over the mere *possibility* of a good IP becoming blocked, under the entirely hypothetical and unlikely circumstance that this happens is just misguided energy. This is a reasonable solution, as near as I can tell at the moment.

[besson3c]

Originally Posted by Dork. 

Or maybe after researching it for a bit he thinks it's easier than the forum admins here have led on, and thinks that some discussion might be warranted that is not in the context of other members, which is how it was phrased in the past.

And if it turns out that he's misunderstanding something, I would think he'd like to know more about why he's misunderstanding it.

But I don't want to put words into his mouth any more than I have, so I'll stop now.

This is accurate, thanks!

If I'm missing some information here, cool, I've been wrong before... No biggy.

[besson3c]

Originally Posted by Dakarʒ 

He thinks he's right and he's out to convince them.

End of story.

I do think I'm right based on the information I have at the moment, is this a surprise? Why would anybody make a suggestion of any sort if they thought it was inherently flawed from the get-go?

Like I said, if I'm wrong I'm wrong... I'm curious to know how I'm wrong though - not in a one-upmanship sort of territorial way, just genuine curiosity.

[Dakarʒ]

It's not that you think you're right. It's the fact that they don't agree with you and you won't let it go.

[Dakarʒ]

I apologize to the mods, I didn't realize my first reply would cause this avalanche.

[besson3c]

Originally Posted by Dakarʒ 

I imagine primarily for the latter, but Demonhood specifically mentioned in the lock that besson's suggestions had already been tried and did not work.

I didn't feel it was out of place to ask him to elaborate on this in a different thread. Since he felt the need to abide by the established MacNN rule, he needed to close the thread for that reason, fine.

For the record, I think it was fine that he closed the thread once it got into being all about Rob. I should have made my point about Rob privately. At the time, I suppose I thought that he would be a valid example and justification for the technical discussion. I was wrong, it clearly just was a launch point for bringing up Rob dirty laundry.

[Railroader]

Originally Posted by Dakarʒ 

I apologize to the mods, I didn't realize my first reply would cause this avalanche.

Welcome to my world.

[Dakarʒ]

Originally Posted by Railroader 

Welcome to my world.

"Ooo it burns nigga it burns"

[besson3c]

Originally Posted by Dakarʒ 

It's not that you think you're right. It's the fact that they don't agree with you and you won't let it go.

I know that they aren't entitled to provide me with a detailed rationale that addresses my arguments and the depth of this issue, but I can ask, can't I? I'm certain that I've never asked these questions directly in this manner...

[Peter]

why do you think its different banning them on firewall or on VB?
if you banned an innocent user on the firewall macnn wouldn't resolve, at least if they're banned by VB we can put a notice saying "please try again in a week" (hence why we dont IP ban)

[Kevin]

Doesn't matter. The problem isn't MacNN. Rob just needs serious help.

Somewhere along the lines someone didn't teach him he had to be responsible for his actions.

[besson3c]

Originally Posted by Peter 

why do you think its different banning them on firewall or on VB?
if you banned an innocent user on the firewall macnn wouldn't resolve, at least if they're banned by VB we can put a notice saying "please try again in a week" (hence why we dont IP ban)

That's fine, but what if you really wanted to deal with a particular individual such as the aforementioned for once and for all, and had no intentions in inviting him or her back?

By allowing them to even see the server and load these pages, they are getting some feedback. They will know that they have been banned, and may feel motivated to circumvent this ban by trying to acquire a new IP and/or nickname. If this forum (not all of MacNN, just this forum) simply disappeared to them without you telling them that you have decided to place a block on them, I think there would eventually tire of trying to reach the place, and wouldn't necessarily feel that they have been wronged and thus feel motivation to return without any feedback from the forum to fuel their fire.

You take away the prize, you take away motivation.

Of course, I do realize that a single IP wouldn't keep anybody away permanently, but like I said, it should take you guys much less time to put in a new firewall rule than it would for somebody to keep coming up with new IPs.

If you wanted to really take care of business, you could do a firewall MAC address block, although I'm not certain if a website is able to determine somebody's MAC address, I've never looked into this.

[besson3c]

Just did a quick search on firewall blocking MAC addresses for my own curiosity. There is no way a website/middleware language can determine MAC addresses, so scratch that...

[Wiskedjak]

and, IP blocking is very easily circumventable through several, free, proxy-IP services.

[Chuckit]

Originally Posted by besson3c 

Of course, I do realize that a single IP wouldn't keep anybody away permanently, but like I said, it should take you guys much less time to put in a new firewall rule than it would for somebody to keep coming up with new IPs.

How long does it take you to unplug your modem (or, alternatively, change your proxy settings)?

[besson3c]

Originally Posted by Wiskedjak 

and, IP blocking is very easily circumventable through several, free, proxy-IP services.

Why not block the proxy IP block? What reason does any legit forum user have for using a proxy IP? This sort of service sounds extremely shady anyway....

[besson3c]

Originally Posted by Chuckit 

How long does it take you to unplug your modem (or alternately, change your proxy settings)?

Many ISPs offer sticky IP addresses where the DHCP lease doesn't expire each time you go offline. In fact, I believe this is by far the most common DHCP server behavior now.

[Person Man]

Originally Posted by besson3c 

Why not block the proxy IP block? What reason does any legit forum user have for using a proxy IP? This sort of service sounds extremely shady anyway....

What???

Be glad you don't live in places like China, for instance...

[besson3c]

Originally Posted by Person Man 

What???

Be glad you don't live in places like China, for instance...

Huh? Are you saying that there are Chinese users here who rely on this service?

[Person Man]

Originally Posted by besson3c 

Huh? Are you saying that there are Chinese users here who rely on this service?

No, but you seemed to imply that all people using a proxy server were doing something shady.

China's censorship of the internet (and a few other countries) is legendary, which is why there are proxies that get around what has been termed the "Great Firewall of China."

Also, some people value their privacy and like to use anonymizing proxies as an extra layer to protect their privacy. (And no, not all of them have something to hide, either).

[OreoCookie]

Originally Posted by besson3c 

Many ISPs offer sticky IP addresses where the DHCP lease doesn't expire each time you go offline. In fact, I believe this is by far the most common DHCP server behavior now.

However, you can ask your provider for a new IP. Also, that won't help if somebody sits behind a router at university or so. So besson, don't you think we would have taken these steps already (years ago) if it were feasible? We don't need any more self-righteousness on this board.

[Person Man]

Originally Posted by OreoCookie 

Also, that won't help if somebody sits behind a router at university or so.

Ooh, good point. Some universities use NAT routers and for their dorm access and to the outside world, all the computers look like they're coming from one IP address. Ban that address, and you've cut off the university.

[besson3c]

Originally Posted by Person Man 

No, but you seemed to imply that all people using a proxy server were doing something shady.

China's censorship of the internet (and a few other countries) is legendary, which is why there are proxies that get around what has been termed the "Great Firewall of China."

Also, some people value their privacy and like to use anonymizing proxies as an extra layer to protect their privacy. (And no, not all of them have something to hide, either).

Fair enough, but I think in light of the difficulties and time spent on these ban evaders that blocking these services would still be a reasonable solution, do you agree?

[Person Man]

Originally Posted by besson3c 

Fair enough, but I think in light of the difficulties and time spent on these ban evaders that blocking these services would still be a reasonable solution, do you agree?

Perhaps. But it almost seems like too much trouble than it's worth. Anyone can set up a proxy, and then you're back to square one.

Example: You ask a friend to set up a Circumventor proxy for you. He uses his home IP address. Ban that address, and it's like banning a single address on an ISP again. Still could catch (however small the chance) other people.

[besson3c]

Originally Posted by OreoCookie 

However, you can ask your provider for a new IP. Also, that won't help if somebody sits behind a router at university or so. So besson, don't you think we would have taken these steps already (years ago) if it were feasible? We don't need any more self-righteousness on this board.

At this university, dorm routers are banned for security reasons, and each public machine has its own IP... I've never heard of a provider that allows users to change their IP whenever they want, what makes it worth it for them to provide this service, I wonder? Do you believe that this service is common? I realize that my solution is not bulletproof, but it seems like you have a problem if the guy I sense you would like to be rid of can create himself another account within minutes of being banned. This doesn't seem like any solution either...

What's with the little dig there at the end? Who is being self-righteous? I'm just trying to determine the full rationale here, which has not been offered AFAIK. How can I be self-righteous if I don't know what I'm being self-righteous against exactly? Why assume such a thing?

[Dakarʒ]

That's 6 question marks.

[besson3c]

Originally Posted by Person Man 

Perhaps. But it almost seems like too much trouble than it's worth. Anyone can set up a proxy, and then you're back to square one.

How can anyone setup a proxy? These IP addresses need to come from somewhere - assigned from some source, some netblock owner. If there are really rogue services out there that provide such a service (which can be used for several different malicious purposes), they can be isolated and dealt with, no?

[Wiskedjak]

Originally Posted by besson3c 

Why not block the proxy IP block? What reason does any legit forum user have for using a proxy IP? This sort of service sounds extremely shady anyway....

Shady or not, these services are very easy to acquire and difficult to block. There are even a few Firefox plugins to make things simpler.

[OreoCookie]

besson, even `nobody' is mentioned here in this thread, it's clear that you're referring to Rob, so don't play coy with me here.

Also, most universities have WLANs and many of them (e. g. here at UC Berkeley or at home in Munich) don't used fixed IPs (which aren't shown externally anyway, coz you're behind a WLAN router). Also, even if somebody were to used a fixed IP at a university, it wouldn't necessarily mean it's that user's machine (e. g. computer labs, shared office computers). Also, there are plenty of anonymizers available (designed to protect your privacy). Again, if it were that easy, we probably would have done it already a long time ago. There has to be a reasonable balance between the measures you take and the effects it has.

[Wiskedjak]

Originally Posted by besson3c 

How can anyone setup a proxy? These IP addresses need to come from somewhere - assigned from some source, some netblock owner. If there are really rogue services out there that provide such a service (which can be used for several different malicious purposes), they can be isolated and dealt with, no?

Collusion E-zine - Proxy IP Spoofing

[Dork.]

Originally Posted by OreoCookie 

besson, even `nobody' is mentioned here in this thread, it's clear that you're referring to Rob, so don't play coy with me here.

So now there's a problem if besson3c asks any questions at all about IP blocking here, because you'll assume it's really code for him talking about another member?

I was telling the truth about the user he had to ban from the other forum. He's had to look into this stuff recently, so I imagine that prompted his line of inquiry just as much as anything that happened here.

[besson3c]

Originally Posted by OreoCookie 

besson, even `nobody' is mentioned here in this thread, it's clear that you're referring to Rob, so don't play coy with me here.

Also, most universities have WLANs and many of them (e. g. here at UC Berkeley or at home in Munich) don't used fixed IPs (which aren't shown externally anyway, coz you're behind a WLAN router). Also, even if somebody were to used a fixed IP at a university, it wouldn't necessarily mean it's that user's machine (e. g. computer labs, shared office computers). Also, there are plenty of anonymizers available (designed to protect your privacy). Again, if it were that easy, we probably would have done it already a long time ago. There has to be a reasonable balance between the measures you take and the effects it has.

Fair enough... If you feel that this is a common obstacle for members here (I don't know either way), thank you for explaining this.

However, what has happened when you've historically tried this for some users? Have you found that people commonly are behind WLANs or are happy to jump on another computer or something? Have many different IP addresses have users gone through, approx?

I think I have been pretty transparent in having Rob in mind, but all of this would apply to any ban evader in the past, prevent, or future, so I don't see the point in getting bogged down in whatever rule number it is that I'm sure you have in mind. The design of that rule is to keep members from bringing up dirty laundry and all of that stuff, right? Well, I have no beef with Rob in particular. The source of irritation is in the exploitation of this weakness, which is something any other member could get in on too.

[besson3c]

Originally Posted by Wiskedjak 

Collusion E-zine - Proxy IP Spoofing

How does this address my questions? Yes, people can find some rogue routers to hide behind, but these routers still face the internet with an IP or set of IPs that can be used to establish firewall rules, right?