IP Based Protection Against Malicious Activities

IP-based protection means that certain activities or traffic are filtered by IP address according to some kind of list. There are many kinds of lists, such as spam lists or general bad-behaviour lists, and they can be used for many purposes, such as fighting spam or improving website security. When weighing the pros and cons of such lists and their usage, follow these rules:

  1. False positive tolerance. The question is how reliable your service needs to be and whether false positives are an acceptable risk. For example, if you maintain the mail servers of a world-trading company, having potential customers blocked by any means would not be an option. Generally, mass lists are prone to false positives, especially when they block whole networks.
  2. List usage. Avoid relying entirely on a black / white list for the user experience. Always give an escape option in case a user is accidentally trapped in a list. For example, if you decide to deny users access to your site based on a list, send them to a page which explains what the problem is and how to amend it. Just blocking them with no explanation can't be right.
  3. Overall purpose. If your purpose is generally to block spammers, spam lists might help. Spamhaus, SpamCop and others have been in the business for so long that they can help, even at the cost of incorrectly blocking some home DSL users. Generally, any malicious activity which relies on heavier traffic or resource usage (such as spamming or flooding) can be tracked and blocked, because it is impossible to consume a lot of bandwidth or CPU without being spotted. On the other hand, compromising a website requires far fewer resources and can be performed through any kind of internet connection or proxy. Thus mass lists are much more reliable for fighting spam than for ensuring website security.
  4. Resource usage. Large IP lists consume a lot of resources when deployed. Even if you use the most lightweight filtering technology, such as iptables, a chain of a million IP rules will eat up gigabytes of memory and a huge number of CPU cycles. Not to mention that any more sophisticated use of a list in a programming language can be devastating to performance. That's why IP lists are totally unsuitable for defence against flooding, where the list has to be examined at high frequency.
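A compact illustration of rules 2 and 4, added here and not code from the original post: a CIDR block list built on Python's ipaddress module whose lookup cost depends on the number of distinct prefix lengths rather than the number of entries, an allow-list escape hatch for a host caught inside a listed network, and a decision that hands the list and network names to an explanation page. The BlockList and decide names, the /blocked path and the sample networks are constructed for this example.

```python
import ipaddress
from collections import defaultdict

class BlockList:
    """CIDR block list: lookup cost grows with the number of distinct prefix
    lengths, not with the number of entries (no linear scan per request)."""

    def __init__(self, name):
        self.name = name
        # (ip version, prefix length) -> {masked network int: network object}
        self._by_prefix = defaultdict(dict)
        self._allow = set()  # exact addresses exempted from every entry

    def add(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        self._by_prefix[(net.version, net.prefixlen)][int(net.network_address)] = net

    def allow(self, ip):
        """Escape hatch for a host caught inside a listed network (false positive)."""
        self._allow.add(int(ipaddress.ip_address(ip)))

    def match(self, ip):
        """Return the listed network containing ip (as a string), or None."""
        addr = ipaddress.ip_address(ip)
        n = int(addr)
        if n in self._allow:
            return None
        bits = addr.max_prefixlen
        # longest prefix first: one dict probe per distinct prefix length
        for (ver, plen) in sorted(self._by_prefix, key=lambda k: -k[1]):
            if ver != addr.version:
                continue
            mask = ((1 << plen) - 1) << (bits - plen)
            net = self._by_prefix[(ver, plen)].get(n & mask)
            if net is not None:
                return str(net)
        return None

def decide(lists, ip):
    """Allow, or block together with what an explanation page needs to show.
    The /blocked path is an assumed location for such a page."""
    for bl in lists:
        hit = bl.match(ip)
        if hit is not None:
            return {"action": "block", "list": bl.name, "network": hit,
                    "help": "/blocked?list=%s&network=%s" % (bl.name, hit)}
    return {"action": "allow"}
```

Sample usage: build a BlockList from a constructed feed, call allow() for any host you have verified as legitimate, and route a "block" decision to the help URL instead of returning a bare error.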
Finally, don't forget the worst enemy of internet safety: botnets. Large botnets rule over millions of hosts spread all over the world. Those hosts change constantly, and by the time one host is spotted two others have joined the botnet. Thus blacklists are no good against botnets at all.