Why do people use IP address bans when IP addresses often change?

IP address bans have flaws as you mention, but I think the primary reason they are used is simply that there aren't really any better alternatives. Other identifying features, like browser user agent, cookies, browser fingerprint, etc. are even easier to spoof or circumvent. There are plenty of extensions you can use to change your user agent or fingerprint, and cookies can simply be cleared.

For example, we turn our router off every night so our IP address often changes in the morning. Furthermore, often a simple power-cycle is enough to change the IP address. Thus IP address bans are relatively ineffective.

The ease with which you can change your IP address depends heavily on the ISP. For instance, back when I had Verizon DSL, my IP address would change each time I turned the modem off and back on just like what you describe. But after switching to Comcast, my IP address has not changed for the entire two years I've been with them, even after multiple power outages and modem restarts. So the "router reboot" workaround won't necessarily work for everyone.

Another thing you should consider is that even if you're one of those people who can change your IP address with a reboot, you're likely still getting an IP address from a fairly limited pool of addresses. This is because ISPs generally don't assign addresses completely randomly; they divide their service area into smaller areas (e.g. neighborhoods), and then allocate a small range of addresses to assign to customers in each area. So if there was a really persistent and problematic user, a site administrator could ban the entire address range (though this could cause significant problems for other users as you mention).

Side note: It's worth mentioning that there are other ways of masking your IP address that get around this problem, like using a VPN service or Tor. Some sites, like Wikipedia, try to block all IP addresses of known public proxies to counter this.

On the other hand, banning IP addresses can cause a lot of grief for innocent users who are using the former IP addresses of a malicious user, and sometimes a range of IP addresses is banned thus causing the banning of innocent users to affect even more people.

Yes, IP address bans are a blunt tool and this is one of the problems inherent with them. This is especially the case when an IP address is shared by hundreds or thousands of users in the same building, or even a large part of an entire nation via carrier-grade NAT. It is the responsibility of site administrators to minimize the effects of IP address bans on legitimate users. Various measures can be taken - for instance, you could make an effort to identify IP addresses that are shared and make sure those IP addresses are only banned for short periods, or make it so that users with a certain minimum reputation can still log in from banned IP addresses and remain unaffected by them. If done right, IP address bans can be very effective at blocking unwanted users while having minimal impact on legitimate ones.
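The mitigations described in the answer above (range bans, short bans for shared addresses, a reputation exemption) can be combined in one ban list. This is an added example, not code from the original post; the thresholds, the `BanList` class and the list of shared ranges are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

SHARED_BAN_SECONDS = 3600          # assumed: short ban for shared (CGNAT/office) addresses
DEFAULT_BAN_SECONDS = 30 * 86400   # assumed: longer ban for ordinary addresses
MIN_TRUSTED_REPUTATION = 500       # assumed reputation threshold that bypasses IP bans

# Constructed list of ranges treated as shared: 100.64.0.0/10 is the
# carrier-grade NAT block (RFC 6598), the second is a documentation range.
SHARED_RANGES = [ipaddress.ip_network("100.64.0.0/10"),
                 ipaddress.ip_network("198.51.100.0/24")]

@dataclass
class Ban:
    network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    expires_at: float

class BanList:
    def __init__(self):
        self.bans = []

    def ban(self, target, now):
        """Ban one address or a CIDR range; return the ban duration applied."""
        net = ipaddress.ip_network(target, strict=False)
        # Anything touching a shared range only gets the short duration.
        shared = any(net.overlaps(s) for s in SHARED_RANGES)
        duration = SHARED_BAN_SECONDS if shared else DEFAULT_BAN_SECONDS
        self.bans.append(Ban(net, now + duration))
        return duration

    def is_blocked(self, ip, now, reputation=0, logged_in=False):
        """Return True if a request from this address should be refused."""
        addr = ipaddress.ip_address(ip)
        # Drop expired bans so a recycled address is not punished forever.
        self.bans = [b for b in self.bans if b.expires_at > now]
        if not any(addr in b.network for b in self.bans):
            return False
        # Established accounts keep access even from a banned address.
        if logged_in and reputation >= MIN_TRUSTED_REPUTATION:
            return False
        return True
```

The reputation exemption only works if the login endpoint itself stays reachable from banned addresses, so the check belongs after authentication rather than at the firewall.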


Why do people use IP address bans when IP addresses often change?

A practical example which is a huge return on investment:

Because fail2ban (Wikipedia / fail2ban) is much faster and more adaptive than the DHCP (Server Fault, correct DHCP lease) renewal latency of the ISP of an attacker or a stupid robot.
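The mechanism the answer above relies on is a sliding window over authentication failures followed by a timed ban. The sketch below is an added example in Python, not fail2ban's own code and not part of the original answer; the constants are named after fail2ban's `maxretry`, `findtime` and `bantime` options with assumed values, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque

MAXRETRY = 3      # assumed: failures tolerated inside the window
FINDTIME = 600    # assumed: window length in seconds
BANTIME = 3600    # assumed: ban length in seconds

# Constructed sample: "<epoch seconds> <message>" in the style of sshd auth lines.
SAMPLE_LOG = """\
1000 Failed password for root from 192.0.2.10 port 4021 ssh2
1005 Failed password for admin from 192.0.2.10 port 4022 ssh2
1007 Accepted password for alice from 198.51.100.4 port 5100 ssh2
1010 Failed password for root from 192.0.2.10 port 4023 ssh2
1020 Failed password for root from 192.0.2.10 port 4024 ssh2
1900 Failed password for bob from 198.51.100.4 port 5101 ssh2
5000 Failed password for root from 192.0.2.10 port 4090 ssh2
"""

FAILURE = re.compile(r"^(\d+) Failed password for \S+ from (\d+\.\d+\.\d+\.\d+) ")

def process(log_text):
    """Return (events, banned_until) after replaying the log in order."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> epoch second when the ban lapses
    events = []
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue                # successful logins and other lines are ignored
        ts, ip = int(m.group(1)), m.group(2)
        if banned_until.get(ip, 0) > ts:
            # In a live setup the firewall rule would drop this before it is
            # logged; it is recorded here to show the ban holding.
            events.append(("dropped", ip, ts))
            continue
        window = failures[ip]
        window.append(ts)
        while window and window[0] <= ts - FINDTIME:
            window.popleft()        # forget failures older than the window
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            window.clear()
            events.append(("ban", ip, ts))
    return events, banned_until
```

On the sample, the ban lands ten seconds after the first failure and has lapsed by the time the same address shows up again at 5000, so a later holder of that address is not affected.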


IP bans are mostly used because there's not really any other better way to ban a user, especially if they're simply using your website. Yes, quite a lot of domestic IP addresses are dynamic (aka, they change every time the modem connects to the ISP), but really, how else are you going to get rid of a user, apart from physically finding them and stopping them that way?

If you are attempting to block a user's IP from connecting to your server via a client application (that you/your company made) installed on their machine, you have access to a whole wealth of information you can use to permanently ban someone without using their IP address, such as finding and using the serial numbers of their hardware as an ID (such as motherboard, or even MAC [although that's technically not a serial]). You can make it so that you can block off their ID if you don't want the user, and then they will have to replace their hardware (or use another computer) to access your service again.

Back to the question: ISPs also usually use a specific range(s) of IPs for dynamic IPs; if a user does indeed have a dynamic IP, you can almost bet they'll be using the same IP range again in the near future (or even the same IP).

An ISP could for example cycle between 123.46.7x.xxx, 47.91.43.xxx, and 93.41.235.xxx; using this logic, it is possible to simply ban the IP ranges that the user uses, but this will cause issues with other users using the same IP range.

In my time (mainly gameservers) I have seen that many system administrators misunderstand and think that every user has a static IP assigned to them, and don't realise that dynamic IPs actually exist. This, in itself, could be part of why IP bans are still used.
