IP Blocking
By Leo Vegoda
May 31, 2022
A network can fence its own IP addresses or block specific external ones from access. Administrators frequently block access to their own IP addresses to bar unwanted access to content. Individual IPs or blocks of IPs may also be blocked due to unwanted or malicious behavior.
Blocking Specific IPs
IP address blocking prevents a specific IP address or group of IP addresses from connecting with a server, computer, or application. In general, IP addresses are blocked to prevent unwanted or harmful sites or servers from connecting with an organization’s network, or an individual’s computer.
Alternately, all external access may be blocked. An example is blocking anyone on the Internet trying to reach my accounting server.
Blocking an Organization’s IPs
IPs inside an organization’s system can also be blocked. For example, a hospital can block internal IPs to protect confidential data from network users who shouldn’t have access to that information.
An outbound block is sometimes required, too. For instance, an accounting server, infected with a bot, may be blocked from trying to reach a command server.
Difficulties with IP Blocking
IP blocking becomes problematic when a person or company wants to block an address that’s part of a group. When you want to block a specific IP, the entire group of IPs it belongs to must also be blocked.
A good example is the country of Nigeria. Because so many Internet scams originate in Nigerian IP addresses, many – sometimes all – Nigerian IP addresses are blocked. And so, Nigeria’s legal businesses and Internet users have suffered as a result of mass IP blocking.
Common Reasons for Blocking IP Addresses
Scams are a common reason for IP address blocks but there are countless other reasons for blocking an IP address or group.
- Hackers: The goal of most hackers is to access proprietary information (business secrets) or confidential data (employee health and pay, or accounting records). If they were to gain access, valuable information might be compromised, credit card information stolen, or a ransomware attack might shut down a business.
- Bots: These typically infect personal computers and use them to amplify attacks elsewhere. For example, they routinely send spam or to try to guess passwords, etc.
- Confidential Data: Sensitive information warrants special attention. For instance, for general security, an enterprise network administrator might block all PCs used by accounting. To do so systematically, these desktops are given IP addresses in the range 10.100.11.0 – 10.100.11.255. Administrators then block access to any other address.
- Mail Server Spam: Spammers often send from the same IP repeatedly. To block these (sometimes dangerous) nuisances, their source IPs are recorded and blocked. There are Reputation Block Lists (RBLs) such as SpamHaus and SORBS that perform this function. They gather spam reports from many different mail servers and list IP addresses reported to have sent spam. Many mail server operators block all addresses on those lists.
- Viruses: On a well-secured company network, before an individual user is logged in and allowed access, anti-virus software scans the PC for the latest viruses. If infected, it may be quarantined to a private subnet that’s been blocked from the rest of the network. Once isolated, it can be patched and the virus removed.
- Limiting Access: It’s common for schools and businesses to block sites that they deem distracting, inappropriate, or harmful to the productivity of students or employees. This kind of blocking is usually done by name, using a service that categorizes sites, but some firewall administrators manually block specific IP addresses.
- Criminal Activity: If an IP address has a history of illegal activity, like illegal trade or dark web activity, many servers will block that IP address.
- Extensions: Web browsers can be enhanced with additional software, known as extensions, that perform a variety of tasks. Ad blockers are among the most common. Publishers who rely on advertising may block users (IPs) with ad blockers. This can apply to other extensions.
- Throttling: Throttling is limiting the bandwidth to an IP address. This could make a website or application slower for the blocked users. Sometimes companies might use this technique to manage network bandwidth, preventing one user from using all available capacity. For example, a video streaming service might limit all IP addresses to regular High Definition (HD) video instead of 4K on the night of a major video release so that their servers can keep up with a surge in demand that night.
How are IP Addresses Blocked?
Software known as a firewall blocks access based on IP addresses. These applications examine source and destination IPs in every packet of data on a network and compare each to its list of blocked addresses. If the packet matches an IP on the list, it simply discards the packet.
For instance, if a lot of spam is received from a mail server at one address, it may get added to a list. Other lists might include IP addresses that allow any inbound communication (vulnerable to exploitation), or IP addresses that have been used for botnet attacks. These collections of identified bad sources are commonly referred to as Reputation Block Lists, or RBLs. Network or server administrators may decide to block any IP address on certain RBLs.
A similar issue arises with IP addresses that are vulnerable to hijacking as open relays or proxies. These, too, are often included on lists of IPs to be blocked.
Being listed on an RBL lowers the value of IPv4 addresses. While RBLs aren’t universally implemented, inclusion on one or more of them results in an IP being blocked for those who do deploy the RBL.