All About IP Bans (They suck)
I've wanted to make this thread for a while but every time I write it I don't quite explain stuff correctly, so I'm just going to commit and hope it works...

We use IP bans to deal with people that evade steamid bans with alternate accounts. The principle behind this is that instead of banning an individual account, we ban a whole computer, so any alts fail to connect regardless of their ban status. Today I'm going to explain what exactly is happening when we IP ban someone, and why IP bans are actually less effective than regular bans when used incorrectly.

First off, computers have IP addresses. Just like a mailing address, IP addresses mark messages sent to and from computers. When a message is sent, just like a letter you would send in the mail, it is marked with the source address and destination address. When we ban an IP address, the server adds the IP to the IP ban list, and if a player connects from an IP address that is in the IP ban list, the server will kick the player. Notice how I said "if a player connects", as in, the player still connects to the server briefly. In order to kick the player because they are banned, they have to actually be connected first, otherwise what is telling them they are banned? Something important to note is that this is NOT a hard deny and IP bans are not a substitute for a firewall. Traffic can still reach our server, so trying to use an IP ban to stop a denial of service attack is useless.

So IP bans block the player's IP instead of their steamid. Great, right? Not quite, because IP addresses do not behave similarly to steamids at all. Let's talk about pitfall #1, network address translation. The standard that a large percentage of the internet still uses for network connectivity is called IPv4, which also defines what exactly an IP address is. IPv4 addresses are 32 bits, meaning they can represent 4.1 billion unique values. After the internet started booming in size, computer networking experts predicted that we would run out of IPv4 addresses if something wasn't done, so network address translation (NAT) was born. NAT is enabled on a router (a router in its simplest form is a boundary between two networks), and it represents multiple computers, each with a unique IP address, as a single device with one IP address. The details of how exactly this works aren't important; it gets hairy fast. This diagram explains it quite well:

[Image: unknown.png]
The issue here is that you are not banning a computer, you are banning the router that represents that computer, which could be representing other computers in that house. IP bans always have this collateral damage effect as long as the IP being banned represents multiple devices. This particular situation isn't really an issue, because the chance of two different people connecting to the server from the same house, with one of them getting IP banned, is very low. However, where it DOES become a big issue is with carrier grade NAT. Cell phone data service, wireless broadband service, and some cable internet services, due to the number of devices they have to provide connectivity to, do an additional layer of NAT to conserve IP addresses.
[Image: unknown.png]
Now, instead of banning a single house, we are banning whole neighborhoods. It's kind of like adding a whole town to a no-fly list because one terrorist came from there: not very fair and way overkill... but honestly acceptable for a temporary ban (if IP bans were temporary, that is, which they aren't, so this isn't acceptable). I haven't even talked about pitfall #2 though, which makes the IP ban all but useless.
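To make the NAT pitfall concrete, here is an added simulation (my own example code, not anything from the server or from Garry's Mod) of two homes behind one carrier-grade NAT connecting to a game server that keeps an IP ban list. All addresses are constructed: the LANs use 192.168.0.0/16, the carrier's inside space is 100.64.0.0/10, and the one public address comes from the 203.0.113.0/24 documentation range. The `Nat`, `GameServer` and `connect_through` names are mine. It also shows the earlier point that a banned connection still reaches the server and is only kicked afterwards.

```python
from itertools import count


class Nat:
    """Port-based NAT: every inside (ip, port) pair leaves with the single outside IP
    and a fresh outside port. Constructed toy model, not a real router implementation."""

    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self._ports = count(first_port)
        self.table = {}  # outside_port -> (inside_ip, inside_port), used for return traffic

    def translate_out(self, inside_ip, inside_port):
        outside_port = next(self._ports)
        self.table[outside_port] = (inside_ip, inside_port)
        return self.outside_ip, outside_port


class GameServer:
    """Server side of an IP ban: a kick after connect, not a firewall drop."""

    def __init__(self):
        self.ip_bans = set()
        self.seen = []  # every connect attempt that actually reached the server

    def ban_ip(self, ip):
        self.ip_bans.add(ip)

    def handle_connect(self, src_ip, src_port, steamid):
        # The packet has already arrived and been processed; only now is the ban list consulted.
        self.seen.append((src_ip, src_port, steamid))
        if src_ip in self.ip_bans:
            return "kicked: ip banned"
        return "connected"


def connect_through(server, nats, inside_ip, inside_port, steamid):
    """Send a connect from a LAN host out through a chain of NATs to the server."""
    src_ip, src_port = inside_ip, inside_port
    for nat in nats:  # innermost (home router) first, carrier NAT last
        src_ip, src_port = nat.translate_out(src_ip, src_port)
    return server.handle_connect(src_ip, src_port, steamid)


def simulate():
    # Constructed topology: home A and home B both sit behind the same carrier-grade NAT.
    carrier = Nat("203.0.113.5")
    home_a = Nat("100.64.12.7")
    home_b = Nat("100.64.30.2")
    server = GameServer()
    results = {}

    # The ban evader (home A) connects, misbehaves, and gets IP banned.
    results["evader_first"] = connect_through(
        server, [home_a, carrier], "192.168.1.10", 27005, "STEAM_0:1:1111")
    banned_ip = server.seen[-1][0]  # the only address the server can see
    server.ban_ip(banned_ip)
    results["banned_ip"] = banned_ip

    # The evader is now kicked, as intended...
    results["evader_again"] = connect_through(
        server, [home_a, carrier], "192.168.1.10", 27006, "STEAM_0:1:1111")
    # ...but so is a sibling on another PC in the same house...
    results["sibling_same_house"] = connect_through(
        server, [home_a, carrier], "192.168.1.11", 27005, "STEAM_0:0:2222")
    # ...and a stranger in home B, who shares only the carrier's public address.
    results["stranger_other_house"] = connect_through(
        server, [home_b, carrier], "192.168.1.10", 27005, "STEAM_0:1:3333")

    # All four attempts reached the server: an IP ban blocks nothing at the network edge.
    results["attempts_that_reached_server"] = len(server.seen)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Every connect arrives at the server as 203.0.113.5 with a different port, so the ban list can only ever hold the shared public address, and the sibling and the stranger are kicked along with the evader.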

DHCP, Dynamic Host Configuration Protocol, is a standard that allows computers to request an IP address from a DHCP server and have one assigned automatically. This is called dynamic IP addressing, which differs from static addressing, where you have to manually keep track of duplicate IP addresses. This protocol lets you connect to the wifi without having to manually set your IP address every time. DHCP is done on a lease system, so IP addresses are not kept permanently; the computer needs to maintain its lease by staying connected to the network. If the DHCP lease expires, it loses the address it had and has to request a new one.

This might not be so bad inside your house, but you would think that your internet provider sets static IP addresses for the router they give you, right? Wrong! Your router requests an IP address to use from your ISP's DHCP server, just like your computer requests an IP address to use from your house's DHCP server (which also happens to be your router). You might see the issue here. If I get IP banned and the DHCP lease on my router expires, I get a brand new IP address, and some poor schmuck across the city got my banned IP address. Depending on your service provider, your DHCP lease expires every day, every week, or if the device is disconnected for x amount of time.
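Here is an added simulation (again my own example, not code from the server or from any real DHCP implementation) of the lease problem: an ISP's DHCP pool hands out addresses with a one-day lease, a game server bans the evader's address, and after both routers sit offline past lease expiry the banned address is recycled to a neighbor while the evader comes back on a clean one. The pool addresses, MACs and the `IspDhcp`/`GameServer` names are constructed; the allocator's "lowest free address first" rule is a simplification, not a claim about any particular ISP.

```python
import ipaddress

LEASE_SECONDS = 24 * 60 * 60  # constructed: a one-day customer lease

EVADER_ROUTER = "aa:aa:aa:aa:aa:aa"    # constructed MAC addresses
NEIGHBOR_ROUTER = "bb:bb:bb:bb:bb:bb"


class IspDhcp:
    """Toy DHCP server for an ISP's customer-facing address pool."""

    def __init__(self, pool, lease_seconds=LEASE_SECONDS):
        self.pool = sorted(pool, key=ipaddress.ip_address)
        self.lease_seconds = lease_seconds
        self.leases = {}  # ip -> (client_mac, expires_at)

    def _expire(self, now):
        # Expired leases go back to the free pool; nothing remembers who had them.
        for ip, (_, expires_at) in list(self.leases.items()):
            if expires_at <= now:
                del self.leases[ip]

    def request(self, client_mac, now):
        """A router asks for an address at time `now`; returns the address it is given."""
        self._expire(now)
        for ip, (mac, _) in self.leases.items():
            if mac == client_mac:  # renewing an unexpired lease keeps the same address
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        for ip in self.pool:  # otherwise the lowest free address is handed out
            if ip not in self.leases:
                self.leases[ip] = (client_mac, now + self.lease_seconds)
                return ip
        raise RuntimeError("address pool exhausted")


class GameServer:
    def __init__(self):
        self.ip_bans = set()

    def ban_ip(self, ip):
        self.ip_bans.add(ip)

    def connect(self, src_ip):
        return "kicked: ip banned" if src_ip in self.ip_bans else "connected"


def simulate():
    dhcp = IspDhcp(["203.0.113.10", "203.0.113.11"])  # constructed two-address pool
    server = GameServer()
    day = LEASE_SECONDS
    events = {}

    # Day 0: both routers lease an address; the evader gets IP banned.
    evader_ip = dhcp.request(EVADER_ROUTER, now=0)
    neighbor_ip = dhcp.request(NEIGHBOR_ROUTER, now=0)
    server.ban_ip(evader_ip)
    events["day0_evader"] = server.connect(evader_ip)
    events["day0_neighbor"] = server.connect(neighbor_ip)

    # An hour later the evader's router is still online and renews: same address, still banned.
    events["renewal_keeps_ip"] = dhcp.request(EVADER_ROUTER, now=3600) == evader_ip

    # Both routers are then offline past expiry (constructed: a neighborhood outage),
    # so neither renews. The neighbor's router comes back first and takes the lowest free address.
    neighbor_ip2 = dhcp.request(NEIGHBOR_ROUTER, now=day + 3600)
    evader_ip2 = dhcp.request(EVADER_ROUTER, now=day + 7200)
    events["day1_neighbor_ip"] = neighbor_ip2
    events["day1_evader_ip"] = evader_ip2
    events["day1_neighbor"] = server.connect(neighbor_ip2)  # inherited the banned address
    events["day1_evader"] = server.connect(evader_ip2)      # the ban no longer applies
    return events


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The ban list never changed, yet after one lease cycle it kicks the neighbor and lets the evader straight back in, which is exactly the recycling problem described above.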

To wrap up, two issues with IP bans:
1. Because of Network Address Translation, issuing an IP ban causes collateral damage. Very rarely will you be banning an individual computer; at the very least you will be banning an entire home, if not an entire geographic location such as a neighborhood or town.
2. IP addresses do not stay "attached" to the same person for very long, so IP bans will never permanently ban the person you want them to. Sure, the IP is banned, but since people get new IP addresses so often, the IP you banned just gets recycled and assigned to a different person, so that person is now banned instead.

IP bans are not "super bans"; they are actually less powerful than steamid bans and serve only one purpose: temporarily banning someone who is alt evading. They are less effective than a regular ban in any other circumstance.

Anyway, I hope that was informative somehow. Thanks for reading.
