Load balancing proxies might conceal commenter's IP address about textpattern HOT 9 CLOSED

From r.wetzlmayr on July 08, 2009 04:39:33

This issue was closed by r3247 .

Status: Fixed

from textpattern.

From r.wetzlmayr on August 01, 2009 17:19:09

X_HTTP_FORWARDED_FOR is spoofable and thus an untrusted source to base IP-based bans
upon.

Status: Confirmed
Owner: ---

from textpattern.

Banning based on IP address will become more problematic in the future:

The largest ISP in the Netherlands has started using DS-Lite for new customers, which means you're getting an IPv6 range + a single private range IPv4 address which connects to the IPv4 internet via a carrier grade NAT system. So there will be multiple customers sharing the same public IPv4 address when visiting a IPv4-only websites.

And when you do visit a website via IPv6, which address are you going to ban? Customers get at least a /64 range. You can ban the entire range, which would be fine for a consumer (using privacy extensions, a seemingly random address from that range would be used), but not when it concerns a business client which uses a /64 for its internal network.

The fun doesn't end there... depending on the ISP, customers might even get a /56 or /48 range. How would you distinguish between /64 customers and /48 customers? If you assume the customer has a /48, you could end up banning 65 thousand customers who in reality have a /64. The other way around, you'd block only a fraction of the address space available to the spammer.

from textpattern.

I've never liked banning based on IP. It often backfires, as you say, when you ban legit people who get an address from an ISP pool.

I use Tor or JonDo or OpenVPN depending on my mood and I doubt I'm the only one :-) So there must be a whole bunch of people on the "same IP address" at different times of the day.

More intelligent filtering (there are many plugins already) is surely a better way to handle it than the fire-and-hope method of blocking an IP address? If it was up to me I'd drop the ban-by-IP feature altogether.

from textpattern.

If it was up to me I'd drop the ban-by-IP feature altogether.

+1

from textpattern.

Fine by me, I vote to get rid of it. One less thing to support going forward.

from textpattern.

Can we sneak removal of the IP ban system into 4.6 do you think? Or leave it for now?

Either way, do we just ditch it wholesale (txp_discuss_ipban table, UI elements, and verification while commenting) or do we take a phased approach? Like maybe dropping the UI elements and issuing a deprecation warning when visiting the ipban panel, but leaving the table and comment verification in place until a later release so at least filtering still "works" for the time being?

from textpattern.

Personally I haven't used it ever. So I'd propose to

1. add a few voices from the forum
2. remove it entirely unless someone comes up with a convincing argument

from textpattern.

I've requested input on the forum:
http://forum.textpattern.com/viewtopic.php?pid=295944

from textpattern.