• Web Site Security without Relying on “Dirty” IP Addresses


    • This topic has 5 replies, 5 voices, and was last updated 1 year ago.
    #2671025

    Those who run web sites have to juggle protection against bad people, against the interests and needs of the users.

    Many sites rely on an international list of “dirty” IP addresses.  Such sites assume that if the person is using a “dirty” IP address, they could put the whole web site at risk.  Accordingly, some of those sites simply will not let the user participate in posting, etc. on the site.

    This manifests itself mostly among people who use a VPN.  If that VPN randomly chooses a server that is “dirty,” then that user is prevented from using everything on the web site (such as posting), even if it is a paid site.

    The user then has a decision to make:  1) Not use a VPN (a violation of that person’s rights), or 2) Not use the particular web site.

    Are there any other reasonable ways that web site security can be maintained without violating users’ rights?  I can understand the position of the web site, but I also understand the position of a legitimate, non-nefarious user.

     

    • #2671043

      My recommendation on the user side is to test your VPN using the IP address checkers I referred to in today’s newsletter and choose your VPN.  If you get one that is “dirty”, disconnect and choose another.  If your VPN vendor consistently offers up dirty addresses, find another vendor.  Clearly there are TONS in the marketplace.

      It’s the old “vote with your pocketbook” idea – everyone needs to keep in mind that an IP address from a VPN vendor that has gotten good reviews doesn’t always mean that the IP addresses they hand out are deemed “clean”.

      VPN vendors that tout their benefits should also do their part and vet and kick off nefarious actors.

      Going forward, as the attackers are now squatting on “clean addresses”, I foresee that this will have to evolve more towards an authentication process where credentials will be validated and who you are will give you full rights to the site.  At that point in time I predict that sites will be moving to credentials with multi-factor login and that will ‘vet’ you to the site.  But we’re not there yet and many people won’t like a mandated MFA world.

      Over the past year the number of bot attacks we have had to put blocks in place for keeps increasing.

      I asked the folks at Wordfence support about this:

       

      Hi Susan,
      The likely feature causing an increase in blocks on VPNs is the Real-time IP Blocklist. That can be disabled in Wordfence > Firewall > All Firewall Options > Real-time IP Blocklist, though, I generally don’t recommend disabling it. The IPs on that list are observed being malicious in most cases.
      Because our company monitors millions of attacks on WordPress sites every hour we are able to see attacks on a large scale. An individual site may see 10, 50, or maybe even 100 visits or more from a malicious IP address trying to login or use exploits to compromise a site. We protect over 5 million sites and can see just how frequently those IPs are attacking. The aggregated data is then used to automatically generate a list of IP-addresses that are currently involved in bad behavior and are added to our blocklist. The IPs are added to the list as our systems see attacks coming from them, and then when the attacks stop coming from them the system removes the IP address.

      It is important to note that Wordfence does not block VPNs by default. It only blocks IPs that are involved in malicious behavior regardless of where they originate. Because hackers use the same privacy tools that regular users do, we can’t in good faith allowlist all VPNs.
      Disabling the blocklist will reduce your protection, and generally, I recommend keeping that enabled due to the amount of protection it provides.
      Let me know if you have any questions.
      Thanks,
      Scott
      Customer Support Engineer Lead

      Susan Bradley Patch Lady/Prudent patcher

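The listing behaviour the Wordfence reply describes (an IP is added while attacks are seen from it across many sites, and removed once they stop), sketched as an added example that is not Wordfence's code or part of the original thread. The window length, the distinct-site threshold, the class and function names and the documentation-range addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class RealtimeBlocklist:
    """Toy aggregate blocklist: list an IP while attacks are recent, delist after."""

    def __init__(self, window_s=3600, min_sites=3):
        self.window_s = window_s    # assumed: how long one observation counts
        self.min_sites = min_sites  # assumed: distinct sites that must report the IP
        self._events = defaultdict(deque)  # ip -> deque of (timestamp, site_id)

    def report_attack(self, ip, site_id, ts):
        """Record that one protected site saw an attack from this IP at time ts."""
        self._events[ip].append((ts, site_id))

    def is_blocked(self, ip, now):
        """True only while enough distinct sites reported the IP inside the window."""
        if ip not in self._events:
            return False
        q = self._events[ip]
        while q and q[0][0] <= now - self.window_s:
            q.popleft()             # observations older than the window expire
        if not q:
            del self._events[ip]    # attacks stopped: the IP leaves the list
            return False
        return len({site for _, site in q}) >= self.min_sites


def demo():
    """Constructed timeline for a shared VPN exit IP (203.0.113.7, TEST-NET-3)."""
    bl = RealtimeBlocklist()
    vpn_exit, quiet_ip = "203.0.113.7", "198.51.100.9"
    # One abusive VPN customer hits three different protected sites.
    for ts, site in [(0, "site-a"), (60, "site-b"), (120, "site-c")]:
        bl.report_attack(vpn_exit, site, ts)
    # A single report from one site is not enough to list an IP.
    bl.report_attack(quiet_ip, "site-a", 30)
    return {
        # A legitimate user handed the same exit IP ten minutes later is blocked.
        "vpn_exit_during_attacks": bl.is_blocked(vpn_exit, now=600),
        "single_report_ip": bl.is_blocked(quiet_ip, now=600),
        # Once the reports age out, the same address is clean again.
        "vpn_exit_after_attacks_stop": bl.is_blocked(vpn_exit, now=4000),
    }


if __name__ == "__main__":
    print(demo())
```

The blocked result for the legitimate user at `now=600` is the situation the original poster describes: the address, not the person, carries the reputation, and reconnecting to a different exit IP or waiting for the listing to expire clears it.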
      • #2671090

        Susan,

        Thank you for the additional comments.  Does anybody have any statistics regarding the “dirty” IP addresses for free VPN sites, vs. paid sites?  In principle it makes sense that free sites would be worse, but what is there to prevent a spammer from using paid sites?  Given the amount of traffic on ANY server, wouldn’t it be very difficult for a VPN to identify spammers?

         

         

         

        • #2671094

          The VPN vendor issues a series of IP addresses (the same as ISPs like Comcast, Verizon, etc). But VPNs are not connected to the Users they service by hard wiring or cell towers like ISPs; they are meant to hide the location. The IPs they issue are recycled over and over to multiple users. And, VPN vendors don’t monitor, or have responsibility for the Users’ activity.

          If you use a VPN, it falls to you to be sure the IP you use is clean. If the one you get is dirty,  then drop it, reconnect, and check again to be sure the new one is clean.

          Free VPNs are more likely to be misused than paid. The “bad guys” usually don’t want to be tied to an account. But that doesn’t mean paid is a secure thing.

    • #2671102

      For those reading the above posts from Kenneth Stephens, Susan Bradley and @PKCano , please take ALL of their info into account and remember the following:

      If you’ve successfully logged into a site and you’ve submitted a post but it doesn’t show up in the thread where you submitted it, the above reason (having what’s considered to be a dirty IP address) could very well be the reason you don’t see it.

      In any case, you can then recheck your IP address using the tools Susan spoke of to recheck your IP address. If it’s dirty, that’s probably why you don’t see your post…it got caught by the automated spam filtering that many sites use these days, and a note to the site’s moderator or moderators (after obtaining a clean or at least cleaner IP address) may give some insight as to how they handle such occurrences, as each site is different when it comes to their individual policies with regards to submissions from IP addresses that are dirty.

    • #2671214

      Not use a VPN (a violation of that person’s rights)

      Where does the agreement to use the internet state you have any rights?

      I expect most of my activity is known, at least by Google et al.

      cheers, Paul
