IP Attacks - denial



TL;DR : IP Address blocking allows network administrators to prevent access to specific online services for both security purposes and censorship, by blocking IP addresses.


In Layman's terms
Protagonists
Bob: A visitor to a small shop.
Alice: The shop owner.
Jack: A prankster.

Jack wants to disrupt Alice's shop and prevent customers like Bob from accessing it.

Jack gathers a large group of people and directs them to block the entrance of Alice's shop. These people don't actually want to buy anything; they just stand there and create a crowd, making it impossible for real customers like Bob to enter the shop.

As a result, Alice's shop gets overwhelmed, and legitimate customers can't get in to make purchases. Alice, unaware of Jack's intentions, continues to run her shop but is unable to serve her real customers due to the crowd blocking the entrance.

The Scenario: Using IP Address Blocking to Control Access to Online Services

Step 1: Identifying the Target IP Address

Network administrators identify the IP address or range of IP addresses associated with the online service they wish to block access to. This could be for security reasons, such as blocking malicious websites, or for censorship, such as restricting access to certain information.

Step 2: Implementing the IP Block

The administrator configures the network firewall or router to block traffic to and from the identified IP addresses. This can be done using various means, such as

  • firewall rules (e.g. on a Linux system with iptables (sudo iptables -A INPUT -s 192.168.1.100 -j DROP) or ufw (sudo ufw deny from 192.168.1.100))

  • ACLs - access control lists used in routers and switches to control the flow of traffic based on IP addresses.

    access-list 100 deny ip 192.168.1.100 0.0.0.0 any
    interface GigabitEthernet0/1
    ip access-group 100 in
    
  • Other network devices, such as

    • Intrusion Prevention Systems (IPS) - detect and block malicious traffic, including traffic from specific IP addresses (Snort or Suricata can be used to write custom rules to block IPs). A simple example for the Snort solution, using the drop action, which only takes effect when Snort runs inline (an alert rule would merely log the traffic):
    drop ip 192.168.1.100 any -> any any (msg:"Blocked IP"; sid:1000001; rev:1;)
    
    • Network Access Control (NAC) - primarily used to ensure that only compliant and trusted endpoint devices can access the network. Cisco Identity Services Engine (ISE) or Aruba ClearPass tools can enforce policies to block certain IPs.

    • Web Application Firewalls (WAF) - primarily used to protect web applications by filtering and monitoring HTTP traffic. E.g. ModSecurity, an open-source WAF, can be configured to block IPs by adding rules:

    SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "id:1234,phase:1,deny,log,status:403"
    
    • Cloud-Based Security Services (GCP, AWS, Azure) - all offer tools to manage and block IP traffic. E.g. AWS WAF allows you to create IP sets and associate them with web ACLs, and Azure uses its Network Security Groups (NSGs)

    • Custom Proxy Servers - Eg. Squid Proxy can be configured with ACLs to block specific IPs.

Step 3: Monitoring Network Traffic

Whatever network security tooling is in place, the administrator uses it to monitor incoming and outgoing traffic and confirm that requests to and from the blocked IP addresses are actually being denied. This verifies that the block is effective and that no unauthorized access is slipping through.

Step 4: User Interaction

Users on the network attempt to access the online service associated with the blocked IP addresses. When they try to connect, their requests are intercepted and denied by the firewall or router: users receive an error message or experience a timeout when trying to access the blocked service.
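As an added example (not code from the original article), the following Python script ties Steps 2 and 3 together: it parses a blocklist of single hosts and CIDR ranges, renders the equivalent deny rules for iptables, ufw and a Cisco extended ACL (including the wildcard-mask conversion the ACL syntax above relies on), and then audits constructed firewall log lines to confirm that every packet from a blocked source was in fact dropped. The blocklist, the key=value log format and all function names are assumptions made for this example.

```python
"""Added example, not from the original article: an IP blocklist checker
covering Step 2 (writing the block) and Step 3 (verifying it works).
The blocklist, log lines and helper names are constructed for this example."""
import ipaddress
from collections import Counter

# Constructed blocklist: the host used throughout the article plus a CIDR
# range (a documentation netblock standing in for a hostile network).
BLOCKLIST = [
    "192.168.1.100",
    "203.0.113.0/24",
]


def parse_blocklist(entries):
    """Turn blocklist strings into network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(addr, networks):
    """True if addr falls inside any blocked network (any hit denies)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def cisco_wildcard(cidr):
    """Render a CIDR as the 'network wildcard' pair a Cisco ACL expects.

    The wildcard mask is the bitwise inverse of the subnet mask, so
    192.168.1.100/32 -> '192.168.1.100 0.0.0.0' and a /24 -> '... 0.0.0.255'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def render_rules(entries):
    """Emit equivalent deny rules for iptables, ufw and a Cisco extended ACL."""
    rules = {"iptables": [], "ufw": [], "cisco": []}
    for e in entries:
        net = ipaddress.ip_network(e, strict=False)
        rules["iptables"].append(f"iptables -A INPUT -s {net.with_prefixlen} -j DROP")
        rules["ufw"].append(f"ufw deny from {net.with_prefixlen}")
        rules["cisco"].append(f"access-list 100 deny ip {cisco_wildcard(e)} any")
    return rules


# Constructed firewall log lines in a simple key=value style (not the real
# output format of any particular tool). The third line is a deliberate
# rule gap: a source inside the blocked /24 was accepted.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=192.168.1.100 dst=10.0.0.5 action=DROP
2024-05-01T10:00:02Z src=198.51.100.7 dst=10.0.0.5 action=ACCEPT
2024-05-01T10:00:03Z src=203.0.113.42 dst=10.0.0.5 action=ACCEPT
2024-05-01T10:00:04Z src=203.0.113.9 dst=10.0.0.5 action=DROP
"""


def audit_log(log_text, networks):
    """Step 3 check: every packet from a blocked source must have been dropped.

    Returns (counts, leaks): counts tallies the firewall action per packet
    from a blocked source, leaks lists blocked sources that got through.
    """
    counts = Counter()
    leaks = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        src, action = fields["src"], fields["action"]
        if is_blocked(src, networks):
            counts[action] += 1
            if action != "DROP":
                leaks.append(src)  # blocked address was accepted: rule gap
    return counts, leaks


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST)
    for platform, lines in render_rules(BLOCKLIST).items():
        print(f"# {platform}")
        print("\n".join(lines))
    counts, leaks = audit_log(SAMPLE_LOG, nets)
    print("actions on blocked sources:", dict(counts))
    print("leaks (blocked but accepted):", leaks)
```

Running the script prints the generated rules and then reports one leak, 203.0.113.42, which is exactly the kind of finding Step 3 exists to catch: the /24 was presumably entered on one device but not on another, and the log is the only place that shows it.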

Effect on Privacy, Anonymity, and Hacking Concerns

IP address blocking is an effective security measure: administrators regularly use it to protect the network from malicious activity, such as preventing access to known phishing sites or blocking traffic from suspicious IP addresses, which reduces the risk of attacks. But beyond its security implications, the ability to decide what users may access is in effect a capability to control the internet, and it has led to notable social events and raised deep concerns:

  • During the Arab Spring, several governments in the Middle East and North Africa resorted to blocking internet access as a means to stifle protests and control the flow of information. Among the most notable examples were Syria's and Egypt's decisions to shut down the internet to suppress dissident communications, as in January 2011 at the height of the protests against President Hosni Mubarak. This action was intended to disrupt the organization of protests, which relied heavily on social media platforms like Facebook and Twitter for coordination and communication (Al Jazeera)

  • A recent example of IP denial used for censorship is the European Union's 2022 ban blocking the transmission and facilitation of content from the Russian state-controlled media outlets RT (Russia Today) and Sputnik (alleged to be part of the Kremlin's information warfare designed to manipulate public opinion and undermine democratic processes in Europe) across all EU member states. This action was part of a broader set of sanctions imposed following Russia's invasion of Ukraine. The EU aimed to curtail the spread of non-aligned information and potential propaganda that supported Russian military actions and political narratives. These measures raise serious questions about freedom of expression and access to information, setting a dangerous precedent for media censorship


Done!

Thanks and Congratulations for reading this to the end. We hope this article brings a little clarity over what IP Denial is, and how it works.