GoogleChrome / ip-protection


Blocking abusive clients #5

Open terryednacot opened 1 year ago

terryednacot commented 1 year ago

Originally filed at https://github.com/spanicker/ip-blindness/issues/14 by @spanicker

At some point, a service may have confidence that a given request is associated with an abusive client. Perhaps the request is willfully causing quality of service issues, demonstrates intent to harm another user, or otherwise violates a site’s terms of use.

Historically, services would ban a user by their IP address. This has become less common with the rise of the mobile internet, but IP is still a surprisingly common tool in scaled abuse scenarios.

We would like to provide websites with the ability to request that the proxy no longer send traffic from the user of the proxy that issued the given request. We need to do this without re-introducing the cross-site tracking risk that the proxy is designed to counter.

Are there existing protocols or limitations relevant to your service that we should be mindful of? Would it be acceptable if embedded services would have to ban a user once for each top-level context (e.g. a.com on example1.com and a.com on example2.com would need to ban the user separately)?

hilarywsr commented 1 year ago

Hello Mike,

Within my role in cyber security, a significant aspect involves the examination, authorization, and limitation of access to our corporate software by way of IP Addresses. Despite employing various other techniques to limit access, we've observed that this remains one of the most effective approaches to prevent extensive misuse.

After thorough internal deliberation regarding the IP Protection proposal, we have notable apprehensions about the potential consequences of eliminating IP addresses. This change could render us vulnerable to misuse, which is a concern we share across our legal department due to its implications for compliance.

Could you kindly provide insights into how the proposal aims to address these challenges?

Appreciate your assistance.

SedesGobhani commented 11 months ago

I would like to also chime in on this one, and ask how legitimate websites will see protection proxy users. Will we see just all zeros or blank IP addresses? Or will we see a leased fake IP? If a fake IP, how many times per year, month, week, day, or hour can they change to a new fake IP? I ask because I'd like to know whether website designers would be able to at least temporarily block abusers (until they change their fake IP again). TIA for a reply.

DavidSchinazi commented 11 months ago

When traffic flows through the IP Protection proxies, websites will see the IP address of the second proxy. Multiple users can share the same proxy IP address at a time. When a user loads multiple web pages, those loads can use different IPs. This is required to prevent tracking of users. Because of this, proxy IP addresses cannot be relied upon as stable identifiers for any purpose.

Idobr commented 11 months ago

Hi David,

As a result of this feature, application layer attacks can be more difficult to detect and mitigate, ranging from Distributed L7 DDoS to various business logic abuse/fraud attacks performed by malicious bots. How is Google going to prevent such attackers and fraudsters from abusing this feature? These risks cannot be solved by authenticated browsers. In today's market, there are many security risk-based solutions that use various ways to positively correlate the user, session, browser, and source IP to ensure that the user is indeed who he claims to be. The path to hell is filled with good intentions...

bigio commented 11 months ago

> When traffic flows through the IP Protection proxies, websites will see the IP address of the second proxy. Multiple users can share the same proxy IP address at a time.

This way, if a web application firewall blocks a malicious user, it will block many innocent users as well; whitelisting the Google network is obviously not an option.

SedesGobhani commented 11 months ago

I would rather block a few legitimate users than allow some hacker unlimited freedom to test out their various exploits.