Ban management on web application


I want to create an accounts ban system on a web application. Does anyone have any idea on the best way to confront this?

I was thinking about using the client’s MAC address but that surely does not seem to be the most reasonable way.

Any leads on this would be much appreciated.

Well… it depends on the type of application.

An application that is going to be generally accessible will be hard to moderate. The individual that you want to ban may change computer, spoof a new MAC address, etc. It is going to be very difficult to enforce a ban. If the application does not require an account or if the account can be freely created by the user, then you are basically out of luck. As I said, the MAC address may be spoofed or a different computer (or just a different network adapter) can be used. If the user can freely create an account, a new account can easily be created and the problem continues under a different name.

An application requiring an account (maintainable only by an administrator) and catering to a closed audience will be much easier to moderate. You simply disable the account and you are done. You need to have this mechanism planned in the user authentication method.

Thank you so much,

At the moment the accounts are not moderated before activation. I will take into consideration changing how new accounts are maintained.

You can ban IPs automatically if they use root as login for example. Or block an IP for some time after a failed login.

And of course make sure login takes time and people can’t do thousands per second.

I have already done some basic flood prevention except for temporary bans, which seem to be a pretty good idea, but the thing is that in this case bans would be synced across several dedicated servers, so we would have a global banlist across the whole network.

While it would be better to handle this at the server level, you can also deal with some of this by implementing the App.HandleURL event by looking for times when Request.Path = “” and Request.RemoteAddress is someone that you’ve banned.
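The automatic and temporary IP bans suggested earlier in the thread, as an added sketch that is not code from any poster: a ban ledger that bans an address immediately for a forbidden login name such as root, or after too many failed logins inside a time window, and lets the ban expire on its own. The class name, thresholds and in-memory dictionaries are assumptions; for a banlist shared by several servers the two dictionaries would live in a common store, and `is_banned` is the check a request handler would call with the client's remote address.

```python
import time
from collections import defaultdict, deque


class BanList:
    """Temporary IP bans driven by failed logins (hypothetical helper)."""

    def __init__(self, max_failures=5, window=300, ban_seconds=900,
                 instant_ban_logins=("root",), clock=time.time):
        self.max_failures = max_failures      # failures tolerated per window
        self.window = window                  # seconds a failure is remembered
        self.ban_seconds = ban_seconds        # length of a temporary ban
        self.instant_ban_logins = set(instant_ban_logins)
        self.clock = clock                    # injectable so tests can fake time
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.banned_until = {}                # ip -> expiry timestamp

    def is_banned(self, ip):
        """True while a ban is active; expired bans are dropped lazily."""
        expiry = self.banned_until.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.banned_until[ip]
            return False
        return True

    def ban(self, ip):
        """Start (or restart) a temporary ban and forget the failure history."""
        self.banned_until[ip] = self.clock() + self.ban_seconds
        self.failures.pop(ip, None)

    def record_failure(self, ip, login):
        """Register a failed login; return True if it triggered a ban."""
        if login in self.instant_ban_logins:
            self.ban(ip)
            return True
        now = self.clock()
        recent = self.failures[ip]
        recent.append(now)
        # Discard failures that have aged out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.ban(ip)
            return True
        return False
```

Because several users can share one address (NAT, proxies), a short `ban_seconds` keeps the cost of a false positive low.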