I have a list of IP addresses of bots/hackers that are constantly attacking one of my sites. I want to block these visitors by IP and am trying to work out a "best" approa
I'd stick the code in a place where it will run as soon as possible, before the server consumes too many resources.
I would say you should send back as little information as possible, ideally HTTP status 503 (Temporarily unavailable) with a short message linking to an acceptable-use page, or a page explaining to people some reasons why they MIGHT have been blocked and what to do if they feel they are blocked unfairly. You may wish to do this in text/plain instead of HTML as it will use fewer bytes :)
Using an in-memory list of blocked IPs also breaks when you have a large number of blocked addresses (say 1 million) because scanning it becomes prohibitive (remember you need to do this for every request to the relevant resource).
Ultimately you will want a way to distribute the lists of blocked IPs to all your web servers and/or keep it centralised - depending on exactly what kind of abuse you are getting or anticipating.
Having said that, you should definitely apply the YAGNI principle. If you aren't experiencing real capacity problems, don't bother blocking abusers at all. Very few sites actually do this, and most of them are things where there is a significant cost associated with running the site (such as Google search).
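
An early-rejection check of the kind this answer describes, added here as an example and not part of the original answer: a WSGI middleware that runs before the application, looks the client up in a hash set (plus a short list of CIDR ranges) so the per-request cost does not grow with the number of single addresses, and answers with a small text/plain 503. `BlocklistMiddleware`, `ABUSE_URL`, `demo_app`, `status_for` and the sample addresses are constructed for illustration.

```python
import ipaddress

ABUSE_URL = "https://example.com/acceptable-use"  # assumed placeholder URL


class BlocklistMiddleware:
    """WSGI middleware that rejects blocked clients before the app runs."""

    def __init__(self, app, blocked):
        self.app = app
        self.exact = set()   # single addresses: constant-time hash lookup
        self.networks = []   # CIDR ranges: short linear scan
        for entry in blocked:
            net = ipaddress.ip_network(entry, strict=False)
            if net.num_addresses == 1:
                self.exact.add(net.network_address)
            else:
                self.networks.append(net)

    def is_blocked(self, remote_addr):
        try:
            ip = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False  # unparseable address: not matched by this check
        return ip in self.exact or any(ip in n for n in self.networks)

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the socket peer; behind a reverse proxy it is the
        # proxy's address, so the real client address must come from a
        # header set by a proxy you control.
        if self.is_blocked(environ.get("REMOTE_ADDR", "")):
            body = ("Blocked. See %s\n" % ABUSE_URL).encode("ascii")
            start_response("503 Service Unavailable", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def status_for(mw, addr):
    """Return the status line the middleware sends for a given client address."""
    seen = []
    mw({"REMOTE_ADDR": addr}, lambda status, headers: seen.append(status))
    return seen[0]


# Constructed sample blocklist using documentation address ranges.
SAMPLE = BlocklistMiddleware(demo_app, ["203.0.113.7", "198.51.100.0/24", "2001:db8::/32"])
```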