Ban on IP - As response to registration changes

Hi all,

The new registration changes intensify an old issue: Griefing, trolling - alts created to cause hassle.

As i co-run a major community sim, we have alrready seen the effects of the new registration policy - an email is enough to create an alt, so griefers and trolls simply use this to continue their disturbance. We are basically without any effective means to keep our community safe of this.

Thus i think it would be neccessary that each user can be identified at last wit hthe leading 3 tuples of the IP address (i.e. 123.456.789.xxx), like on irc.bondage.com or other nets.

If we had the powert to ban critical IP ranges or could access this user information via LSL, we would have a handle versus most of the issues. Works on many IRC nets, would work her,e why not do it?

Please vote for:

1/ Aye
2/ Abstain
3/ Nay

Thanks all... And happy SL'ing..

prop

EXTENSION:

This method is used on many IRC nets, some would simply not exist anymore if they did not use BOPM or range bans to defend. Please ask irc.bondage.com users/admins about "grumpy"

PERMUTATION OF IP ADDRESSES:

Most providers follow a stable allocation pattern of IP addresses to users. Often they assigne a class C subnet to a specific region. Even AOL has some location information in their Ip assigment.

HOW TO AVOID HARM FOR INNOCENT USERS

If you are able to kick/eject based on IP subset via script, then you could also creat an explicit "allowance" list. Meaning, a user can apply for allowance if he/she is caught by a ban. Some IRC channels i know have at times temporarily akicked AOL due to abusive users.... And had an "enter if on allowance list" policy.

These methods are not new to the net, and fortunately the total number of persistently abusive users is low. You will most likely end up banning less than 20 class C subnets so the impact on users is minimal.

INABILITY TO BYPASS

Try running SL via an open proxy <g>

Of course there are methods to bypass this, but they are _not_ simple. And they need resources... that will be expended sooner or later. The thing is, you can never defend fully... but make the attack a high effort.

I likes it.

Impossible to do this without screwing innocent people over.

IP address changes depending on your ISP and your home router. Ban a range like you suggest, and you ban a lot more than one person - most of whom may not even know the person you're trying to ban! Maybe everyone from their town who uses that ISP, or everyone from that school? It just doesn't work.

Same goes for banning a single IP. It may change the next time they log on, and some poor joker who just happens to get that IP assigned to them next is banned for no reason at all.

Can't use the MAC address of their network card, either. A router can change that info in a heartbeat.

My IP changes 3 times per day... and I'd say that most people's cable connection/ADSL connection would be subject to the same system.

On the other hand... at work, we are a team of 3 people with the same IP address on the external router... so how would you deal with that? Would one have to ban a whole university, for instance, just because one user misbehaved?

Banning by IP is a viable way for most web boards to conduct enforcement, but you must be very careful how you do it or you end up banning all of AOL users (for example) or everyone on one node of a major city's cable company.

Still, it deserves a hard look. Without credit card/age verification any more, this is what it's coming down to if we want SL to be something other than Sociolotron with poseballs.

For private islands, yes, this would be ideal.

I don't see how this would stop them. I can think of several very easy ways to get around this sort of ban.

And LL should hand over my full name, address, credit card number, blood type, semen count, shoe size, and number of pets in household. That way we could ban on any of these real-life private criteria.

MM

When I was on cable I couldn't access a lot of IRC servers due to IP banning There must be other ways.

Nay. This would hurt the innocent, and only block griefers that don't know how to get around it. I have been bumped off IRC networks for banned IP addresses more times than I can count. I would be very frustrated not being able to travel freely within SL because some 17-year-old boy down the street was griefing you. I understand what you are tring to accomplish, but I think there has got to be a better way.

OMG Rude, do you live down the street from me?!

I voted no... instead, ban on MAC addresses/NIC addresses or something. People can usually just call their ISP or even reboot their modem to get a new IP, but a new MAC will cost them $$ and card install time.

-Ghoti

This works great for IRC channels, I think it would be perfect for SL land parcels too. Show me a proposal and I'll put 10 votes on it.

Ghoti, a ban on a MAC address takes two seconds to defeat, if you have a home router, because you can plug in any MAC address info that you want!

And doing that locks out everyone in the home. So if there are three SL users in the family, and one misbehaves, you lock out all of them, because the household only shows as the router's MAC address, not the mom, dad and college kids seperate systems.

Won't work. Most IPs are dynamic and change everytime you log into the ISP.

I vote yay. I think giving us more ability to control who can or can't access services is a good thing, even if its possible to be implemented carelessly.

If someone griefs me today, they get thrown on a ban list. If that person politely IMs me, and explains in a mature way that their infraction was a mistake or misunderstanding - I almost always remove the ban and give them a second (or third) chance.

I see no reason why reasonable people couldn't work that way for IP bans as well. And the nice thing about SL over IRC: In SL, its much clearer to the uninitiated who you need to contact to request that a ban be lifted than it is in the IRC world.

For folks who are unreasonable about their ban lists, I still see no change. Many of those folks ban *everyone* from their parcels by default today anyway, much to the chagrin of folks just passing thru.

I'm not sure on this one. It would be good to be able to ban a griefer shuffling alts at your land, I suppose. I have not bought land yet, but is the IP address of someone on your land visible to the landowner? I know it is to the music stream - so it can stream the music to the clients - but I didn't think it was visible otherwise.

True, but here, like in most things in life, you have to find a balance. Administrative needs versus fairness. I come from a long history on IRC and the banning instrument i have proposed keeps IRC at last half way operable.

The issue here is not so much that I as administrator desire to be unfair, it is an issue that came up due to a LL policy change. I have to react to that on behalf of other users that are as innocent as those accidently caught.

Also, as most ISP permutate their IP assignment based on class C (or maybe a tiny bit wider) rather stabilly, you actualyl do not catch manny innocent.

PLUS: You can always create "allowance" lists if you eject suspicious ranges via script. People who might be kicked out by the range ban and desire to be in can be included in an explicit allowance list.

This should minimize the impact on "innocent" users.

I am sure you refer to BOPM blacklisting. That is an issue indeed as in many blacklists puters with backdoors or spam trojans are listed. This would not work yet as "no access to network" thing but "no access to sim".

Thus you could simply ask an officer to add yo uto an allowance list. A hassle, sure, but on the other hand, without this tool someone truly malicious can practicalyl end the existance of a community sim by persistent griefing.

I do not say you need to emply this tool, but i think we need to have it in case of _emergency_

Aodhan. Works.. works well. You simply ban IP ranges. Please ask your ISP about their IP assignemtn pattern, it is surprisingly deterministic (aside you use AOL)

Pointless.... banning ISP ranges, as has been said will hit innocent parties as well
banning specific adresses is easily defeated. What is needed is a return to credit card verification.

Yes, I forsee a rule based system at some point in the future.

Ie:

If Suspicious IP address & new user & not in SIM group then ban.

It would be also cool to put timers on the ban, so for example, for the next x days ban this domain.

You have to be a pretty persistent griefer to constantly check to be see if you're still banned or not.

It works well with STATIC IPs like those who are on cable modem.

Dial up and DSL change IP every time and only the first 2 octets will match.

An IP range ban will affect 65,536 IP addresses. A single IP ban can be worked around by relogging. As for dial ups it's very easy to change services.

You're probably assuming the way US handles IPs. IPs are not handled the same way all over the world.

Around here, if I'm on dial up, I can buy prepaid cards from about a hundred different ISPs. The only way to IP ban that would be to ban almost the whole country.

IP banning works well statistically in something the size of a chatroom. In a world such as SL where you may have tens of thousands of active users you run into a higher probability that the IP range you ban will hit innocent users.

You ban ONE innocent user, you're asking for trouble. Collateral damage is still damage.

Even this type of IP ban is useless. There are still several very easy ways around it that a determined griefer will know.

Even the credit card check is easy to get around (without using a stolen card) if the person is really determined to cause you grief.

I'm not going to post any details, but I could get around both of these with maybe half an hours work.

If the proposal is as I understand it...then it'd just be banning from a particular parcel...I'm sure innocent users have been banned from parcels heretofore.

If we're talking about a global ban, well, then you're right...