Block Ip in asp.net

**Frinavale** · Mar 29 '10, 02:39 PM

If you prevent an IP from accessing your website you can run into problems because sometimes many people will share the same IP.

For example, say you have a university where many students are connected to a LAN which is connected to the Internet. Any university students that connect to your website will be connected using the same IP: the university's IP.

If you block this IP then many people will be blocked from your site. This is why many websites block users instead of IP addresses.

It's a lot of work cleaning up after people who are abusing your website but that's part of the job.

Now, that being said, you can detect the IP of the user that is connected to your website using the Request.UserHos tAddress. This contains the IP address of the user connected to your webpage.

For example:

Code:

string ip_address = Request.UserHostAddress;

Happy coding!

-Frinny

**Monish30** · Mar 30 '10, 02:39 AM

Thanks Frinivale
But what about the dyanamic ip? I have upload the below code

Code:

 string VisitorsIPAddr = string.Empty;
        //Users IP Address.                
        if (HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null)
        {
            //To get the IP address of the machine and not the proxy
            VisitorsIPAddr = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"].ToString();
        }
        else if (HttpContext.Current.Request.UserHostAddress.Length != 0)
        {
            VisitorsIPAddr = HttpContext.Current.Request.UserHostAddress;
        }

I get correct IP but when i disconnect the internet and reconnect it again i get different ip because my ip is not static it's dynamic ip.

**Frinavale** · Mar 30 '10, 01:06 PM

Oh yeah, I forgot about that reason for why you shouldn't block by IP address :)

You can't fix this...this is just how things are.

-Frinny

**Monish30** · Mar 31 '10, 12:00 PM

So is there any solution MR Frinavale. Can i get some unique thing from client computer that remain unique in all the request.
Can I get something unique from client side using javascript?
Thanks in advance
Monish

**Frinavale** · Mar 31 '10, 01:06 PM

JavaScript wont help you...
I'm not sure if there's a better way to do this.

I honestly think that blocking the user is the best solution (it's what we do here on bytes). Eventually they will get the hint.

**CroCrew** · Mar 31 '10, 01:33 PM

Hello Monish30,

I have been following this post and held off on posting my comments. First off Frinavale is spot on with the first reply post to your question.

There have been many attempts/implementations of blocking “banned users” from websites. There is no “easy” way on administrating users that abuse a website. Identifying a banded user is next to impossible.

I know that you’re pressing to find an alternative “easy” way of administrating users that abuse your website. Before you even ask about using MAC address as an identifier don’t. MAC address are not routed beyond the user's local network so there is no way for you to see it from a remote machine. Even if you create an ActiveX control and embedded on your page the user would get a warning popup that they would have to install this potentially unsafe control before it would work. ActiveX will also not work on non-IE browsers without another special plugins that will require user install.

Other things to think about:
1) MAC address can be spoofed.
2) Network card can be changed.
3) User can go to a different machine.
4) User can create a new account.
5) IP is shared between computers.

As you can see there are too many variables to come up with an “easy” solution.

When the web standards were being developed, the designers went to great lengths to ensure that web visitors could only be repeatedly identified at their own choice. Cookies are the standard way to identify repeat visitors, but the visitors have been given the right to clear them at any time or not accept them at all if that is their preference.

If the fraudulent activities of your website are of very high priority to block, you should block the IP address and then investigate if the IP is shared between users. Remove the block after a period of time and monitor to see if the fraudulent activity begins again.

You can take it a step further by adding other layers:
1) Force people to login to your website and ban fraudulent activity on IP and login.
2) Force users to provide email address when signing up for an account and only allow unique email to sign up for an account.
3) When allowing a update/post to your forum send a conformation email to the email address at signup asking them to verify that they want to post what they wrote by clicking on a link within the email.

The key is to make it harder for people to deface your website but still easy to use.

Good luck,
CroCrew~

**Frinavale** · Mar 31 '10, 02:30 PM

Thanks for re-iterating CroCrew, that is a much better response than mine!

:)

Block Ip in asp.net

Block Ip in asp.net

Comment

Comment

Comment

Comment

Comment

Comment

Comment