Why doesn’t Syspeace simply block everyone that has ever earned a block indefinitely?
For a few reasons:
- IP addresses are dynamic and are not guaranteed to be bound to the same person or organization over time. Address ranges are bought, sold and reallocated between organizations, ISPs and service providers hand the same address to different customers over time, and a single address may be shared by many users of one service.
In an absolute sense, you can’t trust that an IP address is being used by the same person for the same purpose tomorrow as it was yesterday, and this increases the potential for false positives. In the most extreme case, an innocent user’s computer is compromised and joins a botnet, attacks your server, and is then cleaned up. Labeling that IP address as an attacker for all eternity would not be correct.
- Technical pressure. Stockpiling blocks for IP addresses adds up over time and impacts performance: every packet has to be checked against a larger rule set, which slows all network processing slightly, and the process of detecting new attacks in particular.
- Lack of clarity and manageability. A block list that only ever grows becomes hard to review, audit and maintain.
Many centrally kept blacklists of spam senders and attackers, including Syspeace’s own Global Blacklist, focus on providing a list of current attackers for these and related reasons. Short blocks of IP addresses that have made attack attempts recently balance effectiveness with reaction speed while still blocking the attackers you are likely to encounter.
Multiple rules can be used to great effect to block repeat offenders for a longer period of time, and you can also use the local blacklist to block attackers without an expiration date.
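The following Python sketch is an added illustration of how layered rules, expiring blocks and a permanent local blacklist fit together. It is not Syspeace’s code, and the rule names, thresholds, durations, windows and IP addresses in it are invented for the example rather than taken from the product:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """`failures` failed logins within `window` earn a block of `duration`."""
    name: str
    failures: int
    window: timedelta
    duration: timedelta


# Illustrative rules only (not Syspeace defaults). Evaluated from the most
# severe to the least severe; the first rule whose threshold is met wins.
RULES = [
    Rule("repeat offender", failures=20, window=timedelta(days=7), duration=timedelta(days=7)),
    Rule("standard", failures=5, window=timedelta(minutes=30), duration=timedelta(hours=2)),
]


@dataclass
class Tracker:
    rules: List[Rule]
    local_blacklist: Set[str] = field(default_factory=set)        # permanent, never expires
    failures: Dict[str, List[datetime]] = field(default_factory=dict)
    blocks: Dict[str, datetime] = field(default_factory=dict)     # ip -> block expiry

    def record_failure(self, ip: str, at: datetime) -> Optional[str]:
        """Record one failed login; return the name of the rule that fired, if any."""
        history = self.failures.setdefault(ip, [])
        history.append(at)
        # Forget failures older than the longest window so per-IP history stays bounded.
        longest = max(r.window for r in self.rules)
        history[:] = [t for t in history if at - t <= longest]
        for rule in self.rules:
            recent = [t for t in history if at - t <= rule.window]
            if len(recent) >= rule.failures:
                expiry = at + rule.duration
                # Only ever extend a block, never shorten an existing longer one.
                if expiry > self.blocks.get(ip, at):
                    self.blocks[ip] = expiry
                return rule.name
        return None

    def is_blocked(self, ip: str, now: datetime) -> bool:
        if ip in self.local_blacklist:
            return True
        expiry = self.blocks.get(ip)
        return expiry is not None and now < expiry

    def expire(self, now: datetime) -> int:
        """Drop blocks whose time is up; returns how many were removed."""
        stale = [ip for ip, exp in self.blocks.items() if exp <= now]
        for ip in stale:
            del self.blocks[ip]
        return len(stale)


def simulate() -> dict:
    """Constructed scenario: four bursts of five failed logins, three hours apart."""
    t0 = datetime(2024, 1, 1, 12, 0)
    tracker = Tracker(RULES)
    attacker = "203.0.113.5"          # constructed address from the TEST-NET-3 range
    tracker.local_blacklist.add("198.51.100.7")   # constructed, permanently blocked
    fired = []
    for burst in range(4):
        for i in range(5):
            at = t0 + timedelta(hours=3 * burst, seconds=i)
            fired.append(tracker.record_failure(attacker, at))
    later = t0 + timedelta(hours=9, days=8)   # after the long block has run out
    return {
        "fired": fired,
        "blocked_after_last_burst": tracker.is_blocked(attacker, t0 + timedelta(hours=9, minutes=1)),
        "blocked_much_later": tracker.is_blocked(attacker, later),
        "expired": tracker.expire(later),
        "remaining_blocks": len(tracker.blocks),
        "blacklisted_still_blocked": tracker.is_blocked("198.51.100.7", later),
    }


if __name__ == "__main__":
    print(simulate())
```

Each burst trips the short "standard" rule on its fifth failure, and because the failure history is kept for the longer seven-day window, the twentieth failure trips the "repeat offender" rule and earns a week-long block. Once that block lapses it is removed by `expire`, which is what keeps the block table from growing without bound, while the address on the local blacklist stays blocked regardless of time.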