How to identify all IPv6 addresses for a user
I’m starting to feel crazy because I’ve googled this 20 different ways and nothing comes up.
I have a site that occasionally needs to block users by IP address in order to prevent abuse. With IPv4 this works great, as the user’s entire connection from their ISP is blocked. (Note that I also treat VPN connections differently in order to prevent them from simply hopping on a VPN.)
However, IPv6 throws a real wrench into this as each user doesn’t simply have one IP assigned at a time from their ISP. I’ve seen patterns of abuse from IPv6 addresses that seem to be similar, but I’m not sure how to definitively tell if they’re from the same user.
I know each ISP probably does things slightly differently, but is there a way to identify users that will be good enough in practice?
Solution 1:
The safest solution is to scale up automatically. For example:
- start by blocking a single address
- if you see violations from more than X addresses in a /64, block the whole /64
- if you see violations from more than Y addresses in a /56, block the whole /56
- if you see violations from more than Z addresses in a /48, block the whole /48
The downside is that you'll need several violations before you block them completely. The benefit is that you block the most accurately. You also increase the difficulty of bypassing your block internally.
Also keep in mind that addresses don't always belong to the same user. At home my IPv4 address is shared amongst several users (DS-Lite) and changes every day. IPv6 prefixes can also change over time, and the old addresses can then be assigned to a different user. So don't put too much value in the long term usability of IP addresses as an identifier.
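The escalation described in Solution 1, sketched as an added example that is not part of the original answer. The threshold values stand in for the answer's X, Y and Z and are assumptions, as are the class and function names; the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import defaultdict

# Hypothetical values for the answer's X (/64), Y (/56) and Z (/48).
THRESHOLDS = ((64, 3), (56, 5), (48, 8))


class EscalatingBlocker:
    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds        # ordered narrowest prefix first
        self.offenders = defaultdict(set)   # prefix -> distinct offending addresses
        self.blocked = set()                # blocked networks, /128 up to /48

    def is_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.blocked if net.version == ip.version)

    def record_violation(self, addr):
        """Record one violation and return the widest network now blocked for addr."""
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:                 # IPv4: block the single address, as before
            net = ipaddress.ip_network(f"{ip}/32")
            self.blocked.add(net)
            return net
        widest = ipaddress.ip_network(f"{ip}/128")
        self.blocked.add(widest)            # step 1: always block the single address
        for plen, limit in self.thresholds:
            prefix = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            self.offenders[prefix].add(ip)  # count distinct addresses, not hits
            if len(self.offenders[prefix]) > limit:
                self.blocked.add(prefix)    # "more than X addresses" -> block prefix
                widest = prefix
        return widest


def demo():
    # Lower thresholds so the constructed sample below triggers two escalations.
    blocker = EscalatingBlocker(thresholds=((64, 2), (56, 3), (48, 4)))
    # Constructed sample: three addresses rotating inside one /64,
    # then a fourth from a neighbouring /64 in the same /56.
    hits = ["2001:db8:aa:1::10", "2001:db8:aa:1::11",
            "2001:db8:aa:1::12", "2001:db8:aa:2::1"]
    return blocker, [str(blocker.record_violation(h)) for h in hits]


if __name__ == "__main__":
    for blocked_net in demo()[1]:
        print(blocked_net)
```

Counters and blocks in this sketch never expire; given the answer's point that prefixes change and get reassigned, a deployment would age both out.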