Denying IP Ranges with htaccess
Saturday, March 14, 2009 (02:44:45)

Posted by Devon

When it comes to keeping out unwanted visitors such as email harvesters, forum spammers, and other generally bad bots, admins have long used the .htaccess file with a ruleset of "deny from" lines, one per IP. That's fine on a case-by-case basis, but say you want to deny an entire IP range, for whatever reason.

That's where CIDR notation comes into play. CIDR stands for Classless Inter-Domain Routing. It is the method the Internet uses to allocate blocks of IP addresses and to route packets to them, using a network prefix of any length instead of the old fixed class A, B and C sizes.

Basically it's a suffix tacked onto an IP address: a slash followed by the number of leading bits that make up the network part, with the remaining bits free for hosts. CIDR was introduced in 1993 because the classful scheme was burning through the IPv4 address space and the Internet's routing tables were growing too fast. Letting prefixes be any length means many adjacent networks can be announced as one route (route aggregation), which keeps the routing tables small. The whole system was designed to be a stopgap until a better solution (IPv6) could be deployed, but the notation has proven so useful that IPv6 addresses use the same prefix-length notation.

A single CIDR block can't describe every range you might want to deny, but CIDR can still make the life of an admin much easier. Now we will go over some real-world examples and how to keep your htaccess file from getting bogged down with hundreds of IP deny lines.

Here is an example of an IP deny within .htaccess which bans a range of IPs used by DotBot.

deny from 208.115.111.240
deny from 208.115.111.241
deny from 208.115.111.242
deny from 208.115.111.243
deny from 208.115.111.244
deny from 208.115.111.245
deny from 208.115.111.246
deny from 208.115.111.247
deny from 208.115.111.248
deny from 208.115.111.249
deny from 208.115.111.250
deny from 208.115.111.251
deny from 208.115.111.252
deny from 208.115.111.253
deny from 208.115.111.254
deny from 208.115.111.255

As you can see, DotBot has quite a few IPs at its disposal. Now go over to Mikero.com's CIDR IP Calculator and plug in the first and last address of the range. It will spit out a very nicely formatted CIDR range to deny. The /28 means the first 28 bits are fixed and the last 4 are free, so the block covers exactly 16 addresses, .240 through .255:

deny from 208.115.111.240/28

By the way, if you run Whois on some domains such as dotnetdotcom.org (DotBot's home), the registration details will sometimes display a CIDR block for you. That can make your life easier if they become a nuisance, but in most cases running Whois on every IP is more work than it's worth. Most admins just stick with ARIN for quick and painless lookups of the IPv4 addresses indexing their site.

That's it. All those deny lines are gone thanks to CIDR addressing. As mentioned earlier, a single CIDR block isn't always enough. A block always holds a power-of-two number of addresses and starts on a multiple of its own size, so there are ranges that no single block describes exactly. In that case the Mikero CIDR calculator will show you the next largest block which includes the range you want. Sometimes that drags in a couple of hundred million more IP addresses than you want, so it's definitely not a good idea to use such a block blindly. There is always a way around it though, as I'll detail.

Let's say you want to ban the range 85.0.0.0 to 89.255.255.255. If you are looking for an IP deny solution then you are probably familiar with the partial-address form Apache accepts, where a bare first octet matches every address that begins with it:
deny from 85
deny from 86
deny from 87
deny from 88
deny from 89

In this instance a single CIDR block is no good. What you have been doing is the easiest method. The calculator will output the following if you try to express that range as one block:

Resulting network range (in CIDR notation): 80.0.0.0/4
I had to expand your range by 184549376 addresses, or 220%.

As you can see, the calculator couldn't fit the exact range into one block and had to expand out to the next block that contains it, 80.0.0.0/4, which runs from 80.0.0.0 to 95.255.255.255 and takes in an additional 184,549,376 addresses. Not good. (The range can be written exactly if you let it be more than one block, since 86-87 and 88-89 are each an aligned /7, but that is more bookkeeping than the problem deserves.) In this instance it's best to use the simple "deny from 85" method, or, if you want to write the same thing in CIDR notation:
deny from 85.0.0.0/8
deny from 86.0.0.0/8
deny from 87.0.0.0/8
deny from 88.0.0.0/8
deny from 89.0.0.0/8

Whenever you want an entire range starting from the first octet, the CIDR notation is always /8, since the first 8 bits (one octet) are fixed and the remaining 24 are free:
192.0.0.0 to 192.255.255.255 = 192.0.0.0/8
65.0.0.0 to 65.255.255.255 = 65.0.0.0/8
and so on.
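To make the rules above concrete, here is an added example in Python 3 (my own code, not from the original post and not Mikero.com's calculator) that uses only the standard library's ipaddress module. It splits any inclusive range into the minimal set of exact CIDR blocks, reproduces the one-block expansion figure the calculator reports, renders the matching deny lines, and checks whether a visitor's address is caught by a list of "deny from" arguments in the three forms used on this page (full address, partial octets, CIDR). The two sample ranges are the ones from the post; the function names are my own.

```python
import ipaddress

# Sample ranges taken from the post: DotBot's block and the 85-89 range.
DOTBOT_RANGE = ("208.115.111.240", "208.115.111.255")
WIDE_RANGE = ("85.0.0.0", "89.255.255.255")


def exact_cidr_blocks(first, last):
    """Return the smallest list of CIDR blocks whose union is exactly
    first..last (inclusive). A range that does not start and end on an
    aligned power-of-two boundary simply becomes several blocks."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def single_covering_block(first, last):
    """Return the smallest single CIDR block containing first..last, the
    number of extra addresses it drags in, and that excess as a whole
    percentage of the requested range (the figures a one-block calculator
    reports)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    wanted = int(hi) - int(lo) + 1
    # Start from the host route for the first address and widen the prefix
    # one bit at a time until the last address falls inside the block.
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()
    extra = net.num_addresses - wanted
    return net, extra, round(100 * extra / wanted)


def deny_lines(networks):
    """Render Apache 2.2 'deny from' lines; a /32 collapses to a bare address."""
    lines = []
    for net in networks:
        if net.prefixlen == net.max_prefixlen:
            lines.append(f"deny from {net.network_address}")
        else:
            lines.append(f"deny from {net.with_prefixlen}")
    return lines


def matches_deny(ip, rules):
    """True if ip is caught by any of the 'deny from' arguments in rules.
    Handles the three forms used on this page: a full address, a partial
    dotted prefix such as '85' or '10.1' (matches every address that begins
    with those octets), and a CIDR block."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if "/" in rule:
            # strict=False tolerates host bits set in a sloppy rule so the
            # entry is still checked instead of raising.
            if addr in ipaddress.ip_network(rule, strict=False):
                return True
        elif rule.count(".") == 3:
            if addr == ipaddress.ip_address(rule):
                return True
        elif str(addr).startswith(rule.rstrip(".") + "."):
            return True
    return False


if __name__ == "__main__":
    for first, last in (DOTBOT_RANGE, WIDE_RANGE):
        exact = exact_cidr_blocks(first, last)
        net, extra, pct = single_covering_block(first, last)
        print(f"# {first} - {last}")
        print(f"# as one block: {net} (+{extra} addresses, {pct}%)")
        print("\n".join(deny_lines(exact)))
```

Run it and the DotBot range comes out as the single 208.115.111.240/28 with no expansion, while 85.0.0.0 to 89.255.255.255 splits into three exact blocks (85.0.0.0/8, 86.0.0.0/7 and 88.0.0.0/7); forcing that range into one block gives 80.0.0.0/4 with the 184,549,376 extra addresses (220%) quoted above. One caveat for anyone reading this on a newer server: Apache 2.4 retired the Order/Deny directives in favour of "Require not ip", which takes the same partial-address and CIDR arguments.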


I don't pretend to understand CIDR Notation or calculations yet. What I have found is a very easy way to shorten .htaccess rules with the use of CIDR. Thanks to the excellent calculator by Mikero.com for providing an easy way for admins to learn more about CIDR.

Content received from: Treasure Coast Designs, http://www.treasurecoastdesigns.com