Skip to main content

Overview

The IP Blocking system in Argos Mesh provides a distributed blacklist managed by Redis. When suspicious activity is detected, IP addresses are automatically banned for a configurable duration to prevent further abuse.
The IP blacklist is shared across all Sentinel service instances, ensuring consistent protection throughout your distributed system.

How IP Blocking Works

IP blocking is managed by the RedisService component, which provides two core operations:
  1. Ban an IP: Add an IP to the blacklist with a TTL
  2. Check if banned: Query whether an IP is currently blocked

RedisService Implementation

Here’s the complete implementation from the Sentinel service: 
@Service
public class RedisService {
    private final StringRedisTemplate redisTemplate;
    private static final String BLACKLIST_PREFIX = "blacklist:ip:";

    public RedisService(StringRedisTemplate redisTemplate) {
        this.redisTemplate = redisTemplate;
    }

    // Method that blocks an IP
    public void banIp(String ipAddress, long durationMinutes) {
        // Save the IP with the value "BANNED" and a TTL
        redisTemplate.opsForValue().set(
            BLACKLIST_PREFIX + ipAddress,
            "BANNED",
            Duration.ofMinutes(durationMinutes)
        );
    }

    public boolean isBanned(String ipAddress) {
        return Boolean.TRUE.equals(
            redisTemplate.hasKey(BLACKLIST_PREFIX + ipAddress)
        ); 
    }
}
Source: sentinel/src/main/java/com/argos/sentinel/service/RedisService.java

Automatic Banning

Trigger Conditions

IPs are automatically banned when they exceed the rate limit: 
if (currentCount != null && currentCount > LIMIT) {
    redisService.banIp(ip, 10);  // Ban for 10 minutes
    return true;
}
Source: sentinel/src/main/java/com/argos/sentinel/service/TrafficAnalyzer.java:33-36
1
Step 1: Rate Limit Exceeded
2
When an IP makes more than 50 requests in a 10-second window, the threshold is breached.
3
Step 2: Immediate Ban
4
The banIp() method is called with a 10-minute duration:
5
redisService.banIp(ip, 10);
6
Step 3: Redis Storage
7
A key is created in Redis:
8
  • Key: blacklist:ip:192.168.1.100
  • Value: "BANNED"
  • TTL: 10 minutes (600 seconds)
    • 9
    Step 4: Automatic Expiration
    10
    After 10 minutes, Redis automatically removes the key, unbanning the IP.

    Ban Duration

    The default ban duration is 10 minutes. This provides a balance between security and user experience, preventing temporary network issues from causing permanent blocks.

    Configuring Ban Duration

    To modify the ban duration, update the banIp() call in TrafficAnalyzer.java: 
    // Ban for 30 minutes instead of 10
redisService.banIp(ip, 30);

    Redis Key Structure

    The blacklist uses a simple key-value pattern:
    Key PatternExampleValueTTL
    blacklist:ip:<address>blacklist:ip:203.0.113.42"BANNED"Duration (minutes)

    Checking Ban Status

    The isBanned() method is called at multiple checkpoints:

    1. Before Rate Limiting

    public boolean processAndCheckLimit(String ip) {
    if (redisService.isBanned(ip)) return true;
    // ... rate limiting logic
}
    Source: TrafficAnalyzer.java:23

    2. Before Event Processing

    @RabbitListener(queues = "argos.sales.queue")
public void processSalesEvents(ProductSoldInternalEvent data) {
    String ip = data.ipAddress();

    if (redisService.isBanned(ip)) {
        return;  // Silently drop events from banned IPs
    }
    // ... continue processing
}
    Source: SalesListener.java:29-31
    Banned IPs have their events silently dropped. No alerts are generated for already-banned IPs to prevent alert spam.

    Manual IP Management

    While Argos Mesh handles banning automatically, you can also manage the blacklist manually using Redis CLI.

    Manually Ban an IP

    # Ban an IP for 1 hour (3600 seconds)
redis-cli SETEX "blacklist:ip:192.168.1.100" 3600 "BANNED"

    Manually Unban an IP

    # Remove an IP from the blacklist immediately
redis-cli DEL "blacklist:ip:192.168.1.100"

    Check Ban Status

    # Check if an IP is banned
redis-cli EXISTS "blacklist:ip:192.168.1.100"

# Returns:
# 1 = IP is banned
# 0 = IP is not banned

    View All Banned IPs

    # List all currently banned IPs
redis-cli KEYS "blacklist:ip:*"

# Example output:
# 1) "blacklist:ip:192.168.1.100"
# 2) "blacklist:ip:203.0.113.42"
# 3) "blacklist:ip:198.51.100.78"

    Check Remaining Ban Time

    # Get TTL (time-to-live) in seconds
redis-cli TTL "blacklist:ip:192.168.1.100"

# Example output:
# 456  (IP will be unbanned in 456 seconds)
# -1   (IP is banned permanently - no TTL set)
# -2   (IP is not banned - key doesn't exist)

    Integration Flow

    Here’s how IP blocking integrates with the complete security pipeline:
    1
    Event Received
    2
    ProductSoldInternalEvent arrives from RabbitMQ with an IP address.
    3
    First Check: Blacklist
    4
    if (redisService.isBanned(ip)) {
    return;  // Stop processing immediately
}
    5
    Second Check: Rate Limit
    6
    If not banned, analyze traffic patterns:
    7
    if (analyzer.processAndCheckLimit(ip)) {
    // IP was just banned due to rate limit
    // Send alert
}
    8
    Alert Generation
    9
    When a new ban occurs, send a critical alert:
    10
    AlertInternalEvent event = new AlertInternalEvent(
    "Suspicious behavior", 
    ip, 
    "CRITICAL", 
    LocalDateTime.now()
);

    Performance & Scalability

    O(1) Lookups

    Redis EXISTS and HASKEY operations are constant time, providing instant ban checks.

    Distributed State

    All Sentinel instances share the same Redis blacklist, ensuring consistent protection.

    Automatic Cleanup

    Redis TTL automatically removes expired bans without manual intervention.

    Memory Efficient

    Each banned IP uses only ~100 bytes of memory in Redis.

    Use Cases

    Preventing Scalping Bots

    E-commerce bots often attempt to purchase limited inventory by making hundreds of requests per second. IP blocking stops these attacks after the first 50 requests.

    DDoS Mitigation

    During a distributed denial-of-service attack, each attacking IP is automatically identified and banned, reducing the attack surface.

    API Abuse Prevention

    If a client misconfigures their application and sends excessive traffic, they’re temporarily banned until the issue is resolved.

    Monitoring the Blacklist

    Create a monitoring script to track banned IPs: 
    #!/bin/bash
# blacklist-monitor.sh

echo "=== Argos Sentinel Blacklist Monitor ==="
echo ""

BANNED_COUNT=$(redis-cli KEYS "blacklist:ip:*" | wc -l)
echo "Total banned IPs: $BANNED_COUNT"
echo ""

if [ $BANNED_COUNT -gt 0 ]; then
    echo "Currently banned IPs:"
    redis-cli KEYS "blacklist:ip:*" | while read key; do
        IP=$(echo $key | sed 's/blacklist:ip://')
        TTL=$(redis-cli TTL $key)
        echo "  - $IP (expires in ${TTL}s)"
    done
fi

    Best Practices

    Monitor False Positives

    Regularly review banned IPs to ensure legitimate users aren’t being blocked.

    Whitelist Critical IPs

    Implement a whitelist for internal services and monitoring systems to prevent accidental bans.

    Adjust Ban Duration

    For production systems, consider longer ban durations (30-60 minutes) for repeat offenders.

    Log Ban Events

    Implement structured logging to track when and why IPs are banned for audit purposes.

    Next Steps

    Rate Limiting

    Understand how rate limiting triggers automatic bans

    DDoS Protection

    See how IP blocking fits into the complete security strategy

    Build docs developers (and LLMs) love

    Get started for freeTalk to us