An attacker can ban arbitrary IP addresses on the target side by spoofing HTTP headers. This can be exploited to ban search-engine crawlers, the site’s reverse proxy, or legitimate users.