Drupal 7 included the ability to block specific IP addresses from accessing a site.
This feature was removed from Backdrop core because IP blocking should ideally be done before the traffic reaches the application layer.
To block by IP at the Apache layer, you can add something like the following to the .htaccess file:
<Limit GET HEAD POST>
# To block an IP range
deny from 38.101.
# To block an IP block
deny from 18.104.22.168/11
</Limit>
If someone absolutely needs to do IP blocking at the application layer, they can add a few lines into settings.php to kill matching requests. Example follows.
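The settings.php check described above, written out as an added example (it is not Backdrop's own code); it matches single addresses and IPv4/IPv6 CIDR blocks, which goes beyond a plain list lookup. The helper name example_ip_is_blocked, the $blocked_ips variable and the listed addresses are assumptions made for illustration.

```php
<?php
// Added example; drop the opening tag when pasting into settings.php.
// Addresses are constructed documentation ranges, not values from this page.
$blocked_ips = array(
  '192.0.2.15',        // single IPv4 address
  '198.51.100.0/24',   // IPv4 CIDR block
  '2001:db8:bad::/48', // IPv6 CIDR block
);

// Hypothetical helper (not a Backdrop API): TRUE if $ip matches any rule.
function example_ip_is_blocked($ip, array $rules) {
  $addr = @inet_pton($ip);
  if ($addr === FALSE) {
    return FALSE; // Unparseable address: no rule can match it.
  }
  foreach ($rules as $rule) {
    $parts = explode('/', $rule, 2);
    $net = @inet_pton($parts[0]);
    // Skip malformed rules and rules of the other address family.
    if ($net === FALSE || strlen($net) !== strlen($addr)) {
      continue;
    }
    $bits = strlen($net) * 8;
    if (isset($parts[1])) {
      // A bad prefix length must not silently become /0 (match everything).
      if (!preg_match('/^\d{1,3}$/', $parts[1]) || (int) $parts[1] > $bits) {
        continue;
      }
      $bits = (int) $parts[1];
    }
    // Compare the whole bytes of the prefix, then the leftover bits.
    $bytes = $bits >> 3;
    $rest = $bits & 7;
    if (substr($addr, 0, $bytes) !== substr($net, 0, $bytes)) {
      continue;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    if ($rest === 0 || (ord($addr[$bytes]) & $mask) === (ord($net[$bytes]) & $mask)) {
      return TRUE;
    }
  }
  return FALSE;
}

// REMOTE_ADDR is the TCP peer: behind a reverse proxy it is the proxy itself.
if (isset($_SERVER['REMOTE_ADDR']) && example_ip_is_blocked($_SERVER['REMOTE_ADDR'], $blocked_ips)) {
  header('HTTP/1.1 403 Forbidden');
  exit;
}
```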
There are also several contrib modules that can block by IP. We recommend Ban or Autoban.