Is IP address authentication safe for web service / site? - web-services

We're building a web service which users will subscribe to, and we were thinking of authenticating users based on their IP address.
I understand that this creates some hassle, e.g., if a client's IP changes, but I wanted to know from a security point of view if this was safe? I'm not sure how hard it is to spoof IP addresses, but my thinking is that even if that happened we wouldn't end up sending data back to the attacker.
Any thoughts?
Thanks!

I'd say this would be very risky. Hackers use a number of IP spoofing tools to avoid detection, and there are legitimate anonymity uses. Check out IP onions via the Tor network (used extensively by WikiLeaks folks, for example): http://www.torproject.org
That said, if your data isn't sensitive AT ALL, like you want to guess their location to show the local weather, you can certainly use IP blocks to roughly locate people. If that kind of thing is all you're after, check out: http://www.hostip.info/dl/index.html

Think about proxies and VPNs.
And what if a user would like to use your site from another PC?
You might want to use browser fingerprints (together with IP); it's safer, but then they must always use the same browser...
Conclusion: not a good idea.

Related

libcurl: Determine whether a URL is in the same LAN

I'd like to know if it's at all possible to determine whether a particular URL belongs to the same LAN which the machine originating the request is from.
I mainly want to do this for security purposes at the level of the software which does HTTP requests, i.e. I want to disallow it even attempting to go outside of the network. I know such things are usually done at the level of network administration, but the question is about how to do this at the level of software.
I thought it might be possible to go the IP address way - e.g., resolve DNS, determine the IP address, and then see if it's in one of the local network classes (10.0.0.*, 192.168.*.*, etc.)
Does anyone have any idea / guess how to do this elegantly in C++ with possibly the usage of libcurl?
Thanks.
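The check the question describes (resolve, then compare against the private ranges), as an added example that is not part of the original post and is written in Python rather than C++; the address logic is the same in either language. `LOCAL_NETS`, `vet_host`, `fake_resolver` and the `.example` host names are assumptions of this example.

```python
import ipaddress
import socket

# Assumption of this example: "local" means RFC 1918 private space plus
# IPv6 unique-local addresses. Loopback and link-local are not included.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_local(addr):
    """True if addr (a literal IP address) lies inside one of LOCAL_NETS."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in LOCAL_NETS)


def vet_host(host, port=80, resolver=socket.getaddrinfo):
    """Resolve host once; return its addresses only if all are local.

    Raises ValueError if any resolved address is outside LOCAL_NETS, so a
    name that maps to one local and one public address is refused.
    """
    infos = resolver(host, port, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    outside = [a for a in addrs if not is_local(a)]
    if not addrs or outside:
        raise ValueError(f"{host}: refused, non-local addresses {outside}")
    return addrs


# Constructed DNS answers so the example runs offline (hypothetical names).
_FAKE_DNS = {
    "intranet.example": ["192.168.1.20", "10.0.0.5"],
    "mixed.example": ["192.168.1.20", "198.51.100.7"],
}


def fake_resolver(host, port, type=0):
    """Stand-in for socket.getaddrinfo that answers from _FAKE_DNS."""
    return [(socket.AF_INET, type, 0, "", (a, port)) for a in _FAKE_DNS[host]]


if __name__ == "__main__":
    print(vet_host("intranet.example", resolver=fake_resolver))
```

The request then has to connect to one of the returned addresses instead of resolving the name a second time, otherwise the answer can change between the check and the connection; in libcurl, `CURLOPT_RESOLVE` pins a host and port to a chosen address. Redirect targets need the same vetting before they are followed.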

Choosing network interface by app

I'm a C/C++/Qt dev, and today I have a particular need, and I'm sure I'm not the only one. I need to choose which network interface my computer app will connect through...
For example, I'm home, using a VPN to access some protected stuff (like a VPN used by my company). And I know I can't use the VPN to browse the Internet. I would like to be able to tell my FTP client to connect to the VPN interface and my browser to the classic interface. (VPN may be a bad example, but the idea is there.)
As almost none of the classic apps one has on one's computer let the user choose which IP to use, I would like to develop something which can do this for me and everybody who may need it, but I simply don't know where to begin. I know I'll have to hack, maybe intercept and relay the connection (firewall-like, or more NAT-like), or maybe I can close and reopen the connection for the app (and STOP/CONT it to keep it from noticing), or anything else.
If you have any idea of how and where I can begin my research, it would be helpful. Thank you for your help.

IIS binding and throughput, how do they work?

A consultant at work mentioned that you can have web services running on different endpoints and hence utilize the network correctly if I have more than one network card with different bandwidths.
Not being too network savvy, is he saying I can take my web service and tie it down to one network card and make sure clients make calls at that network card to access it as I have more bandwidth at that card?
Can I do this without changing the clients?
Also if my web service has a number of web methods and I want some web methods to run on a different network card, would I have to split the web service so that the web methods are on different web services? In other words I would have to write two web services?
Are you really maxing out your network that you need to implement something like this? I would look into bottlenecks within the application first before going down this road.
If your network is the bottleneck, then perhaps moving your web service to a completely different server might be a better solution. It'll most likely be cleaner and easier to implement.
Having said that, it can probably be done, but would be convoluted. Network cards would need to be on different networks. Wouldn't make sense if it's the same network. Each network card will have a different IP address assigned.
In IIS, you'll need to make sure that the site which houses your web service is configured for one particular IP address.
"Can I do this without changing the clients?"
Depends. You will need to make sure whoever is calling your web service does it using the IP address configured within IIS. That might mean either creating a DNS record that points to that particular IP address OR editing your clients to point to the right IP address.

Tracking and logging anonymous users

If you let anonymous users vote for any post on a site just one time and you log that vote by the user's IP, what's the likelihood that you'd be banning other users from voting and that the original user would be able to vote again after a certain amount of time because their IP address has changed? I'm guessing almost certainly.
Client side cookies can be deleted and server side cookies again have no way to reliably map said cookie to the anonymous user.
Does this mean there is no reliable way of tracking anonymous users indefinitely?
Using only IP addresses for user authentication/identification is extremely unreliable. There might be many hundreds or even thousands of users behind one IP (e.g. a corporate network) and for most of those on home connections their IPs are likely to be dynamic and regularly changing.
You have to use cookies for more reliable tracking. You can specify just about any time-to-live for a cookie, so that when an anonymous user returns, you can identify him.
Of course cookies can be deleted by users, so they could delete their cookies and vote again. However, is this likely to be a big problem? If someone really wants to game your poll, they could write a script. However, you could add a few basic security features: only allow some maximum votes per IP per day, and allow only so many votes per IP per second.
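The scheme from the answer above (a cookie to recognise the voter, per-IP caps per day and per second as a backstop), as an added example that is not part of the original answer. `VoteGate`, `replay`, the limits and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

DAY = 86400.0


class VoteGate:
    """One vote per (cookie, post); per-IP caps bound cookie-clearing scripts.

    The default limits (20 per day, 1 per second) are assumed values.
    """

    def __init__(self, per_day=20, per_second=1):
        self.per_day, self.per_second = per_day, per_second
        self.by_ip = defaultdict(deque)   # ip -> times of accepted votes
        self.voted = set()                # (cookie_id, post_id) pairs

    def vote(self, cookie_id, ip, post_id, now):
        """Return 'ok', 'duplicate' or 'rate_limited'; now is in seconds."""
        if (cookie_id, post_id) in self.voted:
            return "duplicate"
        times = self.by_ip[ip]
        while times and now - times[0] >= DAY:   # forget votes older than a day
            times.popleft()
        last_second = sum(1 for t in times if now - t < 1.0)
        if len(times) >= self.per_day or last_second >= self.per_second:
            return "rate_limited"
        times.append(now)
        self.voted.add((cookie_id, post_id))
        return "ok"


def replay(events, **limits):
    """Run (cookie, ip, post, time) tuples through a fresh gate."""
    gate = VoteGate(**limits)
    return [gate.vote(*e) for e in events]


# Constructed traffic: two people share one NAT address, then a script on
# another address presents a fresh cookie with every request.
SAMPLE = [
    ("alice", "203.0.113.7", "post-1", 0.0),
    ("bob", "203.0.113.7", "post-1", 5.0),     # same IP, different cookie
    ("alice", "203.0.113.7", "post-1", 9.0),   # repeat with the same cookie
    ("c1", "198.51.100.9", "post-1", 10.0),
    ("c2", "198.51.100.9", "post-1", 10.2),    # new cookie, same second
    ("c3", "198.51.100.9", "post-1", 12.0),
    ("c4", "198.51.100.9", "post-1", 14.0),    # over a daily cap of 2
]
```

With `replay(SAMPLE, per_day=2)` both NAT users get their vote counted, while the cookie-clearing client is held to the per-IP caps; a daily cap set too low would also start rejecting further legitimate voters behind the same address.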
"If you let anonymous users vote for any post on a site just one time and you log that vote by the user's IP, what's the likelihood that you'd be banning other users from voting"
Unless that page is extremely popular, it's very unlikely that someone else being assigned the same IP address by the ISP would also visit it.
Edit: Users using the same IP address due to NAT are a much bigger problem and probably a deal-breaker for using the IP address. I'd be less worried about corporate networks than about private home networks: very common, and having two people in the same household wanting to visit and vote on the same site is rather more likely than two random strangers.
"and that the original user would be able to vote again after a certain amount of time because their IP address has changed? I'm guessing almost certainly."
It's not just a question of time; most ISPs assign IP addresses upon connect, so all someone has to do to get a new one is to reinitialize their DSL connection (or whatever they use).
"Does this mean there is no reliable way of tracking anonymous users indefinitely?"
Correct.
Yes, there is no certainty in tracking IP addresses or using cookies.

Get my WAN IP address

How can I go about programmatically getting the IP address of my network as seen from the Internet? It's obviously a property that my router has access to when it connects to the ISP. Is there any way to get this info from a router using a standard protocol? My only other option is to either find a WS which returns my IP address (surprisingly difficult to do), or just go to something like whatismyip.com and strip out all the HTML (very dirty and susceptible to change). Is there any other way???
Don't scrape whatismyip.com, see here for how you can call their API which just returns your address.
If you don't use this, you have to write something like it yourself, i.e. a host beyond your router which can report back your apparent address.
Note that the webserver might not see your real WAN IP address because:
your ISP might be transparently proxying HTTP traffic, and the server would see the IP of the proxy. In that case, you'd typically need to look for and parse an X-Forwarded-For header.
or, as Olaf noted, there may be another NAT router between you and the wide open Internet, in other words, the WAN address of your router is on a private network. The best you'd get from a service like whatismyip.com is the IP of the outermost NAT router.
If your router supports SNMP you could use that to ask it about its external IP. A small example is found here:
http://www.rohitab.com/discuss/index.php?showtopic=31901
I've voted up Paul Dixon's answer because it seemed complete, but there's one more aspect to this:
Your ISP might provide private addresses for you - this does happen with some ISPs. Depending on what you expect you might need a routable address that you don't have.
The proxy information that Paul mentions (HTTP header X-Forwarded-For) might be a non-routable address if you yourself have a proxy.
Based on mixing all these aspects (getting a non-routable address from your ISP and having a proxy yourself) you might get bizarre results.
These aspects are not the typical day to day situation, but depending on your needs you might want to take these into account.
I don't see a language specification but I did it here in Python: Finding a public facing IP address in Python? Basically there is no way of doing it without relying on an external server, in this case I use http://www.whatismyip.com/automation/n09230945.asp which only provides the IP address.
Alternatively you could use your own script which in PHP would look like:
<?php
echo $_SERVER['REMOTE_ADDR'];
?>
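How a reporting script like the one above can combine `REMOTE_ADDR` with the X-Forwarded-For header discussed in the earlier answers, as an added example that is not part of the original posts. `TRUSTED_PROXIES`, `NON_ROUTABLE`, `apparent_client` and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions of this example: the proxies we operate, and the address
# space treated as non-routable (RFC 1918, RFC 6598 carrier NAT, loopback).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8")]


def _in(ip, nets):
    return any(ip in net for net in nets)


def apparent_client(remote_addr, xff=None):
    """Return (address, routable) for one request.

    remote_addr is the TCP peer (PHP's $_SERVER['REMOTE_ADDR']); xff is the
    raw X-Forwarded-For value or None. The header is only believed when the
    peer itself is one of TRUSTED_PROXIES, because any client can send it.
    """
    client = ipaddress.ip_address(remote_addr)
    if xff and _in(client, TRUSTED_PROXIES):
        # Each proxy appends the peer it saw, so walk right to left and
        # stop at the first hop that is not one of our own proxies.
        for hop in reversed([h.strip() for h in xff.split(",")]):
            try:
                ip = ipaddress.ip_address(hop)
            except ValueError:
                break                 # malformed entry: trust nothing further
            client = ip
            if not _in(ip, TRUSTED_PROXIES):
                break
    return str(client), not _in(client, NON_ROUTABLE)


if __name__ == "__main__":
    # Header sent directly by an untrusted peer is ignored.
    print(apparent_client("203.0.113.50", "10.0.0.1"))
    # Behind our proxy, the client's own LAN proxy reported a private address.
    print(apparent_client("192.0.2.1", "192.168.1.10"))
```

A result flagged as non-routable is the case described above where the reported address belongs to a private network and is not the caller's WAN address.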