If you let anonymous users vote for any post on a site just one time and you log that vote by the user's IP, what's the likelihood that you'd be banning other users from voting and that the original user would be able to vote again after a certain amount of time because their IP address has changed? I'm guessing almost certainly.
Client side cookies can be deleted and server side cookies again have no way to reliably map said cookie to the anonymous user.
Does this mean there is no reliable way of tracking anonymous users indefinitely?
Using only IP addresses for user authentication/identification is extremely unreliable. There might be many hundreds or even thousands of users behind one IP (e.g. a corporate network), and for most of those on home connections their IPs are likely to be dynamic and regularly changing.
You have to use Cookies for more reliable tracking. You can specify just about any time-to-live for a cookie, so that when an anonymous user returns, you can identify him.
Of course cookies can be deleted by users, so they could delete their cookies and vote again. However, is this likely to be a big problem? If someone really wants to game your poll, they could write a script. However, you could add a few basic security features: only allow some maximum votes per IP per day, and allow only so many votes per IP per second.
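One way to implement the approach in the answer above (an added example, not code from the original posts): a signed, long-lived cookie identifies the returning voter, and per-IP limits act as a backstop against scripted voting. The limit values, function names and in-memory storage are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed for the example)
MAX_VOTES_PER_IP_PER_DAY = 20      # assumed limits, tune for your traffic
MIN_SECONDS_BETWEEN_VOTES = 1.0


def issue_voter_cookie():
    """Return 'id.signature'; set it with a long Max-Age so returning users keep it."""
    voter_id = secrets.token_hex(16)
    sig = hmac.new(SECRET, voter_id.encode(), hashlib.sha256).hexdigest()
    return f"{voter_id}.{sig}"


def voter_id_from_cookie(cookie):
    """Return the voter id if the signature verifies, else None."""
    voter_id, _, sig = (cookie or "").partition(".")
    expected = hmac.new(SECRET, voter_id.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return voter_id if ok else None


class VoteGate:
    def __init__(self):
        self.voted = set()        # (post_id, voter_id) pairs already counted
        self.per_ip_day = {}      # (ip, day number) -> votes accepted
        self.last_vote_at = {}    # ip -> timestamp of last accepted vote

    def try_vote(self, post_id, cookie, ip, now):
        voter_id = voter_id_from_cookie(cookie)
        if voter_id is None:
            return "rejected: missing or forged cookie"
        if (post_id, voter_id) in self.voted:
            return "rejected: already voted"
        last = self.last_vote_at.get(ip, float("-inf"))
        if now - last < MIN_SECONDS_BETWEEN_VOTES:
            return "rejected: too fast"
        day = (ip, int(now // 86400))
        if self.per_ip_day.get(day, 0) >= MAX_VOTES_PER_IP_PER_DAY:
            return "rejected: daily IP cap"
        self.voted.add((post_id, voter_id))
        self.per_ip_day[day] = self.per_ip_day.get(day, 0) + 1
        self.last_vote_at[ip] = now
        return "accepted"
```

A second person behind the same NAT address gets their own cookie and can still vote; deleting the cookie yields a new identity, which only the per-IP caps then slow down.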
> If you let anonymous users vote for any post on a site just one time and you log that vote by the user's IP, what's the likelihood that you'd be banning other users from voting
Unless that page is extremely popular, it's very unlikely that someone else being assigned the same IP address by the ISP would also visit it.
Edit: Users using the same IP address due to NAT are a much bigger problem and probably a deal-breaker for using the IP address. I'd be less worried about corporate networks than about private home networks: very common, and having two people in the same household wanting to visit and vote on the same site is rather more likely than two random strangers.
> and that the original user would be able to vote again after a certain amount of time because their IP address has changed? I'm guessing almost certainly.
It's not just a question of time; most ISPs assign IP addresses upon connect, so all someone has to do to get a new one is to reinitialize their DSL connection (or whatever they use).
> Does this mean there is no reliable way of tracking anonymous users indefinitely?
Correct.
Yes, there is no certainty in tracking IP addresses or using cookies.
I was reading howstuffworks and this is what is written there:
http://computer.howstuffworks.com/cookie3.htm
"It turns out that because of proxy servers, caching, concentrators and so on, the only way for a site to accurately count visitors is to set a cookie with a unique ID for each visitor."
I couldn't derive from it why only a cookie is the way?
Thirty users might come from the same IP address (think an ISP block or inside a corporate network).
Thirty different users might retrieve content from various caches rather than making unique requests that make it all the way to the app server (local cache, ISP cache, etc.).
Without tracking individual sessions, traffic may be mis-estimated or mis-interpreted.
We're building a web service which users will subscribe to, and we were thinking of authenticating users based on their IP address.
I understand that this creates some hassle, e.g., if a client's IP changes, but I wanted to know from a security point of view if this was safe? I'm not sure how hard it is to spoof IP addresses, but my thinking is that even if that happened we wouldn't end up sending data back to the attacker.
Any thoughts?
Thanks!
I'd say this would be very risky. Hackers use a number of IP spoofing tools to avoid detection, and there are legitimate anonymity uses. Check out IP onions via the Tor network (used extensively by WikiLeaks folks, for example): http://www.torproject.org
That said, if your data isn't sensitive AT ALL, like you want to guess their location to show the local weather, you can certainly use IP blocks to roughly locate people. If that kind of thing is all you're after, check out: http://www.hostip.info/dl/index.html
Think about proxies and VPNs.
And what if a user would like to use your site from another PC?
You might want to use browser fingerprints (together with IP); it's safer, but then they must always use the same browser...
Conclusion: not a good idea.
So this is more of a general question on the best practice of preventing DoS attacks. I'm just trying to get a grasp on how most people handle malicious requests from the same IP address, which is the problem we are currently having.
I figure it's better to block the IP of a truly malicious IP as high up as possible so as to prevent using more resources, especially when it comes to loading your application.
Thoughts?
You can prevent DoS attacks from occurring in various ways.
Limiting the number of queries/second from a particular IP address. Once the limit is reached, you can send a redirect to a cached error page to limit any further processing. You might also be able to get these IP addresses firewalled so that you don't have to process their requests at all. Limiting requests per IP address won't work very well though if the attacker forges the source IP address in the packets they are sending.
I'd also be trying to build some smarts into your application to help in dealing with a DoS. Take Google Maps as an example. Each individual site has to have its own API key, which I believe is limited to 50,000 requests per day. If your application worked in a similar way, then you'd want to validate this key very early on in the request so that you don't use too many resources for the request. Once the 50,000 requests for that key are used, you can send appropriate proxy headers such that all future requests (for the next hour, for example) for that key are handled by the reverse proxy. It's not foolproof though. If each request has a different URL, then the reverse proxy will have to pass through the request to the backend server. You would also run into a problem if the DDOS used lots of different API keys.
Depending on the target audience for your application, you might be able to blacklist large IP ranges that contribute significantly to the DDOS. For example, if your web service is for Australians only, but you were getting a lot of DDOS requests from some networks in Korea, then you could firewall the Korean networks. If you want your service to be accessible by anyone, then you're out of luck on this one.
Another approach to dealing with a DDOS is to close up shop and wait it out. If you've got your own IP address or IP range then you, your hosting company or the data centre can null route the traffic so that it goes into a black hole.
Referenced from here. There are other solutions too on same thread.
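iptables -I INPUT -p tcp -s 1.2.3.4 -m statistic --mode random --probability 0.5 -j DROP
iptables -I INPUT n -p tcp -s 1.2.3.4 -m rpfilter --loose -j ACCEPT
# n is a numeric index into the INPUT chain; if omitted, -I inserts at position 1 (the head of the chain)
# the rpfilter match is only valid in the PREROUTING chain of the raw or mangle table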
more at...
Can't Access Plesk Admin Because Of DOS Attack, Block IP Address Through SSH?
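One way to arrange the early checks described in this thread (an added example, not code from the original posts): the API key, its daily quota and a per-IP token bucket are evaluated before any application work is done. Class names, limits and the in-memory state are assumptions; as the answer notes, per-IP limits do not help when the source address is forged.

```python
class TokenBucket:
    """Allows `rate` requests per second on average, with bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.updated = float(burst), None

    def allow(self, now):
        if self.updated is not None:
            refill = (now - self.updated) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FrontDoor:
    """Cheap admission checks that run before the application is loaded."""

    def __init__(self, key_quotas, rate=5, burst=10):
        self.key_quotas = dict(key_quotas)   # api key -> requests allowed per day
        self.key_used = {}                   # (api key, day number) -> requests served
        self.buckets = {}                    # ip -> TokenBucket (evict idle entries in production)
        self.rate, self.burst = rate, burst

    def admit(self, api_key, ip, now):
        # 1. Unknown keys are rejected with a dictionary lookup, nothing more.
        if api_key not in self.key_quotas:
            return 403, "unknown API key"
        # 2. Per-IP queries/second limit.
        if ip not in self.buckets:
            self.buckets[ip] = TokenBucket(self.rate, self.burst)
        if not self.buckets[ip].allow(now):
            return 429, "per-IP rate exceeded"
        # 3. Per-key daily quota, shared by every IP that uses the key.
        slot = (api_key, int(now // 86400))
        if self.key_used.get(slot, 0) >= self.key_quotas[api_key]:
            return 429, "daily key quota exhausted"
        self.key_used[slot] = self.key_used.get(slot, 0) + 1
        return 200, "pass to application"
```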
Is there any way that a website can read a cookie in a way that the cookie is locked to that particular computer and that it wasn't somehow copied to another computer?
Assuming you don't trust the end point — no.
If you don't trust the user, then you can't be sure.
If you don't trust the computer (e.g. it might have malware installed), then you can't be sure.
If you don't trust the connection (i.e. it isn't secured with SSL), then you can't be sure.
You can't be sure by linking the cookie to an IP address, since:
Multiple computers can share an IP (e.g. via NAT)
One computer can cycle through multiple IPs (e.g. some large ISPs use a bank of proxy servers)
You could include a bunch of data gathered from the browser (e.g. the user agent string) as a hashed value in the cookie, but that would break if something changed the data you were checking against or the cookie was copied to another machine with identical data (while user agent strings can vary a lot, two computers can be configured identically, and there are plenty of circumstances where they are likely to be, e.g. in a company with a standard desktop install that includes standard versions of browsers and plugins).
The only thing you can do is to try to put as much data as possible in the cookie (browser user-agent, OS, screen resolution, ...). You have to scramble/encrypt the data.
If you read the cookie again sometime, you can check if the values still match. But of course this is not a 100% safe solution, since all this data can be faked by a malicious user (if he knows what exactly he needs to change).
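The limitation described in the answers above, as an added example that is not part of the original posts: the cookie carries an HMAC (a keyed hash, used here in place of the "scramble/encrypt" step) over a session id and a hash of browser attributes. The attribute names, sample values and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed for the example; never sent to the client


def fingerprint(attrs):
    """Hash the browser attributes the server chose to check (order-independent)."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def make_cookie(session_id, attrs):
    """Cookie value = session id + HMAC over (session id, fingerprint)."""
    msg = f"{session_id}|{fingerprint(attrs)}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def check_cookie(cookie, attrs):
    """True only if the tag matches the attributes presented with this request."""
    session_id, _, tag = cookie.partition(".")
    msg = f"{session_id}|{fingerprint(attrs)}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())


# Constructed sample attributes, not captured from real browsers.
OFFICE_PC_1 = {
    "user_agent": "ExampleBrowser/1.0 (StandardDesktop)",
    "os": "ExampleOS 10",
    "screen": "1920x1080",
}
OFFICE_PC_2 = dict(OFFICE_PC_1)  # second machine built from the same corporate image
AFTER_UPDATE = dict(OFFICE_PC_1, user_agent="ExampleBrowser/1.1 (StandardDesktop)")
```

A cookie issued to `OFFICE_PC_1` still verifies when presented with `OFFICE_PC_2`'s identical attributes, while the legitimate user is rejected after a browser update changes the user agent.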
Does anybody know a good way of granting a connection from one service to another, so that both services benefit from each other?
I would like to have an easy but nevertheless safe way to do a connection between my server and another server, but I don't know how to do that.
It should be ...
easy, so that neither the user nor the service providers have to waste a lot of time
traffic efficient, so that traffic is not wasted and the connection is fast
encrypted, so that no person in between can use the transmitted data
And it should be an open and flexible standard, so that there could be more connections to other services (with my server in the middle of this star connection and no connection in between all providers) and that I don't have to pay a fee ;).
The example in the title is something I think about, because when you have a Twitter account you somehow connect Facebook to your account and Facebook can show your Twitter feeds on your account.
But I don't want a provider to gather a lot of information besides the really important one that the user wants to transmit. So I don't want the provider to get the username of my user, and I don't really need to know how my user is named there.
It's like a post-office box. You just have to know where to put your letter, but you don't need to know the box owner's name.
And I don't want the mail carrier to know what he is delivering, so it should be encrypted.
Every clue how to do that would be fine, because I don't know anything about this :)
thank you in advance, Andreas
What you need is OAuth, check out the "Getting Started" guide to learn all about it
And the wiki entry