Re: Filtering by client IP address for Web App Sessions

[Steve Shah <sshah () planetoid org>]

On Wed, Feb 23, 2005 at 09:12:50AM -0600, Evans, Arian wrote:
> 2. Are there many ISPs or large organizations using megaproxies
> that swap client source IPs across entire classes of netblock (e.g.
> -like AOL does)?

I know of at least one significant ISP (run by one of the telcos)
that runs megaproxies.

> I've been telling people for years that you can't filter by source or
> even last octet netblocks and lately have been wondering if I'm dense
> and this is a US-centric bias of mine thanks to the ISP behaviors
> I've had to deal with over the years.

Having spent the last 6 years at various L4-7 companies, I can
tell you that you're right. For load balancing this shows up in
the form of wanting to do persistence based on client IP. 

Basically, relying on source IP for any transaction related 
tracking is risky. Client IP addresses move, load balanced forward
proxies can fail causing users to pop out of another proxy server,
or (most likely), you end up with a ton of users hitting one
server when the other servers sit idle. 

> From a filtering perspective, it's a great way to reverse DoS a 
site doing any kind of source IP based filtering. An attacker
needs to only launch an attack (even a trivial one) from behind
a significant NAT/proxy server that has a lot of users behind it
and if the site bans the IP, it ends up banning a significant 
number of users. In the US/AOL case, that could be a serious
segment of your user population. ACLs based on flood attacks are
also bad news -- spoof the source IP of a syn flood to come from
the AOL subnet and you can block a few million users in one shot.
If you just want to get someone fired without hurting all of the
Internet, launch a syn flood from the corporate NAT IPs so the
CEO thinks the web site is down. 

-Steve

-- 
Steve Shah
sshah () planetoid org - http://www.planetoid.org/
Beating code into submission, one OS at a time...