WebApp Sec mailing list archives
Re: Filtering by client IP address for Web App Sessions
From: Steve Shah <sshah () planetoid org>
Date: Wed, 23 Feb 2005 20:54:00 -0800
On Wed, Feb 23, 2005 at 09:12:50AM -0600, Evans, Arian wrote:
2. Are there many ISPs or large organizations using megaproxies that swap client source IPs across entire classes of netblock (e.g. -like AOL does)?
I know of at least one significant ISP (run by one of the telcos) that runs megaproxies.
I've been telling people for years that you can't filter by source or even last octet netblocks and lately have been wondering if I'm dense and this is a US-centric bias of mine thanks to the ISP behaviors I've had to deal with over the years.
Having spent the last 6 years at various L4-7 companies, I can tell you that you're right. For load balancing this shows up in the form of wanting to do persistence based on client IP. Basically, relying on source IP for any transaction related tracking is risky. Client IP addresses move, load balanced forward proxies can fail causing users to pop out of another proxy server, or (most likely), you end up with a ton of users hitting one server when the other servers sit idle.
From a filtering perspective, it's a great way to reverse DoS a
site doing any kind of source IP based filtering. An attacker needs to only launch an attack (even a trivial one) from behind a significant NAT/proxy server that has a lot of users behind it and if the site bans the IP, it ends up banning a significant number of users. In the US/AOL case, that could be a serious segment of your user population. ACLs based on flood attacks are also bad news -- spoof the source IP of a syn flood to come from the AOL subnet and you can block a few million users in one shot. If you just want to get someone fired without hurting all of the Internet, launch a syn flood from the corporate NAT IPs so the CEO thinks the web site is down. -Steve -- Steve Shah sshah () planetoid org - http://www.planetoid.org/ Beating code into submission, one OS at a time...
Current thread:
- Filtering by client IP address for Web App Sessions Evans, Arian (Feb 23)
- Re: Filtering by client IP address for Web App Sessions Paul Johnston (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Steve Shah (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Paul Johnston (Mar 01)
- Re: Filtering by client IP address for Web App Sessions exon (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Jason Coombs (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Frank Knobbe (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Javier Fernandez-Sanguino (Mar 01)
- <Possible follow-ups>
- RE: Filtering by client IP address for Web App Sessions Amichai Shulman (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Griffiths, Ian (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Scovetta, Michael V (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Evans, Arian (Mar 03)