WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Filtering by client IP address for Web App Sessions

From: Jason Coombs <jasonc () science org>
Date: Mon, 28 Feb 2005 11:40:25 +1300
exon wrote:

Evans, Arian wrote:


Question for those outside of the US of A:

In Europe, Asia, etc. do you have:


Sweden speaking.
I recently worked incident response involving an alleged screen scraping attack against a Web site run by a New Zealand firm. There was a rate limit imposed by the Web site operator based on client IP, and the attack circumvented the rate limit by originating from an ISP in New Zealand that proxies every TCP connection from a different IP in a variety of class C blocks.
The Web site operator wanted to file criminal charges and a lawsuit against the alleged attacker because the attacker circumvented the rate limit, which obviously was never a valid defense in the first place.
It isn't just Web developers who are clueless. Entire companies that depend on them, and all of the attorneys who work for such companies, also make very bad decisions when Web developers are clueless.
However, I share the sentiment expressed by the Web site operator. There is just no good reason for ISPs to rotate IPs per-connection, and any ISP that does this should be shut down as they are a public nuisance. 

Regards,

Jason Coombs
jasonc () science org
Previous By Date Next
Previous By Thread Next

Current thread: