WebApp Sec mailing list archives
Re: Filtering by client IP address for Web App Sessions
From: Paul Johnston <paul () westpoint ltd uk>
Date: Mon, 28 Feb 2005 15:19:02 +0000
Hi,
From a filtering perspective, it's a great way to reverse DoS a site doing any kind of source IP based filtering. An attacker needs to only launch an attack (even a trivial one) from behind a significant NAT/proxy server that has a lot of users behind it and if the site bans the IP, it ends up banning a significant number of users. In the US/AOL case, that could be a serious segment of your user population.
This is an interesting problem. While I advocate never using the IP address as part of session tracking, one use of the source IP address I do condone is mod_dosevasive. This is an Apache module that does some IP address based DoS protection; I imagine other web servers have similar functionality. Now, the choice is either use mod_dosevasive based on IP addresses, or don't use it at all. I reckon using it is better than not. Sure, an attacker could bypass the restrictions to some extent by connecting from many IP addresses - but this definitely does raise the bar for attack.
So, the negative is the risk of a proxy user causing a DoS against other users of the same proxy. Well, I reckon in that case it's the responsibility of the proxy administrator to deal with the offending user. In general, if you let someone do stuff coming from your IP address, you take on some amount of responsibility for their actions. Another thing to consider is that this way only that one proxy is DoS'ed. If the server has all its resources consumed, it is the entire Internet that is DoS'ed.
Best wishes,
Paul

--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
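An added illustration of the trade-off discussed in this message (example code written for this page, not from the thread or from the mod_dosevasive project): a simplified per-IP counter in the style described above, run once with clients on separate addresses and once with the same clients behind one NAT/proxy address. Thresholds, addresses and the client behaviour are constructed for the demonstration.

```python
"""Simplified per-IP DoS filter: an IP is blocked when it requests the same
URI more than page_limit times within page_interval seconds, or any URI more
than site_limit times within site_interval seconds, for block_period seconds.
This is a teaching model, not the module's actual implementation."""


class IpEvasiveFilter:
    def __init__(self, page_limit=2, page_interval=1.0, site_limit=50,
                 site_interval=1.0, block_period=10.0):
        self.page_limit, self.page_interval = page_limit, page_interval
        self.site_limit, self.site_interval = site_limit, site_interval
        self.block_period = block_period
        self._page = {}          # (ip, uri) -> (window_start, hit_count)
        self._site = {}          # ip -> (window_start, hit_count)
        self.blocked_until = {}  # ip -> time at which the block expires

    def _bump(self, table, key, now, interval):
        start, count = table.get(key, (now, 0))
        if now - start >= interval:      # fixed window expired: start a new one
            start, count = now, 0
        table[key] = (start, count + 1)
        return count + 1

    def allow(self, ip, uri, now):
        """Return True if the request is served, False if the IP is blocked."""
        if self.blocked_until.get(ip, 0.0) > now:
            return False
        page_hits = self._bump(self._page, (ip, uri), now, self.page_interval)
        site_hits = self._bump(self._site, ip, now, self.site_interval)
        if page_hits > self.page_limit or site_hits > self.site_limit:
            self.blocked_until[ip] = now + self.block_period
            return False
        return True


def simulate(users, shared_ip, seconds=3, uri="/", **cfg):
    """Count refused requests when `users` well-behaved clients each fetch
    `uri` once per second, from distinct IPs or all via one NAT/proxy IP.
    Addresses are constructed documentation ranges."""
    flt = IpEvasiveFilter(**cfg)
    refused = 0
    for t in range(seconds):
        for u in range(users):
            ip = "203.0.113.10" if shared_ip else f"198.51.100.{u + 1}"
            if not flt.allow(ip, uri, t + u / users):
                refused += 1
    return refused


if __name__ == "__main__":
    print("separate IPs refused:", simulate(3, shared_ip=False))  # 0
    print("behind one proxy IP refused:", simulate(3, shared_ip=True))  # 7
```

With three users behind one address, the third legitimate request in the first second trips the per-page limit and the shared address is blocked for the rest of the run; the same users on their own addresses are never refused.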