WebApp Sec mailing list archives

Re: Filtering by client IP address for Web App Sessions


From: Paul Johnston <paul () westpoint ltd uk>
Date: Mon, 28 Feb 2005 15:19:02 +0000

Hi,

From a filtering perspective, it's a great way to reverse DoS a site doing any kind of source IP based filtering. An attacker needs to only launch an attack (even a trivial one) from behind a significant NAT/proxy server that has a lot of users behind it and if the site bans the IP, it ends up banning a significant number of users. In the US/AOL case, that could be a serious segment of your user population.
This is an interesting problem.

While I advocate never using the IP address as part of session tracking, one use of the source IP address I do condone is mod_dosevasive. This is an Apache module that does some IP address based DoS protection; I imagine other web servers have similar functionality. Now, the choice is either use mod_dosevasive based on IP addresses, or don't use it at all. I reckon using it is better than not. Sure an attacker could bypass the restrictions to some extent by connecting from many IP addresses - but this definitely does raise the bar for attack.

So, the negative is the risk of a proxy user causing a DoS against other users of the same proxy. Well, I reckon in that case it's the responsibility of the proxy administrator to deal with the offending user. In general if you let someone do stuff coming from your IP address, you take on some amount of responsibility for their actions. Another thing to consider is that this way only that one proxy is DoS'ed. If the server has all its resources consumed, it is the entire Internet that is DoS'ed.

Best wishes,

Paul

--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
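The trade-off discussed in the message above (a per-IP request-rate block raises the bar for a single-source flood, but a shared NAT/proxy address aggregates many users and can be blocked as a whole) can be seen in a small simulation. The code below is an added example, not code from the post or from mod_dosevasive; it models the general per-IP "too many requests in an interval, then block for a period" idea rather than the module's actual directives, and the parameter names (max_requests, interval, blocking_period), the IP addresses, and the request log are constructed for this demo.

```python
"""Per-source-IP rate limiter plus a simulation of the shared-proxy side effect.

Added example: the limiter is a generic sketch of the per-IP scheme the post
describes, not mod_dosevasive's code. All addresses and traffic are constructed.
"""
from collections import defaultdict, deque


class IpRateLimiter:
    """Block an IP for blocking_period seconds once it exceeds max_requests
    within any sliding window of `interval` seconds."""

    def __init__(self, max_requests=10, interval=1.0, blocking_period=10.0):
        self.max_requests = max_requests
        self.interval = interval
        self.blocking_period = blocking_period
        self._hits = defaultdict(deque)  # ip -> timestamps inside the window
        self._blocked_until = {}         # ip -> time at which the block expires

    def check(self, ip, now):
        """Return True if the request is allowed, False if it should be rejected."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False             # still serving the blocking period
            del self._blocked_until[ip]  # block expired; start counting afresh
            self._hits[ip].clear()
        window = self._hits[ip]
        window.append(now)
        while window and now - window[0] > self.interval:
            window.popleft()             # drop hits that fell out of the window
        if len(window) > self.max_requests:
            self._blocked_until[ip] = now + self.blocking_period
            return False
        return True


def build_sample_requests():
    """Constructed traffic: (timestamp, source ip, end user behind that ip)."""
    reqs = []
    # One attacker hammering from a single address (30 requests in 0.3 s).
    reqs += [(i * 0.01, "198.51.100.7", "attacker") for i in range(30)]
    # 30 distinct, well-behaved users sharing one NAT/proxy address,
    # each sending a single request within the same 0.6 s.
    reqs += [(i * 0.02, "203.0.113.9", f"nat-user-{i:02d}") for i in range(30)]
    # A lone home user on a non-shared address.
    reqs.append((0.5, "192.0.2.50", "home-user"))
    # A proxy user who arrives later, after the proxy address has been blocked.
    reqs.append((5.0, "203.0.113.9", "nat-user-late"))
    return sorted(reqs)


def simulate(requests, limiter=None):
    """Run the requests through the limiter; return per-IP allowed/denied
    counts and the set of distinct users who were denied from that IP."""
    limiter = limiter or IpRateLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0, "users_denied": set()})
    for t, ip, user in requests:
        if limiter.check(ip, t):
            stats[ip]["allowed"] += 1
        else:
            stats[ip]["denied"] += 1
            stats[ip]["users_denied"].add(user)
    return dict(stats)


def simulate_sample():
    return simulate(build_sample_requests())


if __name__ == "__main__":
    for ip, s in simulate_sample().items():
        print(f"{ip:15} allowed={s['allowed']:3} denied={s['denied']:3} "
              f"distinct users denied={len(s['users_denied'])}")
```

With the defaults, the single-source flood is cut off after ten requests, which is the "raises the bar" benefit. The same rule, applied to the proxy address, also cuts off the proxy after its first ten users, so twenty-one distinct people behind it are denied, including one who arrives seconds later during the blocking period. That is the collateral effect the message attributes to the proxy's shared address, and the knobs that govern its size are the threshold, the window and the blocking period.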

