WebApp Sec mailing list archives
Re: Filtering by client IP address for Web App Sessions
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 28 Feb 2005 15:56:55 +0100
Evans, Arian wrote:
Question for those outside of the US of A: In Europe, Asia, etc. do you have: 1. Any significant user population of your web applications comprised of AOL (America online) users?
Don't know.
2. Are there many ISPs or large organizations using megaproxies that swap client source IPs across entire classes of netblock (e.g. -like AOL does)?
In Spain the major ADSL provider (Telefonica, some other ISPs that are not Telefonica use Telefonica's network even if they sell direct to the customer) uses a transparent proxy for web access (I believe they are Inktomi's Traffic-Server).
They started using it January 2003. Originally they used 80.58.33.235, 80.58.11.42, 80.58.37.107 and 80.58.33.170. Now it seems they use 80.58.1.42, 80.58.1.44, 80.58.1.45, 80.58.1.107, 80.58.47.44, 80.58.48.42 and 80.58.4.170 amongst others.
I haven't seen any public list of the IP addresses they use, if someone is interested I can provide a statistical breakdown of IP addresses based on web server logs. I can confirm that they use different class C networks all of which belong to the RIMA network (80.58.0.0/16)
I've been telling people for years that you can't filter by source or even last octet netblocks and lately have been wondering if I'm dense and this is a US-centric bias of mine thanks to the ISP behaviors I've had to deal with over the years.
Well, even you obviously can't filter by source if using proxies, but what about the Via, Forwarded, X-Forwarded-For or Client-ip header? I've actually seen few reverse proxies that take this into account when providing a way to define IP-based filtering rules, but I believe there is sense in blocking some pestering users through those headers if needed be.
Of course, this information can be faked (if not going through a proxy), but in the case of these transparent proxies IF the TCP/IP source belongs to one of the caching proxies the Client-ip header is more difficult to forge by a rogue user.
Regards JavierPS: From their (public) documentation they use it for Http (only port 80), Windows Media (port 1755), Real Networks (port 554) an QuickTime streaming (port 554 too)
Current thread:
- Filtering by client IP address for Web App Sessions Evans, Arian (Feb 23)
- Re: Filtering by client IP address for Web App Sessions Paul Johnston (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Steve Shah (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Paul Johnston (Mar 01)
- Re: Filtering by client IP address for Web App Sessions exon (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Jason Coombs (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Frank Knobbe (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Javier Fernandez-Sanguino (Mar 01)
- <Possible follow-ups>
- RE: Filtering by client IP address for Web App Sessions Amichai Shulman (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Griffiths, Ian (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Scovetta, Michael V (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Evans, Arian (Mar 03)