RE: Script Based Attacks & Form Hacks

[Paul Laudanski <zx () castlecops com>]

On Fri, 22 Jul 2005, Serghei S. wrote:

> > 2) This type are a little harder to foil. However not impossible. For
> > external facing applications, I always send an email for
> > validation/verification. Till the user authenticates his/her address,
> > I keep the form data in a temporary table. The enteries in the temp
> > table have a life time of 1 hour, after that they get deleted. Also
> > make the email address / IP address the primary key in your temp
> > table. This will prevent one single machine from filling up the temp
> > table. It would have to be DDOS attack to fill up the TEMP table. But
> > then again, I set a max limit on the number of entries in the temp
> > table.
>
> You cannot limit by IP ... there are a lot of cases when hundreds of users
> are under one single IP ... like AOL members ...

Insofar as a unique ID is concerned, that statement is spot on.  However,
it doesn't have to be used in and of itself necessarily, the IP address
can be used as part of a multi-factorial "combination" key.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com


________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

  part000.txt - is OK
http://castlecops.com