Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Filtering by client IP address for Web App Sessions

from [Jason Coombs] Network Security [Permanent Link]
Subject: Re: Filtering by client IP address for Web App Sessions
Date: Mon, 28 Feb 2005 11:40:25 +1300
exon wrote: 
Evans, Arian wrote:

Question for those outside of the US of A:

In Europe, Asia, etc. do you have:

Sweden speaking.

I recently worked incident response involving an alleged screen scraping attack against a Web site run by a New Zealand firm. There was a rate limit imposed by the Web site operator based on client IP, and the attack circumvented the rate limit by originating from an ISP in New Zealand that proxies every TCP connection from a different IP in a variety of class C blocks.

The Web site operator wanted to file criminal charges and a lawsuit against the alleged attacker because the attacker circumvented the rate limit, which obviously was never a valid defense in the first place.

It isn't just Web developers who are clueless. Entire companies that depend on them, and all of the attorneys who work for such companies, also make very bad decisions when Web developers are clueless.

However, I share the sentiment expressed by the Web site operator. There is just no good reason for ISPs to rotate IPs per-connection, and any ISP that does this should be shut down as they are a public nuisance.

Regards,

Jason Coombs
jasonc@science.org

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  storing SSNs, CCNs, password in the DB, Francesco
Next by Date:  RE: Solutions, Results, and Comments - Was [ISA Server and SQL Injection], Michael Silk
Previous by Thread:  Re: Filtering by client IP address for Web App Sessions, exon
Next by Thread:  Re: Filtering by client IP address for Web App Sessions, Frank Knobbe
Indexes:  [Date] [Thread] [Top] [All Lists]