Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Filtering by client IP address for Web App Sessions

from [Javier Fernandez-Sanguino] Network Security [Permanent Link]
Subject: Re: Filtering by client IP address for Web App Sessions
Date: Mon, 28 Feb 2005 15:56:55 +0100
Evans, Arian wrote: 
Question for those outside of the US of A:

In Europe, Asia, etc. do you have:

1. Any significant user population of your web applications
comprised of AOL (America online) users?


Don't know.

2. Are there many ISPs or large organizations using megaproxies
that swap client source IPs across entire classes of netblock (e.g.
-like AOL does)?

In Spain the major ADSL provider (Telefonica, some other ISPs that are not Telefonica use Telefonica's network even if they sell direct to the customer) uses a transparent proxy for web access (I believe they are Inktomi's Traffic-Server).

They started using it January 2003. Originally they used 80.58.33.235, 80.58.11.42, 80.58.37.107 and 80.58.33.170. Now it seems they use 80.58.1.42, 80.58.1.44, 80.58.1.45, 80.58.1.107, 80.58.47.44, 80.58.48.42 and 80.58.4.170 amongst others.

I haven't seen any public list of the IP addresses they use, if someone is interested I can provide a statistical breakdown of IP addresses based on web server logs. I can confirm that they use different class C networks all of which belong to the RIMA network (80.58.0.0/16)


I've been telling people for years that you can't filter by source or
even last octet netblocks and lately have been wondering if I'm dense
and this is a US-centric bias of mine thanks to the ISP behaviors
I've had to deal with over the years.

Well, even you obviously can't filter by source if using proxies, but what about the Via, Forwarded, X-Forwarded-For or Client-ip header? I've actually seen few reverse proxies that take this into account when providing a way to define IP-based filtering rules, but I believe there is sense in blocking some pestering users through those headers if needed be.

Of course, this information can be faked (if not going through a proxy), but in the case of these transparent proxies IF the TCP/IP source belongs to one of the caching proxies the Client-ip header is more difficult to forge by a rogue user.

Regards

Javier

PS: From their (public) documentation they use it for Http (only port 80), Windows Media (port 1755), Real Networks (port 554) an QuickTime streaming (port 554 too)

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: What is more secure?, Harry de Grote
Next by Date:  Re: Filtering by client IP address for Web App Sessions, Paul Johnston
Previous by Thread:  Re: What is more secure?, Harry de Grote
Next by Thread:  Re: Filtering by client IP address for Web App Sessions, Paul Johnston
Indexes:  [Date] [Thread] [Top] [All Lists]