Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Filtering by client IP address for Web App Sessions

from [Evans, Arian] Network Security [Permanent Link]
Subject: RE: Filtering by client IP address for Web App Sessions
Date: Wed, 2 Mar 2005 10:34:28 -0600 
That's interesting, but not a viable solution for the enterprise in the US.
Similar problems arise with multiple DoS solutions; think 'SynDefender'.

Apparently I mislead most but the use of the word 'filter'. Let's back up:

Repeatedly on this list and repeatedly IRL I have listened to people
recommend "track source" via mechanism X (header, IP packet,
whatever) for state management. This is done in various forms beyond
a simple IP in a state table; examples are things like a seed for a hashed
session token shoved in a cookie or elsewhere so the focus is not
really _on_the_IP_  *but*  _on_the_IP_changing_.

This has nothing to do with spoofing src which is just as easy to do
with SYN or UDP as it always was, and just as complicated to do for
a valid HTTP/SSL session as it has always been, though CISSPs
around the world are still quick to point out "you could spoof source"
regardless of protocol, condition, and ever having attempted it.

This also has nothing to do with NAT or PAT. I am talking about
SRC-swapping proxies and other mid-session SRC changes.

I have maintained that one should not and cannot use SRC IP for
session handling purposes because there are too many load balancing
issues, possibly BGP failover conditions, and dynamic megaproxies or
whatever you'd like to call them, that can cause IP SRC to dynamically
shift mid-session across entire netblocks as large as /8's and /16's.

They are out there, and there's enough of them to cause trouble if
an important part of your user population sources from them, and if
you've worked with enterprise applications for end users in the USA
you've had to deal with them. I've seen a small bit from Europe too,
and blocking them is simply not an option if they are your clients.

All I want to know is "how common is this abroad?"

I know there are a lot of countries that have ISPs doing this besides
"stupid Americans" and I know why we started doing this a long
time ago when Al Gore invented the Internet and it was completely
valid. I also suspect we might see this in emerging markets due to
economic factors (e.g.-Peru, Bolivia, Thailand, etc.) but this is purely
speculation on my part.

I appreciate very much those of you in-thread and off-line who
helped me out here, particularly those from countries whose traffic
I have little or no insight into.

Thanks again,

-ae

  


-----Original Message-----
From: Paul Johnston [mailto:paul@westpoint.ltd.uk] 
Sent: Monday, February 28, 2005 9:19 AM
To: Steve Shah
Cc: webappsec@securityfocus.com
Subject: Re: Filtering by client IP address for Web App Sessions


Hi,


From a filtering perspective, it's a great way to reverse DoS a 

site doing any kind of source IP based filtering. An attacker
needs to only launch an attack (even a trivial one) from behind
a significant NAT/proxy server that has a lot of users behind it
and if the site bans the IP, it ends up banning a significant 
number of users. In the US/AOL case, that could be a serious
segment of your user population. 


This is an interesting problem.

While I advocate never using the IP address as part of session 
tracking, 
one use of the source IP address I do condone is 
mod_dosevasive. This is 
an Apache module that does some IP address based DoS protection; I 
imagine other web servers have similar functionality. Now, the 
choice is 
either use mod_dosevasive based on IP addresses, or don't use 
it at all. 
I reckon using it is better than not. Sure an attacker could 
bypass the 
restrictions to some extent by connecting from many IP addresses - but 
this definitily does raise the bar for attack.

So, the negative is the risk of a proxy user causing a DoS 
against other 
users of the same proxy. Well, I reckon in that case it's the 
responsibility of the proxy administrator to deal with the offending 
user. In general if you let someone do stuff coming from your IP 
address, you take on some amount of responsibility for their actions. 
Another thing to consider is that this way only that one proxy is 
DoS'ed. If there server has all its resources consumer, it is 
the entire 
Internet that is DoS'ed.

Best wishes,

Paul

-- 
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Preventing direct URL access in a J2EE environment, RSnake
Next by Date:  Re: ISA Server and SQL Injection, christopher
Previous by Thread:  Re: Filtering by client IP address for Web App Sessions, Paul Johnston
Next by Thread:  WASC-Articles: 'The Insecure Indexing Vulnerability - Attacks Against Local Search Engines' By Amit Klein, robert
Indexes:  [Date] [Thread] [Top] [All Lists]