Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Combatting automated download of dynamic websites?

from [Serg Belokamen] Network Security [Permanent Link]
Subject: Re: Combatting automated download of dynamic websites?
Date: Tue, 30 Aug 2005 11:23:17 +1000 
Bottom line is, your can't do it. 

Could monitor by number of requests from a given IP or number of
requests in a given time interval and drop anything outside the
ranges/ACL's but all of this measure can be circamvented, not to
mention resource intensive for the system that is being protected.

SOL mate :(

  Serg

On 30/08/05, Jayson Anderson <sonick@sonick.com> wrote:

I've not yet seen recursion-prevention implementations that can provide
unencumbered service to valid customers while effectively denying access
to leisurely yet persistent recursive gets. You can definetely prevent
the aggressive recursion that is default wget behavior, but a
combination of lazy and determined I've yet to see confounded.....

On Mon, 2005-08-29 at 10:18 +0200, Matthijs R. Koot wrote:

Hi folks,

Which preventive or repressive measures could one apply to protect
larger dynamic websites against automated downloading by tools such as
WebCopier and Teleport Pro (or curl, for that matter)?

For a website like Amazon's, I reckon some technical measures would be
in place to protect against 'leakage' of all product information by such
tools (assuming such measures are justified by calculated risk). The
data we publish online are important company gems which we want to be
accessible by any visitor, but to be protected against systematic
download in either non-intentional context (like Internet Explorer's
built-in MSIECrawler) or intentional context (WebCopier, Teleport, ...).

Consider this:
detailpage.html?bid=0000001
detailpage.html?bid=0000002
detailpage.html?bid=0000003
(...)

Or with multiple levels:
detailpage.html?bid=0000001&t=1
detailpage.html?bid=0000001&t=2
detailpage.html?bid=0000002&t=1
detailpage.html?bid=0000002&t=2
(...)

In specific, I was wondering if it's possible and sensible to limit the
allowed number of requests for certain pages per minute/hour. At the
same time, the data displayed by detailpage.html should be indexable by
Google, so the data itself can't be hidden behind a user login and it's
not possible to use any client-side scripting as Google doesn't
interpret it. I'm using Apache 2 on RedHat 4 Enterprise and know about
mod_throttle (which doesn't work with Apache 2) and mod_security (which
also offers some 'throttling' functionality, regression, but is only
able to work with individual requests and can't remember request sequences).

I'd also suppose that dealing with proxy servers of large ISPs, like
AOL, is a big caveat.

Any ideas?

Best regards,
Matthijs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: sql injection for MS Access, Mutallip ABLIMIT
Next by Date:  RE: sql injection for MS Access, Ofer Maor
Previous by Thread:  Re: Combatting automated download of dynamic websites?, Jayson Anderson
Next by Thread:  Re: Combatting automated download of dynamic websites?, bugtraq
Indexes:  [Date] [Thread] [Top] [All Lists]