WebApp Sec mailing list archives
RE: Filtering by client IP address for Web App Sessions
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 2 Mar 2005 10:34:28 -0600
That's interesting, but not a viable solution for the enterprise in the US. Similar problems arise with multiple DoS solutions; think 'SynDefender'. Apparently I mislead most but the use of the word 'filter'. Let's back up: Repeatedly on this list and repeatedly IRL I have listened to people recommend "track source" via mechanism X (header, IP packet, whatever) for state management. This is done in various forms beyond a simple IP in a state table; examples are things like a seed for a hashed session token shoved in a cookie or elsewhere so the focus is not really _on_the_IP_ *but* _on_the_IP_changing_. This has nothing to do with spoofing src which is just as easy to do with SYN or UDP as it always was, and just as complicated to do for a valid HTTP/SSL session as it has always been, though CISSPs around the world are still quick to point out "you could spoof source" regardless of protocol, condition, and ever having attempted it. This also has nothing to do with NAT or PAT. I am talking about SRC-swapping proxies and other mid-session SRC changes. I have maintained that one should not and cannot use SRC IP for session handling purposes because there are too many load balancing issues, possibly BGP failover conditions, and dynamic megaproxies or whatever you'd like to call them, that can cause IP SRC to dynamically shift mid-session across entire netblocks as large as /8's and /16's. They are out there, and there's enough of them to cause trouble if an important part of your user population sources from them, and if you've worked with enterprise applications for end users in the USA you've had to deal with them. I've seen a small bit from Europe too, and blocking them is simply not an option if they are your clients. All I want to know is "how common is this abroad?" I know there are a lot of countries that have ISPs doing this besides "stupid Americans" and I know why we started doing this a long time ago when Al Gore invented the Internet and it was completely valid. I also suspect we might see this in emerging markets due to economic factors (e.g.-Peru, Bolivia, Thailand, etc.) but this is purely speculation on my part. I appreciate very much those of you in-thread and off-line who helped me out here, particularly those from countries whose traffic I have little or no insight into. Thanks again, -ae
-----Original Message----- From: Paul Johnston [mailto:paul () westpoint ltd uk] Sent: Monday, February 28, 2005 9:19 AM To: Steve Shah Cc: webappsec () securityfocus com Subject: Re: Filtering by client IP address for Web App Sessions Hi,From a filtering perspective, it's a great way to reverse DoS asite doing any kind of source IP based filtering. An attacker needs to only launch an attack (even a trivial one) from behind a significant NAT/proxy server that has a lot of users behind it and if the site bans the IP, it ends up banning a significant number of users. In the US/AOL case, that could be a serious segment of your user population.This is an interesting problem. While I advocate never using the IP address as part of session tracking, one use of the source IP address I do condone is mod_dosevasive. This is an Apache module that does some IP address based DoS protection; I imagine other web servers have similar functionality. Now, the choice is either use mod_dosevasive based on IP addresses, or don't use it at all. I reckon using it is better than not. Sure an attacker could bypass the restrictions to some extent by connecting from many IP addresses - but this definitily does raise the bar for attack. So, the negative is the risk of a proxy user causing a DoS against other users of the same proxy. Well, I reckon in that case it's the responsibility of the proxy administrator to deal with the offending user. In general if you let someone do stuff coming from your IP address, you take on some amount of responsibility for their actions. Another thing to consider is that this way only that one proxy is DoS'ed. If there server has all its resources consumer, it is the entire Internet that is DoS'ed. Best wishes, Paul -- Paul Johnston, GSEC Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk
Current thread:
- Re: Filtering by client IP address for Web App Sessions, (continued)
- Re: Filtering by client IP address for Web App Sessions Paul Johnston (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Steve Shah (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Paul Johnston (Mar 01)
- Re: Filtering by client IP address for Web App Sessions exon (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Jason Coombs (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Frank Knobbe (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Javier Fernandez-Sanguino (Mar 01)
- RE: Filtering by client IP address for Web App Sessions Amichai Shulman (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Griffiths, Ian (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Scovetta, Michael V (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Evans, Arian (Mar 03)