nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

From: Jimmy Hess <mysidia () gmail com>
Date: Sat, 19 Jan 2013 18:33:33 -0600
On 1/18/13, Matt Palmer <mpalmer () hezmatt org> wrote:

Primarily abuse prevention.  If I can get a few thousand people to do
something resource-heavy (or otherwise abusive, such as send an e-mail
somewhere) within a short period of time, I can conscript a whole army of
unwitting accomplices into my dastardly plan.  It isn't hard to drop


You can prevent this without cookies.  Include a canary value in the
form;  either a nonce stored on the server,  or a  hash of a secret
key, timestamp, form ID, URL, and the client's IP address.

If the form is submitted without the correct POST value,  if their IP
address changed,  or after too many seconds since the timestamp,
then redisplay the form to the user,  with a request for them to
visually inspect and confirm the submission.




exploit code on a few hundred pre-scouted vulnerable sites for drive-by



- Matt

--
-JH
Previous By Date Next
Previous By Thread Next

Current thread: