Dynamic Hack Protection

mrvanjohnson
Forum Contributor
Posts: 137
Joined: Wed May 28, 2003 11:38 am
Location: San Diego, CA

Dynamic Hack Protection

Post by mrvanjohnson »

I am looking for some feedback on an idea I have been working out in my head to help protect a website from some hackers. Right now it's only a theory and I would like to know what other people think of it.

I have been working on an online application with tons of forms to manage things. I have written a fairly nice and tight validation class that has saved me a ton of time for data validation. But as I create more and more pages it annoys me more and more to think of some script kiddies or cracker pounding away at different pages trying a variety of attacks to exploit something. I don't only want to protect against them, but I also want to punish them for even trying, which sparked an idea.

In the current validation class I created a function for handling error messages when user input doesn't jive with what it should have been. What if I added to that function the ability to check through an array of what I would consider BIG NO-NO inputs? Things like <script> or a tick ' or a string like ../../../ or anything ending with a .exe (which, being the main developer and administrator of the site, I know has no business being addressed). I'm talking blatant hacks that people run through. What would happen is in the error function it would add the error message to the error array and display it as normal, no different to your casual user who might have inputted incorrect data. But if one of the BIG NO-NO strings is entered, it grabs the IP address of the client and adds it to a table in the database. If you happen to hit on, let's say, 5 BIG NO-NO strings within a 24 hour period, that client's IP address is then added to a black list, which is then checked by every page before displaying its content.

Then the site kind of becomes smart and learns how to protect itself. Yes, the cracker could change his IP address, but he would then still only have 5 attempts before he would need to change the IP address again.

My initial concerns are the IP addresses. I haven't really looked into it too much, but does every visitor to a site truly have a semi-unique IP address associated with them? I understand companies that do dynamic IP addresses leave the possibility open of user A trying to crack the site and getting blocked, then user B (a totally different person) inherits the IP address from user A because they use the same ISP, in turn blocking him. This doesn't concern me too much because it's not like this site is going to be anything like MSN or PHP.net or devnetwork.net; it's an online application with a specific purpose to manage certain things and should only need to be accessed by a few hundred people. Even if the general site used this theory and handled ten thousand hits a day I don't think it would be a big issue. You may think about purging IP addresses from the Black List after a given amount of time to help prevent this. But I also heard that people hitting your site from dial-up AOL use a very limited IP range; does anyone know if this is true? Or that some Cox networks will always send their traffic through a gateway, which is what actually shows up as hitting the site. I'm also not sure what I would do about people spoofing an IP address or if that is even a big concern for this theory.

Anyways, any feedback on this idea would be great. If you think it's doable or if you see a glaring flaw in the thinking that I am missing. Anything.

To forums Admin – I stuck this in the Advance Theory and Design forum because I didn't want to bother the general public with my mindless dribble, but if you would like to move it be my guest. Thanks
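As an added example (not code from the thread), the "five strikes in 24 hours" scheme described above written in PHP, with blocks that lapse so a reassigned dynamic address is not punished forever; the PDO/SQLite database path, table names and the request field `q` are assumptions:

```php
<?php
// Added example, not code from the thread: a "five strikes in 24 hours" store
// on PDO/SQLite, with blocks that expire so a reassigned dynamic IP is not
// punished forever. The database path and table names are assumptions.
const STRIKE_LIMIT  = 5;
const STRIKE_WINDOW = 86400;  // 24 hours, as in the post
const BLOCK_TTL     = 86400;  // how long a block lasts before it lapses
// The post's "BIG NO-NO" inputs; a list like this is specific to one application.
const NO_NO_PATTERNS = ['/<script\b/i', "/'/", '#\.\./\.\./#', '/\.exe$/i'];

function isBlatant(string $input): bool {
    foreach (NO_NO_PATTERNS as $re) {
        if (preg_match($re, $input)) return true;
    }
    return false;
}

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . __DIR__ . '/strikes.sqlite');  // assumed path
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS strikes (ip TEXT, at INTEGER)');
        $pdo->exec('CREATE TABLE IF NOT EXISTS blocklist (ip TEXT PRIMARY KEY, until INTEGER)');
    }
    return $pdo;
}

// Record one strike; returns true when this strike pushed the IP onto the blocklist.
function recordStrike(string $ip, int $now): bool {
    $db = db();
    $db->prepare('INSERT INTO strikes (ip, at) VALUES (?, ?)')->execute([$ip, $now]);
    $q = $db->prepare('SELECT COUNT(*) FROM strikes WHERE ip = ? AND at > ?');
    $q->execute([$ip, $now - STRIKE_WINDOW]);
    if ((int) $q->fetchColumn() < STRIKE_LIMIT) return false;
    $db->prepare('INSERT OR REPLACE INTO blocklist (ip, until) VALUES (?, ?)')
       ->execute([$ip, $now + BLOCK_TTL]);
    return true;
}

// Called at the top of every page; an expired block is simply ignored.
function isBlocked(string $ip, int $now): bool {
    $q = db()->prepare('SELECT 1 FROM blocklist WHERE ip = ? AND until > ?');
    $q->execute([$ip, $now]);
    return (bool) $q->fetchColumn();
}

// Use REMOTE_ADDR only: X-Forwarded-For is client-supplied, so trusting it would let a visitor get another address blocked.
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
if ($ip !== '' && isBlocked($ip, time())) { http_response_code(403); exit; }
if ($ip !== '' && isset($_POST['q']) && isBlatant((string) $_POST['q'])) recordStrike($ip, time());
```

The strike table grows without bound as written; a periodic delete of rows older than STRIKE_WINDOW keeps the count query cheap.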
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

I am no expert on this but I just wanted to comment that my ISP, Telstra in Australia, uses similar IP addresses. It follows

aaa.aaa.bbb.bbb

Where the a's are always the same but the b's differ.

Just thought I would let you know.
mrvanjohnson
Forum Contributor
Posts: 137
Joined: Wed May 28, 2003 11:38 am
Location: San Diego, CA

Post by mrvanjohnson »

Yeah, that is pretty typical. Depending on the Block Class you own, certain numbers will always be the same. This is how IP addresses work. There is a Class A, Class B, and Class C. Class A, which I don't know if any one entity owns, has the largest range of IP addresses it can distribute from; B is less and C is even fewer (C is 254 not including broadcast, I believe; it's been a while since MCSE classes :-) ). But I'm not going to go into an entire IP address tutorial explaining all the octets and how they translate.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

IP isn't entirely useless, but isn't exactly much help.

If the hacker has a static IP, and he isn't very persistent, you can probably block him but anyone can toddle off to the nearest internet cafe, try out a new ISP etc etc.

I don't think it's good practice to block whole ranges just to cut out one user with a dynamic IP.

Believe it or not, users of the AOL nightmare can actually have different IPs within the same session.
mrvanjohnson
Forum Contributor
Posts: 137
Joined: Wed May 28, 2003 11:38 am
Location: San Diego, CA

Post by mrvanjohnson »

> you can probably block him but anyone can toddle off to the nearest internet cafe, try out a new ISP etc etc

Yeah, but this is a pretty good deterrent. And when they get to the Cafe they'll only have another 5 chances to crack in.

> I don't think it's good practice to block whole ranges just to cut out one user with a dynamic IP.

I agree, I don't think I would do this. It would definitely be a full IP address.

> AOL nightmare can actually have different IPs within the same session

YIKES....
stephenv
Forum Newbie
Posts: 2
Joined: Thu Oct 09, 2003 7:33 pm

md5(ip + browserinfo)

Post by stephenv »

A suggestion would be a hash of their IP and their browser, you could also set a cookie for the noob hackers (amazingly this catches a lot).
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Since anonymous proxy lists are cheap enough you can't rely on ip-blocking. Browser hash doesn't give any bit of protection.

I'd suggest using mod_secure under Apache to filter out potentially dangerous script parameters... it brings another headache, though.

PS: IP blocking can help in emergency situations, such as DDoS attack from thousands hosts... but that's another story. Do not use ip-blocking in normal environment, because the malicious hacker can exploit it to perform DDoS :)
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

You don't (or I missed it completely) mention if you own the server and/or if you are strictly thinking about securing PHP only.

I believe that PHP won't be easy to secure stand-alone. Perhaps mods to Apache or even the server itself would be in order? In Apache you can also custom-write logging, so that you log the crackers for later punishment.

Another idea is using SSL to secure the layers (not sure this applies in this case, no experience with it), and/or by having some sort of registration requirement to use the application you created.