Dynamic Hack Protection

Posted: Tue Oct 07, 2003 3:50 pm
by mrvanjohnson
I am looking for some feedback on an idea I have been working out in my head to help protect a website from some hackers. Right now it's only a theory and I would like to know what other people think of it.

I have been working on an online application with tons of forms to manage things. I have written a fairly nice and tight validation class that has saved me a ton of time for data validation. But as I create more and more pages it annoys me more and more to think of some script kiddies or cracker pounding away at different pages trying a variety of attacks to exploit something. I don't only want to protect against them, but I also want to punish them for even trying, which sparked an idea.

In the current validation class I created a function for handling error messages when user input doesn't jive with what it should have been. What if I added to that function the ability to check through an array of what I would consider BIG NO-NO inputs? Things like <script> or a tick ' or a string like ../../../ or anything ending with a .exe (which, being the main developer and administrator of the site, I know has no business being addressed). I'm talking blatant hacks that people run through. What would happen is in the error function it would add the error message to the error array and display it as normal, no different to your casual user who might have inputted incorrect data. But if one of the BIG NO-NO strings is entered, it grabs the IP address of the client and adds it to a table in the database. If you happen to hit on, let's say, 5 BIG NO-NO strings within a 24 hour period, that client's IP address is then added to a black list which is then checked by every page before displaying its content.

Then the site kind of becomes smart and learns how to protect itself. Yes, the cracker could change his IP address but he would then still only have 5 attempts before they would need to change the IP address again.

My initial concerns are the IP addresses. I haven't really looked into it too much, but does every visitor to a site truly have an IP address semi-uniquely associated with them? I understand companies that do dynamic IP addresses leave the possibility open to user A trying to crack the site and getting blocked, then user B (a totally different person) inherits the IP address from user A because they use the same ISP, in turn blocking him. This doesn't concern me too much because it's not like this site is going to be anything like MSN or PHP.net or devnetwork.net; it's an online application with a specific purpose to manage certain things and should only need to be accessed by a few hundred people. Even if the general site used this theory and handled ten thousand hits a day I don't think it would be a big issue. You may think about purging IP addresses from the Black List after a given amount of time to help prevent this. But I also heard that people hitting your site from a dial-up AOL use a very limited IP range; does anyone know if this is true? Or that some Cox networks will always send their traffic through a gateway, which is what actually shows up as hitting the site. I'm also not sure what I would do about people spoofing an IP address or if that is even a big concern for this theory.

Anyways, any feedback on this idea would be great. If you think it's doable or if you see a glaring flaw in the thinking that I am missing. Anything.

To forum Admin – I stuck this in the Advanced Theory and Design forum because I didn't want to bother the general public with my mindless drivel, but if you would like to move it be my guest. Thanks
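The counting scheme described in the post above, as an added example that is not part of the original thread: suspicious input is tallied per client IP in a 24-hour sliding window, the address is blacklisted on the 5th hit, and bans are purged after a time limit (the one-week figure and the exact pattern list are assumptions, not values from the post). Timestamps are passed in explicitly so the code runs offline.

```python
"""Sliding-window offender counter for the blacklist idea in the post above.

Added example. Tracks "BIG NO-NO" hits per client IP, bans an address after
THRESHOLD hits inside WINDOW seconds, and drops the ban after BAN_SECONDS so a
shared or dynamically assigned address is not blocked forever.
"""
from collections import defaultdict, deque

THRESHOLD = 5                 # hits before the address is blacklisted
WINDOW = 24 * 3600            # 24-hour observation window, as in the post
BAN_SECONDS = 7 * 24 * 3600   # assumption: purge a ban after one week


class HackProtection:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> timestamps of suspicious input
        self.blacklist = {}              # ip -> time at which the ban expires

    def is_suspicious(self, value: str) -> bool:
        """Constructed pattern list from the post. Note that a bare tick also
        flags legitimate names such as O'Brien, so tune this for real forms."""
        v = value.lower()
        return v.endswith(".exe") or any(p in v for p in ("<script", "'", "../"))

    def record_error(self, ip: str, value: str, now: float) -> bool:
        """Hook for the validation error path. Returns True if ip just got banned."""
        if not self.is_suspicious(value):
            return False
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > WINDOW:    # forget hits older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            self.blacklist[ip] = now + BAN_SECONDS
            q.clear()
            return True
        return False

    def is_blocked(self, ip: str, now: float) -> bool:
        """Checked by every page before rendering; expired bans are purged here."""
        expires = self.blacklist.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self.blacklist[ip]          # the purge the post considers
            return False
        return True
```

Because the key is the client IP, every user behind the same proxy or NAT gateway shares one counter, which is exactly the shared-address concern raised in the post.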

Posted: Tue Oct 07, 2003 5:09 pm
by Paddy
I am no expert on this but I just wanted to comment that my ISP, Telstra in Australia, uses similar IP addresses. It follows

aaa.aaa.bbb.bbb

Where the a's are always the same but the b's differ.

Just thought I would let you know.

Posted: Tue Oct 07, 2003 5:23 pm
by mrvanjohnson
Yeah that is pretty typical. Depending on the Block Class you own, certain numbers will always be the same. This is how IP addresses work. There is a Class A, Class B, and Class C. Class A, which I don't know if any one entity owns, has the largest range of IP addresses it can distribute from, B is less and C is even fewer (C is 254 not including broadcast - I believe, it's been a while since MCSE classes :-) ). But I'm not going to go into an entire IP address tutorial explaining all the octets and how they translate.

Posted: Tue Oct 07, 2003 5:59 pm
by McGruff
IP isn't entirely useless, but isn't exactly much help.

If the hacker has a static IP, and he isn't very persistent, you can probably block him but anyone can toddle off to the nearest internet cafe, try out a new ISP etc etc.

I don't think it's good practice to block whole ranges just to cut out one user with a dynamic IP.

Believe it or not, users of the AOL nightmare can actually have different IPs within the same session.

Posted: Tue Oct 07, 2003 6:09 pm
by mrvanjohnson
you can probably block him but anyone can toddle off to the nearest internet cafe, try out a new ISP etc etc
Yeah but this is a pretty good deterrent. And when they get to the Cafe they'll only have another 5 chances to crack in.
I don't think it's good practice to block whole ranges just to cut out one user with a dynamic IP.
I agree, I don't think I would do this. It would definitely be a full IP address.
AOL nightmare can actually have different IPs within the same session
YIKES....

md5(ip + browserinfo)

Posted: Thu Oct 09, 2003 7:33 pm
by stephenv
A suggestion would be a hash of their IP and their browser, you could also set a cookie for the noob hackers (amazingly this catches a lot).

Posted: Mon Nov 03, 2003 6:13 pm
by Weirdan
Since anonymous proxy lists are cheap enough you can't rely on ip-blocking. Browser hash doesn't give any bit of protection.

I'd suggest using mod_secure under Apache to filter out potentially dangerous script parameters... it brings another headache, though.

PS: IP blocking can help in emergency situations, such as a DDoS attack from thousands of hosts... but that's another story. Do not use IP blocking in a normal environment, because the malicious hacker can exploit it to perform DDoS :)

Posted: Tue Nov 04, 2003 4:31 pm
by JAM
You don't (or I missed it completely) mention if you own the server and/or if you are strictly thinking about securing PHP only.

I believe that PHP won't be easy to secure as a standalone. Perhaps mods to Apache or even the server itself would be in order? In Apache you can also custom-write logging, so that you log the crackers for later punishment.

Another idea is using SSL to secure the layers (not sure this applies in this case, no experience with it), and/or by having some sort of registration requirement to use the application you created.