Dynamic Hack Protection
Posted: Tue Oct 07, 2003 3:50 pm
I am looking for some feedback on an idea I have been working out in my head to help protect a website from some hackers. Right now it's only a theory, and I would like to know what other people think of it.
I have been working on an online application with tons of forms to manage things. I have written a fairly nice and tight validation class that has saved me a ton of time for data validation. But as I create more and more pages, it annoys me more and more to think of some script kiddies or crackers pounding away at different pages, trying a variety of attacks to exploit something. I don't only want to protect against them, I also want to punish them for even trying, which sparked an idea.
In the current validation class I created a function for handling error messages when user input doesn't jibe with what it should have been. What if I added to that function the ability to check through an array of what I would consider BIG NO-NO inputs? Things like <script>, or a tick ', or a string like ../../../, or anything ending with .exe (which, being the main developer and administrator of the site, I know has no business being addressed). I'm talking blatant hacks that people run through. What would happen is that in the error function it would add the error message to the error array and display it as normal, no different to your casual user who might have inputted incorrect data. But if one of the BIG NO-NO strings is entered, it grabs the IP address of the client and adds it to a table in the database. If you happen to hit on, let's say, 5 BIG NO-NO strings within a 24 hour period, that client's IP address is then added to a black list, which is then checked by every page before displaying its content.
Then the site kind of becomes smart and learns how to protect itself. Yes, the cracker could change his IP address, but he would then still only have 5 attempts before he would need to change the IP address again.
My initial concerns are the IP addresses. I haven't really looked into it too much, but does every visitor to a site truly have a semi-unique IP address associated with them? I understand companies that do dynamic IP addresses leave the possibility open of user A trying to crack the site and getting blocked, then user B (a totally different person) inheriting the IP address from user A because they use the same ISP, in turn blocking him. This doesn't concern me too much, because it's not like this site is going to be anything like MSN or PHP.net or devnetwork.net; it's an online application with a specific purpose to manage certain things and should only need to be accessed by a few hundred people. Even if the general site used this theory and handled ten thousand hits a day, I don't think it would be a big issue. You may think about purging IP addresses from the Black List after a given amount of time to help prevent this. But I also heard that people hitting your site from dial-up AOL use a very limited IP range; does anyone know if this is true? Or that some Cox networks will always send their traffic through a gateway, which is what actually shows up as hitting the site. I'm also not sure what I would do about people spoofing an IP address, or if that is even a big concern for this theory.
Anyways, any feedback on this idea would be great. If you think it's doable, or if you see a glaring flaw in the thinking that I am missing. Anything.
To forums Admin: I stuck this in the Advance Theory and Design forum because I didn't want to bother the general public with my mindless drivel, but if you would like to move it, be my guest. Thanks
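As an added example (not code from the original post or its author), here is a Python sketch of the strike-and-blocklist scheme described above: the validation error handler feeds each rejected input to `record_input`, and every page calls `is_blocked` before rendering. The 5-strike limit and the 24 hour window are from the post; the pattern list, the one-week block expiry, the `client_ip` helper's handling of the X-Forwarded-For header, and the in-memory dictionaries standing in for the database tables are my assumptions.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Set

# Constructed pattern list illustrating the post's "BIG NO-NO" inputs.
# A bare apostrophe is deliberately left out: it would flag ordinary names
# like O'Brien, and the real defence against injection is parameterised
# queries, not blocking the character.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),  # injected script tags
    re.compile(r"(?:\.\./){2,}"),                # directory traversal runs
    re.compile(r"\.exe\s*$", re.IGNORECASE),     # nothing here should end in .exe
]

STRIKE_LIMIT = 5            # strikes before blocking (from the post)
STRIKE_WINDOW = 24 * 3600   # strikes are counted over 24 hours (from the post)
BLOCK_TTL = 7 * 24 * 3600   # assumption: blocks are purged after one week


def is_suspicious(value: str) -> bool:
    """True if the rejected input matches any blatant-attack pattern."""
    return any(p.search(value) for p in SUSPICIOUS_PATTERNS)


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Set[str]) -> str:
    """Pick the address to count strikes against.

    X-Forwarded-For is client-controlled unless a proxy we run appended it,
    so honour it only when the TCP peer is one of our own proxies, and then
    take the rightmost entry (the one that proxy added).
    """
    if forwarded_for and remote_addr in trusted_proxies:
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


class StrikeTracker:
    """In-memory stand-in for the post's two tables: strikes and the black list."""

    def __init__(self, limit: int = STRIKE_LIMIT, window: int = STRIKE_WINDOW,
                 block_ttl: int = BLOCK_TTL) -> None:
        self.limit = limit
        self.window = window
        self.block_ttl = block_ttl
        self._strikes: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> strike times
        self._blocked: Dict[str, float] = {}                         # ip -> block expiry

    def is_blocked(self, ip: str, now: float) -> bool:
        """The check every page runs before rendering; expired blocks are purged."""
        expiry = self._blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._blocked[ip]   # purge, so a reassigned dynamic IP is not blocked forever
            return False
        return True

    def record_input(self, ip: str, value: str, now: float) -> bool:
        """Called from the validation error handler. Returns True if ip is now blocked."""
        if self.is_blocked(ip, now):
            return True
        if not is_suspicious(value):
            return False            # ordinary bad input: normal error message, no strike
        strikes = self._strikes[ip]
        strikes.append(now)
        # Drop strikes older than the window so the rule is "5 within 24 hours".
        while strikes and now - strikes[0] > self.window:
            strikes.popleft()
        if len(strikes) >= self.limit:
            self._blocked[ip] = now + self.block_ttl
            strikes.clear()
            return True
        return False
```

The `now` parameter is passed in rather than read from the clock so the window and expiry logic can be exercised deterministically. The block expiry is what bounds the collateral damage the post worries about with dynamic addresses and shared gateways: a legitimate user who inherits a blocked address waits out the TTL instead of being locked out indefinitely, and the 24 hour window means five unrelated users behind one NAT gateway each tripping one pattern on different days do not add up to a block.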