Caching proxy servers... catching users who manipulate IP's

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


sbskater10
Forum Newbie
Posts: 2
Joined: Fri Dec 16, 2005 5:32 pm

Caching proxy servers... catching users who manipulate IP's

Post by sbskater10 »

Hello,

A website I run has a function that adds a count to a page once a day per IP. This is used to help determine the payout for the user.

The problem is if someone is using one of the proxy IP programs they can change their IP and keep refreshing the page. This is fraud and is not permitted, so I would like to stop it as best I can.

I understand there most likely isn't a 100% rock solid solution to this, but even eliminating some of these people would be very helpful.

Thanks,

Jason
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Hmmm...

* Tie users to sessions
* Run analysis programs to help determine fraud
* Analyze the request headers (i.e. User Agent)
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

See above...

The problem is that IPs are not a unique identifier of users. I know that's the common perception - but it's completely false. You should tie a user to a unique session id (this is passed from their cookie no matter how they change their IP). The problem with this is that they could simply delete the cookie for your site's domain on every request. Unfortunately User Agent is little better.

At best, these will limit the impact of proxies, since most users will be unaware of how or why deleting cookies and changing their user agent strings is necessary to prevent them being recognised even after switching IPs.

That leaves analysis. You need to keep track of unusual levels of unique clicks. Perhaps set an upper limit above which you will get notified by the PHP application, either email or just some log entry stored on a database you can review.

You can also attempt to block the use of anonymous proxies - quite a few ways of doing that. If you do follow that route and scan for known public proxies - I would suggest you be aware that there are legitimate public proxy users (it seems endemic in Australia for reasons unknown...)

As you can see - there's no easy solution. Anything that requires unique clicks can be tampered with to one degree or another. There are a number of gaming sites which have simply given up and allow people to publicise automatic clicker programs in Java or other. KingsOfChaos.com is an obvious example - games there are skewed towards whoever is aware of clicker programs and knows where to find them - there are even two purpose built clicker bots for that one game!
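The two replies above (tie the visitor to a session cookie rather than the IP, keep the User-Agent and IP only as weak secondary signals, and set an upper limit on unique clicks that triggers a review) can be put together in a small PHP routine. The following is an added example, not code from either poster; the storage array, the threshold `ALERT_UNIQUE_PER_HOUR`, the request array layout and the sample requests are all constructed for the demo, and a real site would read the same fields from `$_COOKIE`, `$_SERVER` and its database.

```php
<?php
// Added example (not from the thread): credit a page view once per day per
// visitor, keyed on the session cookie instead of the IP alone, and flag
// pages whose distinct-visitor count grows faster than a threshold.
// Storage is an in-memory array here (constructed for the demo).

declare(strict_types=1);

const DAILY_LIMIT_PER_VISITOR = 1;   // one credit per visitor per day
const ALERT_UNIQUE_PER_HOUR   = 50;  // hypothetical threshold for manual review

/**
 * Build a visitor key. The session id (from the cookie) is primary; the
 * IP and User-Agent are only used as a weak fallback when no cookie exists.
 */
function visitorKey(array $request): string
{
    $sessionId = $request['cookie_session'] ?? '';
    if ($sessionId === '') {
        // No cookie: fall back to IP + User-Agent, which the reply notes are
        // easy to change, so these visits are lower-trust.
        $sessionId = 'nocookie:' . ($request['ip'] ?? '') . '|' . ($request['user_agent'] ?? '');
    }
    return hash('sha256', $sessionId);
}

/**
 * Record one view of $page for this request. Returns true if the view was
 * credited, false if this visitor already reached today's limit.
 * $store is the constructed in-memory stand-in for the database.
 */
function recordView(array &$store, string $page, array $request, int $now): bool
{
    $day = gmdate('Y-m-d', $now);
    $key = visitorKey($request);
    $count = $store['views'][$page][$day][$key] ?? 0;
    if ($count >= DAILY_LIMIT_PER_VISITOR) {
        return false;
    }
    $store['views'][$page][$day][$key] = $count + 1;

    // Remember which distinct visitors appeared in each hour, for the anomaly check.
    $hour = gmdate('Y-m-d-H', $now);
    $store['firstSeen'][$page][$hour][$key] = true;

    // Keep the weak signals too so an analyst can review flagged pages later.
    $store['meta'][$page][$day][$key] = [
        'ip'     => $request['ip'] ?? '',
        'ua'     => $request['user_agent'] ?? '',
        'cookie' => isset($request['cookie_session']),
    ];
    return true;
}

/**
 * Return pages whose number of distinct visitors in the given hour exceeds
 * ALERT_UNIQUE_PER_HOUR: the upper limit the reply suggests notifying on.
 */
function flagSuspiciousPages(array $store, int $now): array
{
    $hour = gmdate('Y-m-d-H', $now);
    $flagged = [];
    foreach ($store['firstSeen'] ?? [] as $page => $byHour) {
        $n = count($byHour[$hour] ?? []);
        if ($n > ALERT_UNIQUE_PER_HOUR) {
            $flagged[$page] = $n;
        }
    }
    return $flagged;
}

// --- Demo with constructed requests ------------------------------------
$store = [];
$t = gmmktime(12, 0, 0, 12, 16, 2005);

// Same session cookie, two different IPs: only the first view is credited.
$a = ['ip' => '203.0.113.5',  'user_agent' => 'Mozilla/5.0', 'cookie_session' => 'sess-abc'];
$b = ['ip' => '198.51.100.9', 'user_agent' => 'Mozilla/5.0', 'cookie_session' => 'sess-abc'];
var_dump(recordView($store, 'page1', $a, $t));
var_dump(recordView($store, 'page1', $b, $t));

// Cookie absent and IP rotated on every hit: each hit looks like a new
// visitor, so the hourly distinct-visitor count climbs past the threshold
// and the page is flagged for review instead of silently paying out.
for ($i = 0; $i < 60; $i++) {
    $r = ['ip' => '203.0.113.' . ($i + 1), 'user_agent' => 'Mozilla/5.0'];
    recordView($store, 'page2', $r, $t + $i);
}
print_r(flagSuspiciousPages($store, $t));
```

The point of the demo is the second half: once the cookie is gone the counter cannot tell the visitors apart, exactly as the reply says, so the defence shifts from blocking to detection. The hourly threshold is an arbitrary starting value; tune it from the site's normal traffic, and log the `meta` entries (IP, User-Agent, cookie present or not) with the flag so the review has something to look at.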