struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Perry" <d.pe...@netcase.co.uk>
Subject RE: [slightly OT] defensive strategy
Date Tue, 13 Apr 2004 10:38:31 GMT
There are lots of ways to counter this. The simplest is a combination of
session + cookie. Most people wont know how to / have any desire to delete
the cookie.

IPs are useful, but be careful:
- Some of the big ISPs (eg freeserve in the uk) have 'hidden' proxy servers,
so if popular you may get more than one vote per hour from the same ip
legitimately.
- NAT - more that one person on a private NATed network may vote in close
proximity!

If you are really concerned with it, then put a limit on number of requests
from an ip like you suggest.

The most secure method i would suggest is to store each vote in the database
with the ip. Converting the IP to an int will speed things up a lot! You can
then implement a limiter and take a proactive blocking approach, or add an
alerter, and take a reactive approach to mass votes!

Daniel.

-----Original Message-----
From: Adam Hardy [mailto:ahardy.struts@cyberspaceroad.com]
Sent: 13 April 2004 11:23
To: Struts Users Mailing List
Subject: [slightly OT] defensive strategy


Sorry for posting this OT question but I've got an issue that people on
this list are very likely to have tackled:

I am developing a traditional online survey app, the kind of thing that
alot of people must have done. I am wondering how to protect it from
script-kiddies who might want to see if they can bombard it with fake
votes.

It's basically public and anyone can take part in the surveys it will run.

I put a switch to check for a flag in the session so that people don't
vote more than once from the websites where the surveys will be deployed.

But I am worried that kids writing scripts will not be stopped by
session flags. Is it worth writing an algorithm to store the IP
addresses used for the last hour? Or can they spoof IP addresses?

If it is useful noting the IP addresses, how best should I store them?
In a hashtable in application scope? In the database? In a session EJB?

Thanks!





--
struts 1.2 + tomcat 5.0.19 + java 1.4.2
Linux 2.4.20 Debian


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message