WebApp Sec: Re: Filtering by client IP address for Web App Sessions

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: Filtering by client IP address for Web App Sessions

From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 28 Feb 2005 15:56:55 +0100

Evans, Arian wrote:

Question for those outside of the US of A:

In Europe, Asia, etc. do you have:

1. Any significant user population of your web applications
comprised of AOL (America online) users?


Don't know.

2. Are there many ISPs or large organizations using megaproxies
that swap client source IPs across entire classes of netblock (e.g.
-like AOL does)?

In Spain the major ADSL provider (Telefonica, some other ISPs that arenot Telefonica use Telefonica's network even if they sell direct tothe customer) uses a transparent proxy for web access (I believe theyare Inktomi's Traffic-Server).

They started using it January 2003. Originally they used 80.58.33.235,80.58.11.42, 80.58.37.107 and 80.58.33.170. Now it seems they use80.58.1.42, 80.58.1.44, 80.58.1.45, 80.58.1.107, 80.58.47.44,80.58.48.42 and 80.58.4.170 amongst others.

I haven't seen any public list of the IP addresses they use, ifsomeone is interested I can provide a statistical breakdown of IPaddresses based on web server logs. I can confirm that they usedifferent class C networks all of which belong to the RIMA network(80.58.0.0/16)

I've been telling people for years that you can't filter by source or
even last octet netblocks and lately have been wondering if I'm dense
and this is a US-centric bias of mine thanks to the ISP behaviors
I've had to deal with over the years.

Well, even you obviously can't filter by source if using proxies, butwhat about the Via, Forwarded, X-Forwarded-For or Client-ip header?I've actually seen few reverse proxies that take this into accountwhen providing a way to define IP-based filtering rules, but I believethere is sense in blocking some pestering users through those headersif needed be.

Of course, this information can be faked (if not going through aproxy), but in the case of these transparent proxies IF the TCP/IPsource belongs to one of the caching proxies the Client-ip header ismore difficult to forge by a rogue user.


Regards

Javier

PS: From their (public) documentation they use it for Http (only port80), Windows Media (port 1755), Real Networks (port 554) an QuickTimestreaming (port 554 too)

By Date By Thread

Current thread:

Re: Filtering by client IP address for Web App Sessions, (continued)
- Re: Filtering by client IP address for Web App Sessions Steve Shah (Feb 28)
  - Re: Filtering by client IP address for Web App Sessions Paul Johnston (Mar 01)
- Re: Filtering by client IP address for Web App Sessions exon (Feb 28)
  - Re: Filtering by client IP address for Web App Sessions Jason Coombs (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Frank Knobbe (Feb 28)
- Re: Filtering by client IP address for Web App Sessions Javier Fernandez-Sanguino (Mar 01)
- RE: Filtering by client IP address for Web App Sessions Amichai Shulman (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Griffiths, Ian (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Scovetta, Michael V (Feb 28)
- RE: Filtering by client IP address for Web App Sessions Evans, Arian (Mar 03)