Best IP Spoofing defense?
IP Spoofing: A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
The HTTP protocol was not designed for security.. I played a basic IP spoofer & it scared the shit out of me.. TONS of sites/video feeds are indeed insecure.. What is the best defense? No Replies.. hmmm.. I didn't think there would be any.. Looks like a fix-it script would make bank!!! The huge security holes remind me of what started all the password sites..
Just ignore ip source-routes in all your packets, have the routers do their damn job.
How would IP spoofing make video viewable? Are you sure you're not thinking of HTTP Referer spoofing? b.
Well there's a goddamn big difference between the two.
Yes, HTTP referer spoofing is a problem. There are solutions, but like most things HTTP related they're ugly. Your best option is to set up and use transparent session handling, like PHP does natively since PHP4. (or was it 3?) If the user has cookies disabled all your URLs are rewritten to include the sessionid in the request. No HTTP referer checking for intra-site authentication is just stupid. The real problem is in inter-site handoffs of authenticated users. This is a problem which still needs a proper solution.
Referrer based authentication is just plain stupid. Especially if your feed supplier charges you for bandwidth. Unfortunately most suppliers and customers seem more concerned with ease of setup than security.
Holio used to offer (and may still) a token based authentication system for some of their feeds (but you had to ask for it). If I recall correctly, you had to pass your account number, the current time, and a hash of the preceding and a shared secret. Seemed to work pretty well.
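As an added example (not code from this thread, from Holio or from any poster), here is the shape of that token scheme in Python: the client sends its account number, the current time, and a keyed hash over both under a shared secret, and the server recomputes the hash and bounds the timestamp so a captured token cannot be replayed indefinitely. HMAC-SHA256 as the keyed hash, the colon separator, the sample secret and the 5-minute window are all my assumptions; the post does not specify them.

```python
"""Token-based feed authentication, modelled on the scheme described in the post above."""
import hashlib
import hmac
import time

# Constructed sample value for illustration; a real deployment has one secret per client.
SHARED_SECRET = b"example-shared-secret-not-real"
MAX_SKEW_SECONDS = 300  # tokens older than this, or from the future, are rejected (assumption)


def make_token(account: str, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Client side: account number, time, and a keyed hash of both.

    HMAC-SHA256 stands in for the 'hash of the preceding and a shared secret';
    the thread does not say which hash the feed used, so this is an assumption.
    """
    message = f"{account}:{timestamp}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{account}:{timestamp}:{digest}"


def verify_token(token: str, now: int, secret: bytes = SHARED_SECRET,
                 max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """Server side: recompute the keyed hash and bound the timestamp.

    The timestamp limits how long a captured token stays usable; the digest
    comparison is constant-time so the check does not leak via timing.
    """
    try:
        account, ts_str, digest = token.rsplit(":", 2)
        timestamp = int(ts_str)
    except ValueError:
        return False  # malformed token
    if abs(now - timestamp) > max_skew:
        return False  # stale or clock-skewed token
    message = f"{account}:{timestamp}".encode()
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    now = int(time.time())
    token = make_token("acct-12345", now)  # constructed account number
    print(token, verify_token(token, now))
```

Because the client and server clocks must agree to within the window, a real deployment also needs the clients' clocks kept in sync (for example via NTP), or rejected tokens will look like attacks.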
It works great for us. We have not been hacked once, since I programmed the new security just over a year ago. It works great. I would never go with referers. HTTP spoofing is so easy. We used to get hacked all the time.
JDog
JDog, have you had any problems with getting your clients to implement it? How much work is involved for you on every new client?
Presumably you have a private key involved, or what stops someone from taking your description above and h4x0ring it now? :) IGallery now offers this setup on their feeds as well. b. |
Check this out.
http://www.paysitepowertools.com/os-multimodauth.html This guy posts on here, but doesn't seem to push his software. It seems like a valid solution, although the price sucks ass. On the other hand, anyone using referrer based protection knows what a PITA it can be. Especially with surfers whose ISP blocks referral headers. ;) So the price may be reasonable if you have enough bitchy members, and referral spoofers.
It is my own secret key with the elements involved, I do have other things that multiply into the hash, which I'm not going to post the exact hash here. But with every new client all I have to do is edit the one line of the script that I made for clients before I give it to them. The perl script that I made is approx. 12 lines. If the client wants a php script, it is approx. 3 lines. I think I implemented this in about 1 day's work. And the whole program works. If you want to catch me online, my ICQ is 177385133. I will let you know more, but for security reasons, I won't go into details about my script. JDog
Icqin' u shortly Jdog