[vox-tech] Security & IP

ME vox-tech@lists.lugod.org
Wed, 19 Feb 2003 09:49:01 -0800 (PST)


I think you may have problems with this if my memory is correct on an issue.

Some ISPs (like AOL) use distributed application layer proxy servers.
Within an "application layer session" a single user from one computer may
appear to come from multiple IP addresses. (Not talking about a TCP session, but
a session where a person sits at a computer, and navigates around your web
site clicking on one link then another.) This may lead to problems with
implementing your code.

Have you considered using SSL to help protect your program from hijacking?

(More comments below)

Alan H. Lake said:
> I'm creating a PHP program that I'd like to protect against an attempt
> to "hijack" a session.  I want to insure that the IP address of the
> machine using the session is the same as that which started the
> session.  The approach that I'm using is that, if the session's IP is
> not stored in the session file, I'll store it.  If it is, I check to see
> whether it matches the current IP.  If the two don't match, I think I've
> been hijacked.

(I'm not so sure this will work universally. See above.)

> The problem is that I'm getting a false alarm because the 4th node of
> the current IP doesn't always match that of the IP that started the
> session.  The other three nodes do match.

The 4th octet of an IP address cannot be relied upon for proof of lack of
hijacking. When the Internet was built using classed networks, you could
determine the site/owner of a netblock based on the first octet's value.
This is not the case anymore. Even if you could assume two IP addresses
are from the same netblock, you can't be certain that the second IP is not
really an attempt at hijacking. Actually, this can be the reverse, as a
person sharing the first person's subnet may be able to sniff session
information from that target and then hijack the session. (Still talking
about an application layer "session" without SSL, NOT a TCP one.)

> Here are my questions.  Do I have adequate protection if I check just
> the first three nodes?

In my opinion, using only the first 3 octets of an IP address is not
sufficient.

> Is there a better way to detect such an attempt?

Use of SSL to help protect the session.

You might look into cookies, but they have other issues in cases like
shared workstations in a public area.

> The PHP code that I am using to get the IP addresses is this:
>   // Prefer the proxy-supplied header (string key, not a bare constant);
>   // fall back to the TCP peer from $_SERVER instead of a register_globals variable.
>   if (getenv('HTTP_X_FORWARDED_FOR'))
>     $ipaddr = getenv('HTTP_X_FORWARDED_FOR');
>   else
>     $ipaddr = $_SERVER['REMOTE_ADDR'];

Of course, my recollection of the way that AOL does things could be wrong,
or incorrect, but I *think* it is correct. I don't use AOL and have no
first-hand knowledge of this (with a sniffer or whatever) but when this
has come up before in meetings, nobody has stated it was not the case when
it was mentioned.

Your idea is quite creative and inventive. :-)

(Nothing comes from not trying, perhaps you will find a way yet.)

-ME


-- 
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant
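Taking the reply's points together (the forwarded-for header is client-supplied unless it comes from your own proxy, comparing three octets proves nothing, and SSL plus cookie settings do the real work), here is an added PHP example, not code from the thread, of what a session check along those lines looks like in current PHP (7.3+); the proxy address and the login path are placeholders.

```php
<?php
// Added example, not from the original thread: bind a PHP session to what
// the server itself observed, and treat a mismatch as "log in again" rather
// than as proof of hijacking, since a client behind a rotating proxy pool
// can legitimately change address mid-session.

// Assumption: the site is served over TLS, so the cookie can be marked Secure.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

// Constructed placeholder: the reverse proxies we run. Only a request arriving
// from one of these may have its X-Forwarded-For believed; from anyone else
// that header is client-supplied text.
const TRUSTED_PROXIES = ['192.0.2.10'];

function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, TRUSTED_PROXIES, true)) {
        $first = trim(explode(',', $xff)[0]);  // "client, proxy1, proxy2"
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $peer;
}

// Use the whole address, not three octets: a neighbour on the same subnet is
// exactly the party best placed to sniff an unencrypted session.
function session_fingerprint(array $server): string
{
    return hash('sha256', client_ip($server) . '|' . ($server['HTTP_USER_AGENT'] ?? ''));
}
$fp = session_fingerprint($_SERVER);
if (!isset($_SESSION['fp'])) {
    $_SESSION['fp'] = $fp;
    session_regenerate_id(true);  // new id once the session carries state
} elseif (!hash_equals($_SESSION['fp'], $fp)) {
    // Hijack attempt or legitimate address change: discard the session
    // and require a fresh login either way.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

Call `session_regenerate_id(true)` again at login so a session id handed out before authentication is never the one that carries the authenticated state.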