[vox-tech] Security & IP

Alan H. Lake vox-tech@lists.lugod.org
19 Feb 2003 14:25:15 -0500


What's $.02 to you is worth $2M to me.  Thanks.

I hear you say the https will probably give me the protection I need.
I'm planning to use that in production.  I'll also use $REMOTE_ADDR with
this test.

On Wed, 2003-02-19 at 13:13, Micah J. Cowan wrote:
> On Wed, Feb 19, 2003 at 12:12:27PM -0500, Alan H. Lake wrote:
> > I'm creating a PHP program that I'd like to protect against an attempt
> > to "hijack" a session.  I want to insure that the IP address of the
> > machine using the session is the same as that which started the
> > session.  The approach that I'm using is that, if the session's IP is
> > not stored in the session file, I'll store it.  If it is, I check to see
> > whether it matches the current IP.  If the two don't match, I think I've
> > been hijacked.
> 
> Well, since this method only protects someone from attackers with other
> world-visible IP addresses, leaving no protection from attackers who
> might be behind the same proxy, or attackers who have access to a
> router between your server and the user--and since there are easier
> methods--I wouldn't really have bothered with this, but...
> 
> > 
> > The problem is that I'm getting a false alarm because the 4th node of
> > the current IP doesn't always match that of the IP that started the
> > session.  The other three nodes do match.
> > 
> > Here are my questions.  Do I have adequate protection if I check just
> > the first three nodes?  Is there a better way to detect such an attempt?
> 
> I can't figure out how this could be: is a proxy choosing between a
> group of IPs at whim for masquerades? I can't think of why this would be...
> 
> But to answer your question: no. It leaves the victim susceptible to
> attack by up to 254 other users. Still better than *everybody*, but
> it's still just limited protection.
> 
> > The PHP code that I am using to get the IP addresses is this:
> >   // Prefers X-Forwarded-For when present (the behaviour under discussion);
> >   // getenv() takes a string, so the header name must be quoted.
> >   if (getenv('HTTP_X_FORWARDED_FOR'))
> >     $ipaddr = getenv('HTTP_X_FORWARDED_FOR');
> >   else
> >     $ipaddr = $REMOTE_ADDR;  // register_globals form of $_SERVER['REMOTE_ADDR']
> 
> You should just use $REMOTE_ADDR. In this case, you *do* want the IP
> of the ISP's proxy server, since that's the only IP address that you are
> actually in contact with. This still leaves the user open to attack
> from others on the same ISP.... But I'll bet that's why you're getting
> different IPs for the same session: Maybe the ISP is setting
> X-Forwarded-For: for some requests and not others; or maybe it is
> setting them erroneously. Either way, you will get different results
> each time. But (I'm pretty sure) you can't get different IPs for
> $REMOTE_ADDR if you're being accessed by the same machine for a
> session.
> 
> As I've pointed out a couple times, there are still, in pretty much
> all cases, groups of users who can "hijack" the session, if you are
> vulnerable to such attacks. A better idea is just to use a fairly
> random selection process for the session id, with enough bits that one
> couldn't hijack the session without knowing the id. As to those who
> are along the route such that they *can* see the id, blocking by IP
> only affords limited protection, since IP-spoofing is a possibility in
> that case.
> 
> In most cases, it's simply not worth worrying about people who can spy
> "on-route", since that is usually only a theoretical vulnerability
> (i.e., few crackers actually practice this, or are in a position
> to). In those cases where extreme security must be exercised, you can
> use HTTPS, or a challenge-response-style authentication for every HTTP
> request.
> 
> HTH; just my $0.02,
> Micah
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

________________________________________________________________________
Alan H. Lake
Lake Information Works
6999 Dolan Road
Glouster, OH  45732-9003
Phone: 888-806-4201
Fax:   309-279-8695
Cell:  916-276-0913
Email: alan.lake@lakeinfoworks.com
Site:  www.lakeinfoworks.com
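The approach Micah recommends, as an added example that is not code from the thread: a session id with enough random bits that it cannot be guessed, an IP check that reads REMOTE_ADDR and only honours X-Forwarded-For when the connecting peer is one of our own reverse proxies, and a mismatch that simply invalidates the session. The function names, the $trustedProxies list and the usage lines are assumptions for illustration.

```php
<?php
// Added example, not code from the vox-tech thread. Function names and the
// trusted-proxy list are assumptions for illustration.
declare(strict_types=1);

// 32 random bytes = 256 bits: an attacker without the id cannot guess it.
// (Modern PHP's own session ids are already random; this makes the point explicit.)
function newSessionId(): string {
    return bin2hex(random_bytes(32));
}

// Choose the address to bind the session to. REMOTE_ADDR is the peer that
// actually made the TCP connection. X-Forwarded-For is just a header that any
// client or proxy can set, so it is only used when REMOTE_ADDR is one of our
// own reverse proxies, and even then only the last hop (the one that proxy
// appended), never the first, client-supplied entry.
// $_SERVER['REMOTE_ADDR'] is the non-register_globals form of $REMOTE_ADDR.
function clientAddress(array $server, array $trustedProxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return (string) end($hops);
    }
    return $peer;
}

// First request records the address; later requests must present the same one.
// This is a weak extra layer (users behind the same proxy share an address),
// so a mismatch only ends the session; it does not prove a hijack.
function checkSessionIp(array &$session, string $ip): bool {
    if (!isset($session['ip'])) {
        $session['ip'] = $ip;
        return true;
    }
    return $session['ip'] === $ip;
}

// Usage in a request handler (assumed reverse proxy at 10.0.0.5):
// session_id(newSessionId()); session_start();
// if (!checkSessionIp($_SESSION, clientAddress($_SERVER, ['10.0.0.5']))) {
//     session_destroy(); http_response_code(403); exit;
// }
```

Because REMOTE_ADDR is the only address the server has actually exchanged packets with, two requests from the same client over the same proxy cannot differ in it, which is why it does not show the fourth-octet drift seen with X-Forwarded-For.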