Paul Hale
Hi,
I’m seeking advice (rather than a solution) for a few security concerns I
have regarding an ASP.NET application I am developing. My web app will
basically track hits to the site and every x number of hits will
automatically receive a small prize. Obviously this throws up a few security
concerns as I want to minimise the risk of people running scripts and
automated programs against the site in order to maximise their chances of
winning. My aim is to record each IP address that hits the site and auto
block that IP address for a few minutes. Then that IP address is free to have
another attempt. If and when an IP address wins the IP address is auto
blocked for a few days.
My thought process so far is as follows...
Main Risk.
• Programmer writes an executable app that automatically loads the html for
the site. The program detects if the “hit” was a winning “hit” and if so
informs the programmer. If not a winning hit the program / script hits the
site again until a winning hit is achieved.
Possible Resolutions to minimise risk.
• Record IP address of hit. If more than x hits detected from same IP
address within set timescale auto block access.
The above is maybe a step in the right direction but a programmer using a
dynamic IP could auto renew their IP address in-between each hit. My
thoughts then lead me to wonder if dynamic IP addresses have anything in
common which I could analyse? I.e. If someone renewed their IP address
(assuming they used the same ISP) would the new IP address be issued on the
same subnet? If so my code could auto block a complete subnet of IPs for a
temporary period if it detected unusual activity from the same subnet?
Users will not have to register to access the site. Ideally I would like
users to visit the landing page of the site and instantly be informed if they
have won or not. However, the more I think about this the more difficult it
will be to stop people scripting against the site. Therefore my thoughts lead
me to another security measure to minimise the scripting risk.
• Implement a graphic based security code entry system. This would be
similar to the System Microsoft use to create a hotmail account. Seems to be
a popular security measure these days. Visiting users would have to enter a
random security code that is presented in graphic format before they can
enter the site.
Can anyone offer me any advice on the effectiveness of these graphic based
security code entry systems? Is anyone aware of a professional .NET component
I could purchase or would I have to write my own?
My last security concern is people who “spoof” their IP addresses. Is this
some kind of urban myth or is it possible to achieve this? I’m not really
interested in how it’s achieved but would be very interested in how to detect
a spoofed IP address.
I apologise for the length of this post. As you can see I have some basic
security concerns. No doubt I have overlooked some potential risks as well.
If anybody could point out any other shortfalls I need to consider I would be
much obliged.
Any advice or pointers at all would be very much appreciated.
Regards,
Paul.
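As an added example, not code from Paul's post or from any .NET component: the per-IP cooldown, winner lockout and subnet velocity block described above, written in Python rather than ASP.NET so the logic can be run stand-alone. All thresholds and addresses are constructed values.

```python
# Added example, not code from the original post; thresholds are constructed.
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

HIT_COOLDOWN = 120       # seconds an IP waits after any hit ("a few minutes")
WIN_LOCKOUT = 3 * 86400  # seconds a winning IP is locked out ("a few days")
SUBNET_WINDOW = 60       # sliding window for the per-subnet velocity check
SUBNET_MAX_HITS = 20     # hits tolerated from one subnet inside the window
SUBNET_BLOCK = 600       # seconds a noisy subnet is blocked


class HitGate:
    def __init__(self, win_every=1000):
        self.win_every = win_every             # every x-th counted hit wins
        self.next_allowed = {}                 # ip -> epoch when it may retry
        self.subnet_hits = defaultdict(deque)  # subnet -> recent hit times
        self.subnet_block_until = {}           # subnet -> epoch block lifts
        self.counted_hits = 0

    def attempt(self, ip, now):
        """Process one hit at epoch `now`; returns (verdict, reason)."""
        # `ip` must be the TCP peer address, never a client-supplied header
        # such as X-Forwarded-For, which a script can set to any value.
        addr = ip_address(ip)
        subnet = ip_network((addr, 24 if addr.version == 4 else 64), strict=False)

        if now < self.next_allowed.get(addr, 0):
            return "blocked", "ip-cooldown"
        if now < self.subnet_block_until.get(subnet, 0):
            return "blocked", "subnet-blocked"

        # Subnet velocity: hits from the whole /24 in the last window. Caveat:
        # a block here also locks out every legitimate user behind the same
        # ISP pool or NAT gateway, so keep the block short.
        recent = self.subnet_hits[subnet]
        recent.append(now)
        while recent and recent[0] <= now - SUBNET_WINDOW:
            recent.popleft()
        if len(recent) > SUBNET_MAX_HITS:
            self.subnet_block_until[subnet] = now + SUBNET_BLOCK
            return "blocked", "subnet-velocity"

        self.counted_hits += 1
        if self.counted_hits % self.win_every == 0:
            self.next_allowed[addr] = now + WIN_LOCKOUT
            return "win", None
        self.next_allowed[addr] = now + HIT_COOLDOWN
        return "lose", None
```

The per-IP cooldown only slows one address; a client that changes address between hits is caught, if at all, by the subnet check, which is why that check carries the collateral-damage caveat.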