
CGI REMOTE_ADDR, FORMS and IP Spoofing

Guest
May 11, 2007

I have an e-mail form that I'm trying to limit the abuse of.

One of the things that I have done is to reduce the ease of IP spoofing when submitting to a page with form variables, by forcing the submitter to CFLOCATE to another page with a one-off URL variable. The form variables are stored in a struct scoped at the application level and not passed directly to the 2nd page, and my assumption is that they have to use their correct IP address for the first page because else there is no way of knowing the random URL variable to get to the 2nd. The URL variable is random and can only be used once.

The weird thing is that when I'm comparing the REMOTE_ADDR from the first page to the 2nd page I'm sometimes seeing mismatches on submissions that appear to be genuine. Considering that it's an instantaneous forward from the first page to the 2nd, I can't think of any legitimate reason why their IP address would change between requests.

Is there any reasonable explanation of why this would happen?
TOPICS
Advanced techniques

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.
Guest
May 11, 2007

Post some of the code and where you think it's not working.

LEGEND
May 11, 2007

turtle7 wrote:
> Is there any reasonable explanation of why this would happen?

Their service provider might be swapping IPs for whatever reason (AOL comes to mind). Ours (in Bangkok) will between "normal" HTTP calls & HTTPS ones (took forever to figure that one out).

Not knowing your app's intention, I think if somebody's spoofing IPs they probably won't swap between calls.

Guest
May 14, 2007

You seem to be correct PaulH. All of the users that have changing IPs also have AOL e-mail addresses.

Very strange though, wonder why they would do that.

Guest
May 14, 2007

> Very strange though, wonder why they would do that.

AOL just gives their users whichever IP is available when they login. Cable ISPs usually let you keep your IP for months/years, but they don't tell you when it's changing; you find out the hard way.

> what I wanted to stop was people/bots submitting form variables directly to the action page with fake IP addresses

If you're trying to keep the person from doing this, check the HTTP_REFERER to see if it comes from your server before going any further. The request should come from your web server and the submitting form, right?

Guest
May 14, 2007

HTTP_REFERER is easily faked, if you use this for authentication you're in for a rude awakening.

>> AOL just gives their users whichever IP is available when they login.

This is not between logins; this is their IP address changing during an instantaneous forward to a second page.
I.e., they request a page, but instead of seeing anything their browser is redirected to a second page.
Their request for the first page used IP "a". Their request for the 2nd page they are redirected to (less than a second later) uses IP "b". See the strangeness? Two requests generally less than a second apart with a different IP address?

Community Expert
May 11, 2007

Re-examine your code logic. It might not be water-tight. Could your code be doing something like

request from client1 at IP1
create globally available unique ID1
request from client2 at IP2
redirect client2

What do you use to guarantee a one-to-one correspondence between the IP in the form page and the unique identifier on the second page? Lock? Session scope? Request scope? If necessary, create a new id by appending the IP to the current id.

Guest
May 14, 2007

Just to answer your question BKBK,

what I do is:

1) create random variable x
2) store value of x and IP address and all form variables in application scoped query object
3) cflocate to page2.cfm?request = x
4) retrieve the values from the application scoped query by matching x = URL.record
5) remove the matching row from the application scoped query object
6) compare current IP to retrieved IP

My theory was that you could not spoof your IP address and still get to the 2nd page, because you need to use your correct IP address if you want to get the value of x, which is the only way your request will be processed on page 2.

The value of x is sufficiently large and the traffic of this site is sufficiently low that, while it is possible for a mismatch to occur, it is so unlikely as to be impossible.

What I wanted to stop was people/bots submitting form variables directly to the action page with fake IP addresses, so that I could not easily/automatically ban their IP addresses or identify multiple posts as coming from the same poster.
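The six-step flow above, as an added Python model that is not ColdFusion and not the poster's code: the application-scoped query becomes a lock-guarded dict, CFLOCATE becomes a returned redirect URL, and page2 pops the row atomically (steps 4 and 5 as one operation) before comparing REMOTE_ADDR. It also shows the outcome PaulH described, where a genuine user whose ISP rotates the source address between the two requests fails the IP comparison. The function names, the token format and the 30-second TTL are assumptions.

```python
import secrets
import threading
import time

# Constructed stand-in for the thread's two-page flow (not ColdFusion and not
# the poster's code): page1 stores token, REMOTE_ADDR and form fields in a
# shared store, redirects to page2.cfm?record=<token>; page2 redeems it once.

TOKEN_TTL_SECONDS = 30  # assumption: a redirect completes well within this

class OneTimeTokenStore:
    """Shared (application-scope-like) store guarded by a lock, so concurrent
    page1 requests never see each other's rows (the concern BKBK raised)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._rows = {}  # token -> (remote_addr, form_fields, created_at)

    def issue(self, remote_addr, form_fields):
        token = secrets.token_urlsafe(16)  # unguessable, unlike an int < 1e8
        with self._lock:
            self._rows[token] = (remote_addr, dict(form_fields), time.monotonic())
        return token

    def consume(self, token):
        # pop() under the lock makes "retrieve row + delete row" atomic, so a
        # token is redeemable at most once even if two requests race for it.
        with self._lock:
            return self._rows.pop(token, None)

STORE = OneTimeTokenStore()

def page1(remote_addr, form_fields):
    """Return the URL page1 would CFLOCATE the client to."""
    return "page2.cfm?record=" + STORE.issue(remote_addr, form_fields)

def page2(remote_addr, token):
    """Return (status, form_fields); status: ok/unknown_token/expired/ip_mismatch."""
    row = STORE.consume(token)
    if row is None:
        return ("unknown_token", None)
    stored_ip, form_fields, created_at = row
    if time.monotonic() - created_at > TOKEN_TTL_SECONDS:
        return ("expired", None)
    if stored_ip != remote_addr:
        # The thread's case: a genuine user whose ISP rotates the source
        # address between the two requests (AOL-style) ends up here.
        return ("ip_mismatch", form_fields)
    return ("ok", form_fields)
```

Because the mismatch still returns the form fields, a caller can log the pair of addresses and decide (for example, by fallback to a CAPTCHA) rather than silently dropping a legitimate submission.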

Advocate
May 14, 2007

Just out of curiosity - did you consider using a captcha? If so, what made you decide to roll your own solution instead of the captcha?

Guest
May 14, 2007

Well, I considered it. I wanted it to be easy; perhaps that was naive of me, but it is a commercial site and I don't want to put people off, since if they e-mail their friends/family a link to the page they're viewing it could help with a sale.

I suppose my options are:
a) don't care if it doesn't work for AOL users and leave as is (not really a good option).
b) use some sort of captcha (hate those things, but...)
c) just remove the feature (don't want to because people actually use it)

It basically functions like NPR's e-mail page button (see http://www.npr.org/templates/story/story.php?storyId=4703895 for example). Just a simple little form to e-mail a link to someone. Hmmm, they don't use captcha either; I wonder what they use to stop abuse.

Community Expert
May 14, 2007

> 2) store value of x and ip address and all form variables in application scoped query object
> 3) cflocate to page2.cfm?request = x

This resembles the kind of logic I alerted you to. Application scope is global, by which I mean an application-scoped variable is generally available to every user. It might therefore happen that the current value of that variable pertains to user A. Hence user B would get the variable Application.(query object containing x_A and IP_A) after being redirected to page2.cfm?request = x_B. It is a possibility you should rule out.

Guest
May 14, 2007

Hi BKBK,

I appreciate your effort to help - I am confident however that there is not a case of retrieving the wrong record and that in fact I am correct that they are returning different IP addresses.

Let's say that on Page1.cfm I create a random number X between 0 and 100 million.
I insert a record into an application scoped query object, and I KEY that record by X.
This is followed by a CFLOCATE to a second page: Page2.cfm?record=X

You see that there is a URL variable in the CFLOCATE that contains the value of X.

Then I do something like SELECT * FROM APPLICATION.qryObj WHERE request_id = URL.record (of course using cfqueryparam, yadda yadda).

If that's not clear then perhaps I'm just not that good at explaining, but trust me, I have a lot of experience writing in ColdFusion, and specifically applications that are used by large numbers of users at the same time, and I have a very good understanding of scopes and how to make methods/functions safe.

Each request gets a row in the Application scoped query object, and I'm not simply retrieving the last record inserted into the query object; I'm retrieving it based on a unique key that is generated only once for a specific request.

No other user has access to X. There is an impossibly small chance that they would, and then I delete that row out of the query object as I process it in page2.cfm.

Community Expert
May 15, 2007

Hi Turtle7,

I have re-read my posts. They either contain a suggestion you could take or leave, or a question you could answer with a simple yes or no. All hints and suggestions are about the subject, nothing else.

I was already aware of PaulH's response. I, too, find dynamically allocated IPs to be the most plausible answer. However, two troublesome matters remained. First, a redirect is too short. In your own words, "Considering that it's an instantaneous forward from the first page to the 2nd I can't think of any legitimate reason why their IP address would change between requests". Second, you give the impression this happens too often to be merely incidental.

Please accept that I do not have any doubts about your ColdFusion ability. What you placed before us is a challenging puzzle. Hence my suggestion to look away from the beaten track.

Guest
May 15, 2007

BKBK, no offense given or taken, I hope.

I did take your advice and looked through my code carefully, and then through the logs that I keep. The code seems logically sound even with a thorough reading, and the logs show that this happens even if there's only one submission (every time any of the pages in the process are invoked I log all CGI, FORM, APPLICATION, VARIABLE, REQUEST and URL values, so I have a good idea of how closely spaced requests are).
