13 Replies Latest reply on May 15, 2007 9:36 AM by turtle7

    CGI REMOTE_ADDR, FORMS and IP Spoofing

    turtle7 Level 1
      I have an e-mail form that I'm trying to limit the abuse of.

      One of the things that I have done is to reduce the ease of IP spoofing when submitting to a page with form variables, by forcing the submitter to CFLOCATE to another page with a one-off URL variable. The form variables are stored in a struct scoped at the application level and not passed directly to the 2nd page, and my assumption is that they have to use their correct IP address for the first page because else there is no way of knowing the random URL variable to get to the 2nd. The URL variable is random and can only be used once.

      The weird thing is that when I'm comparing the REMOTE_ADDR from the first page to the 2nd page I'm sometimes seeing mismatches on submissions that appear to be genuine. Considering that it's an instantaneous forward from the first page to the 2nd, I can't think of any legitimate reason why their IP address would change between requests.

      Is there any reasonable explanation of why this would happen?
        • 1. Re: CGI REMOTE_ADDR, FORMS and IP Spoofing
          CFMXPrGrmR Level 2
          Post some of the code and where you think its not working.
          • 2. Re: CGI REMOTE_ADDR, FORMS and IP Spoofing
            Level 7
            turtle7 wrote:
            > Is there any reasonable explanation of why this would happen?

            their service provider might be swapping IPs for whatever reason (AOL comes to
            mind). ours (in bangkok) will between "normal" HTTP calls & HTTPS ones (took
            forever to figure that one out).

            not knowing your app's intention, i think if somebody's spoofing IPs they
            probably won't swap between calls.

            • 3. Re: CGI REMOTE_ADDR, FORMS and IP Spoofing
              BKBK Adobe Community Professional & MVP
              Re-examine your code logic. It might not be water-tight. Could your code be doing something like

              request from client1 at IP1
              create globally available unique ID1
              request from client2 at IP2
              redirect client2

              What do you use to guarantee a one-to-one correspondence between the IP in the form page and the unique identifier on the second page? Lock? Session scope? Request scope? If necessary, create a new id by appending the IP to the current id.

              • 4. Re: CGI REMOTE_ADDR, FORMS and IP Spoofing
                turtle7 Level 1
                You seem to be correct, PaulH. All of the users that have changing IPs also have AOL e-mail addresses.

                Very strange though, wonder why they would do that.
                • 5. CGI REMOTE_ADDR, FORMS and IP Spoofing
                  turtle7 Level 1
                  just to answer your question, BKBK

                  what I do is -

                  1) create random variable x
                  2) store value of x and ip address and all form variables in application scoped query object
                  3) cflocate to page2.cfm?request = x
                  4) retrieve the values from the application scoped query by matching x = URL.record
                  5) remove the matching row from the application scoped query object
                  6) compare current IP to retrieved IP

                  my theory was that you could not spoof your ip address and still get to the 2nd page, because you need to use your correct ip address if you want to get the value of x, which is the only way your request will be processed on page 2

                  the value of x is sufficiently large and the traffic of this site is sufficiently low that while possible for a mismatch to occur, it is so unlikely as to be impossible

                  what I wanted to stop was people/bots submitting form variables directly to the action page with fake IP addresses, so that I could not easily/automatically ban their IP addresses or identify multiple posts as coming from the same poster.
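The six-step scheme above, modelled in Python as an added example (not ColdFusion code from the thread or from the poster): a locked in-memory dict stands in for the application-scoped query object, the token lifetime and the sample addresses are assumed, and the result of the IP comparison is returned as a status so the mismatch case can be logged rather than treated as proof of spoofing.

```python
import secrets
import threading
import time

# Constructed stand-in for the application-scoped query object: each pending
# submission is keyed by a one-off random token and removed on first use.
_pending = {}
_lock = threading.Lock()   # plays the role of a cflock around the shared store
TOKEN_TTL = 60             # seconds a pending row stays valid (assumed value)


def page1(remote_addr, form):
    """Step 1-3: mint x, store (x, IP, form variables), return the redirect URL."""
    token = secrets.token_urlsafe(16)          # ~128 bits, not guessable
    with _lock:
        _pending[token] = {"ip": remote_addr, "form": dict(form),
                           "created": time.time()}
    return f"page2.cfm?record={token}"


def token_from_redirect(location):
    """Pull x back out of the Location URL built by page1."""
    return location.split("record=", 1)[1]


def page2(remote_addr, url_record, now=None):
    """Step 4-6: consume the row exactly once and compare the two REMOTE_ADDRs.

    Returns (status, row); status is 'ok', 'ip_mismatch', 'expired' or 'unknown'.
    """
    now = time.time() if now is None else now
    with _lock:
        row = _pending.pop(url_record, None)   # single use: a replay finds nothing
    if row is None:
        return "unknown", None
    if now - row["created"] > TOKEN_TTL:
        return "expired", None
    if row["ip"] != remote_addr:
        # Genuine for clients behind an ISP proxy pool that rotates the source
        # address between requests (the AOL case in this thread), so log the
        # pair of addresses and decide separately whether to reject.
        return "ip_mismatch", row
    return "ok", row
```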
                  • 6. CGI REMOTE_ADDR, FORMS and IP Spoofing
                    CFMXPrGrmR Level 2

                    "Very strange though, wonder why they would do that."

                    AOL just gives their users whichever IP is available when they login. Cable ISPs usually let you keep your IP for months/years, but they don't tell you when it's changing; you find out the hard way.

                    "what I wanted to stop was people/bots submitting form variables directly to the action page with fake IP addresses"

                    If you're trying to keep the person from doing this, check the HTTP_REFERER to see if it comes from your server before going any further. The request should come from your web server and the submitting form, right?
                    • 7. Re: CGI REMOTE_ADDR, FORMS and IP Spoofing
                      turtle7 Level 1
                      HTTP_REFERER is easily faked, if you use this for authentication you're in for a rude awakening.

                      >> AOL just gives their users whichever IP is available when they login.

                      This is not between logins, this is their IP address changing during an instantaneous forward to a second page.
                      ie, they request a page, but instead of seeing anything their browser is redirected to a second page.
                      their request for the first page used IP "a". their request for the 2nd page they are redirected to (less than a second later) uses IP "b". see the strangeness? 2 requests generally less than a second apart with a different IP address?

                      • 8. Re: CGI REMOTE_ADDR, FORMS and IP Spoofing
                        insuractive Level 3
                        Just out of curiosity - did you consider using a captcha? If so, what made you decide to roll your own solution instead of the captcha?
                        • 9. Re: CGI REMOTE_ADDR, FORMS and IP Spoofing
                          turtle7 Level 1
                          well, I considered it. I wanted it to be easy, perhaps that was naive of me but it is a commercial site and I don't want to put people off since if they e-mail their friends/family a link to the page they're viewing it could help with a sale.

                          I suppose my options are
                          a) don't care if doesn't work for AOL users and leave as is (not really a good option).
                          b) use some sort of captcha (hate those things, but...)
                          c) just remove the feature (don't want to because people actually use it)

                          it basically functions like NPR's e-mail page button (see http://www.npr.org/templates/story/story.php?storyId=4703895 for example). Just a simple little form to e-mail a link to someone - hmmm, they don't use captcha either, I wonder what they use to stop abuse.
                          • 10. CGI REMOTE_ADDR, FORMS and IP Spoofing
                            BKBK Adobe Community Professional & MVP
                            2) store value of x and ip address and all form variables in application scoped query object
                            3) cflocate to page2.cfm?request = x


                            This resembles the kind of logic I alerted you to. Application scope is global, by which I mean an application-scoped variable is generally available to every user. It might therefore happen that the current value of that variable pertains to user A. Hence user B would get the variable Application.(query object containing x_A and IP_A) after being redirected to page2.cfm?request = x_B. It is a possibility you should rule out.

                            • 11. CGI REMOTE_ADDR, FORMS and IP Spoofing
                              turtle7 Level 1
                              Hi BKBK,

                              I appreciate your effort to help - I am confident however that there is not a case of retrieving the wrong record and that in fact I am correct that they are returning different IP addresses.

                              let's say that on Page1.cfm I create a random number X between 0 and 100 million.
                              I insert a record into an application scoped query object, and I KEY that record by X
                              this is followed by a CFLOCATE to a second page - Page2.cfm?record=X

                              you see that there is a URL variable in the CFLOCATE that contains the value of X

                              then I do something like, SELECT * FROM APPLICATION.qryObj WHERE request_id = URL.record (of course using cfqueryparam, yadda yadda).

                              If that's not clear then perhaps I'm just not that good at explaining, but trust me, I have a lot of experience writing in Coldfusion, and specifically applications that are used by large numbers of users at the same time, and I have a very good understanding of scopes and how to make methods/functions safe.

                              each request gets a row in the Application scoped query object, and I'm not simply retrieving the last record insert into the query object, I'm retrieving it based on a unique key that is generated only once for a specific request.

                              no other user has access to X. there is an impossibly small chance that they would, and then I delete that row out of the query object as I process it in page2.cfm
                              • 12. CGI REMOTE_ADDR, FORMS and IP Spoofing
                                BKBK Adobe Community Professional & MVP
                                Hi Turtle7,

                                I have re-read my posts. They either contain a suggestion you could take or leave, or a question you could answer with a simple yes or no. All hints and suggestions are about the subject, nothing else.

                                I was already aware of PaulH's response. I, too, find dynamically allocated IPs to be the most plausible answer. However, two troublesome matters remained. First, a redirect is too short. In your own words, "Considering that it's an instantaneous forward from the first page to the 2nd I can't think of any legitimate reason why their IP address would change between requests". Second, you give the impression this happens too often to be merely incidental.

                                Please accept that I do not have any doubts about your Coldfusion ability. What you placed before us is a challenging puzzle. Hence my suggestion to look away from the beaten track.

                                • 13. Re: CGI REMOTE_ADDR, FORMS and IP Spoofing
                                  turtle7 Level 1
                                  BKBK - no offense given or taken, I hope.

                                  I did take your advice and looked through my code carefully, and then through the logs that I keep - the code seems logically sound even with a thorough reading, and the logs show that this happens even if there's only one submission (every time any of the pages in the process are invoked I log all CGI, FORM, APPLICATION, VARIABLE, REQUEST, URL values - so I have a good idea of how closely spaced requests are).