BotScout

General Category => BotScout Discussion => Topic started by: MysteryFCM on May 26, 2009, 05:09:22 PM

Title: NRIP in the database?
Post by: MysteryFCM on May 26, 2009, 05:09:22 PM
Mike,
Was testing the integration of the SBST into Coppermine, and noticed BotScout was blocking it, even though I was using an internal IP (in the 192.168.x range), so checked, and you seem to have some NRIP IPs in the database?

http://www.botscout.com/search.htm?sterm=192.168.0.&stype=q
Title: Re: NRIP in the database?
Post by: Mike on May 26, 2009, 07:17:27 PM
Yep....they spoofed their IP address. The IPs come straight from the REMOTE_ADDR var. After a little research, I found this (one of many):

======================================
REMOTE_ADDR and REMOTE_HOST not safe for use in security

There was some discussion today on CF-Talk about using CGI variables to secure an application and some confusion as to which CGI variables can be spoofed and if some are safe. Particularly there's interest in blocking out specific IP addresses from accessing a web-application.

After some testing, I confirmed that even REMOTE_ADDR, the client's IP address, and REMOTE_HOST, the client's host name, can be spoofed very easily. ColdFusion can do this with the CFHTTP and CFHTTPPARAM tags and I'm sure other tools are available.

These spoofs worked with JRun's built-in web server and through IIS. I've also spoofed REMOTE_HOST previously with an iPlanet installation to demonstrate poor security in a client's application.

So if you're thinking about using CGI variables to secure a site, you need to think again. If you need to secure by IP address, then do it at the router and not in application code.

http://rewindlife.com/2004/04/20/remote_addr-and-remote_host-not-safe-for-use-in-security/
======================================

So, I dunno....I guess I can remove those entries if you think they should be taken out.

Clearly they aren't real IPs, but then again, if that's what the remote client is reporting then we *know* that they're spoofing 'em, right? The only exception to this would be when someone is doing local testing like you were.

Whaddya think?




Title: Re: NRIP in the database?
Post by: MysteryFCM on May 26, 2009, 07:36:34 PM
The only time it's an issue is as you said, when we're testing, so I can easily filter that out if I have to :)
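
The filtering mentioned at the end of the thread, as an added example (not code from BotScout, the SBST or Coppermine): it classifies a REMOTE_ADDR value so that non-routable addresses are neither looked up nor kept in a blocklist. The function names, the list of ranges and the sample rows are assumptions made for this sketch.

```python
import ipaddress

# Ranges that cannot be the address of a real remote client on the internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local
    "0.0.0.0/8",                                      # "this network"
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]


def classify(remote_addr):
    """Return 'invalid', 'non-routable' or 'public' for a REMOTE_ADDR string."""
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return "invalid"
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its IPv4 part.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable"
    return "public"


def should_query_blocklist(remote_addr):
    """Only a public address is worth a lookup or a report."""
    return classify(remote_addr) == "public"


def partition(stored):
    """Split stored addresses into (keep, purge) lists for a database cleanup."""
    keep, purge = [], []
    for addr in stored:
        (keep if classify(addr) == "public" else purge).append(addr)
    return keep, purge


# Constructed sample rows; 203.0.113.7 and 198.51.100.23 are documentation
# addresses standing in for real public clients.
SAMPLE = ["192.168.0.12", "203.0.113.7", "10.4.4.4", "::ffff:192.168.0.5",
          "198.51.100.23", "192.168.0."]

if __name__ == "__main__":
    keep, purge = partition(SAMPLE)
    print("keep :", keep)
    print("purge:", purge)
```

Calling `should_query_blocklist()` before the lookup keeps a local test install from being blocked, and `partition()` gives the list of stored rows to review for removal.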