Quote:
Originally posted by charly
Can you get a login/password system to recognise an IP address?
so you know who is logging in and where from.
This doesn't work thanks to large ISPs such as AOL. If you check your logs you'll see an alarming number of logins coming from certain IPs - most of them are the mega-ISPs. Block an AOL proxy, you've just killed all of your AOL users at random - some get in, some don't, based on their proxy (which they have no choice on). Same applies to user-chosen proxies.
There is a range - say, 25 IPs - that you can say, OK, this is beyond AOL level usage. Pennywize lets you do that - ProxyPass is more sophisticated and drops AOL from its calculations. This can backfire because some of these abusers recognize this fact and can mask their IPs successfully.
More serious than simple password sharing, which just amps your bandwidth, is a proxy attack. For obvious reasons, I won't detail exactly what this is, but it relies on using authenticated requests and cancelled requests. It's happened to us on more than one occasion.
Your server load goes through the roof - to the point where SSH and web die pretty much - bandwidth is stable, nothing in any error log, no idea of where it's coming from. Server dies.
Apache has some shitty code in it. ProxyPass is designed to block this sort of attack and has done so with decent success for us. This DoS is amazingly effective and damned difficult to block without something like ProxyPass.
Password trading is small-time and easy to block; this other attack is brutal and ruthless.
-doug
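
The distinct-IP threshold described in the post above, as an added example that is not part of the original post and is not Pennywize or ProxyPass code: it counts distinct source IPs per authenticated user in an Apache access log, leaves shared ISP proxy ranges out of the count, and flags accounts above the 25-IP figure. The proxy range, log lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder standing in for a mega-ISP's shared proxy range
# (RFC 5737 documentation space, not a real ISP allocation).
SHARED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]
MAX_DISTINCT_IPS = 25  # threshold figure taken from the post
# Apache common/combined log format: host ident authuser [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3})')


def distinct_ips_per_user(lines):
    """Map each authenticated user to the non-proxy IPs seen on 2xx/3xx responses."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        host, user, status = m.groups()
        if user == "-" or status[0] not in "23":
            continue  # unauthenticated or failed request
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname was logged instead of an address
        # Shared proxies rotate per request, so they say nothing about sharing.
        if not any(ip in net for net in SHARED_PROXY_NETS):
            seen[user].add(ip)
    return seen


def flag_shared_accounts(lines, limit=MAX_DISTINCT_IPS):
    """Return {user: count} for accounts seen from more than `limit` distinct IPs."""
    per_user = distinct_ips_per_user(lines)
    return {u: len(ips) for u, ips in per_user.items() if len(ips) > limit}


def sample_log():
    """Constructed sample: alice via 40 proxy IPs, bob from 30 other IPs, carol from 2."""
    fmt = '{} - {} [01/Jan/2024:00:00:00 +0000] "GET /members/ HTTP/1.1" 200 512'
    lines = [fmt.format(f"198.51.100.{i}", "alice") for i in range(1, 41)]
    lines += [fmt.format(f"203.0.113.{i}", "bob") for i in range(1, 31)]
    lines += [fmt.format(f"192.0.2.{i}", "carol") for i in range(1, 3)]
    return lines


if __name__ == "__main__":
    print(flag_shared_accounts(sample_log()))
```

As the post notes, an account holder who masks their IPs behind the exempted ranges stays under this count, so it only catches sharing that shows up as unrelated addresses.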