Old 02-16-2005, 12:08 PM  
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Any decent stats program such as Webalizer will show you that info.
Some stats programs, including webalizer, have a lot of different reports
that can be turned on and off in the config so it's fairly likely that your
current reporting program can do that for you and all you need to do
is turn on those reports in the config.

When you do, it's pretty likely that you'll be amazed at how big of a problem
it really is and you'll change your mind about shelling out $100 for
some real security.

Typical proxy blockers aren't that great, as you seemed to indicate.
The load they put on your system is a problem, they don't block
most of the types of proxies that are actually used by the people you
want to stop, but they do block proxies that might occasionally be used
by a legit member. The solution there is twofold. First, you get a security
solution designed by someone who was actually paying attention
in security 101 and properly distinguishes between authentication
and authorization. You authenticate (and check for proxies) once,
when they log in, so that solves your load problem. It completely amazes
me that almost all of the "security" approaches marketed for web sites
screw up this very basic principle. That's not advanced computer science, it's literally
taught within the first few weeks (or chapters) of any security course or book.
Also you don't use some silly proxy list or header check as the one and
only criteria, blocking or allowing based on whether or not they SAY that they
are a proxy. Rather what you want to do is use all methods at your disposal
to find out not only IF it's a proxy, but what kind of proxy it is, then
use that information IN COMBINATION with other information about this
login attempt and previous attempts to make a decision based on
ALL of the available data combined. Again, it amazes me that while these
two ideas are so simple and so basic most systems get it wrong on one
or both counts. This lack of any reasonably designed system is why we
were forced to develop Strongbox a few years ago, to provide a security
solution that at least gets the key elements correct.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
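The two ideas in the post above (run the proxy checks once at login, and weigh the kind of proxy together with the login history instead of blocking on a header or list alone), as an added example that is not part of the original post and is not Strongbox code. The weights, threshold, token format and every name are assumptions; the addresses are constructed documentation-range samples.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # assumption: per-site signing secret
OPEN_PROXIES = {"203.0.113.7"}        # constructed sample list, not real data
WEIGHTS = {"none": 0, "declared": 1, "open-declared": 3, "open-anonymous": 4}  # assumed

def classify_proxy(ip, headers):
    """Report what KIND of proxy this is, not just whether it admits to being one."""
    declared = "Via" in headers or "X-Forwarded-For" in headers  # header names as sent
    if ip in OPEN_PROXIES:
        return "open-declared" if declared else "open-anonymous"
    return "declared" if declared else "none"

def login_risk(kind, recent_failures, recent_ips):
    """Combine the proxy type with this username's recent login history."""
    score = WEIGHTS[kind]
    score += min(recent_failures, 5)           # failed attempts before this one, capped
    score += 2 * max(len(recent_ips) - 2, 0)   # username seen from many addresses
    return score

def _sign(user, expires):
    return hmac.new(SECRET, f"{user}:{expires}".encode(), hashlib.sha256).hexdigest()

def authenticate(user, password_ok, ip, headers, recent_failures, recent_ips,
                 now, limit=5, ttl=3600):
    """Authentication: the expensive checks run ONCE, at login. Token or None."""
    if not password_ok:
        return None
    kind = classify_proxy(ip, headers)
    if login_risk(kind, recent_failures, recent_ips) >= limit:
        return None
    expires = now + ttl
    return f"{user}:{expires}:{_sign(user, expires)}"

def authorize(token, now):
    """Authorization: per-request check of the signed token, no proxy lookups."""
    try:
        user, expires, mac = token.split(":")
        ok = hmac.compare_digest(mac, _sign(user, int(expires))) and now < int(expires)
    except (ValueError, TypeError):
        return None
    return user if ok else None
```

With these assumed weights, a member behind a proxy that declares itself still logs in, while the same username arriving through an undeclared open proxy after repeated failures does not.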