Detect a fake IP address

Izi

Hi,

Does anyone know of a way to detect a fake IP address connecting to a server through HTTP?

We keep getting blind SQL injection attempts every few minutes from apparently different IP addresses.

Does anyone have any solutions for this?

Here is a typical attempt:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

OR.. does anyone else know a good way to protect against SQL injection?
 
There's no such thing as a 'fake' IP address in this context - IP spoofing only works if you don't want to receive any data back (for instance a UDP flood). No good for connecting to SQL. I would suggest contacting the abuse contact for the netblock (www.ripe.net / www.arin.net / www.apnic.net to look up).

To prevent SQL injection you need to validate your user input before you use it in SQL - as well as checking for special characters, check it's the data you're actually expecting (that a date is actually a date, etc).

HTH :)
 
It won't be a "fake" IP, it will be a botnet. There isn't a huge amount you can do about stopping attempts, a lot of people will just hit any site that looks like it uses querystrings or open form posts. Is your code vulnerable to SQL injection? Is it ASP/ASP.Net/PHP/Something else?
 
> There's no such thing as a 'fake' IP address in this context - IP spoofing only works if you don't want to receive any data back (for instance a UDP flood). No good for connecting to SQL.

Going through an onion router network, like Tor, will mask the attacker's IP address while allowing two-way traffic.
 
Thanks for the replies.

I do of course do checks on inputs, so the websites are hopefully safe! Although some inputs have gone unchecked and have been injected before.

I was just wondering what everyone else did for this sort of thing. Do you have a generic function which checks inputs?
 
> Going through an onion router network, like Tor, will mask the attacker's IP address while allowing two-way traffic.

Sure, the IP which the server would see then is a member of the Tor network (and thus exists) even though it's not the one belonging to the user. Adz is talking about UDP being a stateless protocol though (i.e. you can spoof the source IP address to anything you want, even private non-routable subnet IPs) because you don't care about the response back again. In the case of a conn to an SQL server this is pointless really unless you're trying to DoS it.

There is no generic function, you need to make sure your code is secure by writing it properly (either drop erroneous input entirely or escape it properly) in the first place.
 
If you're getting a lot of SQL injection attacks try running an application firewall like ModSecurity. It won't get your bandwidth back, but it should help avoid the botnet finding a successful attack.

akakjs
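
What a firewall rule or a log review would key on for the attempt quoted in the first post, as an added example that is not part of the original thread: requests are grouped by the T-SQL constructs they carry rather than by client IP, so a botnet shows up as one signature set arriving from many addresses. The log lines, the documentation IP addresses and the /news.asp and /search.asp paths are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (documentation IPs, hypothetical pages).
# The query strings carry only the opening of the attempt quoted in the first post.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2009:10:00:01 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2009:10:02:13 +0000] "GET /news.asp?id=12;DECLARE%20@T%20VARCHAR(255),@C%20VARCHAR(255)%20DECLARE%20Table_Cursor%20CURSOR%20FOR%20SELECT%20a.name,b.name%20FROM%20sysobjects%20a,syscolumns%20b HTTP/1.1" 500 310
203.0.113.44 - - [01/Jan/2009:10:07:45 +0000] "GET /news.asp?id=3;declare+@T+varchar(255),@C+varchar(255)+declare+Table_Cursor+cursor+for+select+a.name,b.name+from+sysobjects+a,syscolumns+b HTTP/1.1" 500 310
192.0.2.10 - - [01/Jan/2009:10:09:00 +0000] "GET /search.asp?q=declare+your+interest HTTP/1.1" 200 2048
"""

LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# T-SQL constructs taken from the quoted attempt; none belongs in a normal query string.
SIGNATURES = {
    "declare_var": re.compile(r"\bdeclare\s+@\w+", re.I),
    "cursor": re.compile(r"\bcursor\s+for\b", re.I),
    "catalog": re.compile(r"\bsys(objects|columns)\b", re.I),
    "exec": re.compile(r"\bexec\s*\(", re.I),
}

def scan(log_text):
    """Map each set of matched signatures to the client IPs that sent it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        # Decode %20 and + first, otherwise the patterns never see whitespace
        query = unquote_plus(url.partition("?")[2])
        matched = frozenset(n for n, rx in SIGNATURES.items() if rx.search(query))
        if len(matched) >= 2:  # a single keyword ("declare your interest") is too weak
            hits[matched].add(ip)
    return hits

if __name__ == "__main__":
    for sigs, ips in scan(SAMPLE_LOG).items():
        print(sorted(sigs), "seen from", sorted(ips))
```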
 
> Thanks for the replies.
>
> I do of course do checks on inputs, so the websites are hopefully safe! Although some inputs have gone unchecked and have been injected before.
>
> I was just wondering what everyone else did for this sort of thing. Do you have a generic function which checks inputs?

Don't check. Parametrize. Then use stored procedures on your database and don't allow any direct SQL queries. If you do it properly, it's impossible to be SQL injected, notwithstanding the db vendor screwing up and having a bug.

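For parameters, if you're using C# .NET, do this:
Code:
// requires: using System.Data.SqlClient;
public string GetEmployeeName(string employeeId) {
    using (SqlConnection conn = GetConn())  // GetConn() is the poster's helper; assumed to return an open connection
    using (SqlCommand cmd = conn.CreateCommand()) {
        // The value is sent as a bound parameter and is never concatenated into the SQL text
        cmd.CommandText = "select EmployeeName from Employee where EmployeeId=@EmployeeId";
        cmd.Parameters.AddWithValue("@EmployeeId", employeeId);
        return cmd.ExecuteScalar() as string;
    }
}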
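
The two pieces of advice in this thread side by side (check that a date is actually a date, and bind values as parameters), as an added example that is not from the original posts. Python's sqlite3 stands in for the poster's SQL Server, and the table contents and function names are constructed.

```python
import sqlite3
from datetime import date

def make_db():
    # Constructed in-memory table; SQLite stands in for the poster's SQL Server
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Employee (EmployeeId TEXT, EmployeeName TEXT, Hired TEXT)")
    db.executemany("INSERT INTO Employee VALUES (?, ?, ?)",
                   [("1", "Alice", "2008-01-15"), ("2", "Bob", "2008-06-01")])
    return db

def names_concatenated(db, employee_id):
    # Vulnerable "before": the input becomes part of the SQL text
    sql = "select EmployeeName from Employee where EmployeeId='" + employee_id + "'"
    return [r[0] for r in db.execute(sql)]

def names_bound(db, employee_id):
    # Hardened: the input is bound as a value; the SQL text never changes
    sql = "select EmployeeName from Employee where EmployeeId=?"
    return [r[0] for r in db.execute(sql, (employee_id,))]

def hired_since(db, raw_date):
    # Typed check first (a date must parse as a date), then bind it anyway
    day = date.fromisoformat(raw_date)  # raises ValueError on anything else
    sql = "select EmployeeName from Employee where Hired >= ? order by EmployeeName"
    return [r[0] for r in db.execute(sql, (day.isoformat(),))]

if __name__ == "__main__":
    db = make_db()
    hostile = "1' OR '1'='1"  # constructed input that closes the quote early
    print("concatenated:", names_concatenated(db, hostile))  # every row comes back
    print("bound:       ", names_bound(db, hostile))         # no row has that id
    print("hired since: ", hired_since(db, "2008-03-01"))
```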
 
I was going to post something similar.. that's why I asked what language it was in :)

If it's an old-school ASP app and vulnerable all over the place (as a lot are), you can knock up an include file that checks the querystring and either fixes it or response.ends.
 