Flood protection, and perl script protection?

boytheo
Just Arrived
Joined: 02 Aug 2006
Posts: 0

Posted: Wed Aug 02, 2006 6:17 pm    Post subject: Flood protection, and perl script protection?

Hi people,

This is my first post here. And more importantly I haven't really done much with security in the past.

I'm making a perl script that can register an application. The app connects to the cgi script over http, sending some params like "?serial=1234&mode=4321".

The idea is, that if the serial is already registered, we'll send back a "you can't register" response. If it is free and is a valid serial, we'll allow them to register.

We check serials via a database, done with mysql.

I've done a little reading up on making network based scripts secure. Here is what I'm doing already:

* tainted my variables via the -T option
* checking for over long string parameters
* stripping out non-alpha-numerics to avoid SQL injects.

My biggest worry right now, is with flooding. I don't want an attack on my perl script!

For example, what if they try to shut out other connections by opening a socket and just refusing to drop it? Or... what if they try to brute force register all serial number combinations? Or what if they use a distributed zombie-bot attack? That last one worries me because I can't imagine a simple way to deal with this, as there could be thousands of IPs to block and I need to allow them a few connection attempts to avoid locking out users who just mistype a serial.

Any ideas for good flood protection with a perl script that has access to a database?

Is there anything else I should worry about?
Groovicus
Trusted SF Member
Joined: 19 May 2004
Posts: 9
Location: Centerville, South Dakota

Posted: Sun Aug 06, 2006 9:19 pm

I thought maybe people with more knowledge would answer this, but since nobody has, I can give my two cents worth.

Quote:
what if they try to brute force register all serial number combinations?

Make the serial large enough that brute forcing is not feasible. Crackers will then release cracks that bypass the need for serial number anyway. Not too much you can do about it. The best situation is to get users to register for some additional support. If someone wants support, verify that they have a unique, valid id. That's about the best you can hope for.

Quote:
That last one worries me because I can't imagine a simple way to deal with this, as there could be thousands of IPs to block and I need to allow them a few connection attempts to avoid locking out users who just mistype a serial.


Well, you really can't. In order to block an IP number, something has to check and see if the IP number is allowed to connect. That is more along the lines of something your ISP would need to do.

I have an application to make sure that a particular IP doesn't hit my server more than 3 times in a day, but if I had a million requests come in at the same time, my app would still have to look at all requests to see if they were unique, and it would use all of the bandwidth that I have.

Quote:
Any ideas for good flood protection with a perl script that has access to a database?


Are you saying that your Perl script performs both functions? It checks the incoming connections, and it connects to the database? If you are worried about an attack on your script, it should be decoupled from the logic that interacts with the database. It will be a little more difficult to take out your server, or crash your database.
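A defender-side sketch of the two points raised in this thread, the per-address attempt budget backed by the database and keeping user input out of SQL strings, added here as an example and not code from either poster. It assumes DBI with DBD::SQLite (an in-memory database standing in for the MySQL server) and uses constructed sample traffic; the IP addresses, serial and limits are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
# Constructed, stand-alone demo: an in-memory SQLite database stands in for
# the MySQL server behind the real script (DBD::SQLite assumed installed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE attempts (ip TEXT, ts INTEGER)');
$dbh->do('CREATE TABLE serials (serial TEXT PRIMARY KEY, registered INTEGER)');
$dbh->do(q{INSERT INTO serials VALUES ('1234', 0)});
my $MAX_ATTEMPTS = 5;      # a few mistypes per client address are fine...
my $WINDOW       = 600;    # ...within a ten-minute window (seconds)
# Bound and whitelist the parameter before it reaches SQL. The capture
# group untaints under -T; the queries below use bound placeholders, so
# user input is never interpolated into a statement string.
sub clean_serial {
    my ($raw) = @_;
    return unless defined $raw && length $raw <= 32;
    return $raw =~ /\A([A-Za-z0-9]+)\z/ ? $1 : undef;
}

# 1 if the client is still within its attempt budget for the window, else 0.
# This throttles only at the script level; a real flood has to be dropped in
# front of the script (web server or firewall), as the reply above notes.
sub allowed {
    my ($ip, $now) = @_;
    $dbh->do('DELETE FROM attempts WHERE ts < ?', undef, $now - $WINDOW);
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM attempts WHERE ip = ?', undef, $ip);
    return $n < $MAX_ATTEMPTS ? 1 : 0;
}

sub try_register {
    my ($ip, $raw_serial, $now) = @_;
    return 'throttled' unless allowed($ip, $now);
    $dbh->do('INSERT INTO attempts (ip, ts) VALUES (?, ?)', undef, $ip, $now);
    my $serial = clean_serial($raw_serial) or return 'invalid';
    # One conditional UPDATE claims the serial, so two concurrent requests
    # for the same serial cannot both succeed (0 rows = unknown or taken).
    my $rows = $dbh->do(
        'UPDATE serials SET registered = 1 WHERE serial = ? AND registered = 0',
        undef, $serial);
    return $rows == 1 ? 'registered' : 'refused';
}

# Constructed sample traffic: a genuine registration, a repeat, then a burst.
print "$_\n" for try_register('203.0.113.5', '1234', 1000),   # registered
                 try_register('203.0.113.5', '1234', 1001),   # refused
                 map { try_register('203.0.113.9', "bad-$_", 1002) } 1 .. 6;
```

Run it with `perl -T` to keep the original script's taint mode; the burst from the second address produces five "invalid" results and then "throttled" once its budget is spent.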