MakkyNZ

Reputation: 2255

prevent brute force attack by blocking IP address

I'm building a site where users enter promo codes. There is no user authentication, but I want to prevent someone entering promo codes by brute force. I'm not allowed to use a captcha, so I was thinking of using an IP address blocking process. The site would block a user's IP address for X amount of time if they had X failed attempts at entering the promo code.

Are there any glaring issues in implementing something like this?

Upvotes: 2

Views: 2696

Answers (4)

Peter

Reputation: 38555

I don't think there is one solution that will solve all your problems, but if you want to slow down a brute force attack, just adding a delay of a few hundred milliseconds to the page load will do a lot!

You could also force them to first visit the page where you enter the code; there you could add a hidden field with a value and store the same value in the session. When the user validates the code, you compare the hidden field to the session value.

This way you force the attacker to make two requests instead of just one. You could also measure the time between those two requests, and if it's below a set amount of time you can more or less guarantee it's a bot.

Upvotes: 1
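The two-request flow and timing check described in this answer, as an added example that is not code from the original post. It assumes a server-side session object that behaves like a dict, a hypothetical `VALID_PROMO_CODES` set standing in for the site's code store, and constructed thresholds (`MIN_FILL_SECONDS`, `RESPONSE_DELAY_SECONDS`). The token is consumed on every submission, so each guess costs the attacker a fresh GET of the form, and the fixed delay and the timing check run before the code is compared, so a too-fast submission learns nothing about the code.

```python
import hmac
import secrets
import time

# Constructed stand-in for the site's promo code store.
VALID_PROMO_CODES = {"SPRING25", "WELCOME10"}

# Seconds a human plausibly needs between loading the form and submitting it (assumed value).
MIN_FILL_SECONDS = 2.0
# Fixed delay added to every validation response, whatever the outcome (assumed value).
RESPONSE_DELAY_SECONDS = 0.3


def issue_form(session, now=None):
    """Render step: mint a one-time token, remember it and the issue time in the
    server-side session, and return the token for the hidden form field."""
    token = secrets.token_urlsafe(16)
    session["promo_token"] = token
    session["promo_issued_at"] = time.monotonic() if now is None else now
    return token


def _code_is_valid(code):
    # Constant-time comparison against each known code so response time does not
    # leak how much of a guess matched. A real store would look the code up instead.
    candidate = code.encode("utf-8")
    return any(hmac.compare_digest(candidate, valid.encode("utf-8"))
               for valid in VALID_PROMO_CODES)


def submit_form(session, token, code, now=None, sleep=time.sleep):
    """Validate step. Returns 'ok', 'bad_code', 'no_form', 'bad_token' or 'too_fast'.

    `now` and `sleep` are injectable so the flow can be exercised without real clocks."""
    now = time.monotonic() if now is None else now
    # Consume the token no matter what happens next: one form load buys exactly one submit.
    expected = session.pop("promo_token", None)
    issued_at = session.pop("promo_issued_at", None)
    sleep(RESPONSE_DELAY_SECONDS)
    if expected is None or issued_at is None:
        return "no_form"          # POST without a preceding GET of the form
    if not hmac.compare_digest(expected.encode("utf-8"), (token or "").encode("utf-8")):
        return "bad_token"        # hidden field does not match the session value
    if now - issued_at < MIN_FILL_SECONDS:
        return "too_fast"         # answered faster than a human could; do not even check the code
    if _code_is_valid(code):
        return "ok"
    return "bad_code"


if __name__ == "__main__":
    session = {}
    t = issue_form(session, now=0.0)
    print(submit_form(session, t, "SPRING25", now=0.2, sleep=lambda _: None))  # too_fast
    t = issue_form(session, now=10.0)
    print(submit_form(session, t, "SPRING25", now=15.0, sleep=lambda _: None))  # ok
```

Note that the token has to be stored server-side (or be an HMAC the server can verify); a token the client can mint itself does not force the second request.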

Charles Forest

Reputation: 1045

-If it's not linked to a shop, DO NOT CONSIDER THIS-

Thought about placing a hidden tag on your orders? Not 100% foolproof, but it will discourage some brute forces.

All you've got to check is if the hidden tag pops up with tons of promo codes; then you block the order.

I would still recommend you to set up some kind of login.

Upvotes: 0

CodeExpress

Reputation: 2232

Blocking IP addresses is a bad idea because that IP address might be the address of a corporate HTTP proxy server. Most corporates/institutes connect to the internet using a gateway. In such a case, the IP address you see is that of the gateway, and N users might be behind it. If you block this IP address because of nuisance caused by one user in that network, IP-based blocking will also make your site unavailable for the other N users. This is true wherever a bunch of computers are NATed behind a single router.

Scenario 2: What if, say, X users in that same network inadvertently provide an incorrect code within your limit of Y minutes? All users in that network again get blocked from entering any more codes.

You can use a cookie-based system, where you store the number of attempts in the past Y minutes in a cookie (or in a session variable on the server side) and validate it each time. However, this isn't foolproof either, as a user who knows your implementation can circumvent that as well.

Upvotes: 2
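The failed-attempt limiter the question proposes, plus the two failure modes this answer raises, as an added example that is not code from the original post. It is an in-memory sliding-window counter keyed by whatever identity the caller chooses (client IP or a cookie id); the thresholds, the `VALID_PROMO_CODES` set and the `203.0.113.10` gateway address are constructed. `nat_scenario` shows a second user behind the same gateway being refused a correct code because a first user exhausted the IP's budget; `cookie_scenario` shows that keying on a client-held cookie lets an attacker reset the counter just by discarding the cookie.

```python
import secrets
from collections import defaultdict, deque

MAX_FAILURES = 5        # the question's "X failed attempts" (assumed value)
WINDOW_SECONDS = 600    # the answer's "Y minutes" window (assumed value)
BLOCK_SECONDS = 900     # how long a key stays blocked once it trips (assumed value)

# Constructed stand-in for the site's promo code store.
VALID_PROMO_CODES = {"SPRING25"}


class FailureLimiter:
    """Sliding-window failed-attempt limiter keyed by an arbitrary string.

    In-memory only; a multi-process deployment would keep this state in a shared store."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, block_for=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> time at which the block lifts

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # block expired: forget it and start clean
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        window = self._failures[key]
        window.append(now)
        while window and now - window[0] > self.window:   # drop failures outside the window
            window.popleft()
        if len(window) >= self.max_failures:
            self._blocked_until[key] = now + self.block_for
            window.clear()


def try_promo(limiter, key, code, now):
    """One promo code submission. Returns 'blocked', 'ok' or 'bad_code'."""
    if limiter.is_blocked(key, now):
        return "blocked"
    if code in VALID_PROMO_CODES:
        return "ok"
    limiter.record_failure(key, now)
    return "bad_code"


def nat_scenario():
    """Users A and B share one corporate gateway; keying on its IP, A's guesses block B."""
    limiter = FailureLimiter()
    gateway_ip = "203.0.113.10"              # constructed TEST-NET-3 address
    for i in range(MAX_FAILURES):
        try_promo(limiter, gateway_ip, "GUESS%d" % i, now=float(i))   # user A brute forcing
    return try_promo(limiter, gateway_ip, "SPRING25", now=10.0)       # user B, correct code


def cookie_scenario(rounds=3):
    """Keying on a client-held cookie: the attacker drops the cookie after each block
    and gets a fresh counter. Returns how many guesses were actually evaluated."""
    limiter = FailureLimiter()
    evaluated = 0
    for r in range(rounds):
        cookie_id = secrets.token_hex(8)     # new cookie, new key, counter back to zero
        for i in range(MAX_FAILURES):
            if try_promo(limiter, cookie_id, "GUESS", now=float(r * 100 + i)) != "blocked":
                evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("second user behind the NAT gets:", nat_scenario())              # blocked
    print("guesses evaluated across cookie resets:", cookie_scenario())   # 15
```

The limiter itself is the same in both scenarios; only the choice of key changes, which is why neither the IP nor the cookie alone is a complete answer.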

Jeff Turner

Reputation: 1347

If you're on IIS 7, there's actually an extension that helps you do precisely what you're talking about.

http://www.iis.net/download/DynamicIPRestrictions

This could save you from trying to implement this through code. As for any "glaring issues", this sort of thing is done all the time to prevent brute force attacks on web applications. I can't think of any reason why a real user would need to try to enter codes in the same manner as a computer that's issuing a brute force attack would. Testing any and all possible user experiences would hopefully get you past any issues that might pop up.

Upvotes: 1
