Calling API by IP address vs domain name - php

During a recent DDoS attack on a DNS, my site was unable to continue to function.
While the main site remained up and running, I was unable to connect to an external API on a different domain, leading the site to become completely unusable.
The data is fetched using PHP:
file_get_contents(API_PATH)
I currently call the API using the domain name, but I'm able to use the IP address if required.
Are there any advantages/disadvantages of calling the API by IP?
Is there anything else I should be aware of before making this change?

Your machine probably cached the resolved host, and has not updated it yet. You would need to flush the DNS cache.
It is not a good idea to use an IP address. While the DNS provider might be attacked, it is more likely that the IP is changed. I mean, rarely is a DNS provider attacked on such a large scale as the recent one, and it is definitely more common to see a website have its IP address changed (although it shouldn't always happen normally). Therefore, you may want to use an IP address during a DNS attack (although your own DNS provider might be attacked as well), but not as the normal condition. If you want to be safe, fall back to using a cached IP address if the domain fails to resolve; but writing that kind of code is meaningless anyway, since it is rarely useful.

If you use an IP address:
You can't move the service to a different server without updating all the client code
You can't use some forms of load balancing
You can't use the hostname to distinguish between multiple services hosted on the same IP address

There really is not much difference in using the DNS name or IP address in your API calls.
However, if you ever change the service provider, you will have to update both your DNS settings (such as your A records) and the IP address in your code; you would not have to do this otherwise.
Other than that, pretty much good to go, unless someone else thinks of any other reason.

I assume you want to mitigate the impact of the recent DNS DDoS attacks.
Advantages:
Your website still functions. Although that may not matter too much because nobody will be able to even visit your website.
Disadvantages:
What if the API changes its IP address?
What if the API does load balancing using DNS (e.g. it may resolve to different IPs at different times)?
What if the API uses a CDN?
I do not recommend it.
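
An added example (not code from any of the answers above) of the fallback the first answer mentions: resolve normally, remember the last good address, and reuse it only while resolution is failing. The request still goes to the hostname, so the Host header, SNI and certificate check keep working; `api.example.com`, the cache file and the one-week limit are assumptions, and `gethostbyname()` covers IPv4 only.

```php
<?php
// Added example; API_HOST, API_URL and the cache file are placeholders.
const API_HOST = 'api.example.com';
const API_URL  = 'https://api.example.com/v1/status';
const MAX_AGE  = 7 * 86400; // never reuse an address older than a week

// Returns a fresh IPv4 address, or the last good one if DNS is failing.
function resolveWithFallback(string $host, string $cacheFile): ?string
{
    $ip = gethostbyname($host); // returns $host unchanged when the lookup fails
    if ($ip !== $host && filter_var($ip, FILTER_VALIDATE_IP)) {
        $record = json_encode(['ip' => $ip, 'ts' => time()]);
        file_put_contents($cacheFile, $record, LOCK_EX);
        return $ip;
    }
    $cached = json_decode(@file_get_contents($cacheFile) ?: 'null', true);
    $fresh  = is_array($cached) && time() - (int) ($cached['ts'] ?? 0) <= MAX_AGE;
    if ($fresh && filter_var($cached['ip'] ?? '', FILTER_VALIDATE_IP)) {
        return $cached['ip'];
    }
    return null; // no usable address: fail closed rather than guess
}

// Fetches the URL by name while pinning the connection to $ip.
function fetchPinned(string $url, string $host, string $ip): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        // host:port:address. The Host header, SNI and certificate name check
        // all still use $host, so virtual hosting and TLS keep working.
        CURLOPT_RESOLVE        => ["$host:443:$ip"],
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('API request failed: ' . curl_error($ch));
    }
    return $body;
}

$cache = sys_get_temp_dir() . '/api-ip.json';
$ip = resolveWithFallback(API_HOST, $cache);
echo $ip === null ? "no address available\n" : "would connect to $ip\n";
// $data = fetchPinned(API_URL, API_HOST, $ip);
```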

Related

How to be safe from IP address hacking

I'm trying to make a website. I want to be safe from 'IP address hacking'.
Is there any fool-proof way to be safe from IP address hacking by php?
How can I hide my server's IP address by php?
Is there a [fool-proof] way to be safe from IP address hacking by php?
No [1]. The same applies to other web server technologies as well.
However, if you follow "best practice" for securing your PHP site, you should be relatively safe. In this case, "best practice" would include:
Making sure that you follow the relevant advice on how to write secure PHP code.
Applying all relevant security patches in a timely fashion.
Avoiding complicated 3rd-party applications, libraries, plugins, etc. that have a dubious record as far as security is concerned ... or that are old and/or poorly maintained.
But I'm not a PHP developer / security expert. I suggest you Google for articles on securing PHP ... or buy a book.
How can I hide my server's IP address by php?
You can't.
If you want your server's IP address to be hidden, that has to be implemented at the networking level. The most obvious way to hide the IP address is to change it to a private IP address; i.e. an address in one of the ranges listed here:
http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
Another way to do it would be to put it behind a firewall that blocked incoming traffic; e.g. TCP connects.
HOWEVER, if you hide your server's IP address using a firewall or a private IP address, that means that external clients (for whom the IP is hidden) won't be able to use your server (directly).
A final option would be to implement a "reverse proxy" between your server and the clients. HTTP requests sent to the reverse proxy are then relayed to the server, and the responses are passed back. Note that the IP address of the reverse proxy cannot be hidden ... for the reasons given above.
[1] Actually there is one way. Disconnect the server from all networks! Unfortunately, that defeats the purpose of implementing a web server in the first place ...

Viewing PHP file is restricted by IP (my IP); is there a way for someone else to view it?

I have a website and have one page for receiving some news (newly registered users, activity, etc.), and it is restricted for everyone except my IP (a page for only me to view).
I'm interested in whether there is a way that someone else can "fake" my IP and view this file.
P.S. I am aware of other ways of doing this.
Usually, you don't get fixed IPs; most providers give dynamic IPs. So if you restart your router, your IP will change and make it impossible to access the page again. If you get a fixed IP, it should work. He can of course modify the IP, but then he won't get the response back.
Converting my comments to an answer.
It depends on how you are trying to get the client's IP address. If you are:
only using $_SERVER['REMOTE_ADDR'] to get the IP address
don't have a shared IP address
don't use a (shared) proxy
You should be just fine, because a possible attacker can technically spoof the IP address, but that would not work because, as Andrey rightfully pointed out to me, the TCP handshake would simply fail.
Some caveats:
Your IP may change at some point, effectively locking yourself out.
When you are behind a proxy / internal -> external router / VPN / otherwise shared IP, other people in the same network might also have access.
Never ever ever use $_SERVER['HTTP_X_FORWARDED_FOR'] because this can be spoofed easily.

How do I securely identify a remote device in PHP?

Is there a safe way, to identify a device which might be behind a Router (so the IP is not unique) in PHP?
Background: I have several embedded devices (self programmed & adaptable) which contact a webserver (php+mysql) with status updates. These updates are then - if the source is confirmed - saved to the database.
As I understand it $_SERVER['REMOTE_ADDR'] usually can be trusted (except some IIS configuration where it may - under special circumstances - wrongfully return 127.0.0.1; but different story)
Anyhow since I use SSL, the IP address really should not be a problem, because there a handshake is required and if the IP is faked or simply wrong, the connection should not be established
For now I require IP addresses to be whitelisted by admin, for a status update to be accepted
The device additionally sends the MAC address via $_POST to identify the different modules with identical IP address (I know this can very easily be forged, and right now will be trusted if the IP address is trusted)
So first of all I am not sure if the IP address in itself is enough for it to be safe from attacks from the outside
Secondly if the device is behind a router, it will have the same IP address as every PC/device on that network. So about anyone there could forge a status update with a fake MAC address (simply as post variable), and since the IP address is whitelisted it will be trusted
So is there any way of confirming the identity of a device, or do you know a better way of doing this?
Aside: Going the other way, and have the webserver poll the different devices might be an option, but since there might be many (> 2000) devices of which we need the very last status (change) I thought it to be inefficient.
IP addresses can be spoofed, MAC addresses can be forged, so these methods are not sufficient. The general approach is to assign a key to each client device (possibly the same key to all devices, even if this is probably a bad idea). The "key" can be anything from a predefined string (weak, think username/password) to a signed certificate (strong, think SSL).
Both can be implemented either at the application level (by PHP) or at server level. If your application runs on Apache httpd server, I would rather recommend using its built-in features as it supports both approaches.
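
An added example (not code from the answer) of the per-device key approach done at the application level: each device signs its status update with its own secret using HMAC-SHA256, and the server verifies the signature before storing anything. The device IDs, keys, message layout and five-minute clock tolerance are assumptions made for illustration.

```php
<?php
// Added example. Device IDs and keys are constructed sample values; real keys
// would be random, unique per device, and stored server-side.
const DEVICE_KEYS = [
    'dev-0001' => 'constructed-sample-key-for-device-0001',
    'dev-0002' => 'constructed-sample-key-for-device-0002',
];
const MAX_SKEW = 300; // seconds a timestamp may differ from server time

// What the device computes and sends alongside the update.
function signUpdate(string $deviceId, int $ts, string $body, string $key): string
{
    return hash_hmac('sha256', $deviceId . "\n" . $ts . "\n" . $body, $key);
}

// What the server checks before writing anything to the database.
function verifyUpdate(string $deviceId, int $ts, string $body, string $mac, int $now): bool
{
    $key = DEVICE_KEYS[$deviceId] ?? null;
    if ($key === null || abs($now - $ts) > MAX_SKEW) {
        return false; // unknown device, or timestamp outside the window
    }
    // hash_equals compares in constant time, so the check leaks no timing hint.
    return hash_equals(signUpdate($deviceId, $ts, $body, $key), $mac);
}

$now  = 1700000000; // constructed clock value
$body = '{"status":"ok","temp":21.5}';
$mac  = signUpdate('dev-0001', $now, $body, DEVICE_KEYS['dev-0001']);

$cases = [
    'genuine update'            => verifyUpdate('dev-0001', $now, $body, $mac, $now + 10),
    'same LAN, other device id' => verifyUpdate('dev-0002', $now, $body, $mac, $now + 10),
    'body altered in transit'   => verifyUpdate('dev-0001', $now, '{"status":"fail"}', $mac, $now + 10),
    'replayed an hour later'    => verifyUpdate('dev-0001', $now, $body, $mac, $now + 3600),
];
foreach ($cases as $name => $ok) {
    printf("%-28s %s\n", $name, $ok ? 'accepted' : 'rejected');
}
// A replay inside the MAX_SKEW window still verifies; a per-device counter
// stored with the key closes that gap.
```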

how to solve the issue of "referer value is wrong" in form sending?

I'm a user of a certain forum, but recently my IP address has been blocked. That's not my fault, but some users probably broke the rules and their ISP or IP address is the same as or close to mine, so I was enmeshed.
I rent a web server, so now I try to post comments to the forum from my server, but it fails.
When I post a comment using a form in the site, the error says that the referer was wrong.
I tried header() function using PHP but it doesn't work.
I tried to change the referer but it still doesn't work.
I think if I could have a client in my web server, the IP and host would change when posting comments, without changing referer information. But I don't know how to do this.
The restriction is temporary, maybe a few weeks, so I don't necessarily need a perfect and permanent solution.
Are there any ways to solve this problem?
If they're blocking you based on IP address, then it's the web IP address of your local network that they're blocking. If they've decided to block a range of IPs then you have a larger problem depending on your host.
A few things you can try:
Chances are (unless this is a work account) that you're using a dynamic IP address from your host. A lot of work accounts use a dynamic IP too, but you would need access to the modem (since you're probably not the corporate network administrator). Sometimes you can get a new IP address from a completely different range by unplugging your cable or DSL modem and plugging it back in after about 30 seconds. Most electronics clear instantaneously (unless they have an onboard battery backup), but in the case of network components they purposely build in a few seconds of wait time in DHCP servers before providing a completely different IP address. Usually when I'm having a problem on my local network or doing an upgrade and unplug my modem, after about 10 minutes of work when I plug my modem back in, I have a new IP, so I have to go through all of the trouble of re-whitelisting myself everywhere (so I know this works).
You could try connecting to the boards through your cell phone if you can tether your cell phone to your workstation or desktop. This will provide you with an IP address through the cell phone carrier's network (Note: it might violate the TOS).
You could do as @Bergi suggested and use a proxy. Some web browsers (like Opera) allow you to specify a proxy in the browser without forcing all of your desktop traffic to a different network. You can obtain a proxy server address from several resources, but this is one of my favorites. Be sure to use an HTTPS proxy in order to have the best defense against someone packet filtering and catching your credentials. People can still capture the initial handshake for SSL and decrypt your communications (so make sure this is what you want to do.)
You can try to force inject headers into the message board and make your server post for you. Good forum software will check the referrer and the user_agent to see if you are a "real person" (however real the programmer felt you needed to prove). If there is a CAPTCHA you will need to be able to see the image, hear the sound, or use a plug-in to break it. (This will require research). Chances are your web server is using a static IP, so there is nothing to prevent the board from blocking this one as well. (You will not be able to change it.) If the web host has strict guidelines about using their servers for this sort of thing it might *cost you your account*. I will not provide an example for this on this board. But you can check out a book called WebBots, Spiders, and Screen Scrapers.

Preventing IP spoofing

If I throw both of these two into a database, is that enough to prevent a site visitor from spoofing that they are coming from a different IP address?
$ip1 = $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip2 = $_SERVER['REMOTE_ADDR'];
Short answer - no. You can never guarantee a link between an IP and a person. For almost all practical purposes though, yes, that's good enough.
Unless you're really expecting someone to go to significant lengths to hide their IP, you should be fine.
It really depends on what you're trying to do as to whether it's good enough or not.
Edit: Just seen your comment on the first post. An option for that is to look at Evercookies - they're extremely invasive and unethical, but they do do a very good job, so it's your call.
HTTP_X_FORWARDED_FOR is an HTTP header, so it can be easily spoofed. REMOTE_ADDR is an environment variable provided by the web server as specified in the CGI specification. It can't be easily spoofed. So there's no real point in caching either one.
If someone is spoofing the HTTP_X_FORWARDED_FOR header using a compromised proxy server, then there's not much you can do about that.
However, it should be easier to trust that a non-proxied request isn't spoofed since, unless the attacker is on the same subnet, they're limited to a blind spoofing attack, which requires them to guess the sequence and acknowledge numbers of the TCP connection. This is very difficult to do on modern networks. And even if they managed to do this, they wouldn't be able to receive any data routed to the spoofed IP, so it would be easy to filter out any blind spoofing attacks.
These days, it's not really possible (ok, nothing is impossible, but it does require very specific circumstances and has limited applications) for someone to actually use a spoofed IP to make an anonymous TCP connection to a web server. At most packet spoofing is used for DDoS and flood attacks.
Nope, it's very easy to spoof X-FORWARDED-FOR, which is literally sent as a header. Try making an account system or have it rely on email or something. You cannot trust IP alone.
Given your above comment, $_SERVER['REMOTE_ADDR'] will most likely suffice since they'd have to change IPs every time they wanted to perform that action, which would involve proxying or most likely Tor.
No, you may only avoid using some proxy servers.
There are still options that allow you to "hide" your real IP (and many people like their privacy), such as:
VPN
NAT
ssh and for example links
port forwarding
connection from work, school, bar, friend...
...
IP logging helps you just against some kinds of users anyway (and many of them use dynamic IPs from their providers' pools, so without a court order you will never know who that is, and you will ban many people along with him/her), but against an admin with 150 machines available...
When any user visits your site through a proxy server, the two values are different. You can get the IP address using the HTTP_X_FORWARDED_FOR server variable. So in that case 'HTTP_X_FORWARDED_FOR' was posted by the proxy server and describes the client IP, while 'REMOTE_ADDR' describes the IP of the proxy server.
When any user visits your site without any proxy server, you can get the IP address using the REMOTE_ADDR server variable. So in that case HTTP_X_FORWARDED_FOR and HTTP_VIA will not be available.
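
An added example (not code from any answer) tying together the REMOTE_ADDR and X-Forwarded-For points made in this thread and in the IP-restricted page thread above: the header is read only when the TCP peer is a proxy you run yourself, and its entries are walked right to left so that values a client prepended are never reached. The proxy addresses and request samples are constructed.

```php
<?php
// Added example. TRUSTED_PROXIES and the sample requests are constructed values.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Returns the address to use for access control and logging.
function clientIp(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted, true)) {
        // Direct connection: any X-Forwarded-For value was written by the
        // client itself, so it is ignored.
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Each proxy appends the peer it saw, so the right-most entries are the
    // ones our own proxies wrote. Walk leftwards until the first address that
    // is not one of ours.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the header
        }
        if (!in_array($hops[$i], $trusted, true)) {
            return $hops[$i];
        }
    }
    return $remote; // nothing usable in the header
}

$samples = [
    'direct, forged header' => [
        'REMOTE_ADDR' => '203.0.113.9',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
    ],
    'via our proxy, client prepended a value' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9',
    ],
    'via two of our proxies' => [
        'REMOTE_ADDR' => '10.0.0.6',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.5',
    ],
    'via our proxy, garbage header' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => 'not-an-ip',
    ],
];
foreach ($samples as $name => $server) {
    printf("%-42s %s\n", $name, clientIp($server));
}
```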
