ASP.NET Security Advice

Discussion in 'ASP .Net Security' started by Paul Hale, Nov 10, 2006.

  1. Paul Hale

    Paul Hale Guest


    I’m seeking advice (rather than a solution) for a few security concerns I
    have regarding an ASP.NET application I am developing. My web app will
    basically track hits to the site and every x number of hits will
    automatically receive a small prize. Obviously this throws up a few security
    concerns as I want to minimise the risk of people running scripts and
    automated programs against the site in order to maximise their chances of
    winning. My aim is to record each IP address that hits the site and auto
    block that IP address for a few minutes. Then that IP address is free to have
    another attempt. If and when an IP address wins the IP address is auto
    blocked for a few days.
    My thought process so far is as follows...

    Main Risk.
    • Programmer writes an executable app that automatically loads the html for
    the site. The program detects if the “hit” was a winning “hit” and if so
    informs the programmer. If not a winning hit the program \ script hits the
    site again until a winning hit is achieved.

    Possible Resolutions to minimise risk.
    • Record IP address of hit. If more than x hits detected from same IP
    address within set timescale auto block access.

    The above is maybe a step in the right direction but a programmer using a
    dynamic IP could auto renew their IP address in-between each hit. My
    thoughts then lead me to wonder if dynamic IP addresses have anything in
    common which I could analyse? I.e. If someone renewed their IP address
    (assuming they used the same ISP) would the new IP address be issued on the
    same subnet? If so my code could auto block a complete subnet of IP’s for a
    temporary period if it detected unusual activity from the same subnet?

    Users will not have to register to access the site. Ideally I would like
    users to visit the landing page of the site and instantly be informed if they
    have won or not. However, the more I think about this the more difficult it
    will be to stop people scripting against the site. Therefore my thoughts lead
    me to another security measure to minimise the scripting risk.

    • Implement a graphic based security code entry system. This would be
    similar to the system Microsoft use to create a Hotmail account. Seems to be
    a popular security measure these days. Visiting users would have to enter a
    random security code that is presented in graphic format before they can
    enter the site.

    Can anyone offer me any advice on the effectiveness of these graphic based
    security code entry systems? Is anyone aware of a professional .NET component
    I could purchase or would I have to write my own?

    My last security concern is people who “spoof” their IP addresses. Is this
    some kind of urban myth or is it possible to achieve this? I’m not really
    interested in how it’s achieved but would be very interested in how to detect
    a spoofed IP address.

    I apologise for the length of this post. As you can see I have some basic
    security concerns. No doubt I have overlooked some potential risks as well.
    If anybody could point out any other shortfalls I need to consider I would be
    much obliged.

    Any advice or pointers at all would be very much appreciated.


    Paul Hale, Nov 10, 2006
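
The per-address cooldown, winner block and temporary subnet block described in the post, written in C# as an added example that is not part of the original post. The class name HitThrottle and every duration and threshold are assumptions, and the example goes slightly beyond the post by also grouping IPv6 addresses by /64.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
// Added example: HitThrottle and every limit below are assumptions, not values from the post.
public sealed class HitThrottle
{
    static readonly TimeSpan Cooldown = TimeSpan.FromMinutes(5);     // per-address wait between hits
    static readonly TimeSpan WinnerBlock = TimeSpan.FromDays(3);     // block applied after a win
    static readonly TimeSpan SubnetWindow = TimeSpan.FromMinutes(5); // sliding window and subnet block length
    const int SubnetLimit = 20;                                      // hits allowed per subnet per window
    readonly Dictionary<string, DateTime> _blockedUntil = new Dictionary<string, DateTime>();
    readonly Dictionary<string, Queue<DateTime>> _subnetHits = new Dictionary<string, Queue<DateTime>>();
    readonly object _gate = new object();

    // Group IPv4 addresses by /24 and IPv6 addresses by /64.
    public static string SubnetKey(IPAddress ip)
    {
        int keep = ip.AddressFamily == AddressFamily.InterNetwork ? 3 : 8;
        return "net:" + BitConverter.ToString(ip.GetAddressBytes(), 0, keep);
    }

    // True if the hit may enter the draw; in ASP.NET pass IPAddress.Parse(Request.UserHostAddress).
    public bool TryAccept(IPAddress ip, DateTime now)
    {
        string host = ip.ToString(), net = SubnetKey(ip);
        lock (_gate)
        {
            if (IsBlocked(host, now) || IsBlocked(net, now)) return false;
            Queue<DateTime> hits;
            if (!_subnetHits.TryGetValue(net, out hits)) _subnetHits[net] = hits = new Queue<DateTime>();
            while (hits.Count > 0 && now - hits.Peek() > SubnetWindow) hits.Dequeue();
            hits.Enqueue(now);
            if (hits.Count > SubnetLimit)
            {
                _blockedUntil[net] = now + SubnetWindow;   // temporary block for the whole subnet
                return false;
            }
            _blockedUntil[host] = now + Cooldown;          // this address must now wait
            return true;
        }
    }
    // Call when a hit wins so the address is blocked for the longer period.
    public void RecordWin(IPAddress ip, DateTime now) { lock (_gate) _blockedUntil[ip.ToString()] = now + WinnerBlock; }
    bool IsBlocked(string key, DateTime now)
    {
        DateTime until;
        return _blockedUntil.TryGetValue(key, out until) && now < until;
    }
}
```

The dictionaries are never pruned, so a long-running site would need to expire old entries. Visitors behind one NAT or proxy share an address, so the per-address cooldown applies to all of them together.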