TCP/IP question
-
Is there any API to block IPs from connecting to the server?

Problem details: I have developed a client/server application. For security it is username/password protected. To prevent or “minimize” brute force attacks and denial of service, it checks for failed logins and logs the IP from failed attempts for x minutes; if 3 failed attempts are reached in those x minutes, it blocks the IP for y minutes. It uses a global linked list to log the IPs, and this is where the problem is. The global list is like a bottleneck since it is shared among other threads.

First: To minimize code execution, is there any way to block the IP at the operating system level, since if the attacking IP is allowed to re-connect to the server again it can easily cause a DoS?

Second: I could only come up with a global linked list to hold the IPs. Is there any better way to do this?

Thanks for any help
G_S
-
The below might help. http://www.codeproject.com/tools/firewallpapi.asp
-
G_S wrote:
To minimize code execution is there any way to block the IP in the operating system level to minimize code execution since if the attacking IP is allowed to re-connect to the server again it can easily cause a DOS.
The short answer to your question is no. At least, not in the manner you appear to want it. If you want to limit server access, turn on a firewall and a security software package (external to your app) that will monitor all ports for such behavior. There are no OS-level APIs to set up this kind of security.
G_S wrote:
I could only come up with a globally linked list to hold the IP is there any better way to do this.
Why is the list of "bad" IPs shared with multiple threads? I would probably use a BST instead of a list, and definitely do not make it global. By switching to a BST, you will probably see a significant speed increase. If you absolutely must share it with several threads for whatever reason, you might try using a more complex semaphore to allow as many threads to read it at a given time (so long as no thread is trying to write to it), but only allow 1 writing thread.
If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week.
Zac
-
Zac Howland wrote:
There is no OS-level APIs to set up this kind of security
This is what I was looking for to block incoming IPs at the OS level.
Zac Howland wrote:
Why is the list of "bad" IPs shared with multiple threads?
The list is shared to minimize connection time: when a connection is accepted, a new thread is fired up, and that thread checks the “bad” list and also serves the connection. The number of threads is limited, but you get the idea. Thank you for the advice.
G_S
-
Without knowing the requirements for the application, here is the most likely way I would approach the problem, then.
- Create the BST in the main thread, and pass a pointer to it as part of each thread's data (using appropriate protection -- either critical sections or a reading-semaphore-type setup).
- After Accept is called (spawning the new connection), the thread first checks the BST to see if the IP for the connection is bad. If it is, it closes the connection immediately; if not, it continues on.
You could also use a hash table instead of a BST and have the IP be the key, and something useful as the value (e.g. the number of failed connections?). This would decrease your searching time even more.
If you decide to become a software engineer, you are signing up to have a 1/2" piece of silicon tell you exactly how stupid you really are for 8 hours a day, 5 days a week.
Zac
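The following is an added example, not code from anyone in this thread. It puts together the two pieces discussed above: G_S's policy from the original post (3 failed logins within x minutes blocks the address for y minutes) and Zac's suggested structure (a hash table keyed by IP, shared by connection threads through a reader/writer lock so many threads can check an address at once while only one records a failure). It assumes addresses are plain strings and that the caller passes the current time in seconds, which keeps the policy deterministic and testable without touching a clock; the sample address is a constructed TEST-NET value.

```cpp
// Added example (not code from the thread): per-IP failed-login tracker.
// Hash table keyed by address, guarded by a reader/writer lock, implementing
// "N failures within a window => block for a while". Assumptions: IPs are
// strings and the caller supplies time in seconds (no system clock used).
#include <cstdint>
#include <cstdio>
#include <deque>
#include <mutex>
#include <shared_mutex>
#include <string>
#include <unordered_map>

class BadIpTable {
public:
    // maxFailures failures within windowSec seconds => blocked for blockSec seconds.
    BadIpTable(int maxFailures, int64_t windowSec, int64_t blockSec)
        : maxFailures_(maxFailures), windowSec_(windowSec), blockSec_(blockSec) {}

    // Connection threads call this right after accept(). It takes only the
    // shared (read) lock, so any number of threads can check concurrently.
    bool isBlocked(const std::string& ip, int64_t now) const {
        std::shared_lock<std::shared_timed_mutex> guard(mutex_);
        auto it = table_.find(ip);
        return it != table_.end() && it->second.blockedUntil > now;
    }

    // Called once a login attempt has failed. Takes the exclusive (write) lock.
    // Returns true if this failure crossed the threshold and the IP is now blocked.
    bool recordFailure(const std::string& ip, int64_t now) {
        std::unique_lock<std::shared_timed_mutex> guard(mutex_);
        Entry& e = table_[ip];
        dropStale(e, now);
        e.failures.push_back(now);
        if (e.failures.size() >= static_cast<size_t>(maxFailures_)) {
            e.blockedUntil = now + blockSec_;
            e.failures.clear();   // a fresh window starts once the block expires
            return true;
        }
        return false;
    }

    // Periodic housekeeping (e.g. from a timer thread): remove entries whose
    // block has expired and whose failures have all aged out, so the table
    // does not grow without bound. Returns the number of entries dropped.
    size_t purgeExpired(int64_t now) {
        std::unique_lock<std::shared_timed_mutex> guard(mutex_);
        size_t removed = 0;
        for (auto it = table_.begin(); it != table_.end();) {
            dropStale(it->second, now);
            if (it->second.blockedUntil <= now && it->second.failures.empty()) {
                it = table_.erase(it);
                ++removed;
            } else {
                ++it;
            }
        }
        return removed;
    }

    size_t size() const {
        std::shared_lock<std::shared_timed_mutex> guard(mutex_);
        return table_.size();
    }

private:
    struct Entry {
        std::deque<int64_t> failures;   // timestamps of recent failures, oldest first
        int64_t blockedUntil = 0;       // 0 = not blocked
    };

    // Forget failures outside the sliding window (now - windowSec, now].
    void dropStale(Entry& e, int64_t now) const {
        while (!e.failures.empty() && e.failures.front() <= now - windowSec_)
            e.failures.pop_front();
    }

    int maxFailures_;
    int64_t windowSec_;
    int64_t blockSec_;
    mutable std::shared_timed_mutex mutex_;
    std::unordered_map<std::string, Entry> table_;
};

int main() {
    BadIpTable table(3, 10 * 60, 30 * 60);   // 3 failures in 10 min => 30 min block
    const std::string ip = "203.0.113.5";    // constructed sample address (TEST-NET-3)
    int64_t now = 1000;
    for (int i = 0; i < 3; ++i) {
        bool blocked = table.recordFailure(ip, now + 60 * i);
        std::printf("failure %d -> blocked=%d\n", i + 1, blocked ? 1 : 0);
    }
    std::printf("blocked after 20 min: %d\n", table.isBlocked(ip, now + 20 * 60) ? 1 : 0);
    std::printf("blocked after 40 min: %d\n", table.isBlocked(ip, now + 40 * 60) ? 1 : 0);
    return 0;
}
```

In the server, `isBlocked` is the first thing the per-connection thread runs after `accept` (closing the socket immediately on a hit, as Zac describes), `recordFailure` runs after a rejected password, and `purgeExpired` runs from a timer. Because the check only takes the shared lock, the table stops being the serialization point the original post complains about; writes are rare (one per failed login) and are the only operations that exclude other threads.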