
We have a B2C application. We have some URLs that are not secure, and some scripts are continuously hitting those URLs.

Precondition:

  1. We don't want to implement security on those URLs.
  2. We don't want to use Captcha.

I have a public URL easily accessible to all users; behind the scenes that URL is accessing some service. Now I am getting unexpected users on my public URL who are using my services for their personal sake. I don't want to add security on my services. I want to restrict those users on the basis of IP address or some other mechanism. It's easy to block static IPs, but I am not sure how to restrict dynamic IPs. Please help.

prasingh
  • Use an HTTP header to identify the sender of the request. Browser requests would not include the header, so they should fail. – NickJ Aug 24 '15 at 12:35
  • How can anyone provide recommendations based on a one sentence description of your architecture? – charlietfl Aug 24 '15 at 12:41
  • Apologies for the short description. I have a public URL easily accessible to all users; behind the scenes that URL is accessing some paid service. Now I am getting unexpected users on my public URL who are using the paid services. I don't want to add security on my paid services. I want to restrict those users on the basis of IP address or some other mechanism. It's easy to block static IPs, but I am not sure how to restrict dynamic IPs. Please help – prasingh Aug 24 '15 at 12:45
  • Allow paid service access only after login. Remove paid service access from the public URL. – Ravindra babu Aug 24 '15 at 17:15

1 Answer


I can think of one quick solution: you can limit the number of requests from a single IP address at the web server level.

For example, if you are using Apache, the configuration below will take care of it.

# Change the path to the directory that serves the public URL.
<Directory /home/*/public_html>
    # MaxConnPerIP and OnlyIPLimit are mod_limitipconn directives; load that module first.
    MaxConnPerIP 1
    # OnlyIPLimit applies the limit only to responses of these MIME types.
    OnlyIPLimit audio/mpeg video
</Directory>

You can visit this link for more details: Limit Requests for IP

Any web server will provide this type of feature with a different configuration or rule set.

Ravindra babu
  • What about the dynamic IPs? – prasingh Aug 24 '15 at 12:34
  • If your client/company can spend money, https://www.neustar.biz/services/ddos-protection provides a solution for DDoS attacks – Ravindra babu Aug 24 '15 at 13:24
  • Static or dynamic IP does not matter to the web server. You are not hard-coding IP addresses in the web server rules. The number of requests from a particular IP can be restricted at the web server level – Ravindra babu Aug 24 '15 at 13:31
  • First of all, thanks for your time. We have one scenario: I request the URL with my mobile device, and at that time our IP is, say, xyz. Before requesting the same URL again I switched off the mobile device, then requested the same URL again. Then I found that it's having a different IP... It is one scenario that I found; similarly we can find many others. – prasingh Aug 24 '15 at 16:07
  • Both will be treated as different requests. Still I can't see issue with per connection limit. – Ravindra babu Aug 24 '15 at 17:12
  • This won't help. Suppose earlier dynamic IP xyz was assigned to me and I am blocked by the system; later I get a new IP after restarting my mobile. At the same time some other genuine user gets my blocked IP, and then he won't be able to perform any operation because he is blocked on the system. – prasingh Aug 25 '15 at 07:25
  • Allow paid service access only after login. Remove paid service access from the public URL. In this case, you can configure the limit at the user level – Ravindra babu Aug 25 '15 at 08:20
  • Currently we are using the solution suggested by you. But in the future we'll move the service to the backend and remove the public access to that service. Thanks for your time – prasingh Sep 05 '15 at 11:58
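The limiting discussed in the answer and its comments, as an added illustration that is not code from the page: a sliding-window request limiter keyed on the client IP for the public URL, or on the user id once the paid service sits behind a login. Unlike a permanent IP block, the limit expires with time, so a dynamic IP reassigned to another genuine customer recovers on its own. Note that Apache's MaxConnPerIP above counts concurrent connections; this example counts requests per window instead, and the IP and user id are constructed sample values.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key.

    Key on the client IP for a public URL, or on the logged-in user id once
    the paid service is behind a login. Blocks are not permanent: once old
    requests age out of the window the key is allowed again, so a dynamic
    IP handed to a different customer is not locked out.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # key -> deque of request timestamps (oldest first)

    def allow(self, key, now=None):
        now = self.clock() if now is None else now
        q = self._hits.setdefault(key, deque())
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit for this key in the current window
        q.append(now)
        return True


def demo():
    limiter = SlidingWindowLimiter(limit=3, window=60)
    ip = "203.0.113.7"  # constructed sample address
    # Three requests pass, the fourth within the window is rejected.
    results = [limiter.allow(ip, now=t) for t in (0, 1, 2, 3)]
    # 61 s later the same IP may belong to another customer; enough of the
    # earlier hits have aged out, so that customer is served.
    reassigned = limiter.allow(ip, now=61)
    # Keying on the authenticated user gives the per-user limit from the comments.
    user_ok = limiter.allow("user:42", now=3)
    return results, reassigned, user_ok
```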