ansaurus

Question

How to make sure about the ip of the visitor?

Answer 1

+5 A:

The short answer is that it's impossible to stop a determined attacker if a single unverified visit is the only thing required to alter the order of your story. You may want to think about implementing a registered user voting system.

However, You can collect several pieces of information and combine all of them:

1) User Agent
2) IP Address
3) X-Forwarded-For header (if available)

Often times attackers will be lazy and not cycle through different user agents. If you setup your system to process visit information at a certain interval (and not in real-time), you could potentially filter out large collections of visits occuring at the same time with the same exact user agent.

You could always download databases of proxies from websites such as antiproxy.com, but the truth is that most well planned attacks today come from botnet nodes which have yet to be documented. It is fully possible for your website to be targeted by an attack with heterogeneous traffic which is indistinguishable from normal visitors.

At the very least, I would suggest changing your implementation so that users can vote on stories and require a captcha.

Robert Venables 2009-05-16 13:05:12

@novatrust Thanks for explaining, I have changed my code to treat all users with same "user agent" as spam and also all users with same ip as spam and I will try use x-forwarded-for as well. changing the system to voting system will make it very complicated in my case.but the that thing I am not sure about? do we have unique users agents?Thanks

ahmed 2009-05-16 17:04:44

User agents are not unique, though often times they can be unique enough. Example: 300 hits within one minute all advertising the same exact version of firefox, browser toolbars, and installed .NET framework, with the same exact formatting. This is unlikely, and may indicate malicious activity.

Robert Venables 2009-05-16 17:22:25

Answer 2

+1 A:

With PHP you can check the $_SERVER ["HTTP_X_FORWARDED_FOR"] variable against the IP adress for a little more assurance that the client is who he says he is. This will help identify people through some proxies.

Sam152 2009-05-16 13:05:59

Answer 3

A:

You cannot reliably detect an IP.

It may be coming through a proxy or it may be spoofed.

Konstantinos 2009-05-16 13:07:31

Or - let's face it - it may just be real! Imagine a team of nerds behind a single gateway. One of them tosses a nice URL into IRC...

innaM 2009-05-16 13:18:38

Answer 4

+1 A:

I use this function sometimes. But as others have said, it can be tough to get the correct IP 100 per cent of the time.

I can't remember where I got the function from, but it seems to be fairly common on the internet.

function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP']))   
    {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
      $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

Coffee Cup 2009-05-16 13:20:42

I don't think that is going to get you the real IP - simply the first one that is set from the order of testing. It is not even comparing $_SERVER['HTTP_X_FORWARDED_FOR'] to $_SERVER['HTTP_CLIENT_IP'] for a match, a suggested in some answeres.

BrynJ 2009-05-16 13:27:32

ansaurus

tags:

views:

answers:

How to make sure about the ip of the visitor?

related questions