Vikas Gupta: Software architect

Archive for the ‘Site Improvement’ Category

Captcha usage pattern to prevent bot attack

Posted by Vikas Gupta on November 21, 2009

In one of the projects, we had a requirement of preventing bot attacks without captcha. After hitting the wall on freely available solutions, I thought of staying with captcha, but in a different way.

To devise a solution, I thought that most users would not register account on the same website again at least with in a day, may be a year also. So, using this fact, the proposed solution was to display the captcha only when the user is registering again on the website. In this way, we could avoid irritating the user by showing the captcha, but if needed, we can again activate captcha for second or subsequent captcha.

The proposed solution brought an interesting challenge. How would we determine whether the request is coming from the same machine? HttpServletRequest.getRemoteAddr() gives you the client local IP. But, if you are behind NAT, you might not get different IPs for different machine.

In order to resolve the above mentioned issue, we can use X-FORWARDED-FOR, which is a HTTP header that is inserted by proxies to identify the IP address of the client. It can also be added to requests if application servers are proxied by proxy servers. In this case, the request IP address is always a local address and the client IP address must be extracted from the request. Since proxies can be chained – for example if the client’s request is already made through a proxy – the X-FORWARDED-FOR header can contain more than one IP address, separated by commas. In this case, the first one should be used.

The solution is still not full proof, because headers can be tampered easily. To rescue comes a module of Apache http server, which is mod_remoteip,
Thanks to this, request.getRemoteAddr(), request.getRemoteHost(), request.isSecure(), request.getScheme() and request.getServerPort() will expose the values transmitted by X-Forwarded-For and X-Forwarded-Proto rather than the values of the preceding proxy / load balancer.

The above mentioned Apache module works on an open source project, RemoteIpValve, and, XForwardedFilter. The RemoteIpValve and the XForwardedFilter have been integrated in the Tomcat Project. The RemoteIpValve will be available in the forthcoming Tomcat 6.0.21 version, whereas, XForwardedFilter has been renamed RemoteIpFilter and will be integrated in Tomcat 7.

Thanks to all those who worked on RemoteIpValve and RemoteIpFilter.


Posted in Site Improvement, Usability | Tagged: , , | Leave a Comment »