
Nonce usage to prevent bot attacks

Rithanya Laxmi
Ranch Hand
Posts: 227
Hi,

I am using JSP in a J2EE application (not Struts). I want to prevent bot attacks from happening in my form, and I am planning to do the following for my form:

1. Generate a random token and set it in a hidden field of the form in the JSP.
2. During form submission, store the random number set in the hidden form field in the DB.
3. Compare the submitted token with the one from the DB to see whether it matches; if it does not match, it is a bot attack.

Please let me know whether what is mentioned above is correct. If not, please let me know how we can handle it in a better way.

1. Also, how can we generate the random token number in Java, and how can this be set in the hidden form field?
2. Where do we need to handle the comparison logic?

Any examples/tutorials on this would be really helpful. Thanks in advance.
Stephan van Hulst
Saloon Keeper
Posts: 10308
You are describing a CSRF token, and it won't do much to prevent bots from interacting with your site. What it does is prevent users from unwittingly performing dangerous actions by executing requests forged by an attacker, for instance by clicking on a link in an e-mail message. If this is what you mean, you should look at the built-in CSRF protection mechanism that your web application framework of choice offers.

If you want to prevent bots, you need to detect whether the user is a human. Various technologies like Captchas are available for this.

If you mean something else by "bot attack", you need to describe precisely what you mean.
 
Rithanya Laxmi
Ranch Hand
Posts: 227
Thanks Stephan. We are looking at Captcha (reCAPTCHA), but there is an email from the customer to look for a tokenizer approach to prevent any bot attacks on the corresponding page. Are you saying the tokenizer approach won't work here, as it can't prevent bot attacks and can't detect whether it is a human?


1. A nonce is used to generate a random number token.
2. The token gets created; compare the token on the server when the submit button is clicked to see whether it matches.

Can the above be done through a CSRF token to prevent bot attacks on the site? If so, this will serve our purpose. Are there any examples/tutorials showing how to implement this in JSP/Servlet?

Also, please let me know whether the below approach won't work for preventing bot attacks:

1. Set up a honey trap on the JSP: create a hidden field which a user won't see, e.g. middle name.
2. If someone tries to attack, the form will be filled in along with the middle-name field, which can be rejected on validation.

I am not sure how the hidden form field will be visible for the user to fill in the value. If it is not, how in this case will the hidden middle-name field have a value entered?

Please clarify.
 
Stephan van Hulst
Saloon Keeper
Posts: 10308

Rithanya Laxmi wrote: there is an email from the customer to look for a tokenizer approach to prevent any bot attacks on the corresponding page. Are you saying the tokenizer approach won't work here, as it can't prevent bot attacks and can't detect whether it is a human?


Ignore what they said about any kind of approach to solve their security concerns. Ask the customer what their security concerns are, specifically what they mean by "bot attack". HOW you are going to address their concerns is not for them to worry about, as long as it is the correct approach. Using a CSRF token to prevent bots from interacting with the site is NOT the correct approach.

Rithanya Laxmi wrote: Can the above be done through a CSRF token to prevent bot attacks on the site?


No. A bot that is custom written to attack your site will not care about CSRF tokens. CSRF tokens are used to prevent normal users from accidentally performing actions they didn't intend to perform. It is good to have, but it doesn't relate to bots.

Rithanya Laxmi wrote: If so, this will serve our purpose. Are there any examples/tutorials showing how to implement this in JSP/Servlet?

Rithanya Laxmi wrote: Set up a honey trap on the JSP


This may work for simple bots, but sophisticated bots will detect hidden fields and ignore them. If you hide fields by moving them outside of the view, then this might hurt your SEO as some search engines discourage this technique.

Before we give you any advice, you must give an exact description of "bot attacks". If you're not sure, ask your customer.
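For the mechanics asked about earlier in the thread (how to generate the token in Java, where to put it, and where to compare it), here is an added example that is not part of the original thread and not code from any poster. It is a servlet filter that mints a per-session token with SecureRandom, expects it back in a hidden field on POST, compares it in constant time, rotates it after a successful submission (which also blocks double submits), and additionally rejects requests that fill a honeypot field. The session is used instead of a database because the token only needs to live as long as the user's session. The attribute, field and class names are assumptions chosen for this example. As Stephan says above, this protects users from forged requests and catches only naive bots; it is not a DDoS control.

```java
// Added example (not from the thread): per-session CSRF token plus honeypot check.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FormGuardFilter implements Filter {

    // Names below are assumptions for this example, not a framework convention.
    static final String TOKEN_ATTR = "csrfToken";        // session attribute holding the token
    static final String TOKEN_FIELD = "csrfToken";       // hidden <input> carrying it back
    static final String HONEYPOT_FIELD = "middle_name";  // decoy field humans never see

    private static final SecureRandom RNG = new SecureRandom();

    /** 32 bytes from a CSPRNG, URL-safe Base64 so it fits cleanly in an input value. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Returns the session's token, creating one on first use. */
    static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            token = newToken();
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    /** Constant-time comparison so response timing cannot leak the token byte by byte. */
    static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Pure decision logic, kept free of the servlet API so it is easy to unit-test. */
    static boolean isAcceptable(String sessionToken, String submittedToken, String honeypotValue) {
        // A filled decoy field means the client filled in every input it found.
        if (honeypotValue != null && !honeypotValue.isEmpty()) {
            return false;
        }
        return tokensMatch(sessionToken, submittedToken);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if ("POST".equalsIgnoreCase(request.getMethod())) {
            HttpSession session = request.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            if (!isAcceptable(expected, request.getParameter(TOKEN_FIELD),
                              request.getParameter(HONEYPOT_FIELD))) {
                // Record the rejection so repeated failures from one source show up in monitoring.
                request.getServletContext().log("Rejected POST to " + request.getRequestURI()
                        + " from " + request.getRemoteAddr());
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // One-time use: drop the token so a refresh or back-button resubmit is refused.
            session.removeAttribute(TOKEN_ATTR);
        } else {
            // GET: make sure a token exists before the JSP renders the form.
            tokenFor(request.getSession(true));
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }
}
```

In the JSP the token goes into `<input type="hidden" name="csrfToken" value="${sessionScope.csrfToken}">`, and the filter is mapped to the form's URL in web.xml or with @WebFilter. The honeypot should be a normal text input hidden with CSS rather than `type="hidden"`, which is why a person never fills it in; a script that populates every field it parses will.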
 
Rithanya Laxmi
Ranch Hand
Posts: 227
Thanks Stephan again for your wonderful advice.

Our form, which is a critical one for the user to enter details and post, has been under robot attack a couple of times, where thousands of spam emails and bad requests are created/triggered from suspected IP addresses which try to hack some data through it. In order to overcome that, we are pursuing the option of using a Captcha vs. a tokenizer mechanism.

I completely agree that Captcha is there for a purpose and is more suitable for the above problem. What the client also wants to know is whether it can be served by a token mechanism through Java code; if that is the case, then we don't have to evaluate any Captcha product and can go with a simple token approach. Please let me know your opinion on the same and which one will fit the above requirement.


Thanks in advance.
 
Stephan van Hulst
Saloon Keeper
Posts: 10308
Why does the customer think that anything to do with tokens will prevent automatic form submission? Have you asked them what made them consider this approach?

Whether Captcha is appropriate depends on how often the form is used. For instance, it's great for registration forms, but it can get annoying if they have to be used for every interaction with the website.

If it's DDoS attacks that you're worried about, your customer might want to pay for a DDoS mitigation service, which handles these attacks before they reach the site.
 
Rithanya Laxmi
Ranch Hand
Posts: 227
Thanks Stephan,

Yes, it is a DDoS attack. For the DDoS attack they were checking whether we can go with a token vs. Captcha approach. That is the mitigation step they are looking at. Considering it is a DDoS attack, which one is best suited here? We want to take a better decision so that we don't choose the wrong approach here and then have to backtrack, which can be hard. Please let me know whether token or Captcha is well suited here, considering we need a secure solution that should work regardless of how intelligent and clever the bot/DDoS attacks are.

Also, in which scenarios should we go with the token approach? Is it well suited only to prevent duplicate form submission and simple bots?

Thanks in advance.
 
Stephan van Hulst
Saloon Keeper
Posts: 10308
Like I've already explained before, CSRF tokens are used to prevent users from performing actions they were tricked into performing by clicking links in malicious e-mails or websites. That's the scenario you use them for. It has nothing to do with bots.

Captchas are NOT appropriate to prevent DDoS attacks. They're used to prevent bots from performing some kind of action in your website repeatedly, such as registering accounts. DDoS attacks don't target your website, but the hardware running the site. Any measures you take at the website level will already be too late. An example of a DDoS attack is where a botnet floods your DNS with requests, causing legitimate requests to be unable to reach your server.

To prevent a DDoS attack, you need to route the requests through a network that has a huge amount of capacity, and can filter out illegitimate requests before it passes the legitimate requests on to the server that hosts your website. To set up such a network can be very costly, so unless your customer is very big and very rich, they might want to get a subscription with another provider of DDoS mitigation services.

Take a look here: https://en.wikipedia.org/wiki/DDoS_mitigation