Main » 2011 » Март » 16 » Internet voting the concept of protection from nakrutok
12:24
Internet voting the concept of protection from nakrutok
I must say that the whole topic is in the nature of the concept, because with this theme, I encountered another side of the barricades and ideas until the code is not implemented.

So, you needed to Internet voting "Miss Carbine Telecom, Lower Ukropolsk - 2012. The first thing you will certainly encounter - this is cheating on the part of the contestants, if someone you could really interested in their competition, and to be very very honest, his prizes.

To get started you need to properly formulate the purpose of protection - "make the most of a tough bind to vote in the counter to a real person."

The most beautiful and technically difficult at the moment the need to resolve - is the binding vote to the cellular phone. So we just recorded in interest club with Vkontakte and "classmates", gives users an attack of paranoia and at the same time doing everything expensive and elegant. More can and denezhek some money, if paid to do a vote. :) But we are good guys, it's not for us.

Only that's not all like the word "expensive". Well, there are other solutions to the problem. Who cares - welcome a cat.



I must say that all the other technological protection measures do not provide 100% guarantee of protection and really necessary. The only thing that can be done - it is possible to complicate the life potential nakruchivalschikam.

Method number 1: binding vote to ip-address.


Why:

+ With one ip address more than once does not really progolosuesh.

Disadvantages:

Image spoils the different types of proxy and Nat. Exactly where the second cut off from voting any part of legitimate users. Most likely you do not need.

Method number 2: collecting statistics on who came to the request header.


Why:

+ If the bot does not change the value of User-Agent or had only a few options, the party vote is already under suspicion. Even if the options are many, we can construct a histogram and see the resulting distribution. For example, I very confuse Google.Chrome share of 80% for single Vasiliy Pupkin. You can still compare the histogram to the average web site or with histograms of other participants to account for particular audience of the site.

+ Particularly need to monitor the header Referer. Iframe pasted on the side, visited web-based resources can instantly raise someone's rating to the skies. It is very cheap and good solution, though, and easily fixed. It is best to strictly limit Referer page with a form to send voice.

+ More tips to draw attention to the values ??of the header Accept-Encoding (a browser typically there is gzip) and the Connection (here we must wait for the keep-alive). Bots are often too lazy to implement them.

Disadvantages:

There are some smart bots that realistically replace headers and have thoughtful Rend. Realize such a bot is not difficult.

Method number 3: duplicate count of attendance (and counting) on ??the client-side.


Why:

+ massive bot-script is not sharpened specifically for your site probably does not get this protection. At least I have not seen in public'e things ready, able honestly to load the page and process its scripts and pictures.

+ You can count the attendance of the page with a form even embedding itself counter to js or flash, and ready to use Google.Analytics. If voters in 2000, and the number of hosts 200, then it is suggestive.

Disadvantages:

A man with his head quickly realized that the majority of client-side counters working on the notorious http. It remains to incite the sniffer on the web page and see who goes where and why, do not even have to climb into the code of the page itself. By the way, then evil hatskery can forget about the delay in implementation of js, associated with the rendering and execution of the js, and the very order of requests. That this can be caught.

Method number 4: Add a hidden form field rendomny id, checked with dispatch. Also remember the ip-address to another hidden field of the same form. Plus, watch availability and value of the session, and mark the visitor cookies, keeping the database a bunch of cookies-ip.


Why:

+ An attacker must perform a minimum of two requests and do not forget to see the hidden form fields.

+ Too many socks make a new server ip address in each socket-connection. If you want to make two requests (the page with the form and submit this form), then problems may arise.

Disadvantages:

There is a mechanism for keep-alive, which in theory allows us to make several requests over a single socket-connection. I do not want to lie to himself closely with this theme did not work.

Random number, session cookies and easily bypassed.

Method number 5: Watch for the content that asks the visitor when loading pages.


Why:

+ Bota is usually interested only in the html page and css, js and images he can completely ignore it.

Disadvantages:

Again, sniffer, in tandem with the brain easily bypass this protection. On the other hand have yet to guess what it is.

Method number 6: to see that the ip come to you.


Why:

+ Ip address, issued by the proxy can sometimes resolve into something interesting. For example, you can get a domain name that clearly indicates it belongs to the proxy-brotherhood. Or if someone decided to use Tor, most likely you will be able to admire the domain of one of the famous universities.

+ Often the vote can be geographically localized and see whether the ip-address of the desired region. Is not it strange that on your competition "Miss Carbine Telecom, Lower Ukropolsk - 2012" there were voices from Mexico? ;)

Disadvantages:

Hatsker can buy proxy corresponding geographic area, and completely anonymous, but it's expensive.

The bottom line.


Bypass the security posed by the above methods, in any case it is possible. Another question is whether the attacker will guess what it is, as costs and not suffocate if its a toad in a moment of truth. For example, the purchase of proxy servers, like writing a script to cheat at a particular site is quite real and not the little money. On the other hand the development of security also costs money, and besides, the prize has some value (not only for vanity as contestants fight;). More logical to use and economic protection, making, for example, the cost of circumvention of protection above the cost of the prize. It is unlikely that if there are many who want you to cheat. ;)

P.s. The article does not claim to ultimate truth. Those who want to add something, or constructively criticize - you are welcome in the comments.
Views: 511 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: