Welcome to the JaguarPC Community

This is a discussion on How to detect IP spoofing in the Shared & Semi-Dedicated forum

  1. #1
    Registered User
    Join Date
    May 2002
    Posts
    9

    How to detect IP spoofing ?

    Hi all
    I have a forum and have problems with a user. This user is from Canada and he is putting a lot of energy into bothering forum people. If I ban the user's ISP, the user goes to a cyber cafe and continues bothering. As long as the user is the only one I have in Canada, I plan to ban all of Canada (for a while). BUT... the user is now altering his IP to appear as if he is in Colombia, Amsterdam, etc.
    Does anyone know how I can detect a false IP (in Apache, PHP or Perl)? How can I prevent this?

    Thanks
    Last edited by Perikles; 11-01-2005 at 07:27 AM.

  2. #2
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    His IP will probably not be false, as truly spoofing an IP is a LOT of work and not truly feasible for communicating more than a few crucial bits of data (like the info one could use to then enter from an unspoofed IP).

    He is probably using a proxy (a different one each time), which makes you see the IP of the proxy. Some of these will still allow you to find the "true" originating IP address in the data, but I wouldn't get your hopes up, as he is probably using an anonymizing one (i.e. one that doesn't show that originating address).

    The above ground of these are paid services (at least if you want to be able to log on to a forum). I think some folk are keeping an up to date list of those, so you could simply ban them all. However, as it is unlikely that he can afford many such subscriptions, he is either using just one or two of them, or using an underground version: some sort of zombie network of pcs infected with some form of virus / trojan. If that's the case you'll probably find him a really hard nut to keep out.

    Back to the simpler side: I do assume you do not allow guests to post, send messages to members and / or find members' e-mail addies, right?
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
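
The distinction drawn in post #2, between a proxy that still exposes the originating address in the request data and an anonymizing one that does not, as an added PHP example that is not part of the thread. The function name `classify_proxy` is hypothetical and the sample requests are constructed from documentation address ranges; `$server` mirrors PHP's `$_SERVER` array.

```php
<?php
// Added example (not from the thread): classify a request by the proxy
// headers it carries. $server has the same keys as PHP's $_SERVER.

function classify_proxy(array $server): array
{
    // Address of the TCP peer that Apache actually completed a handshake with.
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Headers that cooperating proxies add when they forward a request.
    $markers = ['HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED'];
    $seen = array_values(array_filter($markers, fn($h) => !empty($server[$h])));

    // X-Forwarded-For is a comma-separated chain; the first entry is the
    // address the first proxy says it received the request from.
    $claimed = null;
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            $claimed = $first;   // syntactically valid, but still only a claim
        }
    }

    if ($seen === []) {
        // A direct connection and an anonymizing proxy look identical here.
        $kind = 'no-proxy-headers';
    } elseif ($claimed !== null && $claimed !== $peer) {
        $kind = 'proxy-reveals-origin';
    } else {
        $kind = 'proxy-hides-origin';
    }

    return ['peer' => $peer, 'kind' => $kind,
            'claimed_origin' => $claimed, 'headers' => $seen];
}

// Constructed sample requests (documentation ranges, not real hosts).
$samples = [
    ['REMOTE_ADDR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '198.51.100.20', 'HTTP_VIA' => '1.1 cache.example',
     'HTTP_X_FORWARDED_FOR' => '192.0.2.44, 198.51.100.19'],
    ['REMOTE_ADDR' => '198.51.100.20', 'HTTP_VIA' => '1.1 cache.example'],
];
foreach ($samples as $s) {
    echo json_encode(classify_proxy($s)), PHP_EOL;
}
```

These headers are written by whoever sends the request, so `claimed_origin` is a hint for a moderator to review, while any ban still has to key on `REMOTE_ADDR`.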

  3. #3
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by Perikles
    How can I prevent this ?
    Depends on the software you're using...

    IP is one way. Username is another. Banning eMail addies works pretty good -- makes them do a lot of work, registering for new accounts. Then, you can always deny proxies. Deny referers. One of my favorites is to leave the account intact, but suspend it...

    I dunno. It's a cat n' mouse game. After a while, they'll get tired of it -- they always do...
    Last edited by Vin DSL; 11-01-2005 at 01:40 PM.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  4. #4
    Registered User
    Join Date
    May 2002
    Posts
    9
    Thank you for your response, Gwaihir

    I have very strong reasons to believe that this guy is only using a very simple program to trick the IP source address of the packets. I do not believe he's paying for a proxy. He's not a hacker.
    And yes, I have the basic security in the forum ( only registered members can post, send private messages, etc )

    I wonder if Apache (which writes the logs I see) can be tricked so easily...

  5. #5
    JPC Member
    Join Date
    Nov 2001
    Location
    in that server dust bunny
    Posts
    47

    spoofing? Very Doubtful.

    As the others have stated, he is probably using a Proxy server, there are thousands out there in many many countries that are *free* to use. Like Vin said you just need to increase his work factor by inactivating the account and making him signup with more free email addresses. There is no way to stop someone that is determined to be an a-hole from being one.

    Now, if a forum could have an ALLOW only rule by which you only allow users with X IP address to post and participate that would be a lot easier than allowing everyone and just blocking X IP when a user is bad.
    ---
    "you must learn the art before you can teach the craft."

  6. #6
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by phluidphil
    Now, if a forum could have an ALLOW only rule by which you only allow users with X IP address to post and participate that would be a lot easier than allowing everyone and just blocking X IP when a user is bad.
    phpBB (and I assume most other web boards) has a 'group' feature. That allows only X ppl to read/submit, et cetera, in the forums.

    On my web site, not only do I require ppl to be registered to participate in the forums, but I have it set up so the registration needs to be authorized by myself. There are 470 ppl applications waiting to be okayed right now. You can see that in the stats on the login box, on the top right-side of my home page...

    http://www.lenon.com/

  7. #7
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by Perikles
    I do not believe he's paying for a proxy. He's not a hacker...
    I use this one all the time -- for free (limited functionality)...

    https://www.megaproxy.com/freesurf/

  8. #8
    Ron
    Ron is offline
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,307
    I don't think you can post from megaproxy... any freebies you know of that allow form submission (i.e. allow you to post at phpBB forums)?

  9. #9
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Quote Originally Posted by phluidphil
    As the others have stated, he is probably using a Proxy server, there are thousands out there in many many countries that are *free* to use.
    Really? Am I just so bad at finding any? Could you post a few, for the more legitimate uses such as checking up on weird routing issues?

    So far all I too know / have found is this, see:
    Quote Originally Posted by Ron
    I don't think you can post from megaproxy... any freebies you know of that allow form submission (i.e. allow you to post at phpBB forums)?
    Regards,

    Wim Heemskerk

  10. #10
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Quote Originally Posted by Vin DSL
    I have it set up so the registration needs to be authorized by myself. There are 470 ppl applications waiting to be okayed right now.
    And how do you judge the legitimacy of those?

    I.e. so far I think that method is just a royal pain in the <bliep> for webmaster and wannabe user alike. I'd love to hear how it can be made effective.
    Regards,

    Wim Heemskerk

  11. #11
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by Ron
    I don't think you can post from megaproxy... any freebies you know of that allow form submission (i.e. allow you to post at phpBB forums)?
    There are a zillion of them out there...

    Doing a quick Google Search:

    http://uhingoknights.com/nph-proxy.cgi (1000's of these are around)

    http://anonymouse.org/anonwww.html

    http://www.pureprivacy.com/

    http://www.proxyweb.net/

    http://www.guardster.com/

  12. #12
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by Gwaihir
    And how do you judge the legitimacy of those?
    Mostly gut instinct... but, for instance, when someone registers, it sends an eMail notification to me, as well as one to the user. If the user's mail bounces, I know they're a bogey.

    Sometimes the username is evilbish69lesbo or whatever. They are automatically denied. Or, I'll get addies like 6ballgames2005@casino.co.uk -- gone!

    Personally, I'll go through the hassle to keep ppl like that away from my forums...

  13. #13
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Thanks for the proxy list. I'll likely be using one or two of them in future.

    Quote Originally Posted by Vin DSL
    Mostly gut instinct... but, for instance, when someone registers, it sends an eMail notification to me, as well as one to the user. If the user's mail bounces, I know they're a bogey.
    That part I've got covered by sending the user an activation link in that e-mail. If it bounces, it won't be activated.

    As for the other ones: amazing that folk are silly enough to try to get in with stuff like that. I guess I'm fortunate it hasn't happened at a site I'm involved with yet. If it does I suppose there's always still the "remove account" option.
    Regards,

    Wim Heemskerk

  14. #14
    JPC Guru
    Join Date
    Jan 2004
    Location
    I'm right behind you....
    Posts
    389
    Well, first of all, your users should be absolutely ignoring every single post he makes. You and your mods should be locking or deleting every topic he starts.

    With those basics down, I'd say it's time to have a little fun with him at his expense. Give him a custom rank; something like "I have a small p****" and maybe change his username to something like "I'm a stupid troll" too. I find that making a troll look bad (while all the other users ignore him) can often be more effective than an outright ban. Of course, you can always just keep setting his account(s) to inactive and keep doing this to every account he registers. Eventually he'll get the idea that you're having fun making an a$$ of him and that's the only attention he's getting.

    Rule #1 for your users though: DON'T FEED THE TROLL! Once you've gotten that established, the rest is just a matter of time and patience.

  15. #15
    Registered User
    Join Date
    May 2002
    Posts
    9
    Thanks for all the responses.
    I will try to ban all proxies I have noticed and to implement a different registration schema.
