Developers: Help With Proxy Detection

Hey guys

The .NET forums are down right now, and I need this answered fast haha. I remember there were a few developers here. Don’t worry if you don’t know .NET. I can figure out how to program it, I just need some ideas. Here’s the post:

I’ve been working on a website where contestants for a contest are posted, and each has their own vote button. People are allowed to vote 20 times per day.

I store IP addresses in an XML file with the date they last voted and how many votes they used.

What has happened now is that a few contestants are using the Tor network to change their IPs and give themselves a ton of votes. It’s a pretty big prize, and the contest is advertised a lot. So the obvious cheating is making the client look bad, me look bad, and has caused the contestants who don’t know how to cheat to stop voting.

What options do I have to stop this?

We don’t want to do user registration, because it’s obviously annoying, and also because it isn’t in the budget haha.

Blocking foreign IPs isn’t a good solution, because Tor can easily just change to Canada-only exit nodes.

I don’t know too much about de-anonymizing Tor, but from what I’ve read, it is very difficult. For every way to detect it, there is a way for them to stop me from detecting it. A cool way would be to use client-side programs to get me their local IP, but unfortunately, it is likely they will be behind a router anyways.

As of now, I have no idea how we will get around this. I just added a field to the DB showing which contestant the IPs are voting for. That way, I can check the foreign IPs, and see who they are voting for. But if we disqualify someone based on that, it won’t be long before other cheaters just start using Canada-only IPs.

Help would be much appreciated.

CAPTCHAs to prevent automated postings.

and;

Set a cookie on the client with a count of votes as well? This is easily hacked of course, but if you bury it deep and assume not everyone is as savvy as you and myself then it’ll stop a lot of false voting.

You can only have proper security with proper user registration but the above would be an easy hack.

Cheers,
Spry.

I love T-Nation forums. They have the answer to everything.

Addition: to make it more secure don’t just set the cookie value to a number.

Use a mapping of some sort.

Change this mapping regularly (be creative).

Require this cookie value in the form submission otherwise consider submission bad and discard.

But what’s to stop them from just deleting the cookies? When the contest started, I did use cookies. The guys just wrote Firefox macros that deleted the cookies at the press of a button. That was when I switched to the IP database.

I thought about the CAPTCHA, but all it would do is slow them down a bit. With unlimited voting potential, they would still easily beat the other contestants.

I got a decent solution on another forum though. The Tor network actually provides a list of its active exit nodes. Iterating through that list in runtime would suck performance-wise. But what I think I will do is just write an offline program that will compare the list of IPs with the Tor list. If anyone gets over a few matches voting for them, I’ll call the client and recommend they be disqualified.
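The offline comparison described in the post above could look like this. It is an added example, not code from the thread: the exit list is assumed to be a text file with one address per line, the vote records are assumed to be (IP, contestant) pairs exported from the vote store, and the threshold of 3 and all sample addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real exit nodes).
EXIT_LIST_TEXT = """\
# exit addresses, one per line
198.51.100.7
198.51.100.23
203.0.113.5
203.0.113.77
not-an-ip
"""

# Constructed vote records: (voter IP, contestant voted for).
VOTES = [
    ("198.51.100.7", "alice"), ("198.51.100.23", "alice"),
    ("203.0.113.5", "alice"), ("198.51.100.7", "alice"),
    ("203.0.113.77", "bob"), ("192.0.2.10", "bob"),
    ("192.0.2.11", "carol"),
]

def load_exit_nodes(text):
    """Parse the exit list into a set, skipping comments and junk lines."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry in the downloaded list
    return nodes

def exit_votes_by_contestant(votes, exit_nodes):
    """Count distinct exit-node IPs that voted for each contestant."""
    hits = defaultdict(set)
    for ip_text, contestant in votes:
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            continue
        if ip in exit_nodes:  # set lookup, so the list is never iterated per vote
            hits[contestant].add(ip)
    return {name: len(ips) for name, ips in hits.items()}

def flag_contestants(votes, exit_nodes, threshold=3):
    """Contestants with at least `threshold` distinct exit-node voters."""
    counts = exit_votes_by_contestant(votes, exit_nodes)
    return sorted(name for name, n in counts.items() if n >= threshold)
```

Counting distinct addresses rather than raw votes keeps one repeat voter behind a single exit node from tripping the threshold on their own.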

First thing I thought of was cookies, then an IP database. Neither will work easily or accurately against a determined user.

I found this PHP script that may be of some use (or at least point you in the right direction) although I’ve not tried it or read through the code in detail…

http://labs.involutive.com/2007/06/03/php-class-to-validate-socks4-sock5-and-proxies-using-curl-library/

There are hundreds of sites which allow anonymous surfing too, which will of course be used after you lock down the Tor IPs. If the above script works for you then I suspect you’ll be as sorted as possible, but if not how about this…

Hunt out a list of sites that allow anonymous surfing.

Every few hours do an automatic whois of those sites to get their IP addresses.

Add those addresses to your list of tor exit nodes.

Update your IP Ban list on your web server accordingly.

Anyone accessing from one of those addresses should be forwarded to a web page explaining why they are not allowed to vote given their proxy settings.

If I get chance later I’ll see if I can knock up an ASP.NET script to do this.

Coming on this thread sure made me feel inadequate.

There are proxy blacklists available which may help fend off a large number of false votes.

Some are commercial, some are free. Found a free one, but I do not know how effective it is:

http://iblocklist.com/list.php?list=bt_proxy

That list is normally used by PeerGuardian, however it is not hard to process it yourself.

I have also seen people go as far as writing a Java applet which does the voting and records the user’s hardware configuration to detect duplicate votes.
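Processing such a list yourself, as the post above suggests, could look like this. It is an added example, not code from the thread, and it assumes the list uses the PeerGuardian text layout of `label:start-end` per line; the sample entries are constructed from documentation address ranges.

```python
import bisect
import ipaddress

# Constructed sample in the assumed "label:start-end" layout.
SAMPLE_P2P = """\
# constructed sample, documentation ranges only
Example open proxy pool:198.51.100.0-198.51.100.127
Example proxy: secondary:198.51.100.100-198.51.100.255
Example single host:203.0.113.9-203.0.113.9
broken line without a range
"""

def parse_p2p(text):
    """Return (start, end) integer pairs for every well-formed line."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Labels may contain colons, so split on the last one only.
        _, _, span = line.rpartition(":")
        start_s, sep, end_s = span.partition("-")
        try:
            start = int(ipaddress.IPv4Address(start_s.strip()))
            end = int(ipaddress.IPv4Address(end_s.strip()))
        except ValueError:
            continue  # not an address range, skip the line
        if sep and start <= end:
            ranges.append((start, end))
    return ranges

def merge_ranges(ranges):
    """Sort and merge overlapping or adjacent ranges for binary search."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def is_listed(ip_text, merged):
    """True if the IPv4 address falls inside any merged range."""
    ip = int(ipaddress.IPv4Address(ip_text))
    i = bisect.bisect_right(merged, (ip, float("inf"))) - 1
    return i >= 0 and merged[i][0] <= ip <= merged[i][1]
```

Merging first means each vote costs one binary search, however many overlapping entries the downloaded list contains.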

Arghh I give up. My list of IPs is up to 2000 now, and they aren’t using any of them. I googled some of the IPs/hosts these guys are using, and found them in lists of free proxies. It’s amazing how many IPs there are to use. Getting good text blacklists is actually pretty hard. When I do find them, I have to do complicated regex expressions to get them down to straight line-separated lists of IPs.

Anyways, although it would be nicer to just block the bad IPs, I think we will just go ahead and disqualify the people using them. It just sucks because it isn’t necessarily the contestant doing it.

Here’s an interesting one though: one of the guys has been getting votes from a ton of IPs at a university. Coincidentally, it’s my university. I facebooked him, and he doesn’t go there. I guess he is getting a friend to vote from the university computers, and the outgoing IPs change per computer. It’s going to be really hard to justify disqualifying him based on that.