How to Spoof-proof Your Logins

Depending on which side of the consumer-business equation you are on, you might either expect to perform a transaction with another machine or you might expect a person to be on the other end of the transaction. When you run a business that requires legitimate user accounts, you may be surprised to find that many of your accounts belong to a single person, one using a skillfully crafted script running on his machine to create many "virtual" accounts with your business. These accounts tie up your resources, bandwidth, and other time and materials.

The process by which such scripts create accounts is called identity spoofing, and for most simple sites it can be accomplished rather easily. All the spoofer needs to do is create an HTML form that contains fields identical to those in your login form and then "HTTP-POST" the data to your server, where your user-account creation process takes place. The problem is even worse if you allow your login forms to be processed via "HTTP-GET", since the whole submission then fits in a single URL that can be bookmarked, linked and replayed without any form at all. After successfully creating an account once, there's nothing stopping the spoofer from automating the whole process.

With an automated script, spoofers can literally create hundreds of accounts with a single command. If your server doesn't validate the data, you risk being swamped by a huge amount of useless "virtual" accounts. If your server does validate it, the sheer number of requests can tie up your system resources and slow down or crash your application.

Another potential spoofing problem occurs because it's easy to write scripts that log in using the same user account from many different Web browsers. While this may not be a problem for some applications, it can waste resources and bandwidth, particularly when your business application allows clients to download files or other resources. Some applications check whether a user is already logged in before allowing them to create another instance of the application in their browser. Multiple-client attacks on these applications tie up resources such as database connections and system memory as the server repeatedly performs the login check.
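One server-side countermeasure to the forged-form problem described above is to refuse any account-creation request that did not originate from a form the server itself issued: the server embeds a signed, session-bound, expiring, single-use token in a hidden field, rejects GET outright, and checks the token before touching the database. The example below is added here to illustrate that check; it is not code from the original article, and the function names, the `form_token` field, the secret and the session ids are all assumptions constructed for the demonstration.

```python
import hmac
import hashlib
import secrets
import time

# Constructed for this example; a real deployment loads this from configuration.
SERVER_SECRET = b"example-server-secret-not-for-production"
TOKEN_TTL = 600  # seconds a rendered signup form remains valid


def issue_form_token(session_id, now=None):
    """Mint the value placed in the hidden `form_token` field when the
    server renders the signup form. It binds the form to one session
    and one issue time, and carries a random nonce for replay detection."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{issued}:{nonce}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{nonce}:{sig}"


def verify_form_token(token, session_id, used_nonces, now=None):
    """Accept only tokens we minted for this session that are unexpired
    and not already consumed. `used_nonces` is the server's replay store."""
    try:
        issued_s, nonce, sig = token.split(":")
        issued = int(issued_s)
    except ValueError:
        return False  # malformed: a hand-built form without our token
    msg = f"{session_id}:{issued}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged, tampered, or issued for another session
    current = now if now is not None else time.time()
    if current - issued > TOKEN_TTL or issued > current + 5:
        return False  # expired or clock-skewed beyond tolerance
    if nonce in used_nonces:
        return False  # replayed: the same form submitted twice
    used_nonces.add(nonce)
    return True


def handle_signup(method, form, session_id, used_nonces, now=None):
    """Request handler skeleton: refuse GET, require a valid token, then
    proceed to the (omitted) field validation and account creation."""
    if method != "POST":
        return 405, "signup must be POSTed"
    if not verify_form_token(form.get("form_token", ""), session_id, used_nonces, now):
        return 403, "form token missing, forged, expired or reused"
    return 201, f"account created for {form.get('username', '')}"
```

The token check stops scripts that post straight to the handler, but a script that fetches a fresh form before every submission still passes it, so pair it with per-session and per-address rate limits on form issuance.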
