True. We use 12 rounds of bcrypt, though, so they should be at least moderately secure. It's the best solution we've found so far... we'd be happy to hear alternatives that allow us to generate secure hashes for the IPs and allow us to ban people by IP if necessary.

And yes, I know that 12 rounds of bcrypt doesn't mean much. It will delay brute force attacks, though.




If the only purpose is for IP blacklists (bans, DoS, etc.), then doing 12 rounds of bcrypt would be counterproductive. It'd be a lot of CPU usage on your end, especially if it's done for every request.

A better approach would be something quicker to compute but that you can destroy equally easily. Generate a random token that cycles every X minutes/hours. Then HMAC the remote IP with this secret. Use the result for bans/rolling rate limiting. If you keep the token only in memory then you don't have to worry about the IP lists being leaked, as they won't be recoverable.
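The scheme in this comment, written out as an added example (not the commenter's or MediaCrush's code): a process-local random key, rotated on a timer, keys an HMAC over the client IP, and only the resulting tokens are stored for bans and rate limiting. The `rotate_secs`, `limit` and injectable `clock` parameters are my assumptions; rotating the key also drops every existing ban, which is what makes a leaked list worthless but also caps how long a ban can last.

```python
import hmac
import hashlib
import secrets
import time
from collections import Counter


class IpTokenBans:
    """Ban and rate-limit by HMAC(key, ip) instead of by the raw IP.

    The key exists only in memory and is replaced every `rotate_secs`.
    After a rotation the stored tokens no longer correspond to any IP,
    so a leaked ban list cannot be reversed even by brute force over IPv4.
    (Illustrative; parameter names are assumptions, not MediaCrush's API.)
    """

    def __init__(self, rotate_secs=3600, limit=100, clock=time.time):
        self.rotate_secs = rotate_secs
        self.limit = limit          # requests allowed per key lifetime
        self.clock = clock          # injectable for testing
        self.key = secrets.token_bytes(32)
        self.key_born = clock()
        self.banned = set()         # set of hex tokens, never raw IPs
        self.hits = Counter()       # token -> request count

    def _rotate_if_due(self):
        now = self.clock()
        if now - self.key_born >= self.rotate_secs:
            # Fresh key: old tokens are orphaned, so bans and counters reset too.
            self.key = secrets.token_bytes(32)
            self.key_born = now
            self.banned.clear()
            self.hits.clear()

    def token(self, ip):
        """Keyed, non-reversible identifier for this IP under the current key."""
        self._rotate_if_due()
        return hmac.new(self.key, ip.encode(), hashlib.sha256).hexdigest()

    def ban(self, ip):
        self.banned.add(self.token(ip))

    def allow(self, ip):
        """True if the request may proceed; counts it against the rate limit."""
        t = self.token(ip)
        if t in self.banned:
            return False
        self.hits[t] += 1
        return self.hits[t] <= self.limit
```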


An even better approach would be a Bloom filter.


I've created an issue [1] to discuss this in GitHub - feel free to explain your ideas there and we'll figure out what would work best.

[1] https://github.com/MediaCrush/MediaCrush/issues/116


You can only keep the last three bytes of the IP address (e.g. x.1.2.3). And ban only for short time (for example 1-2 hours) when required.


Hm, not a bad idea. Thanks!


Ban all .gov and .mil known IPs. Ban all IPs owned by the MIC (KBB, BAA, etc.)


What makes you think these people aren't capable of purchasing or routing through commercially available address space?


They are certainly capable of paying for it... the facts show though that they are typically not good at shielding their source IP. The Wikipedia edit from the Senate IP, the tracking of the SAIC IP to NSA, etc...

It's not a 100% guarantee - but it's a start.

