
They could use a proxy to "spoof" their IP. But there is no known way they could use IP spoofing to use any old IP address, as the voting app runs via HTTP, which runs over TCP, which requires a full connection, and the known spoofing attacks on TCP are blind, e.g. you can send but not receive data. So HTTP would not work over blind TCP spoofing.

I think that if one vote, or any small number of votes, were allowed per IP, the attack would have been much more difficult, as there simply are not tens of thousands of readily available proxies, unless these people have access to a big botnet.

A downside to one vote per IP is that AOL and some organizations place their outgoing web traffic behind one or a small pool of IP addresses. So these users wouldn't have been able to vote.




> A downside to one vote per IP is that AOL and some organizations place their outgoing web traffic behind one or a small pool of IP addresses. So these users wouldn't have been able to vote.

That would not have been such a big problem. But be sure to play 'dead man' and maintain the illusion that every vote counts.

E.g., here on Hacker News, after you click on the vote arrows, JavaScript manipulates the counts accordingly, but did you ever check whether your vote has had any effect on the "true" counts in the server? (Of course at Hacker News it has, because PG is not evil.)

Even more devious would be accepting the unwelcome votes, but also reversing each one of them after a random time has passed. This way the attackers get to see the illusion that their attacks succeed, but are fought back (or drowned out in counter-votes from real people) only a few hours later.

-----
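The per-IP cap and the delayed reversal discussed in the two comments above, combined in an added example (not code from any commenter or from Hacker News). The class, method and parameter names, the delay window and the sample addresses are assumptions made for illustration.

```python
import random

class ShadowTally:
    """Poll tally with a per-IP cap. Votes over the cap are still shown in the
    public count, then silently dropped after a random delay."""

    def __init__(self, per_ip_cap=1, min_delay=3600, max_delay=6 * 3600, rng=None):
        # A cap above 1 leaves room for users behind a shared address
        # (the AOL / organisation case raised in the thread).
        self.per_ip_cap = per_ip_cap
        self.min_delay, self.max_delay = min_delay, max_delay
        self.rng = rng or random.Random()
        self.counted = {}   # option -> votes that really count
        self.per_ip = {}    # ip -> number of counted votes from that address
        self.shadow = []    # (reversal_time, option): shown now, reversed later

    def vote(self, ip, option, now):
        """Record a vote. The client always gets the same success response."""
        used = self.per_ip.get(ip, 0)
        if used < self.per_ip_cap:
            self.per_ip[ip] = used + 1
            self.counted[option] = self.counted.get(option, 0) + 1
        else:
            delay = self.rng.uniform(self.min_delay, self.max_delay)
            self.shadow.append((now + delay, option))
        return True

    def displayed(self, option, now):
        """Public count: real votes plus shadow votes not yet reversed."""
        pending = sum(1 for t, o in self.shadow if o == option and t > now)
        return self.counted.get(option, 0) + pending

    def true_count(self, option):
        """Server-side count used for the actual result."""
        return self.counted.get(option, 0)

def demo():
    # Constructed sample: one address votes five times, another votes once.
    tally = ShadowTally(per_ip_cap=1, rng=random.Random(0))
    for _ in range(5):
        tally.vote("203.0.113.7", "A", now=0)
    tally.vote("198.51.100.2", "B", now=0)
    # (shown immediately, shown after the delay window, counted)
    return tally.displayed("A", 0), tally.displayed("A", 7 * 3600), tally.true_count("A")

if __name__ == "__main__":
    print(demo())
```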


Sometimes your vote does not have an effect on the "true" count on the server. For example, try voting every comment on a page down, and then reload to see the real counts. This isn't "evil" per se.

-----



