Host-to-IP Anti-Spoofing is an iPrism v4.x feature that flags URL requests that do not resolve to the correct IP-address. Spoofing (pretending to be host-a when you are really host-b) occurs when the hostname of the HTTP request is inconsistent with the resolved IP-address. In other words, if the HTTP request says "www.yahoo.com" but tries to connect to the IP-address of "www.sex.com", the iPrism spoofing detector is triggered.
When this happens, the user is redirected to a blocked page and may (depending on their profile) be able to override the block. If the user overrides the block, the host name of the request and the IP-address the request really went to are added to the IP-Host map (part of filter-manager, as shown below). The IP-Host Map page shows a list of the spoofed names (good sites) and the incorrect IP-addresses they connected to (bad sites) so they can be investigated. The controls allow the administrator to delete one or more entries from this list when they are no longer needed.
Launch the Filter Manager to access the IP-Host map.


In iPrism v4.x, Anti-Spoofing safeguards are in place whether you are using Bridge or Proxy Mode. Anti-Spoofing measures have been added to the filter-list to check site ratings for URLs by their name and IP-address (v4.0). As of iPrism v4.1, DNS lookups are supported in addition to filter-list information, for improved IP-Address lookups. In most cases, the site-rating will be the same for both name and IP.
In the event a user is blocked from getting to a certain URL, it may be due to the site-rating being different for the URL name vs. the URL IP-Address.
If a user is blocked, you may want to do the following:
Find out the URL-name and the IP-address that the domain portion resolves to. You might have the user run nslookup on their machine. Run nslookup on your own machine as well, and see whether the resulting IP-addresses match.
Check the site-rating for the URL domain name. Check the site-rating for the user's IP-address and your IP-address. You are looking for a condition where the URL-name site rating is allowed, but the URL IP-address site rating is not. This indicates a spoofing attempt.
Check site-ratings from:
The Web Interface (Block/Unblock Site > Check site ratings)
Appliance Manager (Filter Manager > Check site ratings)
If you get different site ratings as shown below, there may be some re-direction occurring to an incorrect IP-address, or that IP may have previously hosted content corresponding to the displayed rating shown for the IP.
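The comparison in the troubleshooting steps above can be written down as a small triage routine. This is an added example, not iPrism code: `rating_of` is a hypothetical stand-in for the manual "Check site ratings" lookup, the names, addresses and ratings are constructed, and the `likely_cause` split between redirection and a stale IP rating is a heuristic added here.

```python
import socket

def resolve_ips(hostname, resolver=None):
    """IPs a name resolves to from this machine (what nslookup would report)."""
    if resolver is not None:          # injected lookup, e.g. the user's nslookup output
        return set(resolver(hostname))
    return {ai[4][0] for ai in socket.getaddrinfo(hostname, None)}

def triage_block(hostname, user_ips, admin_ips, rating_of, blocked):
    """Compare name and IP ratings for one blocked request.

    rating_of: hypothetical callable standing in for "Check site ratings".
    blocked:   set of ratings the user's profile denies.
    """
    user_ips, admin_ips = set(user_ips), set(admin_ips)
    ip_ratings = {ip: rating_of(ip) for ip in sorted(user_ips | admin_ips)}
    blocked_ips = [ip for ip, r in ip_ratings.items() if r in blocked]
    name_allowed = rating_of(hostname) not in blocked
    # The condition the article looks for: name rating allowed, IP rating not.
    suspected = name_allowed and bool(blocked_ips)
    if not suspected:
        cause = "not the allowed-name/blocked-IP case"
    elif set(blocked_ips) <= user_ips - admin_ips:
        # Heuristic (assumption): only the user's lookup returns the blocked IP.
        cause = "redirection on the user's side"
    else:
        cause = "IP rating may reflect content it previously hosted"
    return {"resolution_differs": user_ips != admin_ips,
            "blocked_ips": blocked_ips,
            "spoofing_suspected": suspected,
            "likely_cause": cause}

# Constructed sample data: reserved documentation names/addresses, made-up ratings.
RATINGS = {"www.example.com": "news", "192.0.2.10": "news", "203.0.113.66": "adult"}
BLOCKED = {"adult"}

def rating_of(key):
    return RATINGS.get(key, "unrated")

def demo():
    user = resolve_ips("www.example.com", lambda h: ["203.0.113.66"])   # user's machine
    admin = resolve_ips("www.example.com", lambda h: ["192.0.2.10"])    # admin's machine
    return triage_block("www.example.com", user, admin, rating_of, BLOCKED)

if __name__ == "__main__":
    print(demo())
```

Calling `resolve_ips(hostname)` without a resolver performs a live lookup from the machine it runs on, so running it on both the user's and the administrator's machines gives the two sets to compare.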


Having checked the site-ratings and corresponding web-sites, if you feel the Anti-Spoofing is unnecessary or incorrect, you may:
Create a "Local Allow" for the IP-address to override the current IP-address site-rating, see:
or ...
Contact St. Bernard Software to report what you feel is a discrepancy, see:
How do I submit URLs for Review?
or ...
Disable Anti-Spoofing, see: