Is it possible to spoof your IP... is testing ip addresses secure?

Question

I have some extra features on a site that employees can use but customers are not allowed to see.

The employees are all going to be on a series of domains.

What I do is get the user ip like so:

$user_ip = gethostbyname($_SERVER['REMOTE_ADDR']);

Then I get an array of all the ips for the domains the users will be on using gethostbyname

Then I check if the user is on one of the domains like so:

in_array($user_ip,$allowedIPS)

So if the user is on one of the domains they see additional features for internal use. Otherwise they just see what is meant for the general public.

My questions is, is this secure? Or could someone potentially spoof their IP to appear like they are on our domain and gain access to these features?

Answer 1

It is impossible to spoof a TCP connection over the open internet due to the Three Way Handshake. However, it maybe possible to access this feature using CSRF.

PHP pulls $_SERVER['REMOTE_ADDR'] directly from Apache's TCP socket, there for it cannot be influenced by an attacker. And yes, i have looked at this code.

Answer 2

My questions is, is this secure? Or could someone potentially spoof their IP to appear like they are on our domain and gain access to these features?

No, unless they also have access to the networks of one of the allowed IPs, or any of the allowed machines under one of the IPs is compromised and proxies traffic.

In your scenario, it seems good enough. Well, except the privileged users will not be allowed to access the content from other IPs without some kind of VPN.

Note that IP spoofing generally has a different meaning than the one you're using. It means only forge the source address of a packet. This by itself is worthless because to access the service, it would also be necessary to receive the response from the server. Even "IP spoofing" in this sense is rare today due to better routing.

Answer 3

IP spoofing is possible, if non-trivial.

Why don't you just have your employees log in to get access to employee-only features?

Answer 4

If you are going to do this, do it with apache config, not with code. You are basically re-inventing functionality the is built-in.

As to the direct question, as others have said, spoofing an IP is possible if non-trivial. Also hope you don't have any unsecure access wireless points.

EDIT: Apache access control instructions. This is my assuming you are using Apache due to PHP usage, if you are actually using IIS, its still a config driven setting but obviously different in its execution.