 

Preventing IP spoofing

Tags:

php

If I throw both of these two into a database, is that enough to prevent a site visitor from spoofing that they are coming from a different IP address?

$ip1 = $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip2 = $_SERVER['REMOTE_ADDR'];
John asked Feb 10 '12 00:02



3 Answers

Short answer - no. You can never guarantee a link between an IP and a person. For almost all practical purposes though, yes, that's good enough.

Unless you're really expecting someone to go to significant lengths to hide their IP, you should be fine.

It really depends on what you're trying to do as to whether it's good enough or not.

Edit: Just seen your comment on the first post. An option for that is to look at Evercookies - they're extremely invasive and unethical, but they do do a very good job, so it's your call.

Joe answered Oct 16 '22 20:10


HTTP_X_FORWARDED_FOR is an HTTP header, so it can be easily spoofed. REMOTE_ADDR is an environment variable provided by the web server as specified in the CGI specification. It can't be easily spoofed. So there's no real point in caching either one.

If someone is spoofing the HTTP_X_FORWARDED_FOR header using a compromised proxy server, then there's not much you can do about that.

However, it should be easier to trust that a non-proxied request isn't spoofed since, unless the attacker is on the same subnet, they're limited to a blind spoofing attack, which requires them to guess the sequence and acknowledgement numbers of the TCP connection. This is very difficult to do on modern networks. And even if they managed to do this, they wouldn't be able to receive any data routed to the spoofed IP, so it would be easy to filter out any blind spoofing attacks.

These days, it's not really possible (ok, nothing is impossible, but it does require very specific circumstances and has limited applications) for someone to actually use a spoofed IP to make an anonymous TCP connection to a web server. At most packet spoofing is used for DDoS and flood attacks.

Lèse majesté answered Oct 16 '22 21:10


Nope, it's very easy to spoof X-FORWARDED-FOR, which is literally sent as a header. Try making an account system or have it rely on email or something. You cannot trust IP alone.

Given your above comment, $_SERVER['REMOTE_ADDR'] will most likely suffice since they'd have to change IPs every time they wanted to perform that action, which would involve proxying or most likely Tor.

Cyclone answered Oct 16 '22 21:10
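The two answers above (Lèse majesté's and Cyclone's) both come down to the same rule: REMOTE_ADDR is the TCP peer the server actually talked to, while X-Forwarded-For is a header the client can type anything into. The following is an added example, not code from the question or any of the answers, showing how to apply that rule in PHP: believe X-Forwarded-For only when the request arrived from one of your own reverse proxies, and even then read it from the right (the hop your proxy appended) rather than the left (the hop the visitor may have supplied). The trusted proxy address 10.0.0.5 and the sample `$_SERVER` arrays are constructed for this demonstration and are not from the original page.

```php
<?php
// Added example (not from the original question or answers): derive a client
// address from REMOTE_ADDR and X-Forwarded-For without letting the visitor
// choose it. The trusted-proxy list and the sample $_SERVER arrays below are
// assumptions constructed for this demonstration.

declare(strict_types=1);

/**
 * Return the client address we are willing to act on.
 *
 * REMOTE_ADDR is set by the web server from the TCP connection, so a visitor
 * cannot change it without completing a handshake from that address.
 * X-Forwarded-For is an ordinary request header. It is believed only when the
 * peer that delivered it is one of our own proxies, and then only the first
 * hop that is not one of our proxies is used, scanning from right to left.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('REMOTE_ADDR missing or not an IP');
    }

    // Direct connection, or a peer we do not operate: ignore X-Forwarded-For
    // entirely, whatever the visitor put in it.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));

    // Walk from the hop nearest to us toward the visitor, skipping our proxies.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // Everything further left was written by an untrusted party, so the
        // first untrusted hop is the best address we have; stop here.
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
        break; // malformed or empty value: fall back to the proxy's own address
    }
    return $remote;
}

$trusted = ['10.0.0.5']; // assumed address of our reverse proxy (constructed)

// Case 1 (constructed): visitor connects directly and forges the header.
// The forged header is ignored and the TCP peer address is used.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
];
echo client_ip($direct, $trusted), PHP_EOL;

// Case 2 (constructed): request came through our proxy, which appended the
// real peer after whatever the visitor sent. The right-most untrusted hop is
// used, so the visitor-supplied left-most value is never trusted.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7',
];
echo client_ip($viaProxy, $trusted), PHP_EOL;
```

Two practical notes. First, the trusted-proxy list has to be the addresses your proxies actually connect from; if you put a CIDR range in it you need a range check rather than `in_array`. Second, this only makes the address as reliable as REMOTE_ADDR, which is what the answers above say is good enough for most purposes; it still identifies a network endpoint (possibly a NAT, VPN or Tor exit), not a person, so it should not be the sole basis for an account or rate-limiting decision.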