2

I have two questions:

1) In PHP, when a programmer uses the "REMOTE_ADDR" variable to get the IP address of the web client, that IP address is taken from a field in the HTTP header? Or from where?

2) If the IP address of the client is taken from the HTTP headers, can a web client "spoof" or "change" the HTTP headers to hide his real IP address?

Thank you very much.

Arcuspedes
  • 31
  • 1
  • 3

3 Answers3

5

REMOTE_ADDR is taken from the TCP/IP connection and it's very hard to spoof.

It could be inaccurate though, if your server is behind a reverse proxy. In that case you'd have to read X-Forwarded-For header, which can be spoofed easily if your proxy doesn't always override it.

Kornel
  • 97,764
  • 37
  • 219
  • 309
4

$_SERVER["REMOTE_ADDR"] : As said is taking the IP from the IP socket in the TCP connection... The way to spoof your real IP is easy using a remote server for example: 'TOR network'.

Example: If I want to send a request to the site server (but I need to spoof my IP) I use:

<?php

$ip = '127.0.0.1';
$port = '9051';
$auth = 'PASSWORD';
$command = 'signal NEWNYM';
$fp = fsockopen($ip,$port,$error_number,$err_string,10);
if(!$fp) { echo "ERROR: $error_number : $err_string";
    return false;
          } else {
                     fwrite($fp,"AUTHENTICATE \"".$auth."\"\n");
                     $received = fread($fp,512);
                     fwrite($fp,$command."\n");
                     $received = fread($fp,512);
                 }
 fclose($fp);
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, "http://whatismyip.org"); //ipimg.php
 curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9050");
 curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 curl_setopt($ch, CURLOPT_VERBOSE, 0);
 $response = curl_exec($ch);
 curl_close($ch);
 echo $response;
?>

This code demonstrate how I'm spoofing my IP using a TOR service that is using SOCKS5 / SOCKS4 to send requests to another server without using my real IP. I'm testing it with whatismyip.org to see the IP change.

Have fun.

Shlomi Hassid
  • 6,500
  • 3
  • 27
  • 48
  • Set the PASSWORD and the port number. I am getting nothing. Page tries to load for a while and then dies. Any ideas? – Mahder Mar 07 '15 at 13:55
  • 1
    Are you running the Tor server? Make sure Tor uses port 9050, Make sure your php is set to expose errors. Now try again and see what happen. – Shlomi Hassid Mar 07 '15 at 23:36
0

1) $_SERVER["REMOTE_ADDR"] comes straight from the TCP connection.

2) $_SERVER["REMOTE_ADDR"] can only be spoofed using a man in the middle attack on a non-SSL TCP connection (the SSL handshake has some protections against IP spoofing).

2) $_SERVER variables which come from HTTP headers are prefixed with HTTP_ and yes, if they contain IP addresses, they can be spoofed trivially by the caller. You should never trust $_SERVER["HTTP_*"] variables which contain IP addresses.

oxygen
  • 5,891
  • 6
  • 37
  • 69