Does server know where data are sent from? (whether spoofed ip address or normal one)

Question

I'm going to create my own website and want to prevent DDOS attack or that sort of things.

I know the sever can receive packets from spoofed ip address while an attacker cannot get the response since the spoofed ip address is not his. Is it possible to identify if the ip address is spoofed or real?

I'm not sure but I heard when a user send a packet to HTTP protocol a user and server need to handshake something. If the one sending a packet is spoofed, is there any sign on the server side so I can filter them?

Answer 1

When a TCP connection is used (as HTTP does), there is a three packet exchange ("the three-way handshake") that starts the connection. This makes address spoofing very much more difficult because if the initial reply doesn't make it back, then the handshake can't complete). (There is a "SYN Flood" attack where somebody just sends a large number of the first of the three packets and doesn't care about any replies).

When a UDP connection is used (as DNS, for example, does), then the first packet can be a data carrying packet. This makes address spoofing easier, particularly when you don't care about the reply OR the goal is to get the reply to go somewhere besides back to the sender (for example an "amplification attack").