3

Is it safe to restrict access to a site by IP?

I know there is something called "IP spoofing" - does this mean that (under some conditions) IP restriction is not accurate?

Yaron Naveh
  • 23,560
  • 32
  • 103
  • 158

3 Answers3

2

If a client forges its source IP address, it will be very difficult to establish a TCP connection, because as @cdhowie noted in a comment below, the client would need to ACK the server's SYN + ACK back, which it will never receive.

Spoofed IP addresses are mostly dangerous for denial of service attacks, as the attacker would not care about receiving responses to the attack packets, and they would be much more difficult to filter since each spoofed packet appears to come from a different address.

Community
  • 1
  • 1
Daniel Vassallo
  • 337,827
  • 72
  • 505
  • 443
  • but the attacker could call methods on the service (even if he does not see the reponse) – Yaron Naveh Nov 20 '10 at 20:42
  • @Yaron: Not really on TCP-based protocols (like HTTP). To initiate a connection, the client needs to ack back: http://en.wikipedia.org/wiki/Three_way_handshake#Connection_establishment – Daniel Vassallo Nov 20 '10 at 20:48
  • @Yaron: Unlikely. In order to even set up the TCP connection, the spoofer would need to ACK the server's SYN+ACK. And he would need to ACK the specific 32-bit sequence number sent in the SYN+ACK packet, which he would never receive. As long as the host he is trying to attack picks sufficiently random initial sequence numbers, this attack is not practical. – cdhowie Nov 20 '10 at 20:50
  • @Yaron: Also, if you really wanted to ensure that IP spoofing isn't possible, run your service over HTTPS. The secure channel key exchange negotiation simply cannot be spoofed. – cdhowie Nov 20 '10 at 20:57
  • This doesn't apply to an attacker who is located somewhere on the path between your server and an allowed client. – caf Nov 25 '10 at 05:41
1

Not really. First, you would need to restrict all proxies, too, to be effective. More importantly, you may block legitimate users like this. It can be a quick-fix for some chronic issues, but in general it's not as effective as it seems.

icyrock.com
  • 27,952
  • 4
  • 66
  • 85
  • 1
    For white-listing it is much more effective, as the attacker cannot spoof all the routers on the Internet. If the attacker spoofs an IP, the response will not come back to the attacker, unless the attacker is on the same subnet as the legitimate users and their PC is shut down or he has control of some router in between. Maybe my point it - you have to trust somebody in between if you don't use end-to-end encryption. – icyrock.com Nov 20 '10 at 20:50
0

IP Spoofing is mostly possible on LAN. In my opinion it is not possible to restrict access to site per IP. I would rather consider applying some certificates/auth methods.

Here is an example. Read some theory here

klm_
  • 1,199
  • 1
  • 10
  • 26