-2

If IP addresses can be spoofed by creating false or manipulated HTTP headers, and therefore it should not be relied upon in validating the incoming request in our PHP/ASP pages, how come servers take that and rely on it? For example, denying IPs or allowing them are all based on IP.

Do servers get the IP information some other (and more reliable) way than, say, PHP/ASP gets it through server variables?

Average Joe

2 Answers

4

Servers are typically willing to rely upon the IP address of a connection for low-risk traffic because setting up a TCP session requires a three-way handshake. This handshake can only succeed if the IP address in the packets is routable and some machine is prepared to handle the connection. A rogue router could fake IP addresses but in general, it is more difficult to fake connections the further away from either endpoint the router is, so most people are prepared to rely on it for low-risk uses. (DNS spoofing is a far more likely way to misrepresent a connection endpoint, for example.)

Higher-risk users must use something more like TLS, IPsec, or CIPSO (rare) to validate the connection end-point, or build user authentication onto the lower layers to authenticate specific connections (OpenSSH).

But the actual contents of the TCP session can be anything and everything -- and a server should not rely upon the contents of the TCP session (such as HTTP headers) to faithfully report IP addresses or anything else vital.

sarnold
  • So, when an HTTP request comes in, are you saying that the server has a different way to check what the IP is? I thought that all the server got at that moment is the HTTP headers - which we know can easily be spoofed. Please clarify... – Average Joe Jan 31 '12 at 15:02
  • Wait a sec... wait a sec... I just realized that I mixed up referers with the IPs in my mind... the code samples/snippets I have seen in the past all modified the header using PHP. ( http://www.mustap.com/phpzone_post_62_how-to-bypass-the-referer-se ). Since I also read that IP may also not be reliable, I thought IP can be spoofed *the same way*, that is, by modifying the headers in PHP. I just realized that's not possible. Thanks to Conrad, clearly saying that it cannot be done opened my eyes. So, it is still possible to fake an IP but not as easy as done in PHP. – Average Joe Jan 31 '12 at 15:12
  • The server will call the [`getpeername()`](http://pubs.opengroup.org/onlinepubs/7908799/xns/getpeername.html) function to retrieve the IP address of the connection directly from the TCP/IP stack. PHP chooses to export this address to scripts via the [`$_SERVER["REMOTE_ADDR"]`](http://php.net/manual/en/reserved.variables.server.php#refsect1-reserved.variables.server-indices) interface. – sarnold Jan 31 '12 at 21:34
2

IP addresses cannot be spoofed. The address is needed for the server to send a reply.

PHP gets the IP address for its $_SERVER global from the server (hence the variable name!), which determines the address from lower in the protocol stack.

EDIT:

sarnold makes a good point that, in principle, one could corrupt routing tables to misdirect traffic. (Indeed, I believe there was an incident of this in a Tier 1 router in Asia a couple years ago.) So I should clarify that my comment that "IP addresses cannot be spoofed" was narrowly tailored to point out that the server variables will always faithfully reflect the destination IP. What goes on beyond the server's borders is another matter altogether.

Conrad Shultz
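The distinction both answers draw, shown as an added example that is not code from either answer: a loopback server records the address returned by `getpeername()` (what PHP exposes as `$_SERVER["REMOTE_ADDR"]`) next to an address claimed inside the HTTP headers. The `X-Forwarded-For` header, the `203.0.113.7` value and the allowlist are constructed for illustration.

```python
import ipaddress
import socket
import threading

ALLOWED = ipaddress.ip_network("127.0.0.0/8")  # constructed allowlist

def handle_one(listener, result):
    """Accept one connection; record the stack's peer address and the header's claim."""
    conn, _ = listener.accept()
    with conn:
        # Source address as seen by the TCP/IP stack after the three-way handshake.
        result["peer"] = conn.getpeername()[0]
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        # Everything parsed below is session content chosen by the client.
        for line in data.decode("latin-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "x-forwarded-for":
                result["claimed"] = value.strip()
        conn.sendall(b"HTTP/1.0 204 No Content\r\n\r\n")

def compare_addresses(claimed_in_header="203.0.113.7"):
    """Send one request over loopback; return (peer address, header-claimed address)."""
    result = {"peer": None, "claimed": None}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        worker = threading.Thread(target=handle_one, args=(listener, result))
        worker.start()
        with socket.create_connection(("127.0.0.1", port)) as client:
            request = ("GET / HTTP/1.0\r\nHost: localhost\r\n"
                       f"X-Forwarded-For: {claimed_in_header}\r\n\r\n")
            client.sendall(request.encode("ascii"))
            client.recv(1024)
        worker.join()
    return result["peer"], result["claimed"]

def is_allowed(peer):
    """Allow/deny decision keyed only on the socket-level address."""
    return ipaddress.ip_address(peer) in ALLOWED

if __name__ == "__main__":
    peer, claimed = compare_addresses()
    print("getpeername():", peer, "| header claims:", claimed, "| allowed:", is_allowed(peer))
```

The header value never reaches `is_allowed()`, so changing it has no effect on the allow/deny result.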