
referrer ip manipulation


Some applications are providing security only by accepting requests from certain IPs. Is this a good way of making that app secure? Is there any way to manipulate this referrer IP during the request period?

getRemoteAddr, getRemoteHost and getRemotePort

Is there any way to set the values above when making the request?


Solution

  • Yes, it is possible to "spoof" the source IP of packets to make the request appear to be from a different IP address than it really is. However, this is not a concern because the three-way handshake of TCP will not complete if the IP address has been spoofed, with a few exceptions (such as the attacker sniffing packets and generating a response when the packet passes on the wire). Generally speaking though, it is very hard to do.

    This is not good security practice, however, even though it is typically reliable. The reason is that IP addresses can be assumed by anyone, and they are frequently changed in packets due to techniques like NAT and firewalling.

    Consider that if you have two users on the same private network using NAT, and they both make requests to your server at the same time, your server will see the IP addresses as the same, with different source ports. The differentiating factor that allows routing to happen properly is the source port, not the IP address. To make this even less reliable, the source port will change on every new request, which can happen dozens of times during a single HTTP session.

    That being said, there is some benefit to IP filtering. You can make it much harder for someone from a certain country or area to connect by filtering by IP. This should not be your only security, but it can help because it is usually non-trivial to obtain a valid IP address from a different range. Some organizations will block all non-US based IPs by default, for example. This is used in conjunction with user accounts. This makes it much more difficult for non-local attackers to reach the server.
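A defender-side illustration of the answer's closing point (an IP-range filter used as defence in depth together with user accounts, checked against the transport-layer peer address rather than anything the client sends), added here and not part of the original post; the network ranges, session tokens and function names are constructed assumptions.

```python
"""Added example (not from the original Q&A): IP-range allowlist plus an
account check. Ranges and session tokens are constructed sample values."""
import ipaddress
from typing import Optional, Tuple

# Constructed allowlist of ranges the app accepts connections from.
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed session store (placeholder for real session/credential checks).
VALID_SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def ip_allowed(remote_addr: str) -> bool:
    """True if the TCP peer address falls inside an allowed range.

    remote_addr must be the connection's peer address (what getRemoteAddr
    returns), never a value taken from a request header, which the client
    controls. Malformed input is rejected rather than raising.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def authorize(remote_addr: str,
              session_token: Optional[str]) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, user).

    The IP filter only narrows who can reach the app; the account check is
    what identifies the user, since hosts behind one NAT share an address.
    """
    if not ip_allowed(remote_addr):
        return (False, "ip-blocked", None)
    user = VALID_SESSIONS.get(session_token or "")
    if user is None:
        return (False, "unauthenticated", None)
    return (True, "ok", user)


if __name__ == "__main__":
    # Three peers behind one NAT share 203.0.113.7 and differ only by source
    # port; only the session token distinguishes them.
    for peer, token in [(("203.0.113.7", 51234), "tok-alice"),
                        (("203.0.113.7", 51235), "tok-bob"),
                        (("203.0.113.7", 51236), None),
                        (("192.0.2.9", 40000), "tok-alice")]:
        print(peer, authorize(peer[0], token))
```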