Tags: web-services, security, ip-address, spoof

How much effort does it take to spoof an IP address in a call to a web service?


I don't want to know how... Just how complicated....

I'm thinking of securing a web service or two based on the incoming client IP address of the caller. Is this in any way secure?

Surely if the IP address was being spoofed then the result would have to be sent back to the address that was being spoofed and therefore not reach the spoofer?

Update: OK, so from what I can tell... I should create a Gettoken() method which checks the IP address and passes out a cryptographically significant token with a timeout to any valid IP address. This is then required by any other method before any kind of side effect is allowed.

Since an attacker can't (likely) get the token without having a valid IP, he will be unable to validly call any of my "dangerous" web methods?


Solution

  • If you're trying to do something more complex than DDoSing or triggering a security hole, then spoofing is not the answer. What you need is a system that will front for your request, thus hiding the true origin of the request. Since we're talking about HTTP traffic, an Anonymous Proxy will do the trick.

    For the purposes of security you're referring to, it depends on whether or not actions can be taken. If the site is purely informational, then you are safe. If the site allows actions to be performed (e.g. update this, delete that), then consider adding at least password authentication.

    Another issue to keep in mind is that anyone controlling routers between your server and the IP address you wish to allow can intercept the packets. That would allow them to have complete two-way spoofed communication without your server realizing it. If you want the information to be truly secure, use HTTPS and an authentication scheme to prevent such interceptions from happening.
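The token scheme sketched in the question's update (an IP-gated token issuer, then a token check before any side effect), as an added example that is not code from the question or the answer. The allowlist, the secret, the 300-second lifetime and the `delete_record` method are constructed here for illustration; the example binds the token to the caller's IP with an HMAC and rejects expired, tampered or wrong-IP tokens.

```python
import hmac
import hashlib
import time
import secrets
import ipaddress

# Constructed for this example: allowed client range, server secret, token lifetime.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 300  # seconds


def ip_allowed(client_ip):
    """First layer: is the caller's source address in the allowlist?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETS)


def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def get_token(client_ip, now=None):
    """The Gettoken() idea: issue an IP-bound, time-limited HMAC token, or None."""
    if not ip_allowed(client_ip):
        return None
    expiry = int(time.time() if now is None else now) + TOKEN_TTL
    body = f"{client_ip}|{expiry}"
    return f"{body}|{_sign(body)}"


def verify_token(token, client_ip, now=None):
    """Accept only if the signature is valid, the token is unexpired, and the caller's IP matches."""
    try:
        ip, expiry, sig = token.split("|")
        expiry = int(expiry)
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(sig, _sign(f"{ip}|{expiry}")):
        return False  # tampered body or forged signature
    if (time.time() if now is None else now) >= expiry:
        return False  # timed out
    return ip == client_ip  # token presented from a different address


def delete_record(token, client_ip, record_id, store, now=None):
    """A 'dangerous' web method: the side effect happens only after the token check."""
    if not verify_token(token, client_ip, now=now):
        return False
    return store.pop(record_id, None) is not None
```

As the answer notes, the IP binding is only as strong as the network path between client and server, so this check belongs behind HTTPS and real credentials rather than replacing them.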