HTTP IP spoofing detection

ik idokan at gmail.com
Wed Mar 14 21:47:07 IST 2012


On Wed, Mar 14, 2012 at 16:28, Nadav Har'El <nyh at math.technion.ac.il> wrote:
> On Wed, Mar 14, 2012, ik wrote about "HTTP IP spoofing detection":
>> Hello,
>>
>> I'm trying to detect a layer 7 based HTTP request, and see if it
>> contains headers that provide a spoofed IP address.
>> Is there a way to detect what is the Ethernet that the request arrived
>> from at Apache level?
>
> Generally, endpoints on the Internet will have a hard time spoofing
> their IP address on connection-oriented protocols (like TCP-based HTTP
> is) because while sending a packet with a false "source IP" is easy,
> it's much more difficult to get back replies, when the victim sends them
> to the falsified IP address, which routers across the internet won't
> route to the attacker.
>
> TCP in particular protects against "blind" connection setup (where the
> attacker cannot see replies) through its three-way handshake:
> The attacker can send a SYN packet with a false source address,
> and the server will reply to this false address with a SYN-ACK.
> This server reply contains a server-chosen random initial sequence number.
> The attacker will never receive this packet, so he'll not be able to
> respond to it with its own ACK, as needed, and the connection will
> NOT be established.
>
> Anyway, if you really need to authenticate remote machines,
> you should probably not do this based on their IP address, and rely on
> more secure methods (e.g., SSL). Or at least don't allow the first packet
> (an HTTP request) to do any damage.

Thank you, and everyone else, for the answers.
It seems like I'm overthinking this issue.

I'll try to work on layer 3 instead.


>
> --
> Nadav Har'El                        |                 Wednesday, Mar 14 2012,
> nyh at math.technion.ac.il             |-----------------------------------------
> Phone +972-523-790466, ICQ 13349191 |A smart man always covers his ass. A wise
> http://nadav.harel.org.il           |man just keeps his pants on.

Ido
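
Added example, not part of the original thread: since the TCP peer address has survived the three-way handshake described above while request headers are just client-typed text, a server can take the client address from the connection and accept a forwarding header only from proxies it operates. The `X-Forwarded-For` header, the `TRUSTED_PROXIES` range and the function names are assumptions made for this sketch.

```python
import ipaddress

# Assumption: reverse proxies we operate; only these may vouch for a client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed value


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(value):
    """Return an ip_address, or None if the text is not a valid IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(peer, headers):
    """Return (effective_client_ip, findings).

    peer    -- source address of the TCP connection (handshake-verified)
    headers -- dict of request headers with lower-cased names
    """
    findings = []
    peer_ip = ipaddress.ip_address(peer)
    xff = headers.get("x-forwarded-for")
    if xff is None:
        return str(peer_ip), findings
    if not _is_trusted(peer_ip):
        # Anyone can type this header; the TCP peer is the verified address.
        findings.append("x-forwarded-for from untrusted peer ignored")
        return str(peer_ip), findings
    # Walk right to left: the rightmost entries were appended by our proxies,
    # anything further left may have been supplied by the client itself.
    for hop in reversed(xff.split(",")):
        hop_ip = _parse(hop)
        if hop_ip is None:
            findings.append("malformed x-forwarded-for entry")
            return str(peer_ip), findings
        if not _is_trusted(hop_ip):
            return str(hop_ip), findings
    # Every hop was one of our proxies: fall back to the verified peer.
    return str(peer_ip), findings
```

The findings list is what a log or alert would record when a request carries a forwarding header it had no standing to set.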