HTTP IP spoofing detection
shimi
linux-il at shimi.net
Wed Mar 14 14:23:56 IST 2012
On Wed, Mar 14, 2012 at 2:02 PM, ik <idokan at gmail.com> wrote:
> On Wed, Mar 14, 2012 at 13:30, shimi <linux-il at shimi.net> wrote:
> >
> > On Wed, Mar 14, 2012 at 1:23 PM, ik <idokan at gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> I'm trying to detect a layer 7 based HTTP request, and see if it
> >> contain headers that provided as spoofed IP address.
> >> Is there a way to detect what is the Ethernet that the request arrived
> >> from at apace level ?
> >>
> >> If so, how can I provide rules what to do according to an HTTP header
> >> fields ?
> >>
> >
> > You could look at the ARP cache by reading /proc/net/arp I guess.
> >
> > You ARE aware that Ethernet MACs, just like IPs, can be 'spoofed', right?
>
> Yes, but it's not what I need to work upon.
>
> >
> > If your LAN is insecure, secure your LAN. Don't run web applications on
> > unsecure networks...
>
> My web app require to work also over the internet, and not only LAN
> (client request), that's why I'm looking for a way to secure it
> further.
>
>
I suspected that's going to be your reply...
MAC is meaningless outside Layer 2.
You can't do anything MAC related for clients outside your subnet. All
Ethernet frames will arrive from the MAC of your router.
The way to secure a website over HTTP, for the last few decades, has been
by using SSL, signed by a mutually trusted CA.
If you want to authenticate the clients, there's an option to request a
client certificate during the SSL negotiation.
-- Shimi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.cs.huji.ac.il/pipermail/linux-il/attachments/20120314/cd07c32f/attachment.html>
More information about the Linux-il
mailing list