HTTP IP spoofing detection
Nadav Har'El
nyh at math.technion.ac.il
Wed Mar 14 16:28:17 IST 2012
On Wed, Mar 14, 2012, ik wrote about "HTTP IP spoofing detection":
> Hello,
>
> I'm trying to detect a layer 7 based HTTP request, and see if it
> contain headers that provided as spoofed IP address.
> Is there a way to detect what is the Ethernet that the request arrived
> from at apace level ?
Generally, endpoints on the Internet will have a hard time spoofing
their IP address on connection-oriented protocols (like TCP-based HTTP
is) because while sending a packet with a false "source IP" is easy,
it's much more difficult to get back replies, when the victim sends them
to the falsfied IP address, which routers across the internet won't
route to the attacker.
TCP in particular protects again "blind" connection setup (where the
attacker cannot see replies) through its three-way handshake:
The attacker can send a SYN packet with a false source address,
and the server will reply to this false address with a SYN-ACK.
This server reply contains a server-chosen random initial sequence number.
The attacker will never receive this packet, so he'll not be able to
respond to it with its own ACK, as needed, and the connection will
NOT be established.
Anyway, if you really need to authenticate remote machines,
you should probably not do this based on their IP address, and rely on
more secure methods (e.g., SSL). Or at least don't allow the first packet
(an HTTP request) to do any damage.
--
Nadav Har'El | Wednesday, Mar 14 2012,
nyh at math.technion.ac.il |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |A smart man always covers his ass. A wise
http://nadav.harel.org.il |man just keeps his pants on.
More information about the Linux-il
mailing list