HTTP IP spoofing detection

ik idokan at gmail.com
Wed Mar 14 21:49:39 IST 2012


On Wed, Mar 14, 2012 at 14:23, shimi <linux-il at shimi.net> wrote:
>
>
> On Wed, Mar 14, 2012 at 2:02 PM, ik <idokan at gmail.com> wrote:
>>
>> On Wed, Mar 14, 2012 at 13:30, shimi <linux-il at shimi.net> wrote:
>> >
>> > On Wed, Mar 14, 2012 at 1:23 PM, ik <idokan at gmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'm trying to detect a layer 7 based HTTP request, and see if it
>> >> contains headers that provide a spoofed IP address.
>> >> Is there a way to detect what is the Ethernet that the request arrived
>> >> from at the Apache level?
>> >>
>> >> If so, how can I provide rules for what to do according to HTTP header
>> >> fields?
>> >>
>> >
>> > You could look at the ARP cache by reading /proc/net/arp I guess.
>> >
>> > You ARE aware that Ethernet MACs, just like IPs, can be 'spoofed',
>> > right?
>>
>> Yes, but it's not what I need to work upon.
>>
>> >
>> > If your LAN is insecure, secure your LAN. Don't run web applications on
>> > unsecure networks...
>>
>> My web app is required to work also over the Internet, and not only LAN
>> (client request), that's why I'm looking for a way to secure it
>> further.
>>
>
> I suspected that's going to be your reply...
>
> MAC is meaningless outside Layer 2.
>
> You can't do anything MAC related for clients outside your subnet. All
> Ethernet frames will arrive from the MAC of your router.

Yes, "all I need" is to use layer 2 or 3 (ebtables or iptables) and
allow only sources and destinations of valid known MAC addresses
(router, switch etc...)


>
> The way to secure a website over HTTP, for the last few decades, has been by
> using SSL, signed by a mutually trusted CA.

I can only use a self-signed certificate for this, but I'll try to use
SSL all the way.

>
> If you want to authenticate the clients, there's an option to request a
> client certificate during the SSL negotiation.
>
> -- Shimi
>

Ido
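
The check the thread starts from (an HTTP header carrying a claimed client IP) can be made at the application layer by comparing the header with the TCP peer address, which is the only address the client cannot set freely. This is an added example, not code from the thread; the header name `X-Forwarded-For`, the `TRUSTED_PROXIES` range and the `client_ip` function are assumptions made for illustration.

```python
import ipaddress

# Assumption: the reverse proxies we operate ourselves (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, headers):
    """Return (ip, verdict) for one request.

    peer    -- address of the TCP connection as seen by the server
    headers -- dict of request headers (exact-case keys assumed)
    """
    peer_addr = ipaddress.ip_address(peer)
    xff = headers.get("X-Forwarded-For")
    if xff is None:
        return str(peer_addr), "ok"
    if not _trusted(peer_addr):
        # A direct client sent a forwarding header: never believe it.
        return str(peer_addr), "header-from-untrusted-peer"

    # The peer is our own proxy. Each proxy appends the address it saw, so
    # read the chain right to left and stop at the first hop we do not run.
    hops = [h.strip() for h in xff.split(",")]
    for index in range(len(hops) - 1, -1, -1):
        try:
            addr = ipaddress.ip_address(hops[index])
        except ValueError:
            return str(peer_addr), "malformed"
        if not _trusted(addr):
            # Entries left of this hop were supplied by the client side
            # and cannot be verified.
            verdict = "client-supplied-prefix" if index > 0 else "ok"
            return str(addr), verdict
    # Every hop is one of our proxies: the request originated internally.
    return hops[0], "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    print(client_ip("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"}))
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 198.51.100.9"}))
```
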