How much effort does it take to spoof an Ip Address in a call to a webservice?
https://stackoverflow.com/questions/226316
-
03-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I don't want to know how... Just how complicated....
I'm thinking of securing a webservice or 2 based on the incoming client ipaddress of the caller. Is this in any way secure?
Surely if the IPaddress was being spoofed then the result would have to be sent back to the address that was being spoofed and therefore not reach the spoofer?
Update: Ok so from what I can tell.... I should create a Gettoken() method which checks the IPaddress and passes out a cryptographically significant token with a timeout to any valid IP address. This is then required by any other method before any kind of side effect is allowed.
Since an Attacker can't (likely) get the token without having a valid IP, he will be unable to validly call any of my "dangerous" webmethods ?
Solution
If you're trying to do something more complex than DDoSing or triggering a security hole, then spoofing is not the answer. What you need is a system that will front for your request, thus hiding the true origin of the request. Since we're talking about HTTP traffic, an Anonymous Proxy will do the trick.
For the purposes of security you're referring to, it depends on whether or not actions can be taken. If the site is purely informational, then you are safe. If the site allows actions to be performed (e.g. update this, delete that), then consider adding at least password authentication.
Another issue to keep in mind is that anyone controlling routers between your server and the IP address you wish to allow can intercept the packets. That would allow them to have complete two-way spoofed communication without your server realizing it. If you want the information to be truly secure, use HTTPS and an authentication scheme to prevent such interceptions from happening.
OTHER TIPS
Not that hard, just as easy as spoofing your ip address for any other communication http://en.wikipedia.org/wiki/IP_address_spoofing
But they aren't going to get the responses. The actual IP address they spoofed will.
You're right. If your server response needs to reach the client for a two-way communication to be established then a spoofed IP won't ever receive your response. However, you could suffer a denial-of-service attack from a spoofed IP as computing your response will consume some CPU on the server.
Part of our web service security is to require clients to use public key / private key encryption (xml digital signatures) to ensure non-repudiation to ensure that only allowed clients can access the service.
