On Wed, Mar 14, 2012, ik wrote about "HTTP IP spoofing detection":
> Hello,
>
> I'm trying to detect a layer 7 based HTTP request, and see if it
> contains headers that provided as spoofed IP address.
> Is there a way to detect what is the Ethernet that the request arrived
> from at Apache level ?

Generally, endpoints on the Internet will have a hard time spoofing their IP address on connection-oriented protocols (like TCP-based HTTP is) because while sending a packet with a false "source IP" is easy, it's much more difficult to get back replies, when the victim sends them to the falsified IP address, which routers across the internet won't route to the attacker.

TCP in particular protects against "blind" connection setup (where the attacker cannot see replies) through its three-way handshake: The attacker can send a SYN packet with a false source address, and the server will reply to this false address with a SYN-ACK. This server reply contains a server-chosen random initial sequence number. The attacker will never receive this packet, so he'll not be able to respond to it with its own ACK, as needed, and the connection will NOT be established.

Anyway, if you really need to authenticate remote machines, you should probably not do this based on their IP address, and rely on more secure methods (e.g., SSL). Or at least don't allow the first packet (an HTTP request) to do any damage.

-- 
Nadav Har'El                        | Wednesday, Mar 14 2012,
n...@math.technion.ac.il            |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |A smart man always covers his ass. A wise
http://nadav.harel.org.il           |man just keeps his pants on.
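
An added example, not part of the original message or thread: a server-side check that treats the TCP peer address (the one that completed the three-way handshake) as the only verified address and accepts a header-supplied address only when the peer is a known reverse proxy. The header name X-Forwarded-For, the TRUSTED_PROXIES range and the function names are assumptions chosen for illustration; the sample addresses are constructed.

```python
import ipaddress

# Assumption: address ranges of reverse proxies we operate (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def assess_request(peer_ip, headers):
    """Return (client_ip, findings) for one HTTP request.

    peer_ip is the TCP source address of the connection (REMOTE_ADDR).
    It survived the handshake, so replies to it reached the sender.
    Header values are request text and can say anything.
    headers is assumed to be a dict keyed by canonical header name.
    """
    peer = ipaddress.ip_address(peer_ip)
    findings = []
    xff = headers.get("X-Forwarded-For")
    if xff is None:
        return str(peer), findings
    if not _is_trusted(peer):
        # A direct client sent the header itself: never believe it.
        findings.append("X-Forwarded-For from untrusted peer ignored")
        return str(peer), findings

    # Walk right to left: each trusted proxy appended the address it saw.
    hops = [h.strip() for h in xff.split(",")]
    client = peer
    for i in range(len(hops) - 1, -1, -1):
        try:
            addr = ipaddress.ip_address(hops[i])
        except ValueError:
            findings.append("malformed X-Forwarded-For entry: %r" % hops[i])
            break
        client = addr
        if not _is_trusted(addr):
            # First untrusted hop is the client; anything further left
            # was supplied by that client and is unverifiable.
            if i > 0:
                findings.append("%d client-supplied entries ignored" % i)
            break
    return str(client), findings
```
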