IP Address Spoofing

dmcdo...@my-dejanews.com

May 14, 1999, 3:00:00 AM
I have an ASP site that is tailored to suit groups of individuals based on
their IP address. Their IP address is retrieved from the
Request.ServerVariables("REMOTE_ADDR") which is then added to their Session
variable. This is used to determine the information content sent to that
user. What I want to know is can this IP address be spoofed ? As the tailored
sites contain sensitive information, it is critical that we don't leave
ourselves open to attack by this method. If it can, then what is the most
secure way (apart from HTTPS) to host an ASP site ?

Thanks in advance
Declan


mdc

May 14, 1999, 3:00:00 AM
On Fri, 14 May 1999 10:25:39 GMT, dmcdo...@my-dejanews.com wrote:

>I have an ASP site that is tailored to suit groups of individuals based on
>their IP address. Their IP address is retrieved from the
>Request.ServerVariables("REMOTE_ADDR") which is then added to their Session
>variable. This is used to determine the information content sent to that
>user. What I want to know is can this IP address be spoofed ? As the tailored
>sites contain sensitive information, it is critical that we don't leave
>ourselves open to attack by this method. If it can, then what is the most
>secure way (apart from HTTPS) to host an ASP site ?

The IP address in ServerVariables can certainly be spoofed.
Check this URL for an intro to how spoofing is done
http://network.miami.edu/james/.spoof

Hosting a "secure" site, SSL or otherwise, is no protection
against IP spoofing. Secure sites are meant to prevent
sniffing, a totally separate attack.

Michael


David Saff

May 17, 1999, 3:00:00 AM
to microsoft.public.inetser...@list.deja.com
dmcdo...@my-dejanews.com writes:
> What I want to know is can this IP address be spoofed ? As the tailored
> sites contain sensitive information, it is critical that we don't leave
> ourselves open to attack by this method. If it can, then what is the most
> secure way (apart from HTTPS) to host an ASP site ?

IP addresses can always be spoofed. They are a good safeguard, but
will never protect you against a determined invader. IP + cookies is
a slightly better safeguard, but still supplies no absolute
safeguard. I don't know why HTTPS has been ruled out for your
solution, but I would suggest rethinking it. Share and Enjoy,

David Saff

mdc

May 18, 1999, 3:00:00 AM
On Mon, 17 May 1999 14:20:32 +0100 (Eas), David Saff <ds...@tvisions.com>
wrote:

IP + cookies won't do anything to detect or foil IP spoofing
unless you're talking about a cookie that persists between
sessions. If the IP is spoofed in the routing table, then you've
formed a two-way link with the imposter and the cookie would
just get set on his machine. If the link isn't two-way (that is,
the imposter is just forging headers to lie about his IP), then
anything you send back to him will be mis-addressed and he
won't get it - a fairly useless spoof unless it's just a DOS attack.

HTTPS also wouldn't do anything about IP spoofing. It would
simply encrypt your link with the imposter. It guards against
sniffing, but not spoofing.

Michael
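
An added illustration of the "IP + cookie that persists between sessions" idea discussed in this thread, not code from any poster and written in Python rather than ASP so it runs stand-alone: REMOTE_ADDR is treated as one signal, and tailored content is served only when a server-signed cookie also verifies. The key, networks, cookie layout and function names are hypothetical, and the cookie is assumed to have been issued at an earlier, authenticated visit.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values; every name below is hypothetical.
SERVER_KEY = b"constructed-demo-key"  # a real key is random and kept out of source
GROUP_NETWORKS = {
    "sales": ipaddress.ip_network("192.0.2.0/24"),
    "engineering": ipaddress.ip_network("198.51.100.0/24"),
}

def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str, group: str) -> str:
    """Persistent cookie value: user|group|HMAC, so the client cannot edit it."""
    if "|" in user or "|" in group:
        raise ValueError("separator not allowed in user or group")
    payload = f"{user}|{group}"
    return f"{payload}|{_tag(payload)}"

def group_from_cookie(cookie: str):
    """Return the group named in the cookie, or None if the MAC fails."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, group, tag = parts
    expected = _tag(f"{user}|{group}")
    # Compare as bytes in constant time; attacker-supplied text may be non-ASCII.
    return group if hmac.compare_digest(tag.encode(), expected.encode()) else None

def group_from_ip(remote_addr: str):
    """Return the group whose network contains REMOTE_ADDR, or None."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    for group, net in GROUP_NETWORKS.items():
        if addr in net:
            return group
    return None

def content_group(remote_addr: str, cookie):
    """Tailored content requires a valid cookie AND an agreeing source IP."""
    cookie_group = group_from_cookie(cookie or "")
    if cookie_group is None:
        return None  # a matching IP alone is never enough
    return cookie_group if group_from_ip(remote_addr) == cookie_group else None
```

A cookie sent over plain HTTP can still be sniffed and replayed, which is the separate attack the thread says HTTPS addresses.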