Is it possible to spoof HttpRequest.UserHostAddress (REMOTE_ADDR)?


Question

As an additional measure for securing a web application, I'm considering implementing client IP whitelisting.

The preferred way seems to be: do this at the router. However, this is a significant administrative burden in my scenario.

I would like to do this in software, on the web server. Is there a reason why this is less secure?

Recommended answer

The HttpRequest.UserHostAddress is retrieved from the source IP number in the HTTP request that is sent from the end user to your server. An HTTP request is divided into several IP packets, and the source IP number is a field in each IP packet. Anyone on the net may craft IP packets with any IP number in the source field and send them to you.

However, the usefulness of this is somewhat restricted. When you respond to an HTTP request, the response is sent to the source IP number in the request. The attacker will not receive the response unless he is able to intercept the response on its way to the receiver. As an example: if the attacker sends you a login request with a username and password, then you probably respond with a cookie. But since the cookie is sent to the fake source IP, the attacker will never see it.

IP spoofing is not technically difficult, but since the attacker will not receive the response, it is mostly used for attacks that can be done with a single request.

Routers and firewalls may also protect you against malicious IP packets with false source IPs. Most firewalls will, for example, block packets from the external net with a source IP from the internal net.
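A software-side allowlist check of the kind the question asks about, as an added example that is not part of the original question or answer. The class name `ClientIpAllowlist` is hypothetical and the ranges in the usage comment are constructed sample values; the check is meant to sit in front of normal authentication, since the answer notes that a forged source address can still deliver a single request.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Hypothetical helper (added example). Constructed usage, e.g. in Global.asax:
//   var allow = new ClientIpAllowlist(new[] { "203.0.113.0/24", "2001:db8::/32" });
//   if (!allow.IsAllowed(Request.UserHostAddress)) Response.StatusCode = 403;
public sealed class ClientIpAllowlist
{
    private sealed class Range { public byte[] Network; public int Prefix; }
    private readonly List<Range> _ranges;

    public ClientIpAllowlist(IEnumerable<string> cidrs)
    {
        _ranges = cidrs.Select(Parse).ToList();
    }

    private static Range Parse(string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] network = IPAddress.Parse(parts[0]).GetAddressBytes();
        int maxBits = network.Length * 8;
        int prefix = parts.Length == 2 ? int.Parse(parts[1]) : maxBits;
        if (parts.Length > 2 || prefix < 0 || prefix > maxBits)
            throw new FormatException("Bad CIDR entry: " + cidr);
        return new Range { Network = network, Prefix = prefix };
    }

    // Pass HttpRequest.UserHostAddress here. Unparsable input is rejected (fail closed).
    public bool IsAllowed(string userHostAddress)
    {
        IPAddress addr;
        if (!IPAddress.TryParse(userHostAddress, out addr)) return false;
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4(); // ::ffff:a.b.c.d form
        byte[] bytes = addr.GetAddressBytes();
        return _ranges.Any(r => Matches(bytes, r.Network, r.Prefix));
    }

    private static bool Matches(byte[] addr, byte[] network, int prefix)
    {
        if (addr.Length != network.Length) return false; // IPv4 vs IPv6 mismatch
        int fullBytes = prefix / 8, remBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (addr[i] != network[i]) return false;
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF; // keep only the leading remBits
        return (addr[fullBytes] & mask) == (network[fullBytes] & mask);
    }
}
```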
