Network security: IP forgery

Source: Internet
Author: User

At present many sites contain security holes, and attackers readily use IP forgery, session hijacking, XSS, session injection and similar techniques to endanger site security. The documentary "The Internet's Own Boy" (worth watching) tells how Aaron Swartz (a real person, and something of a legend) allegedly used the MIT network to download 1.5 million papers from JSTOR by means of IP forgery. This article uses Firefox to show how a simple IP forgery is achieved.

1. The client IP is sent to the server through HTTP headers

For example, when you open www.baidu.com, Firebug lets you see the request headers; they carry client information such as cookies.

The code commonly used on the server side to obtain the client IP looks like this:

PHP Code:

private function _get_client_ip() {
    // REMOTE_ADDR is the TCP peer address; the HTTP_* keys are request headers sent by the client.
    $ip = $_SERVER['REMOTE_ADDR'];
    if (isset($_SERVER['HTTP_CLIENT_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    }
    // The original snippet is cut off at this point; it also checks HTTP_X_FORWARDED_FOR, as described below.
    return $ip;
}


JSP Code:

import javax.servlet.http.HttpServletRequest;

public String getIpAddr(HttpServletRequest request) {
    // Try the proxy-supplied headers first; all of them come from the request and can be set by the client.
    String ip = request.getHeader("X-Forwarded-For");
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        ip = request.getHeader("Proxy-Client-IP");
    }
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        ip = request.getHeader("WL-Proxy-Client-IP");
    }
    if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
        // Only this value comes from the TCP connection rather than from a header.
        ip = request.getRemoteAddr();
    }
    return ip;
}

Both snippets obtain the client IP. The program checks HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR, and by the principle above, any header starting with HTTP_ is content sent by the client. So if the client forges Client-IP or X-Forwarded-For, can it not deceive the program and achieve a "fake IP"?

How do you forge this value? If you can write code and understand the HTTP protocol, you can construct the request header directly.

Or you can use Firefox's Modify Headers plugin.

2. Forging the IP with Modify Headers

After installing Modify Headers, add an X-Forwarded-For header, fill in an IP, enable it, and open the page in question; the server will then obtain the spoofed IP.

3. How a site can protect itself against IP forgery

Since the IP can be forged this way, how does a site filter out the fake IPs? The usual practice is to have the application server overwrite the value of X-Forwarded-For with the client's real IP, rather than trusting the value the client sent; the details are left for you to research.

Many sites on the network have this vulnerability, especially voting (polling) sites, which limit repeat votes by restricting the IP (one IP can only vote once, or only once within a certain period).

Such restrictions can be broken by forging the IP, so site developers should pay attention to this type of security issue.
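One concrete way to implement the advice in section 3, as an added example that is not part of the original article: the server only believes X-Forwarded-For when the TCP peer is one of its own reverse proxies, and then walks the chain from the right to find the first hop that a trusted proxy did not append. The `client_ip` helper and the proxy ranges are assumed names and values for illustration.

```python
import ipaddress
from typing import Iterable, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(value: str) -> Optional[Address]:
    """Return an address object, or None for junk such as 'unknown' or ''."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Resolve the real client IP without trusting client-supplied headers.

    remote_addr:     the TCP peer address; an HTTP header cannot change it.
    x_forwarded_for: the raw X-Forwarded-For header value, or None.
    trusted_proxies: CIDR ranges of our own reverse proxies / load balancers
                     (constructed for this example).

    Only a trusted proxy may vouch for a client address, and each proxy
    appends the address it saw to the right end of the header. So we walk
    the chain from the right and stop at the first hop that is not one of
    our proxies; everything left of it was supplied by an untrusted party.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(addr: Address) -> bool:
        return any(addr in net for net in networks)

    peer = _parse_ip(remote_addr)
    if peer is None or not trusted(peer):
        # Direct connection, or a peer we do not trust: ignore the header entirely.
        return remote_addr

    hops = [_parse_ip(h) for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop is None:
            break  # malformed entry: trust nothing further to the left
        if not trusted(hop):
            return str(hop)  # first hop not appended by one of our proxies
    # Header missing, malformed, or made up only of our proxies: fall back to the peer.
    return remote_addr
```

With this rule a spoofed X-Forwarded-For on a direct connection is ignored, and behind a trusted proxy the attacker's injected value is skipped in favour of the address the proxy itself appended.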

Part of this article's content comes from the blog post "Constructing the HTTP request header to achieve a spoofed source IP".
