I don't want to know how... Just how complicated....

I'm thinking of securing a web service or 2 based on the incoming client IP address of the caller. Is this in any way secure?

Surely if the IP address was being spoofed then the result would have to be sent back to the address that was being spoofed and therefore not reach the spoofer?

Update: OK, so from what I can tell... I should create a Gettoken() method which checks the IP address and passes out a cryptographically significant token with a timeout to any valid IP address. This is then required by any other method before any kind of side effect is allowed.

Since an attacker can't (likely) get the token without having a valid IP, he will be unable to validly call any of my "dangerous" webmethods?
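The token scheme described in the update above, sketched as an added example that is not part of the original thread. The allowlisted network, the token lifetime, the key handling and the function names `get_token` and `check_token` are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed sample allowlist (TEST-NET-3 documentation range).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
TOKEN_LIFETIME = 300  # seconds; assumed value
SERVER_KEY = secrets.token_bytes(32)  # assumption: per-process key, never sent to clients


def ip_allowed(client_ip):
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def _sign(client_ip, expires, nonce):
    # The MAC covers the caller's address, so a token is useless from another IP.
    msg = f"{client_ip}|{expires}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def get_token(client_ip, now=None):
    """Issue a token only to an allowlisted address; return None otherwise.
    The response goes to client_ip, so a blind spoofer never sees the token."""
    now = time.time() if now is None else now
    if not ip_allowed(client_ip):
        return None
    expires = int(now) + TOKEN_LIFETIME
    nonce = secrets.token_hex(16)
    return f"{expires}.{nonce}.{_sign(client_ip, expires, nonce)}"


def check_token(token, client_ip, now=None):
    """Gate for every side-effecting method: verify MAC, source address, expiry."""
    now = time.time() if now is None else now
    try:
        expires_s, nonce, mac = token.split(".")
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    expected = _sign(client_ip, expires, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return now < expires
```

The token only stays secret from a party who cannot read the response; anyone on the network path between server and client still can unless the exchange runs over HTTPS.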

+1  A: 

Not that hard, just as easy as spoofing your IP address for any other communication: http://en.wikipedia.org/wiki/IP_address_spoofing

But they aren't going to get the responses. The actual IP address they spoofed will.

Nick
So I should CheckIPAddress in a getToken method and then pass out a token in that method. All other methods should require that token before any further processing. A spoofer would not get the token from the first call and so would not be able to call any other method?
Rory Becker
Yes, but listen to the other people and the DDoS problem.
Nick
Totally agree.... however.. isn't a DDoS fundamentally unsolvable?
Rory Becker
Most of the time IP spoofing is done blind, but to keep the communication flowing they have to knock out the original box so it won't send RSTs, basically responding to the server with a "WTF?! I didn't send that." And if they can drop a net monitor in the network somewhere, they have 2-way info.
stephenbayer
+3  A: 

If you're trying to do something more complex than DDoSing or triggering a security hole, then spoofing is not the answer. What you need is a system that will front for your request, thus hiding the true origin of the request. Since we're talking about HTTP traffic, an Anonymous Proxy will do the trick.

For the purposes of security you're referring to, it depends on whether or not actions can be taken. If the site is purely informational, then you are safe. If the site allows actions to be performed (e.g. update this, delete that), then consider adding at least password authentication.

Another issue to keep in mind is that anyone controlling routers between your server and the IP address you wish to allow can intercept the packets. That would allow them to have complete two-way spoofed communication without your server realizing it. If you want the information to be truly secure, use HTTPS and an authentication scheme to prevent such interceptions from happening.

64BitBob
+1  A: 

You're right. If your server response needs to reach the client for a two-way communication to be established then a spoofed IP won't ever receive your response. However, you could suffer a denial-of-service attack from a spoofed IP as computing your response will consume some CPU on the server.

J Francis
A: 

Part of our web service security is to require clients to use public key / private key encryption (XML digital signatures) to ensure non-repudiation and to ensure that only allowed clients can access the service.

Paul Croarkin