Let's say we're tracking the end-user IP for a web service:

' Prefer the address a proxy claims to have forwarded for; it is a plain HTTP header.
ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
' No such header (no proxy, or a transparent one that doesn't add it): use the TCP peer address.
If ip = "" Then
    ip = Request.ServerVariables("REMOTE_ADDR")
End If

I've read that this is the best method of retrieving end-user IP because it works even for users on a transparent proxy.

If we're using the end-user IP address to filter malicious users, are there any security implications with the above method instead of, say, just using Request.ServerVariables("REMOTE_ADDR")?

For example, if we banned a malicious user by end-user IP, could they easily change their IP via a proxy and continue using our web service?

Thanks in advance for your help.

+5  A: 

REMOTE_ADDR is generated by the web server based on the connection from the client. HTTP_X_FORWARDED_FOR is based on an HTTP header sent by the client.

You can't trust input from the client, particularly input that is easily faked, such as HTTP headers. Clients can stick anything into that HTTP_X_FORWARDED_FOR header.

R. Bemrose
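The usual way to act on this answer is to use X-Forwarded-For only when REMOTE_ADDR is one of your own reverse proxies, and then to read the chain from the right, stopping at the first address that is not yours. The following is an added Python example, not code from the question or the answers; the TRUSTED_PROXIES list is a constructed stand-in for your own load balancers.

```python
import ipaddress

# Constructed allow-list of proxies we operate (assumption for this example).
# Only these hosts are allowed to "speak for" a client via X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to a proxy we control; malformed input is never trusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: str = "") -> str:
    """Return the address to use for filtering or banning.

    remote_addr is the TCP peer (REMOTE_ADDR); forging it would require
    controlling the network path. x_forwarded_for is free text the client may
    have written itself, so it is only consulted when the peer is one of our
    own proxies, and even then only the right-most part that our proxies
    appended is believed. Anything further left is attacker-controlled.
    """
    if not is_trusted_proxy(remote_addr):
        # Direct connection (or an unknown/transparent proxy): the header proves nothing.
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the chain: fall back to the peer address
        if not is_trusted_proxy(str(ip)):
            return str(ip)  # first hop that is not ours: the client as our edge saw it
    # Header was empty or contained only our own proxies.
    return remote_addr
```

A ban keyed on client_ip() therefore cannot be evaded just by sending a different X-Forwarded-For value; a client that really is behind an anonymising proxy still shows up as that proxy, which is the honest answer.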
A: 

If the users are using a transparent proxy then the above code will get the real IP address. If they're using an anonymous proxy, though (like Anonymizer), then there's really no way to get the user's actual IP address.

Kevin Tighe