views:

318

answers:

7

I need to put together a small brief about the weaknesses behind limiting content to specific countries based on IP address.

Besides using proxy server located in another country, can you think of another way to circumvent such a system?

+1  A: 

You could buy that software that prevents you from broadcasting your IP address. I'm sure it works, I see it advertised in banner ads all over the place :)

On a more serious note, one way of bypassing this would be by using a caching server (google cache, wayback machine).

Eric Petroelje
+6  A: 

Basically, any solution that uses an intermediary is a proxy. Period.

All the "surf anonymously" sites are proxies, even if they use their own software.

You can use SSH and tunneling, but that is, in effect, a proxy as well, just a tunneled one. Same with VPN.

The only thing that doesn't require a proxy is source address spoofing, and that only works with one-way attacks, because no return data will be able to get to you.

Also, consider that Geo-Locating is not 100% accurate. I have IP addresses in Canada that show up as US addresses, and I've had US addresses that show up as Canada. I'm sure this is more common in other parts of the world.

Mystere Man
+1  A: 

I don't think you can. The machine you're talking to has to know where to send it's reply to; that's your IP address. The only way to hide that is to have it reply to someone that's not you who passes it on to you - ie. a proxy.

Tor is a good way of achieving anonymity in general, although it's not appropriate for circumventing the type of system you're talking about.

Peter
+1  A: 

Since your IP address is in each IP packet that goes over the network, and it is required for you to get the response back, you cannot prevent your real IP address from being detected at the server (other than by putting a proxy in between).

Some links that may be of interest to you:

Conflict between Sweden and Norway about surveillance (Sweden cannot reliably identify Norway IP traffic and exclude it from surveillance)

Herdict.com (which we built, I am happy to report)

cdonner
A: 

If the service is using a web based Geo IP lookup, then a successful MITM attack could trick the service into thinking that the IP address is valid. Of course this is much more involved, but definitely doable.

codelogic
+1  A: 

It depends on what level of the IP stack you are checking the IP, but on higher levels, you wouldn't need to even have a proxy server to have a different IP address show up. For example, modifying the TCP header would do it if that is what you are checking against.

Here's a link discussing spoofing: http://www.securityfocus.com/infocus/1674

Kevin
This is a good observation. Where do server variables get this value from?
BC
In most cases, I believe the HTTP header. I've always been told you have to lock IPs down at the router level to make sure that they can't be spoofed (using proxy servers not included as that makes the spoofed IP legitimate).
Kevin
I sniffed some IE to IIS requests and didn't see an IP header. I believe the server to be using the network ip.
BC
You're right. I was wrong. Here it explains how to spoof the IP address: http://en.wikipedia.org/wiki/IP_address_spoofing
Kevin
A: 

Don't forget VPNs (and, admittedly, NAT). I guess that could be classed as a proxy, too. It also requires having access to a suitable machine in another country.

Vatine