
I am using the following source code to get a client IP address,

Public Shared Function GetIPAddress() As String
    Dim context As System.Web.HttpContext = System.Web.HttpContext.Current
    Dim sIPAddress As String = context.Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If String.IsNullOrEmpty(sIPAddress) Then
        Return context.Request.ServerVariables("REMOTE_ADDR")
    Else
        Dim ipArray As String() = sIPAddress.Split(New [Char]() {","c})
        Return ipArray(0)
    End If
End Function

But I have found that HTTP_X_FORWARDED_FOR can be easily spoofed using X-FORWARDED-FOR HTTP header. Is it correct?

Can REMOTE_ADDR also be spoofed? If yes, then what can one rely upon from a security point of view?

Note: My only concern is with clients that are receiving the response, not the one that spoofed the IP at the TCP level and will not get the response.

user960567

1 Answer


This obviously only applies to HTTP, as it is a HTTP header.

It furthermore relies on a proxy server that doesn't attempt to hide that it's a proxy server. It will not work with clients using VPN. It will not work for clients using a proxy that doesn't reveal itself. It will not work for clients who establish a TLS session using CONNECT through a proxy.

In short, it provides no real security, but may be useful for statistical purposes or similar. It's like politely asking the client who they are, and expecting them to answer truthfully.

You can rely on REMOTE_ADDR being the host that actually sends you the traffic. That's basically ensured by the three-way handshake of TCP/IP.

You cannot be sure who asked the remote address to initiate the connection. You cannot be sure if that remote host is a VPN terminator. You can't know if it's a proxy. You can't know if it's part of a botnet.

vidarlo
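The distinction the answer draws (REMOTE_ADDR is the TCP peer and can be relied on; X-Forwarded-For is whatever the sender chose to write) is what a trusted-proxy list is for. Below is an added example, not code from the question or the answer, that puts the question's "first X-Forwarded-For entry wins" logic beside a version that only honours the header when REMOTE_ADDR is one of the application's own reverse proxies and walks the chain from the right, so a client-supplied prefix never wins. It is written in Python because the logic is language-independent; the proxy ranges are assumed values for illustration.

```python
import ipaddress

# Constructed for this example: the reverse proxies the application sits behind.
# Only hops inside these networks are allowed to "speak for" an earlier client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.10/32")]


def naive_client_ip(remote_addr, xff_header):
    """Mirrors the question's logic: leftmost X-Forwarded-For entry, no trust check."""
    if not xff_header:
        return remote_addr
    return xff_header.split(",")[0].strip()


def _is_trusted(hop, trusted):
    """True if the hop parses as an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(hop)
    except ValueError:
        return False  # malformed text is never a trusted proxy
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client address that the trusted proxy chain vouches for.

    remote_addr is the TCP peer (REMOTE_ADDR). If it is not a trusted proxy the
    request came directly from the client (or via an unknown proxy) and the header
    is attacker-controlled, so the peer address is returned unchanged. Otherwise the
    chain "xff entries + peer" is walked from the right, discarding trusted proxies;
    the first untrusted hop is the client as seen by the nearest trusted proxy, and
    anything further left was written by the client and is ignored.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops + [remote_addr]):
        if _is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))  # normalise the address text
        except ValueError:
            break  # client injected garbage at the trust boundary: stop here
    # Every hop was one of our proxies, or the chain was malformed: fall back to the peer.
    return remote_addr
```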