
Suppose my app is hosted on multiple servers within the same data center (say in AWS or DigitalOcean). To secure communication between these servers, I use iptables to whitelist each other's IP.

Question: is whitelisting IPs secure enough to ensure the identity of the request? Or is it actually possible for a hacker's server within the same data center to spoof an IP, thus fooling me into thinking it's one of my own servers?

Irfan434
Saitama

2 Answers


Most of the providers are actually pretty good at securing their networks, but IP whitelists are still not a way to "secure communication". Though they can be an additional security measure, you'll still have to roll encryption and authentication to secure the connection.

However, most of the cloud providers allow you to set up private networks. This will give you an IP space that is guaranteed to be "yours" and is not routed to the public internet. If you want "internal" communication between servers you should very much use that, instead of messing around with iptables and public IP addresses.

averell

IP spoofing can be used to launch denial of service attacks, which could overload your server or, at least, rack up your AWS bill.

Also, if your traffic is not encrypted (e.g. with HTTPS), then the data in transit is prone to man-in-the-middle attacks. Your data to and from the server can be read and modified.

Using a VPC (virtual private cloud) may simplify server-to-server communication.

Irfan434
    That first part isn't really accurate/applicable. A hacker doesn't have to spoof your IP address to mount a DOS attack, nor would they bother trying. Also, they can't *really* send data to a TCP/IP server when spoofing an IP. They certainly can send IP packets, but since a handshake is required to initialize a TCP/IP connection, the destination TCP/IP server will never receive any data from a request with a spoofed IP. An attacker could still use up network bandwidth, but without a handshake no data will be sent or received. – Conor Mancone Feb 22 '20 at 14:12
  • @ConorMancone Thanks, I've edited the answer. Would you say that IP spoofing makes no difference in this case? Would using a VPC provide additional security? – Irfan434 Feb 23 '20 at 02:12
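Both answers make the same point from different angles: a source-address allowlist (ideally on a private VPC range) is a useful network-layer filter, but it is not authentication, so each request still needs encryption and a proof that the sender holds a secret. The following added example (not from the question or either answer) shows that layering: a constructed private subnet `10.0.0.0/16`, a constructed shared key, and an HMAC tag with a timestamp window, so that a packet merely claiming a private source address is rejected unless it also carries a valid tag.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Optional, Tuple

# Constructed values for this example (assumptions, not from the page):
# the VPC's private subnet and a shared key distributed out-of-band to
# the app servers. In production the key would come from a secrets store.
PRIVATE_SUBNET = ipaddress.ip_network("10.0.0.0/16")
SHARED_KEY = b"example-shared-key-rotate-me"
REPLAY_WINDOW_SECONDS = 30


def sign_request(key: bytes, payload: bytes, timestamp: int) -> str:
    """Return a hex HMAC-SHA256 tag binding the payload to a timestamp."""
    msg = str(timestamp).encode() + b"\n" + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize(peer_ip: str, payload: bytes, timestamp: int, tag: str,
              now: Optional[int] = None) -> Tuple[bool, str]:
    """Two independent checks: network-layer allowlist, then message auth.

    The allowlist only shows the packet *claims* a private source address.
    The HMAC shows the sender holds SHARED_KEY, which a spoofed source
    cannot produce, and the timestamp bounds how long a captured request
    could be replayed.
    """
    now = int(time.time()) if now is None else now
    if ipaddress.ip_address(peer_ip) not in PRIVATE_SUBNET:
        return False, "source address outside private subnet"
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_request(SHARED_KEY, payload, timestamp)
    # compare_digest avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(expected, tag):
        return False, "bad authentication tag"
    return True, "ok"


if __name__ == "__main__":
    ts = int(time.time())
    good_tag = sign_request(SHARED_KEY, b"sync", ts)
    print(authorize("10.0.3.7", b"sync", ts, good_tag))      # (True, 'ok')
    print(authorize("10.0.3.7", b"sync", ts, "00" * 32))     # bad tag
    print(authorize("203.0.113.9", b"sync", ts, good_tag))   # public source
```

The allowlist check would normally be enforced by the VPC security group or iptables before the application sees the packet; it is repeated here only to make the two layers visible in one place.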