I read different articles on the subject (Spoofing IP address), someone said:

Spoofing an IP is usually better suited to "fire-and-forget" scenarios like DDoS.

due to TCP's two-way communication and its three-way handshake. That's okay, but I have a scenario that I think is similar to this. Here it is:

A bug was recently found on my website in which a user could steal my paid content by sending a POST request to one specific URL with old, successful purchase information (the user had to have bought a product once / had to have successful payment info). He then had access to the content, as the system didn't check whether the current billing information existed (it only checked whether a purchase with that information had been completed successfully).

After finding this bug I restricted POST requests so that they are only processed from a specific IP (the bank website's IP), and I haven't fixed the logic for checking purchase information yet.

Now it came to my mind: could someone fake his IP address as the bank's IP address and get access to my paid content as before?

Is there any way someone could spoof the request's IP address here? If yes, how?

revo

1 Answer

The attacker can still spoof the IP address and use the bank's IP address, but the response from your website will go to the spoofed IP address (the bank's IP address) and not to the attacker's actual IP address.

Usually a TCP handshake is required to initiate a TCP connection. HTTP uses TCP. The attacker will send a SYN packet with a spoofed IP (the bank's IP); your website will then get this packet and send an ACK to the spoofed IP (the bank's IP). The machine at the bank will see that it has received an ACK packet and, as it didn't send any SYN packet before, it will normally drop the packet. Because of this the TCP handshake can't complete, so the connection between your site and the bank is not fully established.

This is why a spoofed IP is used in DDoS: the attacker's motive there is to bring the target machine down so that legitimate users are not able to get resources from it. Hence the name Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack.

Spoofing an IP address: one method is that an attacker uses a packet crafting tool to create a packet that contains a spoofed IP address. The link above shows the most commonly used tools.

ρss
  • Thank you pss, but how can an `attacker still spoof the IP address and use bank's IP address`? I know that in the end you said the TCP handshake fails, but I'd like to know how it is achievable. – revo Jun 13 '15 at 15:07
  • Welcome revo. I have updated my answer. – ρss Jun 13 '15 at 15:15
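As an added illustration (not part of the answer or comments above), a small Python model of the handshake the answer describes: packets are routed by destination only, so the SYN-ACK for a spoofed SYN is delivered to the bank's address, which drops it because it never sent a SYN, and the site is left with a half-open connection instead of one it can serve a POST over. All addresses, sequence numbers and the `Host`/`handshake` helpers are constructed for this example.

```python
# Added example, not from the original answer: a toy model of the three-way
# handshake showing why a SYN with a spoofed source never yields a usable
# connection. Addresses and sequence numbers are made-up values.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags seq ack")

class Host:
    def __init__(self, ip, net):
        self.ip, self.net = ip, net
        net[ip] = self
        self.received = []        # every packet routed to this address
        self.sent_syn = {}        # peer -> ISN of SYNs this host really sent
        self.half_open = {}       # peer -> our ISN, waiting for the final ACK
        self.established = set()  # peers with a completed handshake

    def send(self, dst, flags, seq, ack=0, src=None):
        # routing looks only at dst; nothing verifies that src is really ours
        pkt = Packet(src or self.ip, dst, flags, seq, ack)
        if dst in self.net:
            self.net[dst].receive(pkt)

    def receive(self, pkt):
        self.received.append(pkt)
        if pkt.flags == "SYN":                      # server: reply to the claimed source
            self.half_open[pkt.src] = isn = 4000
            self.send(pkt.src, "SYN-ACK", isn, pkt.seq + 1)
        elif pkt.flags == "SYN-ACK":                # client: accept only if we sent that SYN
            if self.sent_syn.get(pkt.src) == pkt.ack - 1:
                self.send(pkt.src, "ACK", pkt.ack, pkt.seq + 1)
                self.established.add(pkt.src)
            # else: unsolicited SYN-ACK, dropped (what the bank's host does)
        elif pkt.flags == "ACK":                    # server: complete the handshake
            if self.half_open.get(pkt.src) == pkt.ack - 1:
                del self.half_open[pkt.src]
                self.established.add(pkt.src)

def handshake(spoof_as_bank):
    net = {}
    site, bank, attacker = (Host(ip, net) for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.77"))
    attacker.sent_syn[site.ip] = 1000
    attacker.send(site.ip, "SYN", 1000, src=bank.ip if spoof_as_bank else None)
    return {
        "site_established_with": sorted(site.established),
        "site_half_open_with": sorted(site.half_open),
        "attacker_got_syn_ack": any(p.flags == "SYN-ACK" for p in attacker.received),
        "bank_got_unsolicited_syn_ack": any(p.flags == "SYN-ACK" for p in bank.received),
    }
```

Run `handshake(True)` and `handshake(False)` side by side: only the unspoofed SYN ends with the site's connection established, which is why the IP allowlist blocks this particular request, while the purchase-validation bug itself remains unfixed.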