Users who use 'spoof' IP addresses


woolyg

Hey all,

 

I'm building a PHP app that requires that the user's IP is recorded upon registration, and am in the middle of coding the logic that allows or disallows registration. A question for those who know about IP 'spoofing', really. Is it possible, if you obfuscated or hid your IP, to have a PHP script think you have no IP, i.e. for $_SERVER['REMOTE_ADDR'] to return nothing?

 

The script will require that an IP is returned in the first place - if none is showing, the script will die out.

 

All input appreciated, I'd like to know what I'm up against with regards to the possibility of IP obfuscators/hiders/spoofers...

 

WoolyG


Yes it is possible to spoof your IP address and no you can't do anything about it.  But even legitimate users' IP addresses can change from time to time, even when they are accessing the internet from home.  But they could also be accessing it from a public place, in which case you will most certainly come across different users with the same IP address.

 

The reason most sites are worried about spoofed IP addresses is to ensure that the same user isn't doing something twice.  Like for instance, viewing content twice (like accessing some media or downloading some asset multiple times, when you only want them to access it once).  Requiring the user to register and login greatly reduces this.  And since you require the user to register and login, then what is your need to know their IP address? 

 

In short, for average users, you should not look at IP addresses at all, because not only is it unreliable, it is pointless. 

 

That is not to say that looking at IP addresses is a lost cause.  For instance, you can use it as part of a larger algorithm for determining possible spambots.  If you look at your database and suddenly see 100 hits in the span of minutes from the same IP address, then it's more than likely a spambot.  But the point of previous paragraphs is, if you look in your db at IP address and reject a registration because even one exists, even if it was entered like a year ago...well that is not a good idea.


The reason most sites are worried about spoofed IP addresses is to ensure that the same user isn't doing something twice.  Like for instance, viewing content twice (like accessing some media or downloading some asset multiple times, when you only want them to access it once).

 

That's mostly why I'm looking at this - the site rules are going to dictate that users may not have more than one account. The site will only allow them to carry out a certain action once per page (based on their session ID) and while I'm not going to actively disallow them from doing it, I'll be logging IPs to check if the same action is done on the same page by the same IP, but using different session IDs. This will then be highlighted to admins to 'flag' for a possible duplicate account - also understanding that 2 PCs on the same home or workplace network will be sharing the same IP as seen by the site.

 

Visitors to the site that do not log in will not have the IP recorded.

 

Thanks for your input Crayon, it's made it clearer in my head in any case!!

 

- Wooly

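The flagging scheme described in the post above, combined with the earlier caveat about matches that are far apart in time, as an added example that is not part of the original thread. The row layout (`page`, `action`, `ip`, `session`, `ts`), the function name and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Report (page, action, ip) groups in which two or more different session IDs
 * performed the action within $windowSeconds of each other.
 * The result is a review list for admins; nothing here blocks a user.
 */
function flag_shared_ip_actions(array $rows, int $windowSeconds): array
{
    $groups = [];
    foreach ($rows as $row) {
        $groups[$row['page'] . "\0" . $row['action'] . "\0" . $row['ip']][] = $row;
    }

    $flags = [];
    foreach ($groups as $events) {
        usort($events, fn(array $a, array $b): int => $a['ts'] <=> $b['ts']);
        $sessions = [];
        foreach ($events as $i => $cur) {
            // Look back only as far as the time window reaches, so a match
            // from a year ago does not count against today's visitor.
            for ($j = $i - 1; $j >= 0 && $cur['ts'] - $events[$j]['ts'] <= $windowSeconds; $j--) {
                if ($events[$j]['session'] !== $cur['session']) {
                    $sessions[$cur['session']] = true;
                    $sessions[$events[$j]['session']] = true;
                }
            }
        }
        if ($sessions !== []) {
            $flags[] = [
                'page' => $events[0]['page'], 'action' => $events[0]['action'],
                'ip' => $events[0]['ip'], 'sessions' => array_keys($sessions),
            ];
        }
    }
    return $flags;
}

// Constructed sample log rows (documentation-range IPs, made-up session IDs).
$rows = [
    ['page' => '/poll/12', 'action' => 'vote', 'ip' => '203.0.113.7',  'session' => 'sess-a', 'ts' => 1000],
    ['page' => '/poll/12', 'action' => 'vote', 'ip' => '203.0.113.7',  'session' => 'sess-b', 'ts' => 1600],
    ['page' => '/poll/12', 'action' => 'vote', 'ip' => '203.0.113.7',  'session' => 'sess-c', 'ts' => 1000 + 400 * 86400],
    ['page' => '/poll/12', 'action' => 'vote', 'ip' => '198.51.100.4', 'session' => 'sess-d', 'ts' => 1200],
];
print_r(flag_shared_ip_actions($rows, 3600));
```

With a one-hour window only `sess-a` and `sess-b` are reported together; `sess-c` shares the IP but arrives more than a year later, and `sess-d` comes from a different address.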

Just some additional feedback.  I would advise not relying solely on IP addresses either. However, they tend to be a nice addition to your other security protocols.

So here is another bit of feedback: one way that a person can hide their IP address is by using a proxy. I did some basic Google searches and found out it might be possible to get someone's IP even if they are behind a proxy. http://www.teachmejoomla.net/code/php/remote-ip-detection-with-php.html

Not sure if this is going to help you make the system a little more secure, but it's something worth looking into.


That script buisnessman pointed you to makes it really, really easy to spoof IP addresses since it looks at *FORWARDED_FOR headers, which are just sent by the client and you can set these really easily using Modify Headers or similar browser plugins.  At least using the REMOTE_ADDR makes a person have to work a bit to spoof it even though you might have more duplicates.

 

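The point made in the reply above, as an added example that is not part of the original thread: log `REMOTE_ADDR`, and read `X-Forwarded-For` only when the connection itself comes from a reverse proxy you run. The proxy addresses, the function name `client_ip` and the sample requests are assumptions; the function also returns null when no valid address is present, which covers the opening question.

```php
<?php
declare(strict_types=1);

// Assumption: addresses of reverse proxies you operate yourself (constructed values).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the client IP to log, or null when no valid address is available
 * (for example when the script is run from the command line).
 */
function client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Direct connection: any forwarded header was written by the client, so ignore it.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Connection from our own proxy: walk the chain right to left and take
    // the first hop that is not one of our proxies. Entries further left
    // were supplied by the client and are never used.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // missing or malformed chain: fall back to the socket peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 198.51.100.23'];
$cli     = [];

foreach (['direct' => $direct, 'proxied' => $proxied, 'cli' => $cli] as $name => $server) {
    printf("%-8s %s\n", $name, client_ip($server) ?? '(no address)');
}
```

In the `direct` request the header value is discarded and the socket address is logged; in the `proxied` request only the right-most entry, appended by the trusted proxy, is used.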
