Application Security Concerns: How easy is it to fake an IP-Address?

春和景丽 2020-12-19 17:43

I am dealing with an application that is protected by a firewall and only allows access from certain IP-Addresses (which are application webservers).

It's a bit delic

2 Answers
  • 2020-12-19 18:33

    Now I am quite sure that IP addresses ARE inspected and filtered when passing a router.

    This assumption is incorrect, despite your level of sureness. "Egress filtering", which is the name of this, is generally not done.

    The major protection against widespread spoofing of IP addresses is that the attacker would not receive any response packets - they would all be routed back to the host that is legitimately using the IP address being spoofed. This kind of attack is known as "blind spoofing", because the attacker is working blind.

    In order to send data on a TCP connection, you must be able to finish the TCP "three-way handshake". This requires knowing the initial sequence number used by the opposite end - and since TCP initial sequence numbers are chosen reasonably randomly[1], this prevents a blind spoofing attack from being able to do this. (Note also that this does not apply to UDP - without some kind of application layer preventative, UDP is at significant risk from blind spoofing).

    If the attacker can see the replies coming back (say, because he is sniffing the uplink or the local network of your server), then this also doesn't apply - spoofing TCP connections in this case is not just possible but trivial.


    1. These days, anyway - this wasn't always the case.

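An application-layer preventative of the kind the first answer says UDP needs, as an added example that is not part of the original answers: a stateless return-routability cookie, the idea behind DTLS's HelloVerifyRequest. The `HELLO` message, the 16-byte cookie prefix, the 30-second window and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)  # server-side key, never sent on the wire
WINDOW = 30              # seconds per time bucket (assumed value)
COOKIE_LEN = 16


def make_cookie(addr, now=None, secret=SECRET):
    """Cookie bound to the claimed source (ip, port) and a time bucket."""
    bucket = int((time.time() if now is None else now) // WINDOW)
    msg = f"{addr[0]}|{addr[1]}|{bucket}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def check_cookie(addr, cookie, now=None, secret=SECRET):
    """Accept a cookie minted in the current or the previous bucket."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(cookie, make_cookie(addr, now - d * WINDOW, secret))
        for d in (0, 1)
    )


def handle_datagram(addr, payload, now=None):
    """Decide what to do with one datagram; addr is the source the packet claims.

    Hypothetical wire format: b"HELLO", or cookie (16 bytes) + request.
    """
    if payload == b"HELLO":
        # The cookie is sent to the claimed address, so only a host that
        # actually receives traffic for that address ever learns it.
        return ("send_cookie", make_cookie(addr, now))
    cookie, request = payload[:COOKIE_LEN], payload[COOKIE_LEN:]
    if len(cookie) == COOKIE_LEN and check_cookie(addr, cookie, now):
        return ("process", request)
    return ("drop", b"")


if __name__ == "__main__":
    client = ("192.0.2.10", 5000)  # constructed documentation address
    _, cookie = handle_datagram(client, b"HELLO")
    print(handle_datagram(client, cookie + b"status"))        # process
    print(handle_datagram(client, b"\x00" * 16 + b"status"))  # drop
```

This only rejects blind senders: as the answer notes, a party that can see the replies also sees the cookie, so requests still need their own authentication.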
  • 2020-12-19 18:46

    Inside a LAN it depends on how your routers/switches/hubs are configured. But I think spoofing should be possible quite often.


    I don't think the IP address is inspected. Thus you can send UDP packets with forged sender IP. But you won't receive the answer since the server will send it to the real owner of that IP.

    This means you can't simply fake an IP in TCP since establishing the connection needs a handshake.


    You can forge the IP of somebody if the response will go through your router. So a network admin can fake all IPs inside his LAN, an ISP all IPs inside his net, and a carrier can fake IPs on many international connections, provided they get routed through him.


    Finally there is the possibility of abusing BGP to modify the routes for that IP to go through your computer. But not everybody has access to BGP, you probably need to become an ISP to get it. And then the manipulation will probably be detected because BGP route changes are monitored.
