I've been reading here that a URL returned as a result of a request to PHP/browser may not return a legitimate URL, i.e., intervention on the client side can return a bogus URL.

Is the same true when one requests an IP address of the requesting browser? Can it be spoofed? How is it done? Can one tell if the address is spoofed?

TIA

    Can it be done? Of course. You can spoof pretty much anything over the net. Can one tell if it's being spoofed? Not really. AFAIK, you can only spoof an IP address by routing through proxies; I don't think you can just use HTTP headers or something like that, like you can with URIs or User-Agents.

      If you are going through a proxy that is not fully anonymous, the proxy sends Forwarded-For information to the webserver. So yes, they can tell you are using a proxy (except if you are on a fully anonymous one).

        Although not intentional spoofing of IP addresses... multiple computers behind a proxy server can all have the same IP addr.

        Multiple computers behind a router often have the same IP as well.

        People using AOL rarely show requests with their actual IP, because AOL uses some very freaking proxying of pages to help speed up their service for their users (is it just me, or does this not seem to be working for them...?). Often, you'll get requests where each request to your server (i.e. every image) will be from a different AOL IP address... but often they are really all going to the same person's browser.
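As an added example (not code from any poster in this thread), this is how a web application can act on the "forwarded for" information mentioned above without being fooled by it: the TCP peer address is taken as fact, and X-Forwarded-For entries are honoured only when they were appended by proxies the application itself operates. The trusted proxy ranges and sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable, NamedTuple, Optional


class ClientAddress(NamedTuple):
    ip: str              # best-effort address of the real client
    via_proxy: bool      # True if a proxy we trust forwarded the request
    untrusted_hops: int  # X-Forwarded-For entries ignored because nobody we trust vouched for them


def resolve_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                      trusted_proxies: Iterable[str]) -> ClientAddress:
    """Derive the client address from the TCP peer plus an optional X-Forwarded-For chain.

    remote_addr is the address of the socket peer (REMOTE_ADDR in PHP terms); it cannot be
    faked without breaking the TCP connection, so it is the only value trusted unconditionally.
    X-Forwarded-For is a comma-separated list; each proxy appends the peer it saw, so the
    rightmost entry was written by the proxy closest to us. Any prefix of the list may have
    been supplied by the client itself.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr: ipaddress._BaseAddress) -> bool:
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    chain = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]

    if not is_trusted(peer):
        # Direct connection, or a proxy we know nothing about: the header is just
        # bytes the peer chose to send, so report the peer and count the header as noise.
        return ClientAddress(str(peer), False, len(chain))

    # Walk the chain right to left, peeling off our own proxies until we reach the
    # first address that one of them actually observed as its peer.
    while chain:
        candidate = chain.pop()
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            # Malformed entry: a trusted proxy would not write this, so stop here and
            # fall back to the proxy's own address rather than guess.
            return ClientAddress(str(peer), True, len(chain) + 1)
        if is_trusted(addr):
            continue
        return ClientAddress(str(addr), True, len(chain))

    # Header absent or made up solely of our proxies: the peer is the best we have.
    return ClientAddress(str(peer), True, 0)
```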

          I think I am getting a handle on this IP business. Any gurus that care to comment, teach me, or correct my errors in understanding, please do.

          a) Every end node, client computer, i.e. my Windows browser, is connected to a network that has some range of IP addresses assigned to it. I get one of those IP addresses, either permanently or temporarily, depending upon my connection.

          b) When I access a website via my browser, the packets that get sent have a destination IP and a source IP. The destination IP is necessary to route the packet from my client to the web server, but the source IP is not used until the server delivers up the page. Then the source IP I sent becomes the destination to return the requested data to me.

          c) URLs can be easily spoofed because they are only needed for DNS lookup to get the correct IP to load into the packet header. Once that is done, it really doesn't matter what the URL is because the routing data is already in the header.

          d) If I were to spoof my IP address in a packet, then I cannot receive any information back since the return IP is no longer valid. But, if my intent is not to receive information, but to be hidden while I send data to the server, then IP spoofing does what I want.

          e) Being able to spoof an IP requires being able to get into the TCP/IP stack and alter the outgoing source address in the packet. Apparently, this has long been possible in most flavors of *nix systems, but until the advent of Win 2K, and Win XP, this could not be accomplished in a Windows system.

          f) If ISPs (and their routers) were to check the source IP of each outgoing packet from their network, they could easily prevent IP spoofing altogether. If the IP address is not within the network then it must be bogus. Actually, they could be much more granular about this, and actually confirm that a source IP address is within a block of IPs managed by a router.

          g) Although more complicated, the ISP could also ensure that there are no spoofed URLs or spoofed email addresses, by verifying that the URL or email addy matches an A or MX record in a DNS... again, if there is no return of a valid IP, or the IP returned for the URL/email addy is not within the block serviced by the ISP, then the URL/email addy must be bogus.

          h) So, the reality is that spam email could be stopped if the switches and routers in the networks were programmed to verify that the supposed source headers (whether IP or URL) actually fall within the IPs managed by the ISP.

          Do I have this right?

            Exactly right, beastrider, and you bring up some good points about the possibilities of stopping spoofing and spamming. However, the processing overheads required to check each packet as it passes through a router are unfeasible. The TCP/IP stack implementation in Win9x wasn't properly implemented and had some major flaws, some of which meant you couldn't control it as you should be able to, and some of which meant it had some major vulnerabilities, but the *nix varieties basically allow you to do whatever the hell you like with your packets. We use a product at my company every now and then that allows us to adjust any part of any packet that goes through the machine (it's used as a network gateway), which runs on a heavily modified version of Debian Linux 🙂