httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] .htaccess mixed access based on client-ip/auth
Date Thu, 07 Dec 2006 21:37:34 GMT
On 12/7/06, ara.t.howard@noaa.gov <ara.t.howard@noaa.gov> wrote:

> >> still, i think even REMOTE_ADDR could be spoofed easily couldn't it?
> >
> > No, it is determined directly from the TCP/IP connection information which
> > cannot be (easily) spoofed.  The Client-IP is simply a request header which
> > the client (or proxy) completely controls.
>
> ok.  i'm understanding correctly then - spoofing remote_addr would most likely
> involve packet wrapping.  i'm not sure that would be considered 'hard' - but it
> is indeed harder than setting headers.

I'm not sure what you mean by "packet wrapping".  But in general, it
is hard to lie about the source IP address if you want to get a
response from the server and are not on the same local network.  (It
is much easier if you are just doing a denial of service attack and
hence don't care if you ever see a response.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
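
The distinction discussed in this thread, as an added example that is not part of the original messages: a loopback server compares the address of the accepted TCP connection (what REMOTE_ADDR is derived from) with the Client-IP request header. The 10.20.0.0/16 policy and the `allowed` and `probe` helpers are assumptions made for the demo.

```python
import http.client
import ipaddress
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

# Constructed policy for the demo: only this network may access the resource.
TRUSTED_NET = ipaddress.ip_network("10.20.0.0/16")

def allowed(addr):
    """True if addr parses as an IP address inside TRUSTED_NET."""
    try:
        return ipaddress.ip_address(addr) in TRUSTED_NET
    except ValueError:
        return False

class Handler(BaseHTTPRequestHandler):
    seen = {}

    def do_GET(self):
        peer = self.client_address[0]                # from accept(): basis of REMOTE_ADDR
        claimed = self.headers.get("Client-IP", "")  # header text chosen by the client
        Handler.seen = {
            "peer": peer,
            "claimed": claimed,
            "allow_by_peer": allowed(peer),
            "allow_by_header": allowed(claimed),
        }
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(claimed_ip):
    """Serve one loopback request carrying Client-IP: claimed_ip; return what the server saw."""
    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    conn.request("GET", "/", headers={"Client-IP": claimed_ip})
    conn.getresponse().read()
    conn.close()
    worker.join(5)
    server.server_close()
    return dict(Handler.seen)

if __name__ == "__main__":
    print(probe("10.20.30.40"))
```

A check keyed on the header admits the request, while the same check keyed on the connection's peer address sees 127.0.0.1 and denies it.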

