
We have a few Windows server VMs hosted in Amazon cloud. Users need to enter account and password to RDP to the VMs. The VMs’ RDP EndPoint (IP+Port) is public to the internet. As an extra security measure, we managed to restrict access to the RDP port (available to public) to specific public IP addresses.

The question is: how easy is it to spoof a public IP address? Can hackers spoof our designated public IP address so they bypass our public IP address firewalling? Thank you,

Allan Xu
    Crude source-IP-based security is broadly used, so the question is an important one. – kubanczyk Nov 16 '15 at 17:25
  • @kubanczyk: Is "crude source-IP-based" the same as IP spoofing, or something different? Can you provide a link? – Allan Xu Nov 16 '15 at 20:22
  • Spoofing on a local level is easy. When it comes to Public IP it can be much harder. I found this https://superuser.com/questions/619477/how-do-i-spoof-the-ip-that-my-computer-sends-a-server-without-using-something-li Also found this too https://security.stackexchange.com/questions/55279/how-easy-is-it-really-to-do-ip-spoofing – Bad_Guy Nov 16 '15 at 17:17

2 Answers


Short Answer

Assuming a TCP connection, it is nearly impossible to spoof a source IP address without control of the network.

Longer Answer

Assuming you are not using any proxies (which can cause issues if you're getting their IP address from an X-FORWARDED-FOR header), and running a service on TCP, it's extremely difficult to spoof a source IP address.

To initialize a TCP connection multiple packets have to be sent back and forth between the server and the attacker. If the source address for the initial request is spoofed, then the attacker would be unable to finish opening the connection because the spoofed address is not their address. So when the server sends a packet 'back' to them, it would instead be directed to the real owner of the address and not the attacker.

I would make a diagram on Visio for this, but I am in class, so hopefully a sketch is sufficient.

[Sketch: TCP handshake]

Pablo A
Chase Haddleton
    Notice that in some cases `Real User` might have a firewall configured in such a way that `Server` never receives the `RST` packet. In such a case the firewall can make the attack slightly easier to pull off, but it still is only feasible if `Server` uses predictable sequence numbers. – kasperd Nov 16 '15 at 18:30

Spoofing the source address is fairly easy, there are still many ISPs that don't implement source address filtering.

Receiving the replies to those spoofed packets is harder. The attacker would need to either get on the network path between client and server or modify routing to change the network path. This is harder but certainly not impossible.

Modern TCP implementations use randomised sequence numbers, which make the probability of successfully opening a TCP connection without receiving the reply to the SYN packet very low. Older systems and UDP-based protocols may be more vulnerable to such attacks. Use of "SYN cookies" by the server also increases the probability of such an attack succeeding (though it's still a very low probability).

I would consider source IP filtering to be a useful extra line of defense but I would not want to rely on it as the sole means of protection.

Peter Green
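The following Python model is an added illustration, not code from either answer, of the two points made above: a forged source address never receives the SYN-ACK, so a source-IP allowlist only holds up when the server's initial sequence numbers are unpredictable. The addresses, ports and the 64000 increment of the "predictable" variant are constructed values.

```python
import secrets

# Toy TCP listener with a source-IP allowlist (constructed example, not a
# real stack): a connection only counts once the three-way handshake finishes.
class TcpListener:
    def __init__(self, allowed_sources, predictable_isn=False):
        self.allowed = set(allowed_sources)
        self.predictable_isn = predictable_isn
        self.last_isn = 1000            # state for the predictable-ISN variant
        self.half_open = {}             # (src_ip, src_port) -> server ISN
        self.established = set()
        self.wire = []                  # (destination IP, segment) the server emits

    def _isn(self):
        if self.predictable_isn:        # old fixed-increment style ISN
            self.last_isn = (self.last_isn + 64000) % 2**32
            return self.last_isn
        return secrets.randbelow(2**32) # unpredictable ISN, as modern stacks use

    def on_syn(self, src_ip, src_port, client_isn):
        if src_ip not in self.allowed:  # the filter acts on the spoofable field
            return False
        isn = self._isn()
        self.half_open[(src_ip, src_port)] = isn
        # The SYN-ACK is routed to the owner of src_ip, whoever sent the SYN.
        self.wire.append((src_ip, {"flags": "SYN-ACK", "seq": isn, "ack": client_isn + 1}))
        return True

    def on_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack_num != (isn + 1) % 2**32:
            return False                # wrong ACK: the handshake never completes
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True

ALLOWED, ATTACKER = "198.51.100.5", "203.0.113.9"   # constructed addresses

def legitimate_connect(srv):
    """The real owner of ALLOWED sees the SYN-ACK and can answer it."""
    srv.on_syn(ALLOWED, 40000, client_isn=7)
    dst, synack = srv.wire[-1]
    return dst == ALLOWED and srv.on_ack(ALLOWED, 40000, synack["seq"] + 1)

def blind_spoof(srv, observed_isn=1000, step=64000):
    """ATTACKER forges ALLOWED as source; the SYN-ACK goes to ALLOWED, so the
    only option is to guess the ISN from a pattern seen earlier (hypothetical)."""
    srv.on_syn(ALLOWED, 40001, client_isn=7)
    dst, _ = srv.wire[-1]
    guess = (observed_isn + step + 1) % 2**32
    return dst == ALLOWED and srv.on_ack(ALLOWED, 40001, guess)
```

The guess succeeds against the fixed-increment listener and fails (with probability about 1 - 2^-32) against the randomised one, which is why the second answer treats source filtering as an extra layer rather than the sole control.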