Trusting Self Reported IP Address

From Guidance Share
Jump to navigationJump to search


The use of IP addresses as authentication is flawed and can easily be spoofed by malicious users.

Applies To

  • Languages: All
  • Operating platforms: All


The following code connects to a remote host and then checks its IP address to make a trust decision:

sd = socket(AF_INET, SOCK_DGRAM, 0);
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = htonl(INADDR_ANY);
servr.sin_port = htons(1008);
bind(sd, (struct sockaddr *) & serv, sizeof(serv));
while (1) {
  memset(msg, 0x0, MAX_MSG);
  clilen = sizeof(cli);
  //Make a trust decision based on IP
  if (inet_ntoa(cli.sin_addr)==...)
     n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen);

Since IP address may be spoofed by the remote host, a valid trust decision cannot be made with this information


  • Authentication: Malicious users can fake authentication information, impersonating any IP address.


  • Use of IP address to make a trust decision about a remote host.


  • Design: Use other means of identity verification that cannot be simply spoofed.

Vulnerability Patterns

How Tos