Re: .htaccess mixed access based on client-ip/auth

On 12/7/06, ara.t.howard@xxxxxxxx <ara.t.howard@xxxxxxxx> wrote:

>>> still, i think even REMOTE_ADDR could be spoofed easily couldn't it?
>>
>> No, it is determined directly from the TCP/IP connection information which
>> cannot be (easily) spoofed.  The Client-IP is simply a request header which
>> the client (or proxy) completely controls.
>
> ok.  i'm understanding correctly then - spoofing remote_addr would most likely
> involve packet wrapping.  i'm not sure that would be considered 'hard' - but it
> is indeed harder than setting headers.

I'm not sure what you mean by "packet wrapping".  But in general, it
is hard to lie about the source IP address if you want to get a
response from the server and are not on the same local network.  (It
is much easier if you are just doing a denial of service attack and
hence don't care if you ever see a response.)

Joshua.
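
The distinction discussed in this thread, as an added example that is not part of the original messages: a loopback Python server evaluates the same allow-list against the TCP peer address (what Apache exposes as REMOTE_ADDR) and against the `Client-IP` request header. The trusted network `10.0.0.0/8` and the helper names `is_trusted` and `probe` are assumptions made for the demonstration.

```python
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy for the demo: only this network may skip authentication.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

def is_trusted(addr):
    """True if addr parses as an IP inside TRUSTED_NET; anything else is untrusted."""
    try:
        return ipaddress.ip_address(addr.strip()) in TRUSTED_NET
    except ValueError:
        return False

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        peer = self.client_address[0]                # taken from the TCP socket
        claimed = self.headers.get("Client-IP", "")  # header text chosen by the client
        body = f"peer={is_trusted(peer)} header={is_trusted(claimed)}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(claimed_ip):
    """Serve one loopback request that claims claimed_ip; return both verdicts."""
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/", headers={"Client-IP": claimed_ip})
        result = conn.getresponse().read().decode()
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    # The connection really comes from 127.0.0.1, whatever the header says.
    print(probe("10.1.2.3"))
```

The header-based verdict follows whatever the request claims, while the peer-based verdict stays tied to the address the connection actually arrived from, so only the latter is a sound basis for skipping authentication.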