通过源 IP 验证 TCP 连接安全吗?

发布于 2024-10-17 06:26:31 字数 291 浏览 7 评论 0原文

我正在开发一个通过互联网接受客户端连接的应用程序。所有这些客户端都位于固定的 IP 地址上,并将建立非加密的 TCP 连接。

当前的计划是让服务器检查连接来自哪个 IP,并仅允许来自已知 IP 列表的客户端连接?

防止 IP 欺骗的安全性如何?

我的理由是,由于这是一个 TCP 连接,攻击者不能仅仅伪造其发送者 IP(这很容易),而是必须确保数据包传回给他,因此他必须破解该网络上的所有路由器。这条路,看起来相当艰难。

我知道我可以使用加密,例如 SSH,但让我们继续讨论纯 TCP 连接的安全性如何。

I'm developing an application that accepts connections from clients over the internet. All these clients are on fixed IP addresses and will establish a non-encrypted TCP connection.

The current plan is for the server to check which IP the connections come from and allow only client connections from a list of know IPs?

How safe is that against IP spoofing?

My reasoning is that since this is a TCP connection, an attacker couldn't just fake its sender IP (which is easy), but would have to assure that the packets travel back to him and thus he would have to hack all routers on the path, which seems rather hard.

I know I could use encryption, like SSH, but lets stick with the question of how safe the plain TCP connection would be.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

夕嗳→ 2024-10-24 06:26:31

在实际情况下,通过 IP 地址限制连接通常是一个很好的做法,因为它大大减少了攻击面并使攻击的复杂性更高。正如其他答案中所述,您现在必须执行 IP 欺骗或攻击网络本身(虚假 BGP 路由等)之类的操作。

也就是说,IP 地址限制应该用作深度防御方法的一层。您能否在不进行太多返工的情况下加密 TCP 流?也许是 SSL?如果程序都修改不了,那网络怎么办?建立站点 IPSEC VPN 隧道并不困难,因为几乎所有商业防火墙都支持它们。甚至一些 soho 路由器也可以修改为支持 IPSEC(例如,使用 OpenWrt 加 OpenSwan)。

最后,您是否可以要求客户端和服务器相互验证?

Restricting connections by IP address is generally a good practice when practical, as it greatly reduces the attack surface and makes the complexity of an attack much higher. As stated in other answers, you would now have to do something like IP spoofing, or attacking the network itself (false BGP routes, etc).

That said, IP address restriction should be used as one layer of a defense-in-depth approach. Could you encrypt the TCP stream without too much rework? Maybe SSL? If you can't modify the program, how about the network? Site ti site IPSEC VPN tunnels are not difficult to establish, as almost any commercial firewall supports them. Even some soho routers can be modified to support IPSEC (with OpenWrt plus OpenSwan, for example).

Lastly, could you require the client and server to mutually authenticate?

冷月断魂刀 2024-10-24 06:26:31

不安全。 BGP 网关也无法免受攻击,因此可能会发布虚假路由并欺骗 IP。

Not safe. BGP gateways are not immune to attack, and with that, false routes can be advertised and IPs can be spoofed.

独守阴晴ぅ圆缺 2024-10-24 06:26:31

首先,使用 IP 您并不能识别客户端,而只是识别一些数字。 即使即使IP是正确的,用户的计算机上仍然可能存在木马,代替用户本身进行身份验证(因为我不知道你提供什么样的服务,我认为这可能是有道理)。

现在,如果一个人可以访问客户端和服务器之间数据包经过的路由器之一,那么他几乎可以做任何事情 - 他可以以客户端的名义发送和接收数据包,或者他可以修改它们(如数据未加密)。此外,攻击者不需要破解所有或其中一台路由器 - 他只需要能够访问(包括合法的路由器)数据所在的通道,无论是路由器本身还是电缆(可以被切断和切断)可以插入路由器)。

综上所述,IP可以在一定程度上作为加强欺骗的组件之一,但它不能成为主要的安全措施。

First of all, using the IP you are not identifying the client, but just some numbers. Even if the IP is right, there still can be a troyan on user's computer, authenticating in place of the user itself (as I don't know what kind of service you provide, I assume that this might make sense).

Now, if one has access to one of the routers via which the packets between the client and the server go, then he can do almost anything - he can send and receive packets in the name of the client or he can modify them (as the data goes unencrypted). Moreover, the attacker doesn't need to hack all or one of routers - he just needs to have access (including legitimate one) to the channel where the data goes, be it the router itself or the cable (which can be cut and the router can be inserted).

So to summarize, IP can be used as one of the component that hardens spoofing to some extent, but it can't be the main security measure.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文