ip 屏蔽特定 ip 地址
所以假设我使用一些代码来执行限制来检测用户的IP....
有没有一种方法可以让用户通过任意地将他们的IP设置为他们想要的任何IP(例如通过代理服务器或其他东西)来规避这个问题允许他们选择在我检测到时显示的特定 IP
so suppose I detect a user's ip using some code to perform restrictions....
is there a way for a user to circumvent this by arbitrarily setting their ip to any ip they want anytime they want (eg. via proxy server or something) hence allowing them to choose a specific ip to be displayed when I detect it
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
有几种隧道和基于代理的技术,可以有效地为任何 HTTP 请求提供与原始计算机不同的 IP 地址。我在 this 答案中提到了几种方法,以及这里。在许多情况下,实际上不可能区分中继连接和真实连接...
一般来说,您不能将 Internet 上 TCP 连接的源伪造为多个连接的任意地址。原因包括:
TCP 是一种有状态协议,即使是为了建立连接,数据包也会来回移动。伪造 IP 源地址意味着您无法取回任何数据包。
一些 ISP 会丢弃在其自己的网络中生成的数据包,这些数据包在正确的子网中没有源 IP。这通常在客户端连接级别完成,以保护 ISP 网络并防止由于客户端简单的配置错误问题而导致随机数据包将客户端信息泄露到 Internet。
ISP 过滤器还会阻止用户设置任意 IP - 如果不是出于任何其他原因,那么只是因为 ISP以高得多的价格出售具有静态 IP 地址的连接并让用户设置自己的 IP IP 会破坏这一点。更不用说如果 ISP 的客户端之间可能存在 IP 冲突,将会导致混乱......
所以一般来说,您不能仅仅欺骗 TCP 连接的源。您必须使用中间计算机来中继连接。
但请记住,积极主动且经验丰富的攻击者可能拥有由数百万台属于无辜用户的受感染计算机组成的僵尸网络。理论上,每台计算机都可以用作连接中继,从而使潜在的攻击者可以从多种 IP 地址中进行选择。
最重要的是,简单的基于 IP 的检查和过滤不能以任何形式确保连接的合法性。您应该使用其他方法来保护您的服务:
HTTPS 和正确的用户帐户。
对您的服务进行广泛的日志记录和监控。
入侵检测系统和自动攻击响应程序(请小心这些 - 确保您不会将自己锁在外面!)。
我们无法真正提供更具体的答案,除非您告诉我们您正在提供什么服务,您想要应用什么限制以及您非常担心哪种攻击......
There are several tunneling and proxy-based techniques that will effectively present a different IP address for any HTTP requests than the one belonging to the originating computer. I have mentioned several methods in this answer, as well as here. In many cases it is actually impossible to tell apart a relayed connection from the real thing...
In general you cannot forge the source of a TCP connection on the Internet to be an arbitrary address for a number of reasons, some of which are:
TCP is a stateful protocol and packets go back and forth even in order to establish the connection. Forging an IP source address means that you cannot get any packets back.
Some ISPs will drop packets generated within their own network that do not have a source IP within the proper subnet. This is usually done at the client connection level to protect the ISP network and prevent random packets from leaking client information to the Internet due to simple misconfiguration issues client-side.
ISP filters will also prevent users from just setting an arbitrary IP - if not for any other reason, then just because ISPs sell connections with static IP addresses at significantly higher prices and having users set their own IPs would spoil that. Not to mention the mess that would result if there could be IP conflicts among the clients of an ISP...
So in general you cannot just spoof the source of a TCP connection. You have to use an intermediate computer to relay the connection.
Keep in mind, however, that motivated and experienced attackers may have at their disposal botnets that consist of millions of compromised computers belonging to innocent users. Each and every one of those computers could theoretically be used as a connection relay, thus allowing a potential attacker quite a wide variety of IP addresses to chose from.
The bottom line is that simple IP-based checks and filters cannot in any form ensure the legitimacy of a connection. You should be using additional methods to protect your service:
HTTPS and proper user accounts.
Extensive logging and monitoring of your service.
Intrusion detection systems and automatic attack responders (be careful with those - make sure you don't lock yourself out!).
We cannot really provide a more concrete answer unless you tell us what service you are providing, what restrictions you want to apply and what kind of attacks you are so worried about...
某种程度上 - 正如您所提到的,代理是一种风险,但是它使攻击者的生活变得更加困难,因此仍然值得使用 IP 禁令。
监控您的日志、自动发出警报,如果攻击来自其他 IP,也将其禁止。如果你让攻击者的生活变得足够艰难,他们可能会放弃。
Sort of - as you mentioned, proxies are a risk, however it makes life a wee bit harder for the attacker so it is still worth using IP bans.
Monitor your logs, automate alerts and if attacks come from another IP - ban it too. If you make life hard enough for an attacker they may give up.