How much effort does it take to spoof an Ip Address in a call to a webservice?
- by Rory Becker
I don't want to know how... Just how complicated....
I'm thinking of securing a webservice or 2 based on the incoming client ipaddress of the caller. Is this in any way secure?
Surely if the IPaddress was being spoofed then the result would have to be sent back to the address that was being spoofed and therefore not reach the spoofer?
Update: Ok so from what I can tell.... I should create a Gettoken() method which checks the IPaddress and passes out a cryptographically significant token with a timeout to any valid IP address. This is then required by any other method before any kind of side effect is allowed.
Since an Attacker can't (likely) get the token without having a valid IP, he will be unable to validly call any of my "dangerous" webmethods ?