8

I'm getting lots of emails from my error reporting service about IP spoofing attacks with increasing frequency. If I understand correctly, this occurs when the request sets an HTTP header specifying that the IP address the request is coming from was not the original IP address.

The error message looks like this:

IP spoofing attack?!HTTP_CLIENT_IP="10.212.0.172"HTTP_X_FORWARDED_FOR="10.212.0.172, 68.180.224.232"

If I'm reading this correctly, the two IP addresses in this error message are a local IP address (10.x.x.x) and a Yahoo! IP address (68.180.224.232).

I'm not sure if I'm reading that correctly, but it seems that this may be caused from a Yahoo crawler. The error reports on lots of different URLs which makes it seem like a crawler. Also, it seems like a legitimate request because it's an internal IP that is being routed through an external IP.

My questions are:

  • How do you determine if these are legitimate requests or malicious.
  • If malicious, what's the harm in allowing these GET requests?
  • Either way, how can I prevent these errors from occurring (besides turning off the email notification)? Do I need to find a way to block the IP address? What if it's a legitimate request? Do I need to set up a whitelist of some sort?

Update: I reviewed the request parameters and the user agent is indeed a Yahoo crawler:

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

Andrew
  • 227,796
  • 193
  • 515
  • 708

2 Answers2

1

How do you determine if these are legitimate requests or malicious?

IP spoofing by itself is not dangerous but it is mostly used in DDoS (distributed denial of service) attacks to mask the IP address to different IP addresses so that it appears distributed. You can use this gem here to figure out of either of the IP addresses are bots/crawlers/spiders.

If malicious, what's the harm in allowing these GET requests?

By allowing GET requests from spoofed IP's, you are susceptible to being DDoS'ed and the load on your server will increase and if you have auto-scaling turned on, you're going to have to spend more.

Either way, how can I prevent these errors from occurring (besides turning off the email notification)? Do I need to find a way to block the IP address? What if it's a legitimate request? Do I need to set up a whitelist of some sort?

Refer to this answer here which details the best way to solve this problem. I have an alternative way which I will explain below.

I have not tested the below code but in short, it checks if both the headers are present and if they are, it then checks if they are not equal. If both the conditions are true, then you can raise an exception or redirect to an error page with status code 400, up to you.

    def ip_spoofing_check
        if request.env['HTTP_CLIENT_IP'] && request.env['HTTP_X_FORWARDED_FOR']
            if request.env['HTTP_CLIENT_IP'] != request.env['HTTP_X_FORWARDED_FOR']
            response.status = 400
            response = {:status => false, :message => "IP Spoofing Attempt"}
            respond_to do |format| format.json { render json: response} end
            end
        end
    end

Don't forget to call this function in the before_action of your application controller.

Good luck!

Securiosity
  • 37
  • 11
0

Maybe not a complete answer but I've been using this gem for exception notifications and it supports filtering out exceptions raised by crawlers

http://smartinez87.github.io/exception_notification/#ignore-exceptions/ignore_crawlers

magagnon
  • 146
  • 1
  • 4