I run a server for a project of mine. The clients invoke an Update check function running as a webservice at start-up. These requests are logged to file.

I use the following function to log to file:

Public Sub Log(ByVal Message As String, ByVal Level As LogEntryLevel, ByVal Additional As Boolean)
   Dim base As String = "C:\SERVER\log\"
   Dim fileName As String = Date.Now.ToString("dd-MM-yyyy") & ".log"
   Dim newString As String = ""
   If Not Additional Then
      If System.IO.File.Exists(base + fileName) Then newString &= vbNewLine
      newString &= Date.Now.ToString("[dd/MM/yyyy HH:mm:ss.fff ") & Level.ToString & "] " & Message
   Else
      newString &= Message
   End If
   My.Computer.FileSystem.WriteAllText(base + fileName, newString, True)
End Sub

I use the following function to get the client's IP address:

Public Function getIP() As String
   Dim ip As String
   ip = Context.Request.ServerVariables("HTTP_X_FORWARDED_FOR")
   If ip = String.Empty Then
      ip = Context.Request.ServerVariables("REMOTE_ADDR")
   End If
   Return ip
End Function

The log message is constructed as follows:

Log(String.Format("Client {0} invoked CheckForUpdate with [{1}]", getIP, ver), LogEntryLevel.INFO, False)

Some time ago this got logged:

[11-12-2011 22:10:20.730 INFO] Client 10.0.1.4, 127.0.0.1 invoked CheckForUpdate with [0.5]

O_O How can this be returned? Is this normal? Is this possible? How can the request have originated from localhost (127.0.0.1) and at the same time from a remote IP address? Was the server hacked? Is this a glitch? Can someone please explain this to me?

user1122122

2 Answers

This is very likely the result of a non-anonymous proxy being used to access your server. High-anonymity proxies completely hide the fact that a proxy is being used, and standard anonymous proxies do not show the user's original IP address, but they do send an X-Forwarded-For header, so they can be detected that way. Non-anonymous proxies, however, simply add the X-Forwarded-For header value to the user's IP address, and it tends to look exactly like the result you found in your logs. The fact that it was forwarded for 127.0.0.1 implies that they were likely trying some form of nefarious activity, probably submitting a recreated form with modified values.

ranksrejoined
  • Does this imply that the client was trying to do something he was not supposed to do? I have the ability to deny further requests from a certain IP address matching a specified regular expression. Should I prevent clients with this IP address from invoking this method (And thus from using the application)? – user1122122 Dec 30 '11 at 01:01
  • Well, if CheckForUpdate couldn't be used for anything dangerous, they're likely just trying to run it programmatically as a convenience. Ideally, you'd be keeping more detailed logs of every GET and POST request so you could see precisely which data they're submitting to determine if it could be harmful to your application's integrity. After a bit of research, it looks like 10.0.1.4 might just be a result of the user's DHCP settings; it could be completely harmless, but it might just as well be an attempt to remain anonymous. – ranksrejoined Dec 30 '11 at 01:09
  • I looked up the IIS logfile of the day in question, and at the timestamp from my own logfile there is nothing in the IIS log file. There is one about 30 seconds later but the IP is different. – user1122122 Dec 30 '11 at 02:15
I believe this question would help you: How do I get the correct IP from HTTP_X_FORWARDED_FOR if it contains multiple IP Addresses?

Seems that HTTP_X_FORWARDED_FOR can return multiple comma delimited IPs in the form of: X-Forwarded-For: client1, proxy1, proxy2, ...

So 10.0.1.4 is a computer on the same network as the localhost that used the localhost as a proxy. Some local area networks are set up this way, to connect through a certain computer.

192.168.x.x and 10.x.x.x are reserved IP address ranges for local networks

I believe a client was invoked on your server's local area network.

Motomotes
  • If I invoke the function from my own network this gets logged: "[30-12-2011 02:51:38.781 INFO] Client 192.168.1.1 invoked CheckForUpdate with [0.5]" It's the same for all computers on my LAN (I tested it). And since no one on my LAN uses it (I checked), it's not possible for the request to have come from my LAN. What other possibilities are there? – user1122122 Dec 30 '11 at 01:58
  • If your router is set to use 192.168.x.x instead of 10.x.x.x then the HTTP_X_FORWARDED_FOR header was likely spoofed. You could modify your code to trap any 10.x.x.x clients, since they shouldn't exist, and ignore them and maybe use the REMOTE_ADDR instead to create a blacklist, as you probably don't want anyone trying to pretend they are on your intranet, when they aren't. Note that: REMOTE_ADDR can be spoofed as well, but then the response content will be sent to REMOTE_ADDR, so spoofing REMOTE_ADDR would be pointless, as one wouldn't receive a response. – Motomotes Dec 30 '11 at 17:06
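The comma-delimited X-Forwarded-For parsing described in this answer, combined with the comment's advice to anchor on REMOTE_ADDR and flag 10.x.x.x entries, as an added example that is not part of the question or either answer. It is written in Python because the header logic is language-independent; the `TRUSTED_PROXIES` set and the 203.0.113.7 peer address are constructed for illustration (the question describes no reverse proxy, so the set is empty).

```python
import ipaddress
from typing import Dict, List, Optional

# Peers whose X-Forwarded-For header may be believed. Constructed for this
# example: the server in the question sits behind no reverse proxy, so empty.
TRUSTED_PROXIES = frozenset()


def parse_xff(header: Optional[str]) -> List[ipaddress._BaseAddress]:
    """Split "client1, proxy1, proxy2" into addresses, leftmost first.

    The header is client-controlled, so entries that are not valid IP
    addresses are discarded rather than copied into the log.
    """
    if not header:
        return []
    chain = []
    for part in header.split(","):
        try:
            chain.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue  # junk or padding, not an address
    return chain


def resolve_client(remote_addr: str, xff: Optional[str]) -> Dict[str, object]:
    """Pick the address to log/act on and flag suspicious header contents.

    REMOTE_ADDR is the TCP peer: a forged value would receive the response,
    so it is the anchor of trust. X-Forwarded-For is only honoured when the
    peer is a known proxy; otherwise it is recorded but not trusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    chain = parse_xff(xff)
    flags: List[str] = []
    if chain and peer not in TRUSTED_PROXIES:
        flags.append("xff-from-untrusted-peer")
    for addr in chain:
        if addr.is_loopback:            # 127.0.0.1 claimed as a hop
            flags.append(f"xff-loopback:{addr}")
        elif addr.is_private:           # 10/8, 172.16/12, 192.168/16
            flags.append(f"xff-private:{addr}")
    # Leftmost entry is the original client only if a trusted proxy says so.
    client = chain[0] if (chain and peer in TRUSTED_PROXIES) else peer
    return {"client": str(client), "peer": str(peer),
            "chain": [str(a) for a in chain], "flags": flags}


if __name__ == "__main__":
    # The header that produced the log line in the question.
    print(resolve_client("203.0.113.7", "10.0.1.4, 127.0.0.1"))
```

Logging `peer`, `chain` and `flags` separately keeps the untrusted header visible for investigation without letting it replace the address you block or rate-limit on.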