Receiving Packets of specific IP - php

I have started to capture the packets sent from my PC and I am wondering how it happens that they are always going to the right address.
For example, I am sending a message to a specific IP and a specific port; how come nobody is faking their IP address and port to be, for example, Google.com and sending a different response than Google does?
I have read that DDoS attacks are most likely hiding their real IPs with different ones; I am thinking about a way of receiving packets that are sent.
Isn't there any way to listen for packets sent to a specific IP and port?

Related

Does gethostbyaddr reveal my server's IP address?

I use CloudFlare, so my server's IP address is hidden, and I want to keep it that way. When I make an HTTP request, obviously my IP will be revealed. But does gethostbyaddr reveal my IP address? I want to get the user's IP host, so I do:
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
Will the user be able to find out my server's IP address by this?
gethostbyaddr does a reverse DNS lookup. It does not contact the host directly. However, it may contact DNS servers to do the reverse lookup.
Typically PHP will ask the system's DNS service for the reverse lookup, and if the answer doesn't happen to be cached, the service will contact its closest DNS server to get the answer. If that doesn't have the answer, it will go out and contact its closest upstream server etc. etc. until the answer comes back.
So, rarely if ever should the server reach out further than its closest DNS server. It's certainly not impossible though, and if your server happens to contact a DNS server which your user happens to have control over, that user could see the incoming DNS resolution request.
That will be extremely rare, and again, typically the only DNS server your server will have contact with is its closest DNS server, but it cannot be entirely ruled out.

How PHP populates $_SERVER['REMOTE_ADDR'] with client IP address?

I have a PHP application in front of me that reads the IP address of the user from $_SERVER['REMOTE_ADDR'].
I don't seem to quite understand how it gets populated. I assume that it is basically reading the client IP address from the request headers. Is that correct?
Note:
I am not asking about whether it is providing the client IP address or not. The documentation already states that fact. I am more interested in knowing about the "how". Is it retrieving the IP address implicitly from the request headers?
Not a network expert in any way, but as it's an HTTP request, it gets delivered over a TCP connection. The webserver populates $_SERVER['REMOTE_ADDR'] from a TCP socket that is used to communicate with the browser.
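The following is an added example, not part of the answer above. It plays both ends of one loopback TCP connection to show that the peer address comes from the accepted socket while a forwarded header is just request text; the host name, header value and the `$serverVars` array are constructed for illustration.

```php
<?php
// Added example: the peer address is a property of the accepted TCP socket,
// not of anything the client writes into the request.

// Listen on loopback; port 0 lets the OS pick a free port.
$listener = stream_socket_server('tcp://127.0.0.1:0', $errno, $errstr);
if ($listener === false) {
    exit("listen failed: $errstr\n");
}
$address = stream_socket_get_name($listener, false); // local "127.0.0.1:PORT"

// Client side: connect and send a request with a made-up forwarded header.
$client = stream_socket_client("tcp://$address", $errno, $errstr, 5);
if ($client === false) {
    exit("connect failed: $errstr\n");
}
fwrite($client, "GET / HTTP/1.1\r\nHost: example.test\r\n"
    . "X-Forwarded-For: 198.51.100.23\r\n\r\n");

// Server side: accept() reports the peer the handshake was completed with.
$conn = stream_socket_accept($listener, 5, $peer);
if ($conn === false) {
    exit("accept failed\n");
}
$request = fread($conn, 4096);

// Roughly what a web server does: REMOTE_ADDR and REMOTE_PORT come from the
// socket, request headers are copied into HTTP_* entries as plain strings.
[$ip, $port] = explode(':', $peer);
$serverVars = ['REMOTE_ADDR' => $ip, 'REMOTE_PORT' => $port];
foreach (explode("\r\n", $request) as $line) {
    if (strpos($line, ': ') !== false) {
        [$name, $value] = explode(': ', $line, 2);
        $serverVars['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
    }
}
print_r($serverVars);

fclose($conn);
fclose($client);
fclose($listener);
```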

PHP to UDP over a port

I need to send data from a web page to an Arduino, but without knowing the IP address. My idea is to make the Arduino listen on a specific port, and the web page would send data to this port.
Can my idea work? If yes, how do I do the PHP part?
Otherwise, what can I do?
Sorry for my English, I'm not really good.
If you want to send data to somebody on the Internet you have to find out their IP address. There is no other way. If the recipient has a dynamic IP address they need to tell the sender about it somehow. A dynamic DNS service is one example of this.
However if this is all in a local network and you make sure everything is set up correctly, you can also send to a broadcast address. Broadcast packets will be received by any host in the local network.
I don't know anything about PHP, but if you want to do this over a LAN you need to know the hostname. In layman's terms, the hostname acts as the IP address over the LAN.

How to fake $_SERVER['REMOTE_ADDR'] variable?

Is it possible to fake or hijack a content of $_SERVER['REMOTE_ADDR'] variable?
I would like to fake a request with:
$_SERVER['REMOTE_ADDR']='127.0.0.1';
How could I do that with PHP? Can CURL do that somehow?
I assume that you mean faking it remotely. The short answer is yes you can. The long answer about how easy it is depends on how you want to fake it.
If you don't care about receiving a response, it's as trivial as opening a raw socket to the destination and forging the source IP address. I'm not sure if it's really easy to do in PHP since all of PHP's socket implementations are at or above the TCP level. But I'm sure it's possible. Now, since you're not in control of the network, the response will not go back to you. So that means that you cannot (reliably anyway) create a TCP connection via a trivial forged TCP header (since the syn-ack does prevent this by requiring two-way communication).
However, if you can compromise the gateway the IP is off of, you can do whatever you'd like. So if you compromise the wifi router a computer is connected to, you can pretend to be that computer, and the server won't tell the difference. If you compromise the ISP's outbound router, you can (in theory at least) pretend to be the computer and the server won't tell the difference.
For some more info, see these following links:
ServerFault Question
Symantec Article
Linux Security Article
However, you will only be able to forge the 127.0.0.1 loopback address under TCP if you actually compromise the local machine/server. And at that point does it really matter?
Important
If you're using a framework to access this information, be absolutely sure that it does not check the X-HTTP-FORWARDED-FOR header! Otherwise it's trivial to fake the IP address. For example, if you're using Zend Framework's Zend_Controller_Request_Http::getClientIp method, be absolutely sure that you pass false as the parameter! Otherwise someone just needs to send an HTTP header: X-Http-Forwarded-For: 127.0.0.1 and they now appear to be local! This is one case where using a framework without understanding how it works in the backend can really be bad...
Edit: Relevant
I wrote a blog post recently about how I stumbled across a vulnerability in StackOverflow's application. It's very relevant here, since it exploits a very similar mechanism to what this question is looking for (although the circumstances around it are somewhat narrow):
How I Hacked StackOverflow
The remote address is not something added out of courtesy, it's used in the IP protocol to route packages, so if you send a package with a fake address, you will not receive a response, and since you're talking about a HTTP request, which is delivered over a TCP connection, which takes several IP packets (and the matching responses) to set up:
No, that's impossible (except of course by actually sending the request from the same host via the loopback interface).
Apache populates $_SERVER['REMOTE_ADDR'] from a TCP socket that it uses to communicate with your browser. It is IMPOSSIBLE to influence this variable over the open internet because of the three-way handshake. If the client and the server are on a broadcast network, like wifi, then you can sniff the wire and complete the handshake.
If you browse via a proxy, $_SERVER['REMOTE_ADDR'] may be set to the proxy's IP address rather than the end user's.
There are other headers which you can use instead in this case: This page gives a function which checks all the possibilities and provides the address most likely to be the end user's:
http://roshanbh.com.np/2007/12/getting-real-ip-address-in-php.html
However if the user is proxying using a badly configured proxy, or a malicious one, or one designed to anonymise the end user, then you won't be able to guarantee any of the headers other than REMOTE_ADDR (which would only lead you as far as the proxy).
If your end user is browsing via HTTPS, then REMOTE_ADDR will always be his IP address; you can't use proxy forwarding via HTTPS. Therefore, the one way to be absolutely sure of his address is to get him to open your site in HTTPS.
You can overwrite any item in the $_SERVER array, including the one you mention, in your server; of course, not in someone else's.
However, it won't change your computer's IP address.
REMOTE_ADDR
The IP address from which the user is viewing the current page.
You can request script using proxy, etc. to change IP address but you cannot set there any text you want.
That is a variable set by apache or whatever server you're using. You cannot spoof it.
You may run $_SERVER['REMOTE_ADDR']='127.0.0.1'; at the beginning of the scripts, but I doubt that's what you're trying to do.
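The following is an added example, not taken from any of the answers above or from a framework. It shows one way to resolve the client address so that a forwarded header is honoured only when the direct TCP peer is a reverse proxy you operate. The function name `clientIp`, the `$trustedProxies` list, the use of the standard `X-Forwarded-For` header (exposed by PHP as `HTTP_X_FORWARDED_FOR`) and the sample addresses are assumptions.

```php
<?php
// Added example: resolve the client IP without blindly trusting headers.
// $trustedProxies is an assumption: addresses of reverse proxies you operate.

function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // REMOTE_ADDR comes from the TCP socket. If the direct peer is not one
    // of our proxies, any forwarded header was written by the client itself.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk right to left: the rightmost entries were appended by our own
    // proxies, the leftmost ones are whatever the client chose to send.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: stop trusting the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first address that is not under our control
        }
    }
    return $remote;
}

// Constructed sample requests (addresses from the documentation ranges).
$proxies = ['192.0.2.10'];
$cases = [
    'direct client forging the header' =>
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'request relayed by our proxy' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'relayed, client prepended a fake hop' =>
        ['REMOTE_ADDR' => '192.0.2.10',
         'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.23'],
];
foreach ($cases as $label => $server) {
    printf("%-40s => %s\n", $label, clientIp($server, $proxies));
}
```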

Detect forged IP address?

How do you detect if the IP address for data received via a web form has come from a spoofed IP address?
If detection is possible in PHP, is there a library that will also attempt to find the real IP address?
Uh, you cannot. There cannot be a spoofed IP address.
See, HTTP (which is the basis for web forms) runs on top of TCP.
If I spoof my IP address in the TCP process, I will never manage to establish the TCP connection. Without an established TCP connection, I cannot send any data to your server.
The connection on your side stays stuck in a half-open state, which, by the way, was one of the attack vectors some time ago for a denial of service attack (overloading servers with half-open connections so real ones do not get established).
Ergo: In order to complete the form data submission, I need to open the TCP channel, for which my IP packets need to provide the real IP address.
Where did you get the idea that your submissions come from spoofed IP addresses?
