
Is it possible to spoof your IP... is testing ip addresses secure?

I have some extra features on a site that employees can use but customers are not allowed to see.


The employees are all going to be on a series of domains.

What I do is get the user ip like so:

$user_ip = gethostbyname($_SERVER['REMOTE_ADDR']);

Then I get an array of all the ips for the domains the users will be on using gethostbyname

Then I check if the user is on one of the domains like so:

in_array($user_ip,$allowedIPS)

So if the user is on one of the domains they see additional features for internal use. Otherwise they just see what is meant for the general public.

My questions is, is this secure? Or could someone potentially spoof their IP to appear like they are on our domain and gain access to these features?


It is impossible to spoof a TCP connection over the open internet due to the Three Way Handshake. However, it may be possible to access this feature using CSRF.

PHP pulls $_SERVER['REMOTE_ADDR'] directly from Apache's TCP socket, therefore it cannot be influenced by an attacker. And yes, I have looked at this code.


My questions is, is this secure? Or could someone potentially spoof their IP to appear like they are on our domain and gain access to these features?

No, unless they also have access to the networks of one of the allowed IPs, or any of the allowed machines under one of the IPs is compromised and proxies traffic.

In your scenario, it seems good enough. Well, except the privileged users will not be allowed to access the content from other IPs without some kind of VPN.

Note that IP spoofing generally has a different meaning than the one you're using. It means only forging the source address of a packet. This by itself is worthless because to access the service, it would also be necessary to receive the response from the server. Even "IP spoofing" in this sense is rare today due to better routing.


IP spoofing is possible, if non-trivial.

Why don't you just have your employees log in to get access to employee-only features?


If you are going to do this, do it with apache config, not with code. You are basically re-inventing functionality that is built in.

As to the direct question, as others have said, spoofing an IP is possible if non-trivial. Also hope you don't have any unsecured wireless access points.

EDIT: Apache access control instructions. This is me assuming you are using Apache due to PHP usage; if you are actually using IIS, it's still a config driven setting but obviously different in its execution.


I don't think this is possible, because when you're making a request to a server, you're actually requesting your ISP to request the server.

As long as you validate all the HTTP metadata that the ISP forwards on to you, such as X-FORWARDED-FOR and proxy metadata, you should be able to keep a tight system.

Here's a diagram that may help you understand what I mean:

[diagram image not preserved]

Read here for more info.

http://www.astahost.com/info.php/hacker39s-view-easy-spoofing-ip-address_t13807.html


I upvoted ROOK on this one. You cannot spoof a TCP connection and still access your site from the same machine doing the spoofing. Why? Because the response your web server would make (initially) would be to the spoofed IP in an attempt to establish a socket connection (TCP 3-way handshake).

It is conceivable that if you have two computers (A and B) at two different public IP addresses and you use one of the computers (A) to spoof or send packets to your web server using B's IP address such that when your web server replies it sends packets to B.

If the IP addresses used in the spoofed call are internal on your subnet, then internal workstations would receive TCP ACK packets for uninitiated TCP SYN packets and reject them or ignore them. I'm not aware of any TCP/IP stack implementation that would try to complete a 3-way handshake against ACK only packets; it breaks standard protocol.

Spoofing is a technique for UDP flooding where an attacker does a DoS (Denial Of Service) attack using a phony IP address to attempt to hide their tracks.

Hope this helps.


$_SERVER['REMOTE_ADDR'] is provided by your web server and it's not possible to spoof it directly. The only way around it that I can see is proxying the connection via one of the allowed IPs.


When we were confronted by a similar question, we came to the conclusion that if the user was accessing us via http, we couldn't absolutely rely on their IP address, because they could be using a proxy. But https is always a direct connection; it doesn't allow proxies, so we could be sure that the IP address we were seeing was correct. Therefore, we locked our users down based on IP address PLUS they had to access the site via https (and log in to their account, of course).

Your case sounds a little bit different from ours, but I'd say the above should be useful for you as well.

Even if you don't follow that exact path, you do need to be aware of proxies. A proxy could theoretically allow any number of different users to access your site from a single IP address, so if you somehow managed to get a proxy's IP into your list of allowed addresses then you'd be opening up a security hole, so you need to be sure that any IP address you add to the list is legitimate (this is where https can help).

Also, if your users are coming from their home PCs, be aware that their IP address could change over time. Most ISPs will issue their customers with dynamic IPs which can be re-assigned, meaning that each time you connect to the internet, there's a chance you'll get a different IP address. If this is the case, there's no spoofing going on but nevertheless you won't be able to reliably identify a user by their IP address.


While, as discussed before, IP spoofing in TCP over the Internet is impossible, other methods for attacking webapps exist.

Please note that many web implementations (either using PHP or not) are vulnerable to X-Forwarded-For injection. X-Forwarded-For is an HTTP header that specifies the original IP address when a request passes through a proxy. There is no validation (possible) in Apache2 and on some configurations this is the IP address that is passed to PHP's REMOTE_ADDR. So yes, IP spoofing is possible this way.

Suppose an attacker sets a request header X-Forwarded-For with a value of 127.0.0.1. If the configuration on the HTTP server allows this, 127.0.0.1 will be passed to PHP-FPM's REMOTE_ADDR, not the actual attacker's IP. When I browse the Internet, I always add this header to my requests to test security of webpages. Many of them show additional admin toolbars when I set my IP to localhost. Even stackoverflow had this error when it was in beta stage and some major software today is still "vulnerable" to this by default.
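The X-Forwarded-For injection described in this answer, placed beside the question's in_array allow-list check, as an added example written for this page (it is not code from the question, any answer, or any project); the trusted proxy address, the client addresses and the allow-list are constructed values:

```php
<?php
// Added example, not code from the question or any answer above. It contrasts the
// vulnerable "trust X-Forwarded-For" pattern with one that only honours the header
// when the TCP peer is our own reverse proxy. TRUSTED_PROXIES and all addresses
// below are constructed for illustration.

const TRUSTED_PROXIES = ['10.0.0.5'];   // assumed address of our own reverse proxy

// Vulnerable: any client can send X-Forwarded-For, so the "client IP" is attacker-chosen.
function clientIpNaive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened: REMOTE_ADDR comes from the accepted TCP socket and cannot be set by the
// client. Only if that peer is a trusted proxy do we consult X-Forwarded-For, walking
// it from the right (the hop our proxy appended) and validating it as an IP literal.
function clientIpTrusted(array $server): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], TRUSTED_PROXIES, true)) {
            continue;                            // skip our own proxies in the chain
        }
        // First untrusted hop from the right is the real client, if it parses as an IP.
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
    }
    return $peer;                                // header held only trusted proxies
}

// Constructed request: a direct client at 203.0.113.9 claiming to be localhost.
$direct   = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Constructed request: the same client arriving through our proxy at 10.0.0.5.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.9'];
$allowedIPS = ['127.0.0.1', '198.51.100.20'];   // the employee allow-list from the question

foreach (['direct' => $direct, 'viaProxy' => $viaProxy] as $name => $server) {
    printf("%-8s naive=%-12s trusted=%-12s allowed(trusted)=%s\n", $name,
        clientIpNaive($server), clientIpTrusted($server),
        in_array(clientIpTrusted($server), $allowedIPS, true) ? 'yes' : 'no');
}
```

For the direct request the naive function hands the allow-list check 127.0.0.1 and lets the client through, while the trusted version keeps the socket peer 203.0.113.9; only the request that really arrived via the configured proxy has its header consulted.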


Everything is possible, but it's always a matter of cost.
In most cases such spoofing isn't worth it.
