I am dealing with an application that is protected by a firewall and only allows access from certain IP-Addresses (which are application webservers).

Its a bit delicate and it would be much hassle to introduce another authentication/protection layer.

My understanding of networking is not great because its not my subject, but in my Head I made up the following scenario:

• Someone knows the IP-Address of one of our application servers and wants to fake it to get access to the other application which he knows the listening socket and protocol of.

• So he alters the Header of his IP packets to have the Webserver IP as transmitter.

What happens next?

• A: His ISP rejects the packet and says “Hey, that is not the IP address you were assigned from me.” – Problema Solved

• B: The ISP passes the packet on to the next level (his up-link…)

Lets assume the ISP has been compromised or the packet is passed on without inspection (I don’t know whether that’s the case)

What happens next?

• A: The carrier rejects the Packet and says “Hey, that IP is not in the range of IP we agreed you are operating on!” – Now if my webserver isnt operated by the same ISP that my attacker compromised – Problema solved

• B: The ISP doesn’t inspect the packet or is compromised and forwards it to his up-link.

Now I am quite sure that IP addresses ARE inspected and filtered when passing a router. Otherwise it would be total anarchy.

So to put this straight: An Attacker that wants to fake my IP-Address needs to compromise the VERY same ISP that is in charge of the IP-Range my Webserver operates in – or this ISP does not do packet inspection.

• Is this correct?

Okay now I imagine my server is located in an office and its ISP is a regional cable company.

What would be the steps necessary to send packets from my IP address to another internet IP?

(Of course I am only asking to get aware of the risks and choose proper protection!)

I imagine locating the routing station which is often in some small container at the side of the street that is only protected by a lock. Going in there. Swapping cables or plugging yourself into.

Will this most likely work if you know what you are doing or is there some encrypted handshake with keys stored on the real offices modem that is required to built an authenticated connection?

I am talking about today’s standards in cable internet.

Last thought: So if my origin server is not some household ISP that has its stations vulnerable on the street i should be pretty safe, right?

I remember that NFS servers relies on IP authentication ONLY as a default. Because this is pretty common – are there any examples where NFS servers got hacked by faking IP addresses?

I realise that this question is put very very vagly. This is because I am not sure about anything I am saying here. I just wanted to give some input where I think the cave-eats could be, so they can be confirmed or eliminated.

Overall I am grateful for any comment and your personal thoughts about that subject!