get visitor IP address or mac address

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: get visitor IP address or mac address

Post by jackpf »

IP spoofing is really hard. Because the data has to be sent back to the same IP address, it won't work, except on one-way protocols.

Also, the server has to "shake hands" with the client, which is a three-way process.

1. client connects
2. server says hello
3. client says hello back

But if the server is saying hello to the wrong IP address, they won't get the hello, so won't be able to send/receive data.


This is what I've heard anyway....I could be wrong.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: get visitor IP address or mac address

Post by pickle »

On pretty much any OS, you can go in and set a static IP rather than get it from DHCP - it's that simple.

Edit: The "spoofing" I'm referring to would work if you're using the IP in your session code. Actual man-in-the-middle attacks (like described above) are more difficult.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: get visitor IP address or mac address

Post by jackpf »

Oh right. Yeah, it's easy to change your IP address...But actually pretending your IP address is something it isn't is not so easy...
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: get visitor IP address or mac address

Post by pickle »

Well, for the purposes ~nga would be using it - that's all I'd need to do. If I have the session ID of my enemy, I can (albeit not simply) find his IP, statically set it on my computer and voila - I'm in. Real world applications are not as simple as this, but the theory is the same.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: get visitor IP address or mac address

Post by VladSun »

As jackpf said "bidirectional" IP spoofing is NOT an easy task to perform (e.g. there should be really misconfigured routers, etc.).
I'm not sure what pickle and jackpf talked about in their last posts, but certainly IP spoofing is not that easy.
There are 10 types of people in this world, those who understand binary and those who don't
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: get visitor IP address or mac address

Post by jackpf »

I don't think you can give yourself an external static IP address. Do you mean a local IP address, with your router?

I thought you get your external IP address from your ISP's DHCP server. The only way to change your IP address in that sense would be to turn off your router for a while, and hope that a) your ISP's IP Pooling is set to dynamic, and b) you turned it off long enough to renew your lease with the DHCP server.

I may be talking complete nonsense, but if I learned anything during my time working as a network technician at my school, then that's how it works.

But anyway, that doesn't allow you to spoof your IP address. Your ISP's records will still show you as the owner. So anything illegal you get up to will still trace back to you.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: get visitor IP address or mac address

Post by pickle »

That's assuming you're listening to DHCP - which isn't necessary. You can easily set your IP to something in the range of the DHCP server, and the routers you're behind won't be any the wiser. Routing may get a bit squirrelly if you have the same IP as someone else, but if you don't - there's not really any way to tell - most especially from a PHP server somewhere else.

It's also assuming that you and your enemy are in different places in the world. What about in an office or a school? Or if both computers are behind a common NAT - then only one user behind that NAT at a time can use the website.

~nga hasn't spoken up in a while, so I'm thinking we may be getting off the topic that will help him/her.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: get visitor IP address or mac address

Post by VladSun »

pickle wrote: ~nga hasn't spoken up in a while, so I'm thinking we may be getting off the topic that will help him/her.
To generalize: one should not use IP/SessionID pairing, because it may result in a denial of service for:
- many users, single public IP (SNAT);
- one user, multiple public IPs (multiple routing for traffic load balance purposes)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: get visitor IP address or mac address

Post by VladSun »

pickle wrote: That's assuming you're listening to DHCP - which isn't necessary. You can easily set your IP to something in the range of the DHCP server, and the routers you're behind won't be any the wiser. Routing may get a bit squirrelly if you have the same IP as someone else, but if you don't - there's not really any way to tell - most especially from a PHP server somewhere else.
That's why ISPs use some kind of point-to-point protocol (or interface) to end users. E.g. PPPoE.
pickle wrote: It's also assuming that you and your enemy are in different places in the world. What about in an office or a school? Or if both computers are behind a common NAT - then only one user behind that NAT at a time can use the website.
That's true - know your enemy :P
nga
Forum Commoner
Posts: 46
Joined: Mon Aug 17, 2009 3:05 am

Re: get visitor IP address or mac address

Post by nga »

OK, my bad, I only looked at page 1 without even realising that there is a page 2 :(. Anyway, what I'm asking is: if you use both IP address and session ID, there are chances that the IP address changes (like what you guys said) and the user might be logged out, but I assume that doesn't happen a lot. Is there any chance that someone could capture the cookie and spoof the IP address to be able to get into the account?
nga
Forum Commoner
Posts: 46
Joined: Mon Aug 17, 2009 3:05 am

Re: get visitor IP address or mac address

Post by nga »

How can users using the same IP address be denied? We will check the combination of IP and session ID; if there is a match, they can be logged in. It's not like you check the IP then check the session ID associated with it?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: get visitor IP address or mac address

Post by VladSun »

You may check against and store the username/IP pair in a DB on user log in.
nga
Forum Commoner
Posts: 46
Joined: Mon Aug 17, 2009 3:05 am

Re: get visitor IP address or mac address

Post by nga »

Uhm, I'm not so sure about this matter, but the session ID will be stored in the database in cookie form or in the database?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: get visitor IP address or mac address

Post by jackpf »

A session ID is stored on the client's computer, which they send to the server on every page request. The server then gets the data relating to that session id. Depending on how you handle sessions, it could be either in session files or in the database. The PHP manual will explain in a lot more detail....


But that's why people validate user agents as well. Because even if someone does manage to steal someone's session ID and spoof their IP address, they'd have to be psychic to know what browser and version they're running...
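
The IP/session-ID pairing debated in this thread, together with the user-agent check from the last post, as an added example (not code from any poster). Function names, addresses and user-agent strings are constructed for illustration.

```php
<?php
// Added example: binding a session to the client that logged in.
// In a real request the inputs would come from $_SERVER['REMOTE_ADDR']
// and $_SERVER['HTTP_USER_AGENT']; here they are constructed samples.

/** Snapshot of the client, taken at login and stored with the session data. */
function fingerprint(string $ip, string $userAgent): array
{
    return ['ip' => $ip, 'ua_hash' => hash('sha256', $userAgent)];
}

/** Lists which bound attributes differ between login time and this request. */
function bindingMismatches(array $stored, array $current, bool $checkIp, bool $checkUa): array
{
    $mismatches = [];
    if ($checkIp && $stored['ip'] !== $current['ip']) {
        $mismatches[] = 'ip';
    }
    if ($checkUa && !hash_equals($stored['ua_hash'], $current['ua_hash'])) {
        $mismatches[] = 'user-agent';
    }
    return $mismatches;
}

$ua      = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0'; // constructed
$atLogin = fingerprint('203.0.113.10', $ua);

$cases = [
    // Same user, same network path.
    'same client'           => fingerprint('203.0.113.10', $ua),
    // Same user, traffic balanced over a second public IP: strict IP pairing logs them out.
    'multi-homed user'      => fingerprint('198.51.100.7', $ua),
    // Another machine behind the same SNAT address: the IP check alone sees no difference.
    'other host behind NAT' => fingerprint('203.0.113.10', 'OtherBrowser/2.0'),
];

foreach ($cases as $label => $current) {
    $ipOnly = bindingMismatches($atLogin, $current, true, false);
    $both   = bindingMismatches($atLogin, $current, true, true);
    printf("%-22s ip-only: %-7s ip+ua: %s\n", $label,
        $ipOnly ? 'REJECT' : 'accept',
        $both ? 'REJECT (' . implode(',', $both) . ')' : 'accept');
}
```

Both inputs are taken from the request, and the User-Agent header is chosen by the client, so a mismatch is best treated as a reason to ask for re-authentication rather than as proof of who is connecting.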