Application Security Concerns: How easy is it to fake an IP-Address?

Question

I am dealing with an application that is protected by a firewall and only allows access from certain IP-Addresses (which are application webservers).

Its a bit delic

Answer 1

Inside a LAN it depends on how your routers/switches/hubs are configured. But I think spoofing should be possible quite often.

---

I don't think the IP address is inspected. Thus you can send UDP packets with forged sender IP. But you won't receive the answer since the server will send it to the real owner of that IP.

This means you can't simply fake an IP in TCP since establishing the connection needs a handshake.

---

You can forge the IP of somebody if the response will go through your router. So a network admin can fake all IPs inside his LAN, an ISP all IPs inside his net, and a carrier can fake IPs on many international connections, provided they get routed through him.

---

Finally there is the possibility of abusing BGP to modify the routes for that IP to go through your computer. But not everybody has access to BGP, you probably need to become an ISP to get it. And then the manipulation will probably be detected because BGP route changes are monitored.