Spoofing IP addresses when using web proxies

Many network devices operate as proxies, reading client requests and then forwarding them on to a downstream server. Network proxies and some web application security proxies function in this way.

Some of these proxies do not preserve the client IP address in the downstream connection to the server. From the server's perspective, the connection appears to originate from the proxy rather than the remote client. This can be a problem when the server is performing access control based on the source address, or when the server wishes to maintain an audit log of all traffic.

Most of these proxies append the upstream address onto the end of an X-Forwarded-For header. If a trusted upstream reverse proxy manipulates the header, then ZXTM can read the header and determine the true source address of the connection.

In this case, ZXTM can then spoof the source IP address of the connection when it forwards the request on to the downstream server. This capability depends on ZXTM's IP Transparency feature, which is available on the ZXTM 2000, 5000 and 7000 Appliances:

$forwardedfor = http.getHeader( "X-Forwarded-For" );
# We trust the upstream proxy, so use the source IP address that it appended
# onto the end of the header. Every dot in the pattern is escaped so that it
# matches a literal "." rather than any character.
if( string.regexmatch( $forwardedfor, "([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)$" )) {
   $ip = $1;
   request.setRemoteIP( $ip );
}

Note that access control based on the value of an HTTP header is extremely weak and easy to bypass. The above example assumes that all incoming traffic comes through a trusted upstream proxy that modifies the X-Forwarded-For header.
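The trust model described above (only believe X-Forwarded-For when the connection actually arrives from a proxy you control, and only take the entries that proxy is responsible for) can be made explicit in code. The following Python is an added example written for this page; it is not ZXTM TrafficScript and not part of the original article. The trusted proxy addresses, the sample header values and the helper names are constructed for illustration.

```python
import ipaddress
from typing import List, Optional

# Constructed sample: the reverse-proxy addresses we operate and therefore trust.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}


def parse_xff(header: Optional[str]) -> List[Optional[str]]:
    """Split an X-Forwarded-For value into its comma-separated entries.

    Each entry is validated with the ipaddress module (IPv4 or IPv6). An entry
    that is not a syntactically valid address is kept as None, so that garbage
    in the header can never be mistaken for a real client address.
    """
    if not header:
        return []
    entries: List[Optional[str]] = []
    for raw in header.split(","):
        raw = raw.strip()
        try:
            entries.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            entries.append(None)
    return entries


def client_ip(peer_ip: str, xff_header: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Return the address the server should log or enforce access control on.

    If the TCP peer is not one of our trusted proxies, the header was written
    by an untrusted party and is ignored entirely. Otherwise walk the chain
    from the right (the entry appended by the proxy nearest to us) leftwards,
    skipping our own proxies; the first address that is not a trusted proxy is
    the best client address we can vouch for. Entries further left came from
    hops we do not control and are never used.
    """
    if peer_ip not in trusted:
        return peer_ip
    for entry in reversed(parse_xff(xff_header)):
        if entry is None:
            # Malformed entry from a hop we cannot reason about: stop here and
            # fall back to the last address we know to be genuine.
            break
        if entry not in trusted:
            return entry
    # Header absent, or every entry was one of our own proxies: the peer
    # address is the only one we can stand behind.
    return peer_ip
```

Using ipaddress rather than a digits-and-dots pattern also rejects values such as out-of-range octets that a loose regular expression would accept, and handles IPv6 entries without a second pattern.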

Owen Garrett [Zeus Dev Team] 20 October 2005