0

I have an ec2 instance (proxy) which is being used as http proxy server. There are some other hosts (hostA, hostB, hostC), I want the proxy server will only allow connection from those hosts.

For this I changed the security group and add those hosts as source and 80 as port

Port | Source ---------+---------- 80(HTTP) | hostA/32 80(HTTP) | hostB/32 80(HTTP) | hostC/32

At this point no other host than hostA, hostB and hostC can access Proxy.

But what if someone from other aws machine creates a fake IP packet with fake source address. Will the interface (eth0) to accept it?

Is there any other security measure I should take other than security group settings?

Improve this question

1 Answer 1

Reset to default
3

But what if someone from other aws machine creates a fake IP packet with fake source address. Will the interface (eth0) to accept it?

Yes, but since they won't get the reply packet, they won't be able to complete the handshaks and establish a TCP connection. So they shouldn't be able to send any actual data to the proxy.

Even if they manage to correctly guess the sequence number, establish a TCP connection, and get some data to the proxy, they will still face two problems:

  1. They will never receive any data, since the replies won't be addressed to them.

  2. Their connection will be soon closed by the machine that actually uses that IP address, as it responds to the "alien" packets with RSTs, assuming it's operational.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.