Benjamin Loison

Reputation: 5622

Does getAddress() with DatagramPacket return a trustworthy IP address?

I am programming a little authentication system and I use this code to get the IP of the user:

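// port and buffer are defined elsewhere
DatagramSocket socket = new DatagramSocket(port);
DatagramPacket packet = new DatagramPacket(buffer, buffer.length);
socket.receive(packet);
// Source address as recorded in the received packet
InetAddress address = packet.getAddress();
// getHostAddress() returns the textual IP without the "hostname/" prefix that toString() adds
String ip = address.getHostAddress();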

My question is: Can we trust the value given with the string ip? Can somebody put a fake IP in a header of the packet?

It is very confusing: does a UDP header contain the IP of the sender of the UDP packet? If so, can we change this header to replace it with another IP?

Upvotes: 1

Views: 227

Answers (1)

guest

Reputation: 36

In an established TCP connection, you can assume that the remote IP address is valid because otherwise you could not send anything back to the host (and the TCP handshake would not succeed -- see SYN flood).

However, you have no guarantee that the remote IP address actually belongs to your user, so it's a really bad way to perform authentication.

One of the commenters gave the example of a proxy. It doesn't have to be Tor: if you use the common practice of an NGINX or Apache server in front of your application, then you'll always get the IP address of that server (i.e., your own server).

Also, we live in a world where most users are behind a NAT, which means that you may have dozens or hundreds of distinct users that all appear to come from the same IP address.

And the IP address will potentially change. This is particularly common with connections made from cellphones.

Upvotes: 1
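
The answer's point that a source address cannot identify a user, as an added Java example that is not part of the original question or answer: the receiver identifies the sender of each datagram by an HMAC-SHA256 tag computed with a per-user shared key instead of by packet.getAddress(). The class name, wire format, user names and keys are assumptions constructed for this demo.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AuthenticatedDatagramDemo {
    static final int TAG_LEN = 32; // HMAC-SHA256 output size in bytes

    static byte[] hmac(byte[] key, byte[] data, int len) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(data, 0, len);
        return mac.doFinal();
    }
    // Wire format (constructed for this example): payload followed by a 32-byte tag.
    static byte[] seal(byte[] key, String payload) throws Exception {
        byte[] body = payload.getBytes(StandardCharsets.UTF_8);
        byte[] out = Arrays.copyOf(body, body.length + TAG_LEN);
        System.arraycopy(hmac(key, body, body.length), 0, out, body.length, TAG_LEN);
        return out;
    }
    // Returns the user whose key verifies the tag, or null; the source address is never consulted.
    static String identify(Map<String, byte[]> keys, byte[] buf, int len) throws Exception {
        if (len < TAG_LEN) return null;
        byte[] tag = Arrays.copyOfRange(buf, len - TAG_LEN, len);
        for (Map.Entry<String, byte[]> e : keys.entrySet())   // isEqual is a constant-time compare
            if (MessageDigest.isEqual(hmac(e.getValue(), buf, len - TAG_LEN), tag)) return e.getKey();
        return null;
    }

    public static void main(String[] args) throws Exception {
        Map<String, byte[]> keys = new LinkedHashMap<>(); // constructed sample keys, not real secrets
        keys.put("alice", "alice-sample-key-0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        keys.put("bob", "bob-sample-key-0123456789abcdef00".getBytes(StandardCharsets.UTF_8));
        byte[][] msgs = { seal(keys.get("alice"), "hello"), seal(keys.get("bob"), "hello"),
                "hello-with-no-valid-tag-padding-to-32-bytes".getBytes(StandardCharsets.UTF_8) };
        InetAddress lo = InetAddress.getLoopbackAddress();
        try (DatagramSocket server = new DatagramSocket(0, lo); DatagramSocket client = new DatagramSocket()) {
            server.setSoTimeout(2000);
            for (byte[] m : msgs) { // every datagram arrives from the same address, as behind a NAT
                client.send(new DatagramPacket(m, m.length, lo, server.getLocalPort()));
                DatagramPacket p = new DatagramPacket(new byte[512], 512);
                server.receive(p);
                System.out.println(p.getAddress().getHostAddress() + " -> "
                        + identify(keys, p.getData(), p.getLength()));
            }
        }
    }
}
```

All three datagrams arrive from the same loopback address, yet they resolve to different users or to none. The sketch has no replay protection; a real protocol would also bind a nonce or counter into the tag.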
