Can the IP address be forged?

Viewed 1,763 times

52

When a client connects to my server, can I trust that the IP address I have access to (every language/framework/etc. used in web applications exposes the client’s IP in some way) is really that client? Or can it be forged?

I know that on the whole I’m not supposed to trust anything that comes from the client side. However, I also know that, the way networks work, if an attacker somehow sends me a message with a fake IP the answer does not go to him; it goes to the real owner of the stated IP. It seems to me, then, that it is not possible to steal a user’s information by copying his IP address, or am I mistaken?

To what extent can I trust this information when validating a request coming from the client side?

1 answer

43


Unfortunately there are spoofing techniques, one of them called IP spoofing, which are used to falsify IP addresses. It is literally possible to enter the communication medium between client and server and take over the victim’s connection: all sessions open at that moment between client and server are delivered to the forger. This is only possible because another technique is used in conjunction with IP spoofing, called session hijacking. This is really dangerous; the combination of the two techniques is alarming because it allows the interception (theft) of traffic from any protocol to the forged address. When I say "make a connection" it is in the literal sense of the word: imagine you at home making an SSH or telnet connection to some server; if an attack of this type happens the instant your session is open, the attacker takes your place, literally connected without having the SSH/telnet password. In the 90’s this was really very dangerous, to the point that there is a legendary story of the hacker Kevin Mitnick using both techniques to intercept connections!

Today most routers natively have spoofing protection options in an attempt to filter and detect forged packets!

Unfortunately not everyone knows and understands the gravity of the subject, and they do not enable this type of protection in their networks. This allows attacks derived from techniques as serious as, for example, ARP spoofing, which is currently widely used in public networks such as wireless networks, allowing one to forge ARP requests and redirect all network traffic to the attacker, who uses sniffers to capture the information passing through. If this is used together with another technique that can forge encrypted connections like SSL, the thing becomes extremely dangerous and it is possible to capture passwords, conversations, etc., etc...

EDIT

Well, Wikipedia in this case gives you just a superficial approach; trying to answer your comment we can go a little further. I do not want to open here a topic that serves as a bridge for malicious use, but this type of attack, when made from outside your network, is actually considered a blind attack. When a TCP communication is successfully established (you can study the TCP/IP architecture in depth to better understand the process), the initial sequence number, sent together with the SYN+ACK packet, is well defined between the communicating parties. The attack is blind because the forger has no idea what initial number has been established in order to predict what the next sequence will be, and without that there is no communication, and without communication there is no answer. "But", there is always a "but": there are ways to try to figure out this number and generate the next expected sequence, and with this information there is communication. Look, this is extremely complex; it is complicated but not impossible.

If the spoofing comes from inside your network things get easier, because the attack is not considered blind: with a sniffer it is possible to capture and analyze the packets between two hosts and know which the sequences are...

You spoke of MitM; in fact IP spoofing is classified as an integral part of the execution of a MitM. The MitM, apart from intercepting the data, can relay it in original or altered form (ARP spoofing is very close to being a MitM; in fact it is used as a bridge to the next step, which would not only capture data but rather relay it, altered or not). The scenario described was an example of IP spoofing using hijacking techniques.

The important point of the scenario is that everything is happening before the application layer. I remember that I was stuck with this type of flaw in the TCP/IP architecture in the year 2000; I set up an environment to test these situations, I did tests with telnet at the time and it was alarming :-(

EDIT 2

If you are concerned about whether the client’s public address was forged or not: "looking" at the public IP does not guarantee security for your web application, and if the IP was really fake (spoofed) you would not even have the means to identify it and take any action. Malicious clients will worry about making it as difficult as possible for their real IP to end up in your logs (from your web application). In these cases, if the client connects behind any proxy open to the world, you will only have the public IP address of the connection made through the proxy, and only the proxy owner will be able to tell you the client’s real address; getting this information will perhaps depend on judicial requirements forcing the proxy to pass that information on to you. These open proxies are already used as attack bridges for these reasons: they generally have no management, much less logs with the information of who connected on date X at time Y, which leaves the attacker unpunished. One way to try to check the public address that connects to your application is to submit the public IP address to some RBL list like this one http://mxtoolbox.com/blacklists.aspx, where an IP is submitted to several RBLs that rank whether an IP is "clean", but this again does not guarantee much: these checks only look at whether a given IP has a record of sending viruses, trojans, botnets, spam, etc., etc., problems of that kind. Again, if the client is behind some proxy, it is the proxy’s public IP that you will be submitting.

So checking the IP of who connects doesn’t make much sense unless you’re restricting connections to a particular group of clients with static IPs. The information of the IP that connects to your application, on its own, brings you absolutely no security guarantees.
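The answer's closing point (an IP check only makes sense against a fixed group of static addresses) and the question's remark that frameworks expose the client's IP "in some way" meet in one practical detail: the "some way" is usually an `X-Forwarded-For` header, which any client can write, while the only address a server actually observes is the TCP peer. The following Python example, added here and not part of the answer above, shows a defender-side way to combine the two: the header is honoured only when the TCP peer is one of our own reverse proxies (the `10.0.0.0/8` range is an assumed, constructed value), the chain is walked from the right so that an attacker-supplied leftmost entry cannot override the real hop, and the result is checked against a static allowlist (the documentation ranges `203.0.113.0/24` and `198.51.100.0/24` are used as constructed examples).

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed configuration for the example (hypothetical deployment values).
# Only connections arriving from these networks are treated as our own proxies,
# so only they may vouch for an X-Forwarded-For chain.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Static client addresses we are willing to let through (the "particular group
# of clients with static IPs" the answer mentions). Documentation ranges only.
ALLOWED_CLIENTS = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def _in_any(addr, networks: Iterable) -> bool:
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in networks)


def resolve_client_ip(peer_addr: str, forwarded_for: Optional[str]) -> str:
    """Return the address we are willing to call 'the client'.

    peer_addr is the TCP peer as reported by the socket (the only value the
    network itself vouches for). forwarded_for is the raw X-Forwarded-For
    header, if any. The header is trusted hop by hop from the right: each entry
    was appended by the hop to its right, so it is authentic only while that
    hop is one of our proxies. The first entry not belonging to us is the
    client; a malformed entry is rejected rather than guessed at.
    """
    peer = ipaddress.ip_address(peer_addr)

    # Connection did not come through our proxies: anyone could have set the
    # header, so the peer address is the only meaningful client address.
    if forwarded_for is None or not _in_any(peer, TRUSTED_PROXIES):
        return str(peer)

    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    client = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            raise ValueError(f"malformed X-Forwarded-For entry: {hop!r}")
        client = addr
        if not _in_any(addr, TRUSTED_PROXIES):
            break  # first hop that is not ours: this is the real client
    # If every entry was one of our proxies, the leftmost one originated the
    # request (for example an internal health check); that is what is returned.
    return str(client)


def is_allowed(client_ip: str) -> bool:
    """Static allowlist check; the only IP-based control the answer endorses."""
    return _in_any(ipaddress.ip_address(client_ip), ALLOWED_CLIENTS)


def check_request(peer_addr: str, forwarded_for: Optional[str]) -> Tuple[str, bool]:
    """Resolve the client address and say whether the allowlist admits it."""
    client = resolve_client_ip(peer_addr, forwarded_for)
    return client, is_allowed(client)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header).
    samples = [
        ("203.0.113.10", "198.51.100.5"),            # direct client; header ignored
        ("10.0.0.2", "203.0.113.10, 10.0.0.7"),      # two of our proxies in front
        ("10.0.0.2", "203.0.113.10, 192.0.2.44"),    # attacker claims an allowed IP
        ("192.0.2.44", None),                        # direct, not allowlisted
    ]
    for peer, xff in samples:
        print(peer, xff, "->", check_request(peer, xff))
```

The third sample is the one to look at: the request really came from `192.0.2.44` and merely wrote `203.0.113.10` into the header, so the walk from the right stops at `192.0.2.44` and the allowlist rejects it. Even with this handling in place, the answer's caveat stands: an allowlist of static addresses is all the IP can give you; it does not authenticate a user.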

  • I’m a little confused: this scenario you described is different from a MitM between the client and the server, right? Because the linked Wikipedia article says "In addition the characteristics of the IP protocol allow falsifying a sender, but do not allow receiving the answers - these will go to the fake address. Thus, the attack can be considered blind". How could an attacker capture his SSH connection through this technique? (Note that I am not doubting, far from it; it is that I asked the question to better understand how the process works, but your answer confused me even more.)

  • See if EDIT helps clarify...

  • You did, thank you! When I asked the question, I was thinking from the point of view of a web application that uses the client’s IP as part of the authentication/validation process. That’s why my focus was on the public IP. From what I understood of ARP spoofing, it occurs within the user’s network, acting on the private IP, right? In this scenario, an outside observer would not detect anything "suspicious" happening (because the public IP would be the same), even if such an attack, including a MitM, was successful. Anyway, very good answer! +1

  • I really enjoyed this discussion. It may be kind of off-topic, but do you have any idea whether using Tor can prevent this attack?

  • 2

    Not at all; Tor in these cases would act as an extra pinch of seasoning, making it difficult to trace the origin of the attack. The Tor network uses the TCP/IP protocol for communication, so it is susceptible to spoofing attacks in the same way...
