Skip to main content
Unlisted page
This page is unlisted. Search engines will not index it, and only users having a direct link can access it.

What is IP Spoofing?

· 3 min read

What is IP Spoofing?

Spoofed IP packets with disguised source addresses are commonly used in attacks, with the purpose of avoiding detection of the source address during the attack.

IP spoofing is creating Internet Protocol (IP) packets with a modified source address to hide the sender's identity, impersonate another computer system, or both. This is a technique often used by bad actors to launch DDoS attacks against target devices or surrounding infrastructure.

Sending and receiving IP packets is the primary way networked computers and other devices communicate, forming the foundation of the modern internet. All IP packets contain a header that precedes the packet body and contains important routing information, including the source address. In a normal packet, the source IP address is the address of the packet sender. If the packet is spoofed, the source address will be forged.

ip-spoofing

IP spoofing is similar to an attacker sending a packet to someone with a false return address. If the person receiving the packet wants to stop the sender from sending packets, blocking packets from the fake address won't work because the address is quite easy to change. Similarly, if the receiver wants to respond to the return address, their response packets will go somewhere else, not to the real sender. The ability to spoof packet addresses is a core vulnerability exploited by many DDoS attacks.

DDoS attacks often utilize spoofing to flood target devices with traffic while masking the identity of malicious source addresses and preventing mitigation efforts. If the source IP address is spoofed and continuously randomized, blocking malicious requests becomes quite difficult. IP spoofing also makes it difficult for law enforcement and cybersecurity teams to track down attack perpetrators.

Spoofing is also used to impersonate another device so that responses are sent to that target device. Volume attacks like NTP amplification and DNS amplification exploit this vulnerability. The ability to modify the source IP is inherent in TCP/IP design, making it an ongoing security concern.

Associated with DDoS attacks, spoofing attacks can also impersonate another device to bypass authentication, gain access, or "hijack" user sessions.

How to Prevent IP Spoofing (Packet Filtering)

While IP spoofing cannot be prevented, measures can be taken to block spoofed packets from infiltrating networks. One very common spoofing defense is ingress filtering, outlined in BCP38 (Best Common Practices document). Ingress filtering is a form of packet filtering typically implemented on network edge devices that examines incoming IP packets and looks at their source. If the source on these packets doesn't match where they came from, or they look suspicious, the packets are rejected. Some networks also implement egress filtering, which looks at IP packets leaving the network to ensure these packets have legitimate sources, preventing someone in the network from launching outbound malicious attacks using IP spoofing.

Reference

[1] What is IP spoofing? https://www.cloudflare.com/learning/ddos/glossary/ip-spoofing/