Whether you are a private individual using the internet or responsible for a local network, protection against unauthorized access and systematic attacks always matters. Criminals have been breaking into other computer systems for decades, by a variety of routes and with widely varying damage. The intrusion itself often leaves few traces on the accessed system if the intruders know their craft, and many cybercriminals know how to cover their tracks so that the origin of an attack can hardly be determined by ordinary means. One of the most enduring techniques in the cybercriminal's toolkit is spoofing, which in its original form, IP spoofing, was already being discussed in expert circles in the 1980s.

What is IP spoofing?

IP spoofing is a method in which IP data packets (typically carrying TCP or UDP) are sent with a forged source address. The attacker uses the address of an authorized, trusted system and can thereby inject packets into a foreign system that a filter would otherwise block. In most cases, IP spoofing is used to perform DoS and DDoS attacks. Under certain circumstances the attacker can also use the borrowed address to intercept or manipulate the data traffic between two or more computer systems. Such man-in-the-middle attacks based on IP spoofing nowadays require, with few exceptions, that the attacker be on the same subnet as the victim.

IP falsification: Why IP spoofing works

Falsifying the IP address is possible because the source and destination addresses in the header of every IP packet are not protected against manipulation. The IP protocol itself provides no mechanism for authenticating this information or checking its correctness; the header checksum only detects accidental corruption and can be recomputed by anyone who alters the packet. With a simple IP spoofing attack, the attacker does not gain access to the data traffic. The attack merely changes the source address entry in the packet, while the attacker's real IP address remains unchanged. As a result, the response to the sent data does not go to the attacker but to the computer whose address the attacker entered.
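To make the point concrete, the following added example (not code from the original article) builds a minimal IPv4 header in memory with whatever source address the caller supplies, computes the RFC 791 header checksum, and shows that a receiver's header check passes just as well after the source field has been rewritten. All addresses, the identification value and the payload length are constructed for the example. Actually transmitting such a header would require a raw socket and the corresponding privileges; this code only constructs and parses bytes.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of all 16-bit words.
    It guards against accidental corruption only; anyone can recompute it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header. The sender fills in the source
    field itself, and nothing in the protocol checks that it is honest."""
    ver_ihl = (4 << 4) | 5          # IPv4, header length 5 x 32-bit words, no options
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20 + payload_len,
        0x1234, 0,                  # identification, flags/fragment offset (constructed)
        ttl, proto, 0,              # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    checksum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", checksum) + fields[12:]


def parse_ipv4_header(header: bytes) -> dict:
    """Decode the fields a receiver sees. checksum_ok is True whenever the
    one's-complement sum over the whole header (checksum included) is zero."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(header[:20]) == 0,
    }


def rewrite_source(header: bytes, new_src: str) -> bytes:
    """Spoof after the fact: swap the source address and fix the checksum.
    The result passes every check an IPv4 receiver performs on the header."""
    patched = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:20]
    zeroed = patched[:10] + b"\x00\x00" + patched[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


if __name__ == "__main__":
    original = build_ipv4_header("192.0.2.10", "198.51.100.5", payload_len=8)
    spoofed = rewrite_source(original, "203.0.113.7")
    print(parse_ipv4_header(original))
    print(parse_ipv4_header(spoofed))
```

The only thing the receiver can verify is that the checksum matches the header it received, and the forger recomputes that checksum in one line. Without IPsec or a filter upstream that knows which source addresses can legitimately appear on a given link, the source field is simply a claim.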

The fact that an unauthorized third party is behind the IP packet is hidden from the responding system, which makes IP spoofing usable for the DoS and DDoS attacks mentioned above. The two following scenarios are the most common:

  1. Using the stolen source address, the attacker sends large quantities of data packets to different systems inside the network in question. These systems reply with packets of their own, which are received not by the attacker but by the uninvolved computer whose IP address has been appropriated (a reflection attack; if the replies are larger than the requests, the effect is amplified as well).

  2. An intended target computer receives simultaneous data packets from numerous falsified IP addresses and becomes overloaded; because the source addresses are forged, it cannot simply block a single sender.

The computer whose IP address was stolen by the attackers can either be the target of the DDoS attack or merely a tool drawn into it. In both cases the attacker remains unknown, since the sent packets officially appear to originate from the computers whose addresses were taken over.

How attackers sidestep the three-way handshake

In theory, an attacker can initiate the deliberate overloading from any location, as long as the target computer is connected to the internet. Direct access to the data traffic, however, is much harder if the intruder's computer is not on the same subnet. Intercepting or hijacking a TCP connection requires knowledge of the correct sequence numbers, and obtaining them from outside the network is nearly impossible today compared with the early days of hacking.

In the past, operating systems and network devices generated the initial sequence numbers entered in the TCP header according to a fixed pattern. Attackers could send a few test packets to the target system and, from the replies, predict the sequence number it would assign to the next connection. With the predicted number the attacker could complete a three-way handshake on behalf of a forged sender IP without ever seeing the server's SYN/ACK, and then inject data into the connection without either communicating system registering the intrusion. Because many systems relied on host-based login procedures such as rlogin and rsh, which trust a client on the basis of its source address (and send any credentials they do require in clear text), an attacker could with some luck actually establish a session this way. Since today's systems generate initial sequence numbers randomly, these TCP sequence prediction attacks (a form of blind spoofing) have become essentially ineffective, but older devices are still at risk.

If an IP spoofer is on the same subnet as the attacked system, for example in a local network, it has a much easier time obtaining the sequence numbers and the packets that carry them. Instead of having to painstakingly guess them, it can capture and analyze all of the data traffic and pick out the desired packets. This is what is referred to as non-blind spoofing.
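The blind spoofing attack described above can be simulated without a network. The following added example (not part of the original article) models two initial sequence number generators: a legacy one that advances a counter by a fixed step per connection, and a random one like modern stacks use. The attacker probes the server a few times, extrapolates the next ISN, and sends a forged ACK for a handshake whose SYN/ACK it never receives. The seed, step size and trusted address are constructed for the example and do not correspond to any specific historical implementation.

```python
import os
import struct


class LegacyISN:
    """Toy model of an old-style initial sequence number generator: a 32-bit
    counter that advances by a fixed step for every new connection.
    (Old BSD stacks stepped the counter by constants per connection and per
    clock tick; the seed and step here are constructed for the example.)"""

    def __init__(self, seed: int = 0x0001_0000, step: int = 64_000):
        self.value = seed
        self.step = step

    def next_isn(self) -> int:
        self.value = (self.value + self.step) & 0xFFFFFFFF
        return self.value


class RandomISN:
    """What modern stacks achieve in effect: an unpredictable 32-bit ISN."""

    def next_isn(self) -> int:
        return struct.unpack("!I", os.urandom(4))[0]


def observe_isns(server, count: int = 3) -> list:
    """Attacker's probing phase: open a few legitimate connections from the
    attacker's own address and record the ISN in each SYN/ACK."""
    return [server.next_isn() for _ in range(count)]


def predict_next_isn(samples: list) -> int:
    """Assume the server uses a constant step and extrapolate one step ahead."""
    if len(samples) < 2:
        raise ValueError("need at least two observed ISNs")
    step = (samples[-1] - samples[-2]) & 0xFFFFFFFF
    return (samples[-1] + step) & 0xFFFFFFFF


def blind_spoof(server, trusted_src: str = "192.0.2.10") -> dict:
    """Simulate the attack: probe, predict, then send a SYN with a forged
    source and complete the handshake with an ACK the attacker never saw.
    Returns what the attacker sent and whether the server would accept it."""
    samples = observe_isns(server)
    guess = predict_next_isn(samples)
    # The spoofed SYN arrives; the server assigns the real ISN and sends the
    # SYN/ACK to trusted_src, which the attacker cannot see.
    real_isn = server.next_isn()
    # The forged ACK must acknowledge real_isn + 1 for the server to accept it.
    forged_ack = (guess + 1) & 0xFFFFFFFF
    return {
        "spoofed_src": trusted_src,
        "observed": samples,
        "forged_ack": forged_ack,
        "accepted": forged_ack == ((real_isn + 1) & 0xFFFFFFFF),
    }


if __name__ == "__main__":
    print("legacy generator:", blind_spoof(LegacyISN()))
    print("random generator:", blind_spoof(RandomISN()))
```

Against the legacy generator the forged ACK is accepted every time; against the random generator the attacker's chance is one in 2^32 per attempt. In a real attack the intruder must additionally keep the trusted host quiet, typically by flooding it, so that it does not answer the unexpected SYN/ACK with a reset.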

Protect yourself from IP spoofing

The problem of IP spoofing has kept security administrators and specialists busy for decades. In particular, the simplicity of DoS and DDoS attacks keeps IP manipulation attractive to today's criminals. For this reason there has long been a demand for targeted filtering of outgoing data traffic by internet service providers, in which packets whose source addresses do not belong to the provider's own network are logged and discarded (known as ingress filtering, documented in BCP 38 / RFC 2827). Cost is the main reason this demand is still only partially met. Another reason for the providers' hesitancy may lie with the security features of the revised internet protocol, IPv6. IPv4 is still very common, but its successor was designed together with IPsec, whose optional authentication and encryption of packets (also available for IPv4) can prevent address forgery wherever it is used. The switch to the new addressing protocol has proven to be a difficult matter, however, as the lack of IPv6 support in various common network devices shows. Users who want to take the initiative and set up their own protection against attackers forging and appropriating addresses can focus on the following two measures:

  • Set up a comprehensive packet filter on your router or security gateway. It should analyze incoming data packets and discard any whose source address belongs to a device inside your own network, since such a packet cannot legitimately arrive from outside. Outgoing packets with source addresses outside your network should likewise be detected and dropped. Security experts tend to see the latter as the duty of the internet service provider, but nothing prevents you from doing it at your own network edge.
  • Stay away from host-based authentication. Make sure that every login takes place over an authenticated, encrypted connection such as SSH or TLS. This minimizes the risk of an IP spoofing attack within your own network while also setting important standards for overall security.
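The first measure, filtering by source address in both directions, is simple enough to express in a few lines. The following added example (not code from the original article or from any router vendor) implements the decision logic for a site's internet uplink: inbound packets claiming an internal or otherwise impossible source are dropped, and outbound packets whose source the site does not own are dropped. The internal prefixes and the sample traffic are constructed for the example; the bogon list covers the private, loopback, link-local and multicast ranges that should never appear as a source on the public internet.

```python
import ipaddress

# Address ranges the site itself owns (constructed example values).
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Sources that can never legitimately arrive from the public internet.
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def _in_any(addr, prefixes) -> bool:
    # ipaddress returns False for a mismatched IP version, so mixing v4/v6 is safe.
    return any(addr in p for p in prefixes)


def filter_verdict(direction: str, src: str) -> tuple:
    """Return (drop, reason) for a packet with source address `src` seen on the
    site's internet uplink. direction is "in" (from the internet) or "out"."""
    addr = ipaddress.ip_address(src)
    internal = _in_any(addr, INTERNAL_PREFIXES)
    if direction == "in":
        if internal:
            return True, "inbound packet claims an internal source address"
        if _in_any(addr, BOGON_PREFIXES):
            return True, "inbound packet from a bogon/private range"
        return False, "accept"
    if direction == "out":
        if not internal:
            return True, "outbound packet with a source address we do not own"
        return False, "accept"
    raise ValueError("direction must be 'in' or 'out'")


def apply_filter(packets) -> list:
    """Run the verdict over (direction, src, dst) records and return the drops."""
    dropped = []
    for direction, src, dst in packets:
        drop, reason = filter_verdict(direction, src)
        if drop:
            dropped.append((direction, src, dst, reason))
    return dropped


# Constructed sample traffic as it might be seen on the uplink.
SAMPLE_PACKETS = [
    ("in", "198.51.100.9", "192.0.2.20"),     # normal inbound
    ("in", "192.0.2.7", "192.0.2.20"),        # spoofed: claims to be one of us
    ("in", "10.1.2.3", "192.0.2.20"),         # spoofed: private source from outside
    ("out", "192.0.2.20", "198.51.100.9"),    # normal outbound
    ("out", "203.0.113.44", "198.51.100.9"),  # spoofed from inside our own LAN
]

if __name__ == "__main__":
    for entry in apply_filter(SAMPLE_PACKETS):
        print("DROP", *entry)
```

The outbound rule is the part that protects everyone else: a host inside the network that has been compromised and is used for a reflection attack cannot get its forged packets past the edge. On Linux routers the same idea is available as reverse-path filtering (the net.ipv4.conf.all.rp_filter sysctl), and the inbound rule is what an ISP applies at its customer ports under BCP 38.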

Of course, older operating systems and network devices should be replaced as well if they are still in use. This not only increases protection against IP spoofing but also closes a number of other security gaps.
