What is IP Spoofing?
IP spoofing is a cyberattack technique in which an attacker sends IP packets with a falsified source address. By forging the source IP field in a packet header, the attacker can disguise their true origin, impersonate a trusted host, or evade IP-based security filters. The receiving system processes the packet as though it came from the spoofed address, which can be exploited in a variety of malicious ways.
IP spoofing is possible because the Internet Protocol was designed to route packets based on the destination address without authenticating the source. While this design enabled the internet's open and scalable architecture, it also created a fundamental vulnerability that attackers continue to exploit decades later. The IP header's source address field can be set to any arbitrary value by an attacker with sufficient access to raw network sockets.
How IP Spoofing Works
To perform IP spoofing, an attacker crafts network packets with a forged source IP address using raw sockets or specialised tools. The attacker modifies the IP header before sending the packet, replacing their real IP address with the address they wish to impersonate. When the target receives the packet, it believes the communication originated from the spoofed address.
Because the source address is falsified, any responses from the target are sent to the spoofed address rather than the attacker. This means IP spoofing is most effective in attacks that do not require a two-way connection, such as UDP-based floods and amplification attacks. For TCP-based attacks, the attacker must employ additional techniques to predict sequence numbers and maintain the illusion of a legitimate connection.
Types of Attacks Using IP Spoofing
IP spoofing is commonly used in DDoS amplification attacks, where the attacker sends requests to a public server (such as a DNS resolver) with the victim's IP address as the source. The server sends its response, which is often much larger than the request, to the victim, amplifying the attack volume. This technique is the basis of DNS amplification, NTP amplification, and memcached amplification attacks.
IP spoofing is also used in man-in-the-middle attacks, where the attacker intercepts communication between two parties by impersonating one or both. In some cases, spoofing is used to bypass IP-based access controls, such as firewall rules that allow traffic from specific trusted IP addresses. Session hijacking attacks may also leverage IP spoofing to take over an established connection.
Preventing IP Spoofing
Network operators can prevent IP spoofing at the source by implementing ingress filtering (BCP38/RFC 2827), which verifies that outgoing packets have source addresses that belong to the network's assigned address space. This prevents attackers within the network from sending packets with spoofed addresses. Unfortunately, not all ISPs and networks implement ingress filtering, leaving the technique viable.
At the destination, organisations can use firewalls to detect and block packets with suspicious source addresses, such as private addresses arriving on public interfaces. Deploying anti-spoofing rules, using encrypted and authenticated protocols like TLS and IPsec, and employing DDoS mitigation services that can identify spoofed traffic are all effective countermeasures against IP spoofing attacks.
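The two filtering points described above (BCP38 ingress filtering at the source network and anti-spoofing rules on the destination's public interface) can be expressed as a simple source-address policy. The following Python is an added illustration, not code from the original page or from any vendor product; the assigned prefixes, bogon list and sample packets are constructed values, and the packet records are a simplified stand-in for what a real filter would pull from an IP header.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the prefixes this hypothetical network is assigned. BCP38/RFC 2827
# ingress filtering only lets packets leave if their source falls inside them.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed bogon list: sources that should never arrive from the public internet
# (RFC 1918 space, loopback, link-local, "this" network, multicast, reserved).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for the fields of an IP header that the policy needs."""
    src: str
    dst: str
    direction: str  # "egress" = leaving our network, "ingress" = arriving on the public interface


def in_any(addr, networks):
    """True if addr lies inside any of the given networks."""
    return any(addr in net for net in networks)


def check_egress(src, assigned=ASSIGNED_PREFIXES):
    """BCP38 at the source network: outgoing packets must carry one of our own addresses."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, assigned):
        return "PASS", ""
    return "DROP", f"egress source {src} is outside the assigned address space (BCP38)"


def check_ingress(src, assigned=ASSIGNED_PREFIXES, bogons=BOGON_SOURCES):
    """Destination-side anti-spoofing on the public interface.

    Two classes of source can only be forged: private/bogon addresses, and our own
    assigned addresses, which can never legitimately arrive from the outside.
    """
    addr = ipaddress.ip_address(src)
    if in_any(addr, bogons):
        return "DROP", f"ingress source {src} is private or bogon space"
    if in_any(addr, assigned):
        return "DROP", f"ingress source {src} claims to be one of our own addresses"
    return "PASS", ""


def filter_packet(pkt):
    """Apply the policy that matches the packet's direction."""
    if pkt.direction == "egress":
        return check_egress(pkt.src)
    if pkt.direction == "ingress":
        return check_ingress(pkt.src)
    raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed sample traffic, one packet per policy outcome worth seeing.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.0.2.1", "egress"),      # our address leaving: PASS
    Packet("198.51.100.77", "192.0.2.1", "egress"),     # inside the /25: PASS
    Packet("192.0.2.9", "192.0.2.1", "egress"),         # not ours, spoofed: DROP (BCP38)
    Packet("10.0.0.5", "203.0.113.10", "ingress"),      # RFC 1918 source from outside: DROP
    Packet("203.0.113.10", "203.0.113.20", "ingress"),  # our own address from outside: DROP
    Packet("198.51.100.200", "203.0.113.10", "ingress"),  # outside the /25, ordinary peer: PASS
]


def run_samples(packets=SAMPLE_PACKETS):
    """Return (src, direction, verdict, reason) for each sample packet."""
    return [(p.src, p.direction, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for src, direction, verdict, reason in run_samples():
        print(f"{direction:7s} {src:16s} {verdict:4s} {reason}")
```

The egress rule is the one that actually removes spoofing from the internet, because it stops forged packets before they leave the network that originated them; the ingress rules only protect the destination against the subset of spoofed sources that are self-evidently impossible. Note that `198.51.100.200` passes on ingress while `198.51.100.77` is treated as ours: the policy is only as precise as the prefix lengths it is configured with.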
Frequently Asked Questions
IP spoofing is used to disguise an attacker's identity, launch DDoS amplification attacks, bypass IP-based access controls, and perform man-in-the-middle attacks by impersonating trusted hosts.
Network operators can implement ingress filtering (BCP38) to verify source addresses. Organisations can deploy anti-spoofing firewall rules, use encrypted protocols like TLS, and employ DDoS mitigation services.
IP spoofing works because the Internet Protocol routes packets based on destination addresses without authenticating the source address, allowing attackers to set any arbitrary value in the source IP field.
Related Definitions
What is a denial-of-service (DoS) attack?
A denial-of-service (DoS) attack is a cyberattack that aims to make a computer, server, or network resource unavailable to legitimate users by overwhelming it with a flood of malicious traffic or exploiting vulnerabilities.
What is a Ping of Death (PoD) attack?
A Ping of Death (PoD) attack is a denial-of-service attack in which an attacker sends a malformed or oversized ICMP ping packet that exceeds the maximum allowed IP packet size, causing the target system to crash or freeze.
What is a WAF (Web Application Firewall)?
A Web Application Firewall (WAF) is a security solution that monitors, filters, and blocks HTTP/HTTPS traffic between a web application and the internet to protect against application-layer attacks.
What is blackhole routing?
Blackhole routing is a network defence technique where traffic destined for a specific IP address or range is silently dropped by routing it to a null interface, commonly used as an emergency response to DDoS attacks.