Problem solve Get help with specific problems with your technologies, process and projects.

How do IP spoofing and session hijacking work?

How does IP spoofing work? I understand that an IP-spoofer must interrupt the connection between two hosts. What...

kind of program would he use to jump into the conversation before the other person noticed something was wrong? It's the timing that I can't figure out. Can this be done over the Internet, or must the spoofer have a packet sniffer and be on the same segment of cable?

You are apparently confusing IP spoofing with session hijacking.

IP spoofing is simply forging the IP addresses in an IP packet. This is used in many types of "attacks" including session hijacking. It is also often used to fake the e-mail headers of SPAM so they cannot be properly traced.

Session hijacking occurs at the TCP level. According to Internet Security Systems, "TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine."

For more information on session hijacking and other TCP Exploits, please visit Internet Security Systems. The definition I quoted above came from that page, and there are references to other papers, including one that explains IP spoofing.

As for how and where it can be done, if your connections are vulnerable, it can be done over the Internet. The attacker does not need to be directly in your path, though that does simplify things.

More on this topic


This was last published in August 2002

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)