IP spoofing is the crafting of Internet Protocol (IP) packets with a source IP address that has been modified to impersonate another computer system, or to hide the identity of the sender, or both. In IP spoofing, the header field for the source IP address contains an address that is different from the actual source IP address.
IP spoofing is a technique often used by hackers to launch distributed denial-of-service (DDoS) attacks and man-in-the-middle (MITM) attacks against targeted devices or the surrounding infrastructure. The goal of the DDoS attack is to overwhelm a target with traffic while hiding the identity of the malicious source, preventing mitigation efforts.
Using spoofed IP addresses can give attackers the ability to:
- avoid being discovered and implicated by the authorities as well as forensic cyber investigators;
- prevent targeted devices from alerting about attacks in which they are unwitting and unwilling participants; and
- bypass security scripts, devices and services that attempt to mitigate DDoS attacks by blacklisting IP addresses known to be sources of malicious traffic.
How IP spoofing works
In IP spoofing, the attacker modifies the source address in the outgoing packet header, so that the destination computer treats the packet as if it is coming from a trusted source, e.g., a computer on an enterprise network, and the destination computer will accept it. As the IP spoofing activity is carried out at the network level, there aren't any external signs of tampering.
IP spoofing is commonly used in DDoS attacks, when hackers use spoofed IP addresses to overwhelm computer servers with volumes of packets large enough to cause them to become unusable by legitimate users. Often, spoofed IP packets are sent by botnets that are dispersed geographically. Large botnets may contain tens of thousands of computers, each of which can spoof multiple source IP addresses at the same time. Consequently, this automated attack is hard to trace.
How to prevent IP spoofing
Organizations can take measures to stop spoofed packets from infiltrating their networks, including:
- Monitoring networks for atypical activity.
- Deploying packet filtering systems capable of detecting inconsistencies, such as outgoing packets with source IP addresses that don't match those on the company's network.
- Using robust verification methods for all remote access, including for systems on the enterprise intranet, so that spoofed packets from an attacker who has already breached another system on the enterprise network are not accepted.
- Authenticating IP addresses of inbound IP packets.
- Using a network attack blocker.
Firewalls are an important tool for blocking IP packets with spoofed addresses, and all enterprise routers should be configured with an eye to rejecting packets with spoofed addresses. Some basic considerations include:
- Configuring routers and firewalls to reject packets with private IP addresses that originate from outside the enterprise perimeter.
- Blocking traffic that originates from inside the enterprise but that spoofs an external address as the source IP address; this prevents spoofing attacks from being initiated from inside the enterprise against other, external, networks.
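The packet-filtering measure listed above and the two router rules just described are the same check seen from both sides of the perimeter: an inbound packet must not claim an internal or private source address, and an outbound packet must carry an internal source address. The following Python function models that ingress/egress filter over a few constructed packets; it is an added example, not code from the original article, and the enterprise prefix 203.0.113.0/24 and the packet records are assumptions chosen for illustration.

```python
"""Ingress/egress anti-spoofing filter (worked example, not from the article).

Two rules, applied by packet direction:
  inbound  (Internet -> enterprise): drop if the source address is one of the
           enterprise's own prefixes or an RFC 1918 / loopback address.
  outbound (enterprise -> Internet): drop if the source address is not one of
           the enterprise's own prefixes.
"""
import ipaddress
from dataclasses import dataclass

# Assumed enterprise address space; a real deployment lists its own prefixes.
ENTERPRISE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Address ranges that must never appear as a source on the Internet side.
PRIVATE_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class Packet:
    direction: str  # "inbound" (from the Internet) or "outbound" (to the Internet)
    src: str
    dst: str


def _in_any(addr, prefixes):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def check_packet(pkt):
    """Return ("accept" | "drop", reason) for a single packet."""
    if pkt.direction == "inbound":
        if _in_any(pkt.src, ENTERPRISE_PREFIXES):
            return "drop", "inbound packet claims an internal source address"
        if _in_any(pkt.src, PRIVATE_PREFIXES):
            return "drop", "inbound packet has a private source address"
        return "accept", "ok"
    if pkt.direction == "outbound":
        if not _in_any(pkt.src, ENTERPRISE_PREFIXES):
            return "drop", "outbound packet has a non-enterprise source address"
        return "accept", "ok"
    return "drop", "unknown direction"


def filter_packets(pkts):
    """Apply check_packet to a sequence; returns (src, dst, verdict, reason) tuples."""
    return [(p.src, p.dst, *check_packet(p)) for p in pkts]


# Constructed sample traffic: one benign packet per direction, then one spoofed
# packet per direction and one inbound packet with a private source.
SAMPLE_PACKETS = [
    Packet("inbound", "198.51.100.4", "203.0.113.10"),   # normal Internet client
    Packet("outbound", "203.0.113.10", "198.51.100.4"),  # normal reply
    Packet("inbound", "203.0.113.7", "203.0.113.10"),    # outsider posing as internal host
    Packet("inbound", "10.1.2.3", "203.0.113.10"),       # private source from outside
    Packet("outbound", "198.51.100.4", "192.0.2.1"),     # internal host spoofing an external source
]

if __name__ == "__main__":
    for src, dst, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>14} -> {dst:<14} {verdict:6} {reason}")
```

In production this logic lives in the router or firewall ACL rather than in application code, but the two tests are the ones to encode there: the outbound rule is what stops an enterprise from becoming a source of spoofed DDoS traffic, and the inbound rule is what stops an outsider from borrowing an internal address to reach services that trust it.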
Types of spoofing
Spoofing can be carried out at different network layers. IP spoofing occurs at the network layer (layer 3 of the OSI communications model), but spoofing device media access control (MAC) addresses in Address Resolution Protocol (ARP) headers occurs at the data link layer, in the Ethernet frames carrying that protocol.
An ARP spoofing attack occurs when an attacker sends falsified ARP messages over a local area network. This links the hacker's MAC address with the IP address of a legitimate computer or server on the network.
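Because an ARP spoofing attack works by rebinding a legitimate host's IP address to the attacker's MAC address, the defender's signal is exactly that rebinding. The following Python monitor, an added example rather than code from the article, keeps the first IP-to-MAC binding it sees for each address (the approach tools such as arpwatch take) and raises an alert whenever a later ARP reply announces a different MAC for the same IP; a MAC that takes over two or more already-bound IPs, typically a host and its gateway, is reported as a suspected MITM. The ARP replies it processes are constructed sample records, not captured traffic.

```python
"""ARP rebinding detector over a stream of observed ARP replies.

Added example (not from the article). Each reply is modelled as a dict with
the fields a sniffer would extract from an ARP packet: sender_ip, sender_mac.
"""
from collections import defaultdict


class ArpMonitor:
    def __init__(self):
        self.bindings = {}                  # ip -> mac first observed for it
        self.conflicts = defaultdict(set)   # mac -> ips it announced that were bound elsewhere

    def observe(self, reply):
        """Record one ARP reply; return an alert string, or None if nothing is wrong.

        The first binding seen for an IP is kept on purpose: after a takeover
        every reply from the impostor keeps alerting instead of silently
        becoming the new "known" mapping.
        """
        ip = reply["sender_ip"]
        mac = reply["sender_mac"].lower()   # normalise case before comparing
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known == mac:
            return None                     # repeat of the known binding, benign
        self.conflicts[mac].add(ip)
        return f"ARP conflict: {ip} announced by {mac}, previously {known}"

    def suspected_mitm(self):
        """MACs that claimed two or more IPs already bound to other hosts."""
        return sorted(m for m, ips in self.conflicts.items() if len(ips) >= 2)


def run(replies):
    """Process a reply stream; return (list of alerts, list of suspected MACs)."""
    mon = ArpMonitor()
    alerts = [a for a in map(mon.observe, replies) if a]
    return alerts, mon.suspected_mitm()


# Constructed sample stream: a gateway and a host announce themselves, the host
# repeats its (benign) announcement, then a third MAC claims both addresses.
SAMPLE_REPLIES = [
    {"sender_ip": "192.168.1.1", "sender_mac": "AA:BB:CC:00:00:01"},    # gateway
    {"sender_ip": "192.168.1.20", "sender_mac": "aa:bb:cc:00:00:20"},   # workstation
    {"sender_ip": "192.168.1.20", "sender_mac": "aa:bb:cc:00:00:20"},   # benign repeat
    {"sender_ip": "192.168.1.1", "sender_mac": "aa:bb:cc:00:00:66"},    # gateway IP rebound
    {"sender_ip": "192.168.1.20", "sender_mac": "aa:bb:cc:00:00:66"},   # workstation IP rebound
]

if __name__ == "__main__":
    alerts, suspects = run(SAMPLE_REPLIES)
    for line in alerts:
        print(line)
    print("suspected MITM MACs:", suspects)
```

A real deployment has to age bindings out, since DHCP reassignments and NIC replacements also rebind an IP legitimately; the point of the first-seen rule is that such events are rare and reviewable, whereas an impostor claiming a gateway's address shows up immediately and keeps showing up.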
Another type of spoofing is domain name system (DNS) spoofing. This type of attack exploits DNS vulnerabilities and diverts internet traffic away from legitimate servers and toward fake servers.
Hackers can also spoof email by altering the email header fields to falsely indicate that the message originated from a different sender. Spoofed email is often part of a phishing attack that contains a link to a spoofed phishing website: a duplicate version of a website that appears to be the original. This spoofed website attempts to steal users' login credentials or other confidential information by tricking them into believing they are on a legitimate site.
Examples of IP spoofing
On Feb. 28, 2018, the GitHub code hosting platform was hit by what was believed at the time to be the largest DDoS attack ever recorded. The hackers spoofed GitHub's IP address and sent queries to several memcached servers that are typically used to speed up database-driven sites. The servers then amplified the returned data from those requests to GitHub by a factor of about 50, meaning that for each byte sent by the attacker, up to 51 KB was sent toward the target. In this case, GitHub was hit with 1.35 terabits per second of traffic, causing the site to go down for 10 minutes.
In another infamous attack, on Dec. 25, 1994, hacker Kevin Mitnick launched an attack against the computer system of rival hacker Tsutomu Shimomura using IP spoofing.