Spoofing is a specific type of cyber attack in which someone attempts to use a computer, device or network to trick other computer networks by masquerading as a legitimate entity. Cybercriminals use spoofing to gain access to computers to mine them for sensitive data, turn them into zombies (computers took over for malicious use) or launch Denial-of-Service (DoS) attacks. Of the several types of spoofing, IP spoofing is the most common.
What is IP Spoofing?
IP spoofing involves the creation of Internet Protocol (IP) packets with a manipulated source address. Its primary purpose is to conceal the identity of the sender or impersonate another computer system, or sometimes both. By modifying the source address, malicious actors attempt to deceive or bypass security measures, making it challenging to trace the origin of network traffic
Before discussing how it works, let us refresh our memory on how data is transmitted over the internet.
IP Packet Headers
The data transmitted over the internet is first broken into multiple packets, and those packets are transmitted independently and reassembled at the end. Each packet has an IP header that contains information about the packet, including the source IP address (sender) and the destination IP address (receiver).
Figure 1: IPv4 Packet Headers. Source: imperva.com
How does IP spoofing work?
IP address spoofing is the act of falsifying the content in the Source IP header, usually with randomized numbers, either to mask the sender’s identity or to launch a DDoS attack. The purpose of IP spoofing is to make the receiving computer system think the packet is from a trusted source, such as another computer on a legitimate network, and accept it. Because this occurs at the network level, there are no external signs of tampering.
IP Spoofing is analogous to an attacker sending a package to someone with the wrong return address listed. If the person receiving the package wants to stop the sender from sending packages, blocking all packages from the bogus address will do little good, as the return address is easily changed. On the other hand, if the receiver wants to respond to the return address, their response package will go somewhere other than to the real sender.
The ability to spoof the addresses of packets is a core vulnerability exploited by many DDoS attacks. DDoS attacks will often utilize spoofing with the goal of overwhelming a target with traffic while masking the identity of the malicious source, preventing mitigation efforts. If the source IP address is falsified and continuously randomized, blocking malicious requests becomes difficult.
IP spoofing also makes it tough for law enforcement and cybersecurity teams to track down the perpetrator of the attack, since geographically dispersed botnets—networks of compromised computers—are often used to send the packets. Each botnet potentially contains tens of thousands of computers capable of spoofing multiple source IP addresses. As a result, this automated attack is difficult to trace.
A variation on this approach uses thousands of computers to send messages with the same spoofed source IP address to a huge number of recipients. The receiving machines automatically transmit an acknowledgment to the spoofed IP address and flood the targeted server.
Another malicious IP spoofing method uses a Man-in-the-Middle attack to interrupt communication between two computers, alter the packets, and then transmit them without the original sender or receiver knowing. Over time, hackers collect a wealth of confidential information they can use or sell.
In systems that rely on trust relationships among networked computers, IP spoofing can be used to bypass IP address authentication. The idea behind this type of defense is simple: Those outside the network are considered threats, and those inside are trusted. Once hackers breach the trusted network, it is easy for them to explore the system and spoof IP addresses. Considering that vulnerability, using simple authentication as a defense strategy is not an effective measure and needs to be replaced by more robust security approaches, such as those with multi-factor authentication mechanisms including adaptive authentication and the use of machine identities.
How to prevent IP spoofing - Detecting and preventing IP spoofers
There are several measures that organizations can take to stop spoofed packets from infiltrating their networks, including:
- Monitoring networks for atypical activity.
- Deploying packet filtering systems capable of detecting inconsistencies, such as outgoing packets with source IP addresses that don't match those on the company's network.
- Using robust verification methods for all remote access, including for systems on the enterprise intranet to prevent accepting spoofed packets from an attacker who has already breached another system on the enterprise network.
- Authenticating IP addresses of inbound IP packets.
- Using a network attack blocker
Web designers are encouraged to migrate sites to IPv6. In contrast to IPv4, IPv6 makes IP spoofing harder by including encryption and authentication steps. However, most of the world's internet traffic still uses IPv4. The Seattle Internet Exchange IPv6 traffic statistics indicates that only about 5% of traffic has migrated to the newer, more secure protocol.
Another option to consider is the use of network edge devices, such as firewalls, configured to support packet filtering to detect inconsistencies and reject packets with spoofed addresses. Some basic considerations include:
- Configuring the devices to reject packets with private IP addresses that originate from outside the enterprise perimeter (ingress filtering).
- Blocking traffic that originates from inside the enterprise but that spoofs an external address as the source IP address (egress filtering). This prevents spoofing attacks from being initiated from inside the enterprise against other, external, networks.
Finally, detecting IP spoofing is virtually impossible for end-users. They can minimize the risk of other types of spoofing, however, by using secure encryption protocols like HTTPS—and only surfing sites that also use them.
IP spoofing is a tool used by cybercriminals to impersonate legitimate networks or devices, used predominantly to launch DDoS and Man-In-The-Middle attacks aiming either to disrupt the delivery of network services or to steal sensitive data. Although IP spoofing is hard to detect, there are many solutions which can help organizations stop spoofed messages from infiltrating their trusted systems. The combination of continuous network monitoring, packet filtering and strong authentication methods should be the preferred tools in the arsenal of every security team.
(This post has been updated. It was originally published on September 8, 2020.)