IP Spoofing

IP spoofing is the process of creating Internet Protocol (IP) packets which have a false source address. The purpose of this false source address is to hide the identity of the sender or to impersonate another computer system. 

An IP address is a fundamental building block. An IP address consists of a sequence of numbers used to identify a device on an IP network. An IP packet contains the IP address and also includes the data to be delivered to the device which is  identified by the IP address. The IP address format uses a 32-bit number that identifies a particular network interface on the targeted machine. IP addresses are usually written in decimal digits, formatted as four 8-bit fields separated by periods. Each byte of the IP address is represented by an 8-bit field. This format appears as follows:  [xxx].[xxx].[xxx].[xxx]. IP spoofing changes the legitimate senders’ IP address to one which is false and misleading.

IP spoofing is a technique often used by threat actors to initiate DDoS attacks. A distributed denial-of-service (DDoS) attack is a targeted attack on a server or network by overwhelming the target with a massive flood of Internet traffic. DDoS attacks achieve critical mass and overpowering impact by utilizing multiple compromised computer systems to generate the attack. Targets which are exploited can include computers and other networked connected devices, such as Internet of Things (IoT) devices. As noted earlier, IP spoofing is often used to initiate DDoS attacks.

The transmission of IP packets is by far the primary way in which networked devices communicate, and this communication constitutes the backbone functionality of the internet. As noted earlier, IP packets contain a header which contains necessary routing information, including the source address. In a legitimate packet, the source IP address is the address of the sender of the information in the packet. If the packet has been spoofed, the source address will be forged to both hide the identity of the threat actor and to make the message seem legitimate.

It is important to note that IPv4 and IPv6 are different versions of the Internet Protocol address scheme. The format for IPv4 addresses is four sets of numbers separated by periods (dots), as shown above. This 32-bit format, can support approximately 4.3 billion, unique IP addresses. While this worked initially, it is not enough for the amount of devices that are now on the Internet. The need for more IP addresses led to the implementation of IPv6. 

IPv4 has been around for over 25 years. IPv6 is the next-generation Internet protocol designed to replace it to resolve the address space limitations. The push towards deployment of IPv6 has grown significantly as the rewards for doing so have become highly compelling. IPv6 can decrease complexity and improve security. It is still expected that attacker techniques will evolve to address the new capabilities and different attack surface of IPv6 when it reaches broad deployment.

IPv6 addresses use a more complex syntax that utilizes sets of alphanumeric characters separated by colons (single or double). The result is that this 128-bit format can support a massive address space. There was an IPv5 – this was an experimental streaming data protocol that was designed, prototyped, but never put into production.  It used the same 32-bit formatting as IPv4, so the total address space was insufficient to meet the growing requirements of the Internet.

For example, when a home user connects to the Internet on their laptop, that user’s ISP assigns them a temporary IP address from a pool of shared IP addresses. This is known as a dynamic IP address. This is more cost-effective for the ISP than assigning each user a permanent, or static, IP address.

At the 10,000 foot view, you can imagine IP Spoofing as similar to an attacker sending a package to someone with an intentionally mislabeled return address. If the person receiving the package wants to stop the receipt of additional packages, blocking all packages from the fake address won’t really work, as this return address can be created and mislabeled continuously. Also consider that if the recipient wants to respond to the sender (the return address), their reply will go somewhere other than to the actual sender. This ability to spoof the addresses of packets is a core vulnerability which is continuously exploited by DDoS attacks and other types of threat actor techniques.

IP spoofing also makes it tough for attribution of the attack. It is difficult to impossible to track down the threat actors responsible for the attack. Cybersecurity teams and their law enforcement partners can take no action with clear evidence of attribution behind the attack.

If the source IP address is bogus and continually changed, then identifying and blocking malicious requests remains very difficult. 

Spoofing can also be used to pretend to be a particular device so that all responses are sent to that device which has been targeted. Volumetric attacks (NTP Amplification and DNS amplification) make use of this vulnerability. Volume based attacks are generally measured in bits per second. Volume based attacks include the use of tactics such as UDP floods, ICMP floods and other spoofed packet flooding designed to saturate and exhaust the bandwidth of the targeted IP address. Protocol attacks include SYN floods, the “Ping of Death,” and other tactics. Protocol attacks generally target communication equipment or servers. Consider that spoofing can also be done with the aim of pretending to be another device in order to avoid authentication and thus hijack or gain unauthorized access to a user’s session.

Protecting against IP spoofing is hard, but it can be done. A common defense against IP spoofing is ingress filtering. Ingress filtering is generally implemented on a network edge device which examines incoming IP packets and examines their source headers. If the source headers on those packets don’t match their origin or look suspicious in some way, the packets are rejected. Some networks will also implement egress filtering. Egress filtering looks at IP packets exiting the network to ensure these have legitimate source headers.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.