IP address spoofing is a technique used by hackers to disguise their IP address as another IP and gain access to sensitive information or access private services on authorized networks. In some special cases, they can create IP packets that contain a false source IP address and this way hide their original address or impersonate another computing system.This is possible when they have access to the router for the local network.
The Internet Protocol states that all IP packets must have a header section. This section contains the IP address of the packet’s sender – and other information too, of course. When an IP address is spoofed, this header section is altered in some way. When this alteration happens, the receiver of the packet thinks that it came from another (trusted) source.
But why is it possible to alter packet headers?
The techniques used to alter IP addresses originate from design problems of the TCP/IP protocol suite. The Internet Protocol (IP) operates at the network layer of the OSI model. Because of the connectionless nature of the model, there is no information about the state of the transaction – whether it is delivered to the destination or not.
The Transmission Control Protocol (TCP) has a solution for packet delivery acknowledgment. The sequence and acknowledgment numbers are used to ensure proper packet delivery. So the state of the transaction is handled and monitored.
TCP uses a so-called three-way handshake to establish a connection. When a client wants to connect to a server, the server must open up a port for connections. This is called a „passive open” because the server will listen on the opened port.
After this a client may start an „active open” and to successfully establish a connection, the three-way handshake will occur. So although it’s basically easy to send a TCP packet with any IP address, the SYN/ACK response will be routed to the original IP which means that the response will never arrive to the hacker who tries to spoof the address. And because of this, the forged IP won’t send the ACK response to acknowledge the server’s packet and the connection won’t be established.
So on TCP, it’s not possible to successfully spoof an IP address after the handshake.
Spoofing through UDP (User Datagram Protocol) is another matter because there are no handshaking dialogues. Real-time audio and video streaming services use UDP where it’s more acceptable to drop packets than to wait for delayed ones. UDP is a message-based connectionless protocol where communication is achieved by transmitting information in one direction from source to destination without verifying the readiness or state of the receiver. There is no acknowledgment, timeout or retransmission.
What is IP spoofing used for?
IP spoofing is often used in DoS (denial-of-service) and DDoS (Distributed Denial of Service) attacks because the altered addresses are more difficult to filter since each spoofed packet seems to come from a different address. In these cases the attacker is not concerned about receiving the response from the targeted server. The server will be flooded with requests to such an extent that it won’t be able to reply to legitimate requests (e.g. when a visitor tries to load a website in the browser).
Attackers can randomly choose IP addresses from the common IP address space or they can use sophisticated IP generating tools that filter those addresses which are unroutable or are not in use by anyone.
But not only IP addresses, websites can be spoofed too. Hackers can use legitimate looking logos, pictures, colors and fonts to look like another service and to change a website to seem realistic and trusted.
For example, what if they change a well-known news service’s website to broadcast false information? Or they steal the look-and-feel of a popular bank’s website? Criminals can use a false site to look like the webpage of a financial service and this way steal credit card information and gain access to private banking accounts. The technique used by hackers to redirect a website’s traffic to a fake site is called „pharming”.
How to detect a spoofed packet?
ISPs (Internet Service Providers) and VPN providers can take certain steps against IP spoofing because detecting a spoofed packet generally can only be done close to the source of the traffic. For example the first router on the path has the possibility to detect that the source address in the packet doesn’t belong to any of the internal networks it knows of and therefore could drop it. This is called egress filtering. This check can only be done inside or at the edge of a network. It’s usually only performed by firewalls and needs to be carefully configured to avoid side effects.
An almost identical technique is called ingress filtering.It is used to ensure that incoming packets are actually from the networks from which they claim to originate. This technique works only if the filtering device has some knowledge of the connected network.
You can build your own rules against TCP-based DDoS attacks using iptables. Iptables is the default firewall management utility on Linux systems. It can be used from the command-line to set up kernel packet filtering rules. If you configure it correctly, it can help you to block packets that would cause your server to be flooded and overloaded. If you’re under a DDoS attack, you must be able to block as many packets per second as possible.
You can implement rules for the iptables mangletable and the PREROUTING chain.
You usually don’t want to receive packets from private source IPs. So you can use the following iptables rules to block spoofed packets originating from private (local) subnets. (These rules assume that your loopback interface uses the 127.0.0.0/8 IP space.)
iptables -t mangle -A PREROUTING -s 220.127.116.11/3 -j DROP iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
With filtering rules you could reject addresses coming in on the wrong interface at or near the source of the traffic, but on the final host it’s very difficult to detect spoofing because each arriving packet would be examined.
So basically when we discuss protection against IP spoofing, it’s generally true that a „simple” end-user can do little about it. Mainly it’s the responsibility of the bigger players (ISPs and VPN providers, etc.) to take the necessary steps to avoid these kind of attacks. But I think it’s definitely worth a try to use some packet filtering rules and to look further into this topic.