What is IP spoofing?
An Internet Protocol (IP) address is an identifier for a computer or device on a network. Any device connected to an IP network must have an IP address that is unique within that network. An IP address is analogous to a street address or telephone number in that it is used to uniquely identify an entity.
An IP address can be static or dynamic. A static IP address never changes and serves as a permanent Internet address. A dynamic IP address is a temporary address that is assigned each time a computer or device connects to the Internet.
Computer networks communicate by exchanging network data packets, each of which carries several headers used for routing and for keeping the transmission intact. One such header field is the ‘Source IP Address’, which states the IP address of the packet’s sender. Nothing in the IP header itself proves that this field is truthful; the receiver has only the sender's word for it.
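The following is an added example, not code from the original article: it builds a minimal IPv4 header from constructed addresses, parses it back, and verifies the header checksum. The point it makes is the one above: the Source IP Address is an ordinary header field, and the checksum only detects accidental corruption. A header rewritten with a different source and a recomputed checksum validates exactly like a genuine one, so a receiver cannot tell them apart from the header alone. All addresses are documentation ranges chosen for the example.

```python
# Added example (not from the original article): decode an IPv4 header and
# check its checksum, to show that the source address field carries no
# authentication of its own.
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout


def ipv4_checksum(header: bytes) -> int:
    """Standard Internet one's-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0,
                      ttl: int = 64, proto: int = 6) -> bytes:
    """Construct a minimal 20-byte IPv4 header (sample input for the parser)."""
    ver_ihl = (4 << 4) | 5          # version 4, header length 5 words
    total_len = 20 + payload_len
    header = struct.pack(IPV4_FMT, ver_ihl, 0, total_len, 0x1234, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header)    # checksum computed with the field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed fields of an IPv4 header; raises ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # A correct header sums to zero when the checksum field is included.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def receiver_view(src: str, dst: str) -> dict:
    """What a receiver learns about the sender from the header alone."""
    parsed = parse_ipv4_header(build_ipv4_header(src, dst))
    return {"claimed_sender": parsed["src"], "checksum_ok": parsed["checksum_ok"]}


if __name__ == "__main__":
    # Two headers to the same destination, differing only in the claimed sender
    # (constructed documentation-range addresses). Both check out.
    print(receiver_view("203.0.113.10", "198.51.100.5"))
    print(receiver_view("192.0.2.77", "198.51.100.5"))
    # Corrupting one byte without recomputing the checksum is caught.
    damaged = bytearray(build_ipv4_header("203.0.113.10", "198.51.100.5"))
    damaged[12] ^= 0x01
    print(parse_ipv4_header(bytes(damaged))["checksum_ok"])
```

The checksum catches the damaged header but passes both intact ones, which is why source-address validation has to come from elsewhere: from filtering at network boundaries or from authentication at a higher layer, as the prevention section describes.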
IP spoofing, also known as IP address forgery, is a technique used to gain unauthorized access to machines, in which an attacker illicitly impersonates another machine by manipulating IP packets.
The intruder sends messages to a computer with a source IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that the packets appear to be coming from that host.
Robert Morris first conceptualized IP spoofing when he uncovered what is known as sequence prediction within TCP. Morris noted this to be a gap in IP security. Certain design problems in the TCP/IP suite have lent themselves well to cracking IP security and thus enabling IP spoofing.
When IP spoofing is used to hijack a browser, a visitor who types in the URL of a legitimate site is taken to a fraudulent Web page created by the hijacker. If a user interacts with dynamic content on a spoofed page, the hijacker can gain access to sensitive information or to computer or network resources. The hijacker could steal or alter sensitive data, such as a credit card number or password, or install malware.
IP spoofing is a default feature in most DDoS malware kits and attack scripts, making it a part of most network layer distributed denial of service (DDoS) attacks. It is used for two reasons in DDoS attacks: to mask botnet device locations and to stage a reflected assault.
In security research, IP data derived from network layer assaults is often used to identify the country of origin of attacker resources. IP spoofing, however, makes this data unreliable, as both the IP address and the geolocation of malicious traffic are masked. When reading reports that rely solely on network IP data, it is necessary to be aware of these limitations.
The use of packets with a false source IP address is not always evidence of malicious intent.
For example, in performance testing of websites, hundreds or even thousands of "v-users" (virtual users) may be created, each executing a test script against the website under test, in order to simulate what will happen when the system goes "live" and a large number of users log on at once.
Types of attacks
Denial-of-service attack - In a DDoS attack, IP spoofing is used so that the exact machines from which the requests come cannot be identified. This makes the DDoS attack more powerful because it becomes difficult to identify the senders and block them.
Blind Spoofing - The attacker transmits multiple packets to the intended target in order to receive a series of sequence numbers, which are generally used to assemble packets in the order in which they are meant to be read, i.e., packet 1 first, then packet 2, then packet 3.
Non-Blind Spoofing - In this type of attack, the cracker resides on the same subnet as the intended target and can therefore observe the sequence numbers of the packets; hence the attack is called non-blind spoofing.
Man-in-the-middle attack - When two machines are communicating with each other, the attacker intercepts the packets sent by the systems and alters them, with the sending and receiving machines unaware that their communication has been tampered with.
Spoofing Attack Prevention
There are many tools and practices that organizations can employ to reduce the threat of spoofing attacks. Newer routers and firewall arrangements can offer protection against IP spoofing. The most common spoofing attack prevention measures are:
- Packet filtering: Packet filters inspect packets as they are transmitted across a network. Ingress filters drop packets arriving from outside whose source address belongs to the internal network, and egress filters drop packets leaving the network whose source address is not one of its own, so that a forged source is caught at the boundary.
- Use spoofing detection software: There are many programs available that help to detect spoofing attacks. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.
- Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTPS and other secure communications protocols bolster spoofing attack prevention efforts by encrypting data before it is sent and authenticating data as it is received.
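As an added example of the packet filtering item above (not code from the original article), the block below implements the source-address checks that ingress and egress filtering perform, in the style of BCP 38, and runs them over a handful of constructed packet records. The interface names "wan" and "lan", the internal prefixes and the sample packets are all assumptions made for the illustration; a real deployment would take the prefixes from the router's configuration.

```python
# Added example (not from the original article): a minimal ingress/egress
# source-address filter in the style of BCP 38, run over constructed records.
import ipaddress
from typing import Iterable

# Hypothetical topology: "lan" faces the internal network, "wan" faces the Internet.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Source addresses that can never legitimately arrive from the Internet:
# the remaining RFC 1918 range plus loopback, link-local, multicast and reserved.
NEVER_FROM_WAN = INTERNAL_PREFIXES + [
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
    ipaddress.ip_network("240.0.0.0/4"),   # includes 255.255.255.255
]


def _in_any(addr: ipaddress.IPv4Address, prefixes) -> bool:
    return any(addr in prefix for prefix in prefixes)


def filter_packet(iface: str, src: str) -> tuple:
    """Decide a packet seen on `iface` with source `src`: ("accept", "") or ("drop", reason)."""
    addr = ipaddress.ip_address(src)
    if iface == "wan":
        # Ingress: the Internet side must never present one of our own (or a bogon) source.
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "internal source arriving from the Internet (ingress spoof)"
        if _in_any(addr, NEVER_FROM_WAN):
            return "drop", "bogon or private source on WAN"
    elif iface == "lan":
        # Egress: hosts inside may only send with an address from our own ranges.
        if not _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "non-local source leaving the network (egress spoof)"
    else:
        return "drop", "unknown interface"
    return "accept", ""


# Constructed sample traffic: (interface the packet was seen on, source, destination).
SAMPLE_PACKETS = [
    ("wan", "198.51.100.7", "10.0.0.5"),      # ordinary inbound traffic
    ("wan", "10.0.0.9", "10.0.0.5"),          # claims to be internal but came from outside
    ("wan", "127.0.0.1", "10.0.0.5"),         # loopback source cannot be legitimate
    ("lan", "10.0.0.5", "198.51.100.7"),      # ordinary outbound traffic
    ("lan", "203.0.113.99", "198.51.100.7"),  # inside host sending with a foreign source
]


def audit(packets: Iterable) -> list:
    """Apply the filter to each record and return the verdicts for logging or review."""
    results = []
    for iface, src, dst in packets:
        verdict, reason = filter_packet(iface, src)
        results.append({"iface": iface, "src": src, "dst": dst,
                        "verdict": verdict, "reason": reason})
    return results


def dropped_sources(packets: Iterable) -> list:
    """Sources the filter rejected, in input order."""
    return [r["src"] for r in audit(packets) if r["verdict"] == "drop"]


if __name__ == "__main__":
    for r in audit(SAMPLE_PACKETS):
        print(f'{r["iface"]:3} {r["src"]:>14} -> {r["dst"]:<14} {r["verdict"]:6} {r["reason"]}')
```

The filter only catches sources that are impossible for the interface they arrive on. A packet from the Internet that claims some other external address is indistinguishable at this boundary, which is why the same egress checks need to run at every network's edge (routers often implement them as unicast reverse path forwarding) and why the cryptographic protocols in the last item are needed to authenticate a peer rather than merely its address.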