+5 votes
in Security by (242k points)
IP spoofing: how attackers manipulate your data packets

1 Answer

+3 votes
by (1.6m points)
Best answer

Regardless of whether you surf the Internet in your free time or are responsible for a local area network, it is essential to protect yourself against unauthorized access and attacks that can cause considerable damage to your system. For decades, cybercriminals have found different methods to gain access to external computer systems, causing damage on both a small and a large scale. If the intruders are professionals and have the necessary tools, the user will not even know about the attack. Moreover, many cybercriminals know how to erase their tracks, making it almost impossible to determine the origin of attacks using ordinary means. One of the preferred techniques for these purposes is so-called spoofing (in Spanish, manipulation or impersonation) and, by 1980, IP spoofing in its original form was already a topic of conversation in expert circles.

What is IP spoofing?

So-called IP spoofing is a technique in which TCP/IP or UDP/IP data packets are sent with a false sender address. To inject their own packets into an external system, which a filtering system would otherwise block, the attacker uses the address of an authorized and trusted system. In most cases, IP spoofing is used to perform DoS and DDoS attacks. However, under certain circumstances, the attacker can also intercept and manipulate IP traffic between two or more computer systems. These types of attacks are known as man-in-the-middle attacks and, like IP spoofing (with only a few exceptions), they require the attacker to be on the same subnet as the victim.

The reason for IP spoofing is spoofing

Impersonation of the IP address is possible because the source and destination addresses contained in the header of each IP packet are not sufficiently protected against manipulation. Unfortunately, there are no mechanisms to encrypt this information or to verify its veracity. However, with a simple IP spoofing attack the attacker does not gain access to the data traffic. That is, they can only change the address in the corresponding packet, while their actual IP address remains unchanged. Thus, the response with the data issued will not reach the attacker, but rather the address of the computer that they entered.

The system receiving the request has no way of knowing that an unauthorized third party is behind the IP packet, which makes IP spoofing useful for the aforementioned DoS and DDoS attacks. In particular, the following two scenarios are possible:

  1. Based on the source address, the attacker sends many data packets to various systems within the respective network. They respond by sending a data packet to the computer whose address was misused.
  2. A destination host receives many data packets from multiple spoofed IP addresses at the same time, and is therefore overloaded.

Computers whose IP addresses have been spoofed can become targets of DDoS attacks or serve as a tool for them. In both cases, because the packets sent appear to come officially from the computers whose IP addresses were spoofed, it is not possible to identify the attackers.

How do attackers get around even the problem of coordinated attack?

An attacker can cause the intentional overload from anywhere, as long as the target computer is connected to the Internet. However, direct access to data traffic is difficult if the intruder is not on the same subnet. This is because intercepting a data packet is only possible when you have the sequence number of that packet, something that, from outside the subnet and in contrast to earlier times, is almost impossible today.

In the past, operating systems and network devices generated this TCP header field following a pattern with few variations. In this way, attackers could send multiple packets to the target system without much trouble and, from the responses, predict the subsequent sequence number. They could also read or manipulate the packet behind that number and forward it using the spoofed IP address without being registered by the systems in the communication process. Since many systems used host-based login and transferred login data such as usernames and passwords in the clear, with luck the attacker could connect without any problems. Because sequence numbers are now randomly generated, so-called TCP sequence prediction attacks are basically ineffective, although old devices are still at risk.

If the IP spoofer operates on the same subnet, for example on the same local network as the attacked system, they have a better chance of easily obtaining the sequence number or the IP packets behind it. Instead of using a tedious procedure to do this, they can filter the traffic, analyze it and select the desired data packets. In this case, we speak of non-blind spoofing.

How to protect against IP spoofing

For decades, security experts and professionals in the computer industry have dealt with the problem of IP spoofing. This is mainly due to the ease with which denial of service or DDoS attacks can be generated using IP spoofing. Therefore, specific filtering of outgoing traffic by Internet providers has long been called for, in which packets with source addresses outside the provider's network are caught and discarded. Unfortunately, effort and cost are the main reasons why, until now, this measure has remained a proposal that nobody has managed to implement.

Another reason for the reluctance of Internet providers is the apparent security features of the latest version of the IPv6 Internet protocol. Among other things, the official successor to the currently widespread IPv4 includes several optional authentication and encryption options for data packet headers that, in the future, could completely prevent IP spoofing. However, so far, the switch to the new addressing protocol has proven to be somewhat complicated, manifesting, for example, in the lack of IPv6 support for various common network devices.

To prevent an attacker from spoofing your IP address and using it for unscrupulous purposes, you have the ability to take the initiative by creating your own protection mechanisms. Thus, we recommend that you focus on the following two measures:

  • Establish a comprehensive packet filtering solution for your router. It will be in charge of analyzing and discarding packets whose source addresses do not belong to the network itself. You will even have to take care of filtering outgoing packets with sender addresses outside your network, despite the fact that, in this respect, security experts consider it the duty of the service provider.
  • Stay away from host-based authentication methods. Make sure that all login methods are carried out over encrypted connections. In this way you will minimize the risk of an IP spoofing attack within your network and you will be setting important security standards.

On the other hand, it is also advisable to replace older operating systems and network devices (in case you are still using them). In this way, you will not only increase protection against IP spoofing, but you will also be protecting yourself against many other vulnerabilities.
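The router-side filtering the answer recommends (drop outbound packets whose source is not one of your own addresses, and drop inbound packets that claim one of your own addresses) can be written down as a small direction-aware check. The following Python is an added example, not code from the answer or from the article it summarizes; the local prefix, the bogon list, the interface names `lan`/`wan` and the sample packets are all constructed for illustration, using RFC 5737 documentation ranges.

```python
"""Direction-aware anti-spoofing packet filter (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Prefix this router is responsible for (constructed; RFC 5737 documentation range).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Source ranges that should never appear on packets arriving from the Internet
# (constructed, deliberately short list: loopback, link-local, RFC 1918, "this" network).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on: "lan" (inside) or "wan" (Internet)


def classify(pkt: Packet, local_net: ipaddress.IPv4Network = LOCAL_NET) -> Tuple[str, str]:
    """Return ("accept", "") or ("drop", reason) for a single packet."""
    src = ipaddress.ip_address(pkt.src)
    src_is_local = src in local_net

    if pkt.iface == "lan":
        # Egress: only addresses from our own prefix may leave the network.
        if not src_is_local:
            return "drop", "egress: source address not in local prefix"
        return "accept", ""

    if pkt.iface == "wan":
        # Ingress: nobody outside may claim an address from our prefix.
        if src_is_local:
            return "drop", "ingress: local prefix claimed by an outside sender"
        # Ingress: private/reserved sources cannot legitimately arrive from the Internet.
        if any(src in net for net in BOGONS):
            return "drop", "ingress: bogon source address"
        return "accept", ""

    return "drop", f"unknown interface {pkt.iface!r}"


def filter_packets(pkts: List[Packet]) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Split packets into accepted ones and (packet, reason) pairs for dropped ones."""
    accepted, dropped = [], []
    for p in pkts:
        verdict, reason = classify(p)
        if verdict == "accept":
            accepted.append(p)
        else:
            dropped.append((p, reason))
    return accepted, dropped


# Constructed sample traffic covering each rule.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.7", "lan"),    # legitimate outbound
    Packet("203.0.113.99", "198.51.100.7", "lan"),  # inside host using a foreign source
    Packet("198.51.100.7", "192.0.2.10", "wan"),    # legitimate inbound
    Packet("192.0.2.10", "192.0.2.10", "wan"),      # outside sender claiming our prefix
    Packet("10.0.0.5", "192.0.2.10", "wan"),        # bogon source from the Internet
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for p in ok:
        print("ACCEPT", p.iface, p.src, "->", p.dst)
    for p, why in bad:
        print("DROP  ", p.iface, p.src, "->", p.dst, "|", why)
```

The egress branch is the provider-side filtering the answer says has not been widely deployed, applied at your own border instead; the ingress branch protects your hosts from the reflection scenario in which your addresses are used as the spoofed source. The same logic works unchanged for IPv6 if `LOCAL_NET` and `BOGONS` are given IPv6 prefixes, since `ipaddress` handles both families.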