Skip to main content
banner image
venafi logo

What Is IP Spoofing and How to Prevent It?

What Is IP Spoofing and How to Prevent It?

September 8, 2020 | Guest Blogger: Anastasios Arampatzis

Spoofing is a specific type of cyber attack in which someone attempts to use a computer, device or network to trick other computer networks by masquerading as a legitimate entity. Cybercriminals use spoofing to gain access to computers to mine them for sensitive data, turn them into zombies (computers took over for malicious use) or launch Denial-of-Service (DoS) attacks. Of the several types of spoofing, IP spoofing is the most common.

What is IP Spoofing?

A quick definition of IP spoofing is that it is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender, to impersonate another computer system, or both.

Before discussing how it works, let us refresh our memory on how data is transmitted over the internet.

IP Packet Headers

The data transmitted over the internet is first broken into multiple packets, and those packets are transmitted independently and reassembled at the end. Each packet has an IP header that contains information about the packet, including the source IP address (sender) and the destination IP address (receiver).

Figure 1: IPv4 Packet Headers. Source: imperva.com

How does IP Spoofing work?

IP address spoofing is the act of falsifying the content in the Source IP header, usually with randomized numbers, either to mask the sender’s identity or to launch a DDoS attack. The purpose of IP spoofing is to make the receiving computer system think the packet is from a trusted source, such as another computer on a legitimate network, and accept it. Because this occurs at the network level, there are no external signs of tampering.

IP Spoofing is analogous to an attacker sending a package to someone with the wrong return address listed. If the person receiving the package wants to stop the sender from sending packages, blocking all packages from the bogus address will do little good, as the return address is easily changed. On the other hand, if the receiver wants to respond to the return address, their response package will go somewhere other than to the real sender.

The ability to spoof the addresses of packets is a core vulnerability exploited by many DDoS attacks. DDoS attacks will often utilize spoofing with the goal of overwhelming a target with traffic while masking the identity of the malicious source, preventing mitigation efforts. If the source IP address is falsified and continuously randomized, blocking malicious requests becomes difficult.

IP spoofing also makes it tough for law enforcement and cybersecurity teams to track down the perpetrator of the attack, since geographically dispersed botnets—networks of compromised computers—are often used to send the packets. Each botnet potentially contains tens of thousands of computers capable of spoofing multiple source IP addresses. As a result, this automated attack is difficult to trace.

A variation on this approach uses thousands of computers to send messages with the same spoofed source IP address to a huge number of recipients. The receiving machines automatically transmit an acknowledgment to the spoofed IP address and flood the targeted server.

Another malicious IP spoofing method uses a Man-in-the-Middle attack to interrupt communication between two computers, alter the packets, and then transmit them without the original sender or receiver knowing. Over time, hackers collect a wealth of confidential information they can use or sell.

In systems that rely on trust relationships among networked computers, IP spoofing can be used to bypass IP address authentication. The idea behind this type of defense is simple: Those outside the network are considered threats, and those inside are trusted. Once hackers breach the trusted network, it is easy for them to explore the system and spoof IP addresses. Considering that vulnerability, using simple authentication as a defense strategy is not an effective measure and needs to being replaced by more robust security approaches, such as those with multi-factor authentication mechanisms including adaptive authentication and the use of machine identities.

How to Prevent IP Spoofing

There are several measures that organizations can take to stop spoofed packets from infiltrating their networks, including:

  • Monitoring networks for atypical activity.
  • Deploying packet filtering systems capable of detecting inconsistencies, such as outgoing packets with source IP addresses that don't match those on the company's network.
  • Using robust verification methods for all remote access, including for systems on the enterprise intranet to prevent accepting spoofed packets from an attacker who has already breached another system on the enterprise network.
  • Authenticating IP addresses of inbound IP packets.
  • Using a network attack blocker

Web designers are encouraged to migrate sites to IPv6. In contrast to IPv4, IPv6 makes IP spoofing harder by including encryption and authentication steps. However, most of the world's internet traffic still uses IPv4. The Seattle Internet Exchange IPv6 traffic statistics indicates that only about 5% of traffic has migrated to the newer, more secure protocol.

Another option to consider is the use of network edge devices, such as firewalls, configured to support packet filtering to detect inconsistencies and reject packets with spoofed addresses. Some basic considerations include:

  • Configuring the devices to reject packets with private IP addresses that originate from outside the enterprise perimeter (ingress filtering).
  • Blocking traffic that originates from inside the enterprise but that spoofs an external address as the source IP address (egress filtering). This prevents spoofing attacks from being initiated from inside the enterprise against other, external, networks.

Finally, detecting IP spoofing is virtually impossible for end-users. They can minimize the risk of other types of spoofing, however, by using secure encryption protocols like HTTPS—and only surfing sites that also use them.

Conclusion

IP spoofing is a tool used by cybercriminals to impersonate legitimate networks or devices, used predominately to launch DDoS and Man-In-The-Middle attacks aiming either to disrupt the delivery of network services or to steal sensitive data. Although IP spoofing is hard to detect, there are many solutions which can help organizations stop spoofed messages from infiltrating their trusted systems. The combination of continuous network monitoring, packet filtering and strong authentication methods should be the preferred tools in the arsenal of every security team.
 

Related posts

 

Like this blog? We think you will love this.
advanced-persistent-threats-against-machine-identities
Featured Blog

How Advanced Persistent Threats Misuse Machine Identities

How Cybercriminals Misuse Machine Identities

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

eBook

TLS Machine Identity Management for Dummies

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Anastasios Arampatzis
Guest Blogger: Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat