IP spoofing

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.


Background

The basic protocol for sending data over the Internet and many other computer networks is the Internet Protocol (IP). The protocol specifies that each IP packet must have a header which contains (among other things) the IP address of the sender of the packet. The source IP address is normally the address that the packet was sent from, but the sender's address in the header can be altered, so that to the recipient it appears that the packet came from another source. Because the protocol requires the receiving computer to send its response back to the source IP address, spoofing is mainly used when the sender can anticipate the network response or does not care about the response. The source IP address provides only limited information about the sender. It may provide general information about the region, city or town from which the packet was sent. It does not provide information on the identity of the sender or the computer being used.


Applications

IP address spoofing involving the use of a trusted IP address can be used by network intruders to overcome network security measures, such as authentication based on IP addresses. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network, which would require them to already be logged in. By spoofing a connection from a trusted machine, an attacker on the same network may be able to access the target machine without authentication.

IP address spoofing is most frequently used in denial-of-service attacks, where the objective is to flood the target with an overwhelming volume of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed IP addresses are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial-of-service attacks that use spoofing typically choose addresses at random from the entire IP address space, though more sophisticated spoofing mechanisms might avoid non-routable addresses or unused portions of the IP address space. The proliferation of large botnets makes spoofing less important in denial-of-service attacks, but attackers typically have spoofing available as a tool if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.


Legitimate uses

The use of packets with a false source IP address is not always evidence of malicious intent. For example, in performance testing of websites, hundreds or even thousands of "vusers" (virtual users) may be created, each executing a test script against the website under test, in order to simulate what will happen when the system goes "live" and a large number of users log in simultaneously. Since each user will normally have its own IP address, commercial testing products (such as HP LoadRunner, WebLOAD, and others) can use IP spoofing, allowing each virtual user its own "return address" as well.

IP spoofing is also used in some server-side load balancing. It lets the load balancer spray incoming traffic across the servers without needing to be in the return path from the servers to the client. This saves a networking hop through the switches and the load balancer, as well as outbound message processing load on the load balancer. Output usually has more packets and bytes than input, so the savings are significant.


Services vulnerable to IP spoofing

Configurations and services that are vulnerable to IP spoofing include:

* RPC (remote procedure call) services
* Any service that uses IP address authentication
* The R services suite (rlogin, rsh, etc.)


Defense against spoofing attacks

Packet filtering is one defense against IP spoofing attacks. The gateway to a network usually performs ingress filtering, which is blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker from spoofing the address of an internal machine. Ideally, the gateway would also perform egress filtering on outgoing packets, which is blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the filtering network from launching IP spoofing attacks against external machines. An intrusion detection system (IDS) is a common use of packet filtering; packet filtering has been used to secure environments for sharing data in both network-based and host-based IDS approaches. It is also recommended to design network protocols and services so that they do not rely on the source IP address for authentication.
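The ingress and egress rules above, as an added example that is not part of the original article: it reads the source address straight out of a raw IPv4 header and applies the gateway's decision for each direction. The internal prefixes, the header builder and the sample packets are constructed for the example.

```python
import ipaddress
import struct

# Constructed: prefixes that count as "inside" the protected network (assumption for this example).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def source_address(packet: bytes) -> ipaddress.IPv4Address:
    """Read the source IP from a raw IPv4 header (bytes 12..15 of the 20-byte base header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(packet[12:16])


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def filter_decision(direction: str, packet: bytes) -> str:
    """Gateway rule: ingress filtering on inbound packets, egress filtering on outbound ones.

    inbound  + internal source  -> drop (outsider claiming an inside address)
    outbound + external source  -> drop (insider claiming an outside address)
    """
    src = source_address(packet)
    if direction == "inbound" and is_internal(src):
        return f"DROP ingress: inbound packet claims internal source {src}"
    if direction == "outbound" and not is_internal(src):
        return f"DROP egress: outbound packet claims non-internal source {src}"
    return "ACCEPT"


def build_ipv4_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (TTL 64, protocol TCP, checksum left zero for the demo)."""
    version_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    # Outsider forging an internal address is stopped at ingress; insider forging an
    # outside address is stopped at egress; ordinary traffic passes in both directions.
    print(filter_decision("inbound", build_ipv4_header("192.0.2.10", "203.0.113.5")))
    print(filter_decision("outbound", build_ipv4_header("10.9.8.7", "203.0.113.5")))
    print(filter_decision("inbound", build_ipv4_header("203.0.113.5", "192.0.2.10")))
```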


Upper layers

Some upper layer protocols have their own defense against IP spoofing attacks. For example, the Transmission Control Protocol (TCP) uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally cannot see any reply packets, the sequence number must be guessed in order to hijack the connection. Poor implementations in many older operating systems and network devices, however, mean that TCP sequence numbers can be predicted.
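The sequence-number defense only holds when the initial sequence number (ISN) is hard to predict. As an added example that is not from the article, this implements the ISN generator of RFC 6528 (linked at the end of the page): ISN = M + F(localip, localport, remoteip, remoteport, secretkey), where M is a 4-microsecond timer. The RFC suggests MD5 for F; this example substitutes HMAC-SHA256, and the secret and clock values are constructed.

```python
import hashlib
import hmac
import os

# Constructed per-boot secret (assumption: a real TCP stack generates one at system start).
SECRET_KEY = os.urandom(32)

MASK32 = 0xFFFFFFFF


def connection_hash(local_ip, local_port, remote_ip, remote_port, secret=SECRET_KEY) -> int:
    """F(localip, localport, remoteip, remoteport, secretkey): keyed hash of the 4-tuple.

    RFC 6528 suggests MD5 over the tuple and secret; HMAC-SHA256 is substituted here.
    """
    four_tuple = f"{local_ip}:{local_port}->{remote_ip}:{remote_port}".encode()
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def isn(local_ip, local_port, remote_ip, remote_port, clock_us: int, secret=SECRET_KEY) -> int:
    """ISN = M + F(...) mod 2^32, with M a counter that ticks once every 4 microseconds."""
    m = (clock_us // 4) & MASK32
    return (m + connection_hash(local_ip, local_port, remote_ip, remote_port, secret)) & MASK32


def isn_delta(a: int, b: int) -> int:
    """Distance from ISN a to ISN b modulo 2^32: what an observer of a must guess to hit b."""
    return (b - a) & MASK32


if __name__ == "__main__":
    t = 1_000_000  # constructed clock reading in microseconds
    a = isn("192.0.2.10", 40000, "203.0.113.5", 22, t)
    b = isn("192.0.2.10", 40000, "203.0.113.5", 22, t + 4000)
    c = isn("192.0.2.10", 40001, "203.0.113.5", 22, t)
    # Same 4-tuple: the ISN advances with the clock only (1000 ticks), which keeps old
    # segments from being confused with the new connection. A different 4-tuple is offset
    # by an unrelated hash value, so seeing one connection's ISN reveals nothing about another's.
    print("same tuple, 4 ms later:", isn_delta(a, b))
    print("neighbouring port, same time:", isn_delta(a, c))
```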


Other definitions

The term ''spoofing'' is also sometimes used to refer to ''header forgery'', the insertion of false or misleading information in e-mail or netnews headers. Falsified headers are used to mislead the recipient, or network applications, as to the origin of a message. This is a common technique of spammers and sporgers, who wish to conceal the origin of their messages to avoid being tracked.


See also

* Egress filtering
* Ingress filtering
* MAC spoofing
* Network address translation
* Reverse-path forwarding
* Router (computing)
* Spoofed URL


External links

* ANA Spoofer Project: State of IP Spoofing and Client Test
* RFC 6528, Defending Against Sequence Number Attacks, February 2012