IP address spoofing

In computer networks, IP spoofing is the sending of IP packets with a forged source IP address.

The header of every IP packet carries a source address, which should be the address of the host that sent the packet. By forging the header so that it carries a different address, an attacker can make the packet look as though it came from another machine. Intruders can use this to defeat security measures that rely on the source address, such as IP-address-based authentication on a network: the IP layer itself offers the receiver no way to check who really emitted the packet.
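The following added example (not part of the article) makes the previous paragraph concrete: it builds a minimal IPv4 header with an arbitrary source address, computes the RFC 791 header checksum, and parses the header back. Nothing is transmitted; the point is that the source field is just twenty bytes of caller-controlled data and the receiver can only verify that the header is internally consistent, not that the source is genuine. The addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
import struct

# Added example, not from the article. Builds and parses a 20-byte IPv4 header
# (no options) so the forged source field and its checksum can be inspected
# offline. Sending such a packet would need a raw socket and root privileges.


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words.
    For a header whose checksum field is zero this yields the checksum;
    for a valid complete header (checksum field filled in) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Return an IPv4 header whose source is whatever the caller asks for.
    This is all spoofing takes at the IP layer: no field ties the header
    to the interface or host that will actually emit it."""
    version_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words
    total_len = 20 + payload_len
    flags_frag = 0
    hdr = struct.pack("!BBHHHBBH4s4s",
                      version_ihl, 0, total_len, ident, flags_frag,
                      ttl, protocol, 0,      # checksum zero while computing it
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed part of an IPv4 header, as a receiver would."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, total_len, _ident, _flags_frag, ttl, protocol,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (version_ihl & 0x0F) * 4
    return {
        "version": version_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": protocol,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # The only integrity check IP gives the receiver: header sums to zero.
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
    }


# Constructed scenario: a host outside the network (203.0.113.7) wants the
# gateway 192.0.2.1 to believe a UDP packet came from internal host 192.0.2.10.
# The receiver's parse shows a perfectly valid header claiming that source.
FORGED = build_ipv4_header(src="192.0.2.10", dst="192.0.2.1",
                           protocol=17, payload_len=8)
```

Run `parse_ipv4_header(FORGED)` and the result reports `src` 192.0.2.10 with `checksum_ok` true; nothing in the output distinguishes it from a packet the real 192.0.2.10 sent. Flipping any header byte makes the checksum fail, which is the only thing the checksum defends against (corruption, not forgery).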

The method is particularly usable when no bidirectional communication is required, for example because the replies to the attacker are predictable or not needed at all. Disguising TCP connections in this way is therefore generally not possible, because the response packets are sent to the "real" host that owns the spoofed IP address. In non-switched networks, however, the attacker can also see the reply packets, so that his machine can to some extent take the place of the spoofed IP address (see sniffing). In that case the attacker needs access to the same physical network segment, or a device there under his control.

This type of attack is most effective where trust relationships exist between machines on a network. In some corporate networks it is quite common for internal systems to trust one another, so that a user who is already logged in on one internal machine can log in to another without giving a user name and password. By forging a connection that appears to come from a trusted machine, an attacker can attack the target without having to authenticate.

IP spoofing is also used without difficulty in distributed denial-of-service attacks such as SYN flooding or DNS amplification. There the source address is set to the address of the intended victim, which is then flooded with replies it never requested and cannot use.


Packet filters are one countermeasure against IP spoofing. The gateway of a network should filter carefully in both directions. Packets arriving from outside that carry the source address of an internal host are discarded; this prevents an external attacker from forging the address of an internal machine. Ideally, outgoing packets are filtered as well, and packets whose source address does not belong to the network are discarded; this prevents the network's own machines from spoofing external addresses. Such egress filtering has long been demanded of ISPs by security professionals (it is codified as BCP 38, RFC 2827): if every ISP consistently dropped outgoing packets whose source address does not belong to its own network, large-scale IP spoofing (often in combination with denial-of-service attacks) would be a much smaller problem than it is on the Internet today.

Some higher-layer protocols provide their own protection against IP spoofing. TCP, for example, uses sequence numbers to ensure that incoming segments actually belong to an established connection: a blind attacker who never sees the server's SYN/ACK has to guess the server's initial sequence number in order to complete the handshake. Weak initial-sequence-number generation in many older operating systems and network devices, however, made these numbers guessable, so that an attacker could defeat the mechanism. Alternatively, the attacker may attempt a man-in-the-middle attack, in which he sees the sequence numbers directly.
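The following added example (not from the article) models the blind spoofing attack the paragraph describes: the attacker forges a SYN from a trusted host, never receives the server's SYN/ACK, and must guess the server's initial sequence number (ISN) to send a valid ACK. It compares a predictable ISN generator in the style of old stacks (a counter advanced by a fixed step; the step value is illustrative, not a quote of any particular kernel) with a generator built like the RFC 6528 scheme, ISN = M + F(connection 4-tuple, secret), where SHA-256 stands in for the MD5 the RFC uses. The endpoints and the clock counter are constructed.

```python
import hashlib
import os
import struct
from typing import Tuple

# Added example, not from the article. Simulates a blind TCP spoofing attempt
# against two initial-sequence-number (ISN) generators. No packets are sent.

Endpoint = Tuple[str, int]      # (ip, port)
MASK32 = 0xFFFFFFFF


class OldStackISN:
    """Predictable: every new connection gets the previous ISN plus a fixed
    step (illustrative stand-in for the time-based counters of old stacks)."""
    STEP = 64000

    def __init__(self, start: int = 1000) -> None:
        self.last = start

    def isn_for(self, local: Endpoint, remote: Endpoint) -> int:
        self.last = (self.last + self.STEP) & MASK32
        return self.last


class Rfc6528ISN:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret).
    M is a 4-microsecond clock (here a constructed counter), F a keyed hash
    truncated to 32 bits, so different 4-tuples get unrelated offsets."""

    def __init__(self, secret: bytes = b"") -> None:
        self.secret = secret or os.urandom(16)
        self.clock = 0

    def _f(self, local: Endpoint, remote: Endpoint) -> int:
        msg = f"{local[0]}:{local[1]}->{remote[0]}:{remote[1]}".encode() + self.secret
        return struct.unpack("!I", hashlib.sha256(msg).digest()[:4])[0]

    def isn_for(self, local: Endpoint, remote: Endpoint) -> int:
        self.clock = (self.clock + 1) & MASK32     # stands in for elapsed time
        return (self.clock + self._f(local, remote)) & MASK32


def blind_spoof_succeeds(server, server_ep: Endpoint,
                         attacker_ep: Endpoint, trusted_ep: Endpoint) -> bool:
    """True if the attacker's forged handshake-completing ACK would carry the
    right acknowledgement number, i.e. he guessed the server's ISN exactly."""
    # 1. Two legitimate connections from the attacker's own address show how
    #    the server's ISN moves from one connection to the next.
    isn1 = server.isn_for(server_ep, attacker_ep)
    isn2 = server.isn_for(server_ep, attacker_ep)
    step = (isn2 - isn1) & MASK32
    # 2. Forged SYN with the trusted host's address as source. The SYN/ACK
    #    carrying real_isn goes to the trusted host, not to the attacker (in a
    #    real attack the trusted host is kept busy so it does not send a RST).
    real_isn = server.isn_for(server_ep, trusted_ep)
    # 3. The attacker extrapolates and sends ACK = guess + 1 with the forged
    #    source; the server accepts it only if guess == real_isn.
    guess = (isn2 + step) & MASK32
    return guess == real_isn


# Constructed endpoints (RFC 5737 ranges): an rlogin-style service on the
# target, the attacker outside, and the trusted internal host being impersonated.
SERVER = ("192.0.2.10", 513)
ATTACKER = ("203.0.113.7", 40000)
TRUSTED = ("192.0.2.20", 1023)


def compare() -> dict:
    return {
        "old_stack": blind_spoof_succeeds(OldStackISN(), SERVER, ATTACKER, TRUSTED),
        "rfc6528": blind_spoof_succeeds(Rfc6528ISN(), SERVER, ATTACKER, TRUSTED),
    }
```

With the counter-style generator the attacker's extrapolation lands exactly on the server's ISN; with the keyed-hash generator the offset for the (server, trusted) 4-tuple is unrelated to the offsets the attacker observed for his own connections, so a single guess succeeds with probability about 2^-32. A man-in-the-middle position removes the guessing entirely, which is why the paragraph lists it as the alternative.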

A worm can also spread within a single UDP packet, as SQL Slammer demonstrated in 2003. Slammer did not use IP spoofing, but with it the worm would probably have passed more easily through firewalls that rely on source-address rules and lack anti-spoofing functionality.

If a firewall has a rule allowing the MS SQL service (UDP port 1433) only from the IP address AAAA to the host BBBB, a worm on the host CCCC would merely have to forge its own source address as AAAA to get through. Since only a single packet is needed and UDP carries no connection state, a stateful firewall gains nothing from tracking state here: the first and only packet is exactly the one the rule permits.
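The following added example (not from the article) covers both the ingress/egress filtering recommended above and the single-packet UDP scenario just described. It is a toy edge-firewall decision function, not any real firewall's configuration: a source-address allow rule for UDP 1433 is evaluated with and without an anti-spoofing check that rejects source addresses impossible for the interface a packet arrived on. AAAA, BBBB and CCCC are mapped onto constructed RFC 5737 addresses, with AAAA taken to be part of the firewall's own internal network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the article. Toy edge-firewall policy: a source-based
# ACL alone versus the same ACL preceded by BCP 38 style anti-spoofing.

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # our own address space


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "wan" (outside) or "lan"
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class AllowRule:
    proto: str
    dport: int
    src_net: ipaddress.IPv4Network
    dst: str


# The article's rule: MS SQL (UDP 1433) allowed from AAAA (here the whole
# internal /24) to BBBB (here 192.0.2.50).
RULES = [AllowRule("udp", 1433, ipaddress.ip_network("192.0.2.0/24"), "192.0.2.50")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def antispoof(pkt: Packet) -> Optional[str]:
    """Ingress/egress filtering: a source address that cannot legitimately
    appear on this interface is dropped. Returns the drop reason, else None."""
    if pkt.iface == "wan" and is_internal(pkt.src):
        return "drop: internal source address arriving from outside (ingress spoof)"
    if pkt.iface == "lan" and not is_internal(pkt.src):
        return "drop: foreign source address leaving the network (egress spoof)"
    return None


def acl(pkt: Packet) -> str:
    """Plain allow-list lookup on protocol, destination port, destination
    and source network; this is all the article's rule checks."""
    ip = ipaddress.ip_address(pkt.src)
    for r in RULES:
        if (r.proto, r.dport, r.dst) == (pkt.proto, pkt.dport, pkt.dst) and ip in r.src_net:
            return "accept"
    return "drop: no matching rule"


def firewall(pkt: Packet, antispoof_enabled: bool) -> str:
    # Connection tracking would not help: for UDP the first packet is the
    # whole attack, and it is precisely the packet the ACL allows.
    if antispoof_enabled:
        reason = antispoof(pkt)
        if reason:
            return reason
    return acl(pkt)


# Worm on CCCC (203.0.113.9, outside) sends one UDP 1433 datagram to BBBB with
# the forged AAAA-range source 192.0.2.7. Constructed scenario.
SLAMMER_STYLE = Packet("wan", "192.0.2.7", "192.0.2.50", "udp", 1433)


def demo() -> dict:
    return {
        "acl_only": firewall(SLAMMER_STYLE, antispoof_enabled=False),
        "with_antispoof": firewall(SLAMMER_STYLE, antispoof_enabled=True),
        "legit_from_lan": firewall(Packet("lan", "192.0.2.7", "192.0.2.50", "udp", 1433), True),
        "egress_spoof": firewall(Packet("lan", "198.51.100.4", "203.0.113.9", "udp", 53), True),
    }
```

With the ACL alone the forged datagram is accepted; with the interface check in front of it, it is dropped before the rule is consulted, while the genuine internal client still gets through and an internal host trying to emit a foreign source address is stopped at the egress side. The caveat from the packet-filter paragraph applies: if the allowed address AAAA were an external partner rather than an internal host, this gateway could not tell a forged AAAA from the real one, and only egress filtering at the sender's own ISP would catch it.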

Security implications

IP spoofing is of only limited use for breaking into other systems, because all reply packets from the attacked computer are sent to the spoofed address. Conversely, this very behaviour can be used as a "weapon" when spoofed packets are combined with SYN flooding: the attacker sends forged SYN packets to a number of machines, and their SYN/ACK replies arrive at the victim whose address was given as the source, possibly saturating its connection. The identity of the real attacker is not easy to establish, since the replies naturally originate from the unsuspecting machines that were abused as reflectors.

IP spoofing in load testing

IP spoofing also has a beneficial use in some load tests, where a small number of load generators simulate a larger number of requesting machines. The load in a load test usually comes from a few load generators and therefore from a few IP addresses. If such a test is run against a system that uses IP-based load balancing, this can lead to an unrealistic distribution of the load across the servers behind the load balancer. With IP spoofing this problem can be avoided.