15 October 2021 | 7 min read

What Is IP Spoofing, and How To Protect Yourself Against It

Learn more about IP spoofing and how to prevent IP spoofing attacks.

What is IP spoofing

IP spoofing is a technique of creating IP packets with a modified source IP address. During an IP spoofing attack, the IP header is altered to conceal the sender of the packet. An attacker can do this by replacing the original source IP address with a spoofed IP address.

IP spoofing prevention is vital in ensuring protection against such cybercrimes as identity theft, financial fraud or DDoS attacks. Luckily, it is possible to minimize the risks associated with IP spoofing, and several different prevention techniques are available.

As you keep reading, you will learn more about IP spoofing and the different types of cyberattacks that rely on it. Most importantly, we go over the techniques that can help protect yourself against IP spoofing now and in the future.

How does IP spoofing work? 

IP spoofing works by modifying an IP packet and forging the source address of a message. Whether it’s a DM, a file or a link to a website, the message is split into smaller packets to make data transmission much more manageable. 

Essentially, a message is broken down into smaller pieces during transmission across the internet. Once the recipient is reached, the packets reassemble to deliver the final message from the source address. This is how computer networks communicate.

The source IP header, which is at the front of the IP packet and contains information, may be vulnerable. If a hacker is successful at modifying the header, they can trick the recipient computer system into thinking that the modified source address is, in fact, a trusted source IP address. Essentially, the attacker introduces the wrong return address to confuse the end recipient of the message.

Hackers don’t even need to try hard to spoof IP addresses. Tools that can help bypass IP address authentication exist, and they do most of the work for the attackers. Unfortunately, this ease of access enables hackers to perform all kinds of IP spoofing attacks, including Distributed Denial of Service (DDoS) or Man-in-the-Middle (MITM) attacks.

Spoofing: A common type of cybercrime

In 2020, spoofing was one of the most common types of cybercrime reported to IC3 (Internet Crime Complaint Center), run by the Federal Bureau of Investigations in the US.

Column chart showing types of cybercrime by frequency.
Types of cybercrime most frequently reported to the IC3 in 2020, by victim count (data by Statista)

Let us note that IP address spoofing is not the only form of spoofing. For example, ARP spoofing involves sending fake Address Resolution Protocol messages over LAN (local area network).

DNS server spoofing involves modifying DNS records to divert Internet traffic and route users to a different IP address than expected. Email spoofing is instrumental in phishing attacks, during which misleading emails are sent to extract sensitive data. 

IPv4 packet headers

As you now know, every packet has a header, and it contains information about the packet. This information denotes the packet’s length, the version of the IP address and who the sender and the recipient are.

Internet Protocol version 4, IPv4, packet has a header that doesn’t have a fixed length. It can be between 20 and 60 bytes, which makes the IPv4 header more complex than the IPv6 header. The IPv4 header contains these components:

Table representing the IPv4 network packet header composition.
IPv4 header composition
  • Version: Always set at 4
  • IHL (Internet header length): The count of 32-bit words in the header
  • Type of service: Determines how to queue packets as they are being transmitted; also known as Differentiated Services Code Point (DSCP)
  • Total length: The total length of the header and the data in bytes
  • Identification: The unique identifier of a packet 
  • IP flags: Allows controlling and identifying fragments (smaller pieces of the packet)
  • Fragment offset: Determines if routes can fragment a packet
  • Time to live: The time the datagram (transfer unit) is live on the internet 
  • Protocol: The type of transport packet
  • Header checksum: Checks the header for errors
  • Source IP address: IP address of the sender
  • Destination IP address: IP address of the recipient
  • Data: Information sent to the recipient

Different IP spoofing attack types

IP spoofing enables hackers to potentially impersonate a legitimate computer system or networks to conceal themselves. If successful, they can perform untraceable spoofing attacks. These are the most common IP spoofing-related attacks:

1. DDoS attack

Cybercriminals perform DDoS attacks to overwhelm computer servers using a massive flood of internet traffic. What’s the purpose? Attackers might use DDoS attacks for blackmailing, as a distraction to conceal other crimes or to bring down competitors’ websites and halt services.

Cybercriminals can successfully employ the malicious IP spoofing method in DDoS attacks to conceal themselves and avoid repercussions. It is difficult to uncover the source of the attack when spoofed IP addresses are in use, which, of course, makes it much harder to stop the attack or figure out what its true purpose may be. 

Blocking malicious requests to mitigate DDoS attacks is difficult. Nonetheless, in June 2020, AWS claimed to have mitigated a massive 2.3 Tbps DDoS attack. While not the biggest DDoS attack today, at the time, it was unprecedented and involved sending CLDAP (Connectionless Lightweight Directory Access Protocol) requests with the help of spoofed addresses.

A graph explaining the flow of a distributed denial of service attack.
Distributed Denial of Service attack

2. Botnet attack

A botnet is a network of compromised computers. Cybercriminals can control such computers to perform mass attacks against specific targets. Infected devices are sometimes known as zombies or slaves because their owners are usually unaware of the attack.

A botnet can be instrumental in a DDoS attack. A spam bot can assist in mass spam email campaigns. The more devices an attacker involves, the bigger the attack is likely to be. When it comes to IP spoofing, multiple spoofed IP addresses enable cybercriminals to perform massive attacks without leaving a trace. Essentially, IP spoofing enables masking botnet devices.

In 2016, the infamous Mirai botnet gained the functionality to perform IPv4 and IPv6 spoofing. Mirai usually targets IoT devices with DDoS attacks, but it certainly is not the only botnet that can utilize IP spoofing for successful and untraceable attacks. 

3. Man-in-the-middle attack

DNS (Domain Name System) servers make it possible to communicate over the internet without needing to remember complicated numeric (IPv4 address) and alphanumeric (IPv6 address) combinations. Unfortunately, cybercriminals can employ the so-called man-in-the-middle attacks to intercept communication between devices.

If an attacker successfully intercepts communication between two parties, they can spoof IP addresses so that both parties believe that they are communicating with each other and no one else. Hackers can use this to gain access to confidential information and, potentially, steal sensitive data or extort money.

Cybercriminals have recently used the Israeli Postal Service to create false communication with targeted victims. Attackers sent phishing emails using the Salesforce email service to trick unsuspecting recipients into clicking a link leading to a spoofed Israeli Postal Service website and, eventually, disclosing credit card information. 

How to protect yourself from IP spoofing 

Preventing IP spoofing is important if you wish to avoid successful DDoS, botnet and man-in-the-middle attacks. Here are the methods that you can apply to enhance protection against IP spoofing.

Network monitoring

Keeping an eye on your internal network is important, and tracking network activity can help discover suspicious or downright malicious activity. While it may be impossible to uncover the identities of the attackers behind IP spoofing, monitoring networks could potentially help expose the crimes that a DDoS attack, for example, may be used to conceal.

Firewalls and network attack blockers

A network firewall can authenticate IP addresses and, thus, help secure private networks. A firewall ensures that only authorized traffic is allowed through while unauthorized traffic is blocked. A network attack blocker complements the firewall by authenticating IP addresses of inbound IP packets. In short, blockers can help detect suspicious activity, including IP spoofing.

A flow chart explaining how a firewall works.
The function of a firewall

Packet filtering

Since IP spoofing relies on spoofed IP packets, setting up IP packet filtering systems makes sense. The filters look for legitimate source headers and check to see that the information within makes sense. If source IP addresses are inconsistent, the packet filtering system doesn’t verify connection due to the risk of validating a spoofed source IP address. 

Both inbound and outbound traffic should be filtered, and this is where egress and ingress filtering comes into play. Egress filtering ensures the filtration of outgoing packets. Ingress filtering ensures the filtration of incoming IP packets. Undoubtedly, a good filtering system can help prevent the spoofing of source IP addresses. 

Public key infrastructure authentication

The public key infrastructure uses private and public keys to authenticate devices and users. A private key encrypts the communication while the public key decrypts it, ensuring secure transmission of sensitive data. Successful IP spoofing and other cyberattacks become much more unlikely with the help of PKI. 

IPsec is another great solution that can help encrypt connections between devices.

Using verification methods for remote access

If you want to prevent accepting spoofed packets, it is crucial to configure routers to reject IP packets coming from outside networks when they claim to originate from within a legitimate network. When it comes to remote access, it is ideal to set robust verification methods in place to stop spoofed packets even when one of the trusted networked computers is breached. 

Security awareness training

Knowledge is power, and the more knowledge one has about virtual security, the safer one is likely to be. Unfortunately, IP spoofing is not the only malicious activity that can affect networks, and focusing solely on detecting IP spoofing doesn’t make sense.

Without exception, everyone from IT experts to home users should continue learning about cybersecurity and cyberattack prevention. 

Conclusion

Undeniably, IP spoofing poses a major threat for networks, databases, devices and even home computers. Unless the way we interact changes drastically, we will continue transmitting packets that automatically deconstruct and then reassemble to ensure smooth communication between message senders and recipients. And as long as this is how we communicate, IP spoofing will present a potential threat. 

IP spoofing tools are available, and even amateur cybercriminals might be able to deploy spoofed IP addresses, bypass security scripts and successfully perform a DDoS attack or MITM attack. Unfortunately, it is impossible to stop the creation and use of such tools. Nonetheless, countermeasures that can help prevent IP spoofing exist, and it is up to us to apply them. 

Keep in mind that it may not suffice to implement packet filtering, network monitoring or secure encryption protocols as standalone countermeasures. To reign IP address spoofing in, applying all available measures is likely to provide the greatest relief. Of course, it is important not to forget that adequate awareness training may greatly complement anti-IP spoofing techniques.

Still need help?

Slack community

Get involved in the IPXO Slack community.

Ask the IPXO community

Contact support

If you have any questions, contact our support team!