IP spoofing

from Wikipedia, the free encyclopedia

In computer networks, IP spoofing refers to the sending of IP packets with a forged sender IP address .

Schematic representation of IP spoofing

The header data of every IP packet contain its source address. This should be the address from which the package was sent. By forging the header to contain a different address, the attacker can make the packet appear as if the packet was sent from another computer. This can be used by intruders to take security measures such as B. tricking IP address-based authentication in the network.

The method can be used in particular when bidirectional communication is not required because, for example, the responses are predictable or unnecessary for the attacker. In this way, however, it is not possible to disguise computer communication with TCP connections because the response packets are sent to the “real” computer with the falsified IP address. In unswitched networks, however, an attacker can also see the response packets, so that his computer can, to a certain extent, take the place of the falsified IP address (see sniffing ). In this case, the attacker needs access to the relevant physical network segment or a device under his control.

This type of attack is most effective when the machines on a network have relationships of trust. In some company networks it is quite common for internal systems to trust each other, so that a user can log in without a user name and password if he is accessing the network from another internal machine and is therefore already logged in on another computer. By forging a connection from a trustworthy machine, an attacker could attack the target computer without authenticating himself.

IP spoofing can be used without problems in attacks based on the Distributed Denial of Service scheme , such as with SYN flood or DNS amplification attack . The attacked target is specified as the source address, which is then flooded with responses that have not been requested by the target and are therefore meaningless.


Packet filters are a possible countermeasure against IP spoofing. The gateway to a network should perform an in- depth filtering : packets coming from outside that have source addresses from internal computers are discarded. This prevents an external attacker from being able to forge the address of an internal machine. Ideally, outgoing packets should also be filtered, in which case packets whose source address is not within the network are discarded; This prevents IP addresses from being spoofed by external machines and is a long-standing demand from security experts against Internet service providers (ISP): If every ISP were to consistently filter outgoing packets that, according to their source address, do not come from their own network, there would be massive amounts IP spoofing (often in connection with denial-of-service attacks) is a much smaller problem than it is on the Internet today.

Some protocols on higher layers provide their own measures against IP spoofing. The Transmission Control Protocol (TCP), for example , uses sequence numbers to ensure that incoming packets are actually part of an established connection. However, the poor implementation of the TCP sequence numbers in many older operating systems and network devices means that the attacker may be able to guess the sequence numbers and thus overcome the mechanism. Alternatively, he could try a man-in-the-middle attack .

In 2003, SQL Slammer proved that a worm can also spread within a single UDP packet . At the time, it did not use IP spoofing, but would probably have gotten better through firewalls with anti-spoofing functionality.

Had a firewall e.g. If, for example, a rule allows the MS-SQL service (UDP port 1433) from an IP address AAAA to BBBB, the worm on the machine CCCC would only have to forge its own sender address to AAAA in order to pass the firewall. Since only a single packet is required and the User Datagram Protocol (UDP) has no status, a stateful firewall would not offer any protection either.

Security Implications

On its own, IP spoofing can only be used to a limited extent to break into other systems, since all response packets from the attacked computer are sent to the fake address. Conversely, however, this behavior can also be used as a “weapon” if SYN flooding is used with spoofed packets ; for this purpose, forged packets are sent to certain computers, and the response packets end up with the victim specified as the source address, whose connection may thereby be paralyzed. The identity of the actual attacker is difficult to determine because the source of the response packets is of course the unsuspecting computer that was taken by surprise.

IP spoofing in the area of ​​load sharing

IP spoofing can be used to good effect in some load tests , where a small number of load generators simulate a larger number of inquiring computers. The load in a load test usually comes from a few so-called load generators and thus from a few IP addresses. If the load test runs against a system in which IP-based load balancing is used, this can lead to an unrealistic distribution of the load on the servers behind the load balancer. IP spoofing can work around this problem.

See also