IP address spoofing
Encyclopedia
In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...

 (IP) packets with a forged source IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...

, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

Background

The basic protocol for sending data over the Internet network and many other computer networks is the Internet Protocol
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...

 ("IP"). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send a response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response.

In certain cases, it might be possible for the attacker to see or redirect the response to his own machine. The most usual case is when the attacker is spoofing an address on the same LAN
Local area network
A local area network is a computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building...

 or WAN.

Applications

IP spoofing is most frequently used in denial-of-service attack
Denial-of-service attack
A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...

s. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks. They have additional advantages for this purpose—they are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial of service attacks that use spoofing typically randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space. The proliferation of large botnet
Botnet
A botnet is a collection of compromised computers connected to the Internet. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet...

s makes spoofing less important in denial of service attacks, but attackers typically have spoofing available as a tool, if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.

IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...

 based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without an authentication.

Services vulnerable to IP spoofing

Configuration and services that are vulnerable to IP spoofing:
  • RPC (Remote Procedure Call services)
  • Any service that uses IP address authentication
  • The X Window System
    X Window System
    The X window system is a computer software system and network protocol that provides a basis for graphical user interfaces and rich input device capability for networked computers...

  • The R services suite (rlogin, rsh, etc.)

Defense against spoofing attacks

Packet filtering is one defense against IP spoofing attacks
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...

. The gateway to a network usually performs ingress filtering
Ingress filtering
In computer networking, ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.- Problem :...

, which is blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine. Ideally the gateway would also perform egress filtering
Egress filtering
In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled.TCP/IP packets that are being sent...

 on outgoing packets, which is blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network performing filtering from launching IP spoofing attacks against external machines.

It is also recommended to design network protocols and services so that they do not rely on the IP source address for authentication.

Upper layers

Some upper layer protocol
Upper layer protocol
In computer networking, the term upper layer protocol refers to a more abstract protocol when performing encapsulation, in particular it is often used to describe the protocols above the network layer....

s provide their own defense against IP spoofing attacks. For example, Transmission Control Protocol
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...

 (TCP) uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally can't see any reply packets, the sequence number must be guessed in order to hijack the connection. The poor implementation in many older operating systems and network devices, however, means that TCP sequence numbers can be predicted.

Other definitions

The term spoofing is also sometimes used to refer to header forgery, the insertion of false or misleading information in e-mail
E-mail spoofing
Email spoofing is email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails...

 or netnews headers. Falsified headers are used to mislead the recipient, or network applications, as to the origin of a message. This is a common technique of spammers and sporgers
Sporgery
Sporgery is the disruptive act of posting a flood of articles to a Usenet newsgroup, with the article headers falsified so that they appear to have been posted by others. The word is a portmanteau of spam and forgery, coined by German software developer and critic of Scientology Tilman...

, who wish to conceal the origin of their messages to avoid being tracked down.

See also

  • Egress filtering
    Egress filtering
    In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled.TCP/IP packets that are being sent...

  • Ingress filtering
    Ingress filtering
    In computer networking, ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.- Problem :...

  • Network address translation
    Network address translation
    In computer networking, network address translation is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device....

  • Reverse path forwarding
    Reverse path forwarding
    Reverse path forwarding is a technique used in modern routers for the purposes of ensuring loop-free forwarding of multicast packets in multicast routing and to help prevent IP address spoofing in unicast routing.- Multicast RPF :...

  • RFC 1948
  • RFC 1948, Defending Against Sequence Number Attacks, May 1996
  • Router (includes a list of manufacturers)
  • Spoofed URL
    Spoofed URL
    A Spoofed URL describes one website that poses as another. It sometimes applies a mechanism that exploits bugs in web browser technology, allowing a malicious computer attack. Such attacks are most effective against computers that lack recent security patches...


External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK