IP spoofing

What is IP spoofing?

IP address spoofing (IP spoofing) is a type of cyberattack where an attacker sends IP packets with a modified source IP address. This technique is used in man-in-the-middle attacks (MITM attacks) and DoS attacks (denial-of-service attacks).

Note: IP spoofing is a network security problem, not a web application security issue, but it can have a major impact on the security of web servers and web applications.

Types of IP spoofing

You might think that IP spoofing is easy to do since any device can declare its own IP. However, if the attacker simply declares the same IP as the victim, they will cause a network conflict with unpredictable results. The original device may disconnect, the connection may be unsuccessful, or both devices may connect and then disconnect. In all these cases, the attack will be unsuccessful, and the victim may notice the failed attempt.

To ensure they have the upper hand, attackers can use two techniques, both based on manipulating TCP sequence numbers. Before looking at these types of spoofing, we need a side note to explain how TCP sequence numbers work.

What are TCP sequence numbers?

Most computer network connections are established using TCP/IP (Transmission Control Protocol/Internet Protocol). When two devices on the network connect using TCP/IP, they first need to establish a TCP connection. The connection process is called a three-way handshake.

The three-way handshake is very simple:

  1. Device A sends a SYN message (synchronization request) to device B.
  2. Device B sends a SYN-ACK message (synchronization request + acknowledgment of the received SYN) to device A.
  3. Device A sends an ACK message (acknowledgment of the received SYN) to device B.

The SYN requests declare random starting sequence numbers (a different one for each direction), needed for the recipient to recognize further packets. The sequence numbers allow devices to determine the order of subsequent data packets. For example, if device A declared the starting sequence number to be 74656, the next packet from device A to device B must have sequence number 74657, and so on.

TCP sequence prediction (non-blind IP spoofing)

Non-blind IP spoofing works when the attacker is on the same subnet as the victim and can directly see the sequence numbers of other connections, for example, between the victim and their internet gateway router. The attacker first sniffs such a connection (listens in on traffic) using typical network monitoring software. By looking at the sniffed TCP packet headers, the attacker can learn the sequence numbers, predict the next one, and send a spoofed packet pretending to be the original sender. If that packet reaches the destination before the legitimate response, the attacker will intercept the connection.

Note that TCP sequence number prediction may be extended beyond the local subnet by using IP source routing. Every TCP packet is allowed to declare an IP route in the IP header. This tells the destination device what specific route it should use to send the response. The attacker may declare a strict route to skip gateway routers and receive responses from the victim via other machines, potentially allowing them to see the original sequence numbers. However, not all network devices are configured to follow such routing information, which limits the usefulness of this attack.

Blind IP spoofing

This type of attack is much harder to perform but is not restricted to the same subnet, so it may also be attempted from outside the local network. However, it only works with older operating systems.

In the past, the TCP/IP protocol suites of operating systems used predictable algorithms to generate starting TCP sequence numbers. Sometimes, they were incremented by a specific value for every new connection, and in other cases by a specific value per unit of time elapsed.

To learn how the initial sequence numbers are formed, the attacker sends a number of SYN requests to the victim and looks at the starting TCP sequence numbers received from the legitimate source. If they see a predictable pattern in how these are chosen based on the order of responses and time of response, they may attempt to guess the starting sequence number for other connections, too.

This trick no longer works with modern operating systems (all modern Unix/Linux/Windows/Mac and mobile devices as well) because modern TCP/IP software uses random number generators to generate starting sequence numbers. That’s why IP spoofing from outside the subnet is now very difficult and can only rely on IP source routing, as described earlier.

IP spoofing attack example

Let’s assume that Nancy is a black-hat hacker with access to your private network (for example, when you’re using a wi-fi hotspot) who attempts IP spoofing with a sequence number attack in order to change the routing and become a man-in-the-middle between you and the internet gateway router:

  1. Nancy joins your internal network as 10.0.0.42 with her laptop and runs a sniffer. The sniffer software lets her see all the IP packets that go through the network.
  2. Nancy wants to intercept your connection to the destination IP address of the gateway: 10.0.0.1. She looks for an existing connection, sniffs incoming packets directed to the gateway from your computer system (10.0.0.102), sees your sequence numbers, and then predicts the next sequence number.
  3. At the right moment, Nancy sends a spoofed packet from her laptop. The packet has the source address of the gateway (10.0.0.1) and the correct sequence number, so your laptop is fooled into thinking it’s coming from the real gateway.
  4. At the same time, Nancy floods the real gateway using a DDoS attack (distributed denial of service attack). For just a moment, the gateway responds more slowly or stops responding. That way, Nancy’s spoofed packet reaches you before the legitimate packet from the gateway.
  5. Nancy has just convinced your laptop that her laptop is the gateway. Next, she repeats the same attack against the gateway, this time to convince the gateway that her laptop is 10.0.0.102 (you). If this also succeeds, she becomes a successful spoofer.

Note that the spoofed IP addresses work only as long as the connection is established. Every time a new TCP/IP connection is made, the attacker must use the same technique to take over the source IP addresss once again.

How to prevent IP spoofing attacks?

IP spoofing attacks are not caused by any misconfigurations or vulnerabilities. The vulnerability is the TCP/IP protocol itself, which was designed in the early days of networking, before cybersecurity became a major consideration. Since we can’t change the TCP/IP protocol itself, we can only take measures to safeguard our networks and machines as much as possible.

While there is no way to prevent IP spoofing on your local network, you can still block spoofing attempts coming from outside that network:

  1. Use ingress filtering. This involves setting up access control lists and packet filtering on the firewall of your internet gateway’s external interface to prevent any private IP addresses from connecting to the gateway, as well as creating rules to reject any packets that come from outside your local network but claim to originate from within it. You can also use egress filtering to monitor responses to potentially spoofed addresses, and also to limit connections based on MAC addresses of trusted sources to make spoofing attempts more difficult.
  2. Disable IP source routing on all devices to prevent them from being used as intermediaries in TCP sequence prediction attacks.

Note that safeguarding your local network from external attempts at IP address spoofing won’t prevent other types of attacks such as ARP spoofing, DNS spoofing, or (as mentioned above) local IP address spoofing. Therefore, use the following general principles not to prevent such attacks but to prevent them from having negative consequences:

  1. Enforce encryption wherever possible. Enforce VPN connections to your company resources. Enforce SSL/TLS for your web apps, for example, by using HTTP Strict Transport Security (HSTS). Allow only SSH connections for administrative purposes. Allow only secure SMTP and POP3 connections with authentication. Use IPsec in your local networks wherever possible, both in IPv4 and IPv6 networks, because encrypting IP packets makes it impossible to spoof TCP sequence numbers.
  2. Educate your users continuously. Make sure they realize that connecting to potentially unsafe free hotspots may threaten them and your company. Inform them of potential consequences of man-in-the-middle attacks such as theft of sensitive information/sensitive data, using your domain name in phishing, introducing malware/ransomware/bots/botnets into local networks, and more.

While most IP spoofing attempts are initiated by cybercriminals, there are potential legitimate uses for spoofing, for example, testing network configurations and system functionality.

Frequently asked questions

What is IP spoofing?

In an IP spoofing attack, a malicious hacker sends IP packets with a modified source IP address to pretend to be another machine. This technique is used in man-in-the-middle attacks.

 

Learn more about man-in-the-middle attacks (MITM).

How dangerous is IP spoofing?

IP spoofing is not considered very dangerous on its own because it is extremely difficult for the attacker to predict the correct sequence numbers needed for a successful attack. To be useful in a man-in-the-middle attack on web assets, IP spoofing also needs to be combined with other techniques, such as SSL stripping or SSL hijacking.

 

Read more about SSL hijacking.

How to prevent IP spoofing attacks?

IP spoofing cannot be prevented in local networks, so it is most likely to succeed if the victim uses public WiFi hotspots. You should always be vigilant when using public networks and use VPN connections whenever possible to avoid most man-in-the-middle attack techniques.

 

Find out more about how to prevent man-in-the-middle attacks (MITM).


Written by: Tomasz Andrzej Nidecki, reviewed by: Benjamin Daniel Mussler