
IP Spoofing

by Bella

IP address spoofing, or IP spoofing, is the creation of Internet Protocol (IP) packets with a forged source IP address, either to conceal the identity of the sender or to impersonate another computing system. Because nothing in the IP header proves where a packet came from, an attacker can set the source field to any value, or copy and replay packets from someone else. To understand why this works, a few basic concepts are needed.

On the Internet, two computers communicate using the TCP/IP protocol suite. Data sent from one computer to another is broken into pieces known as packets. TCP numbers the data it sends (the sequence number) so the receiver can reassemble it in the right order. Each packet has two parts, a header and a body. The body carries the message and the header carries metadata about the packet, such as the source IP, destination IP, sequence number and TTL (time to live). The receiving host uses these header fields to match the packet to a connection and to identify who sent it, yet nothing in IPv4 verifies them: a third party can generate or modify any of these fields, and forging them is what is commonly known as IP spoofing.

Spoofing is generally applied to the source address, so that the real sender cannot be traced. Many attacks build on this weakness. The most common are described below:

  • DDoS (SYN flood)

Denial of service attack, in which the server or destination stops responding to new requests from clients. It works as follows. Normally a connection between client and server is established with the three-way handshake: the client sends a SYN, the server answers with a SYN-ACK, and the client completes the handshake with an ACK. An attacker instead sends SYNs whose source IP is spoofed. The server sends its SYN-ACK to the spoofed address and waits for the final ACK, which never arrives, so the half-open connection sits in the server's backlog until it times out. When enough such SYNs arrive the backlog fills and the server rejects further connections, including legitimate ones. Because the source addresses are forged, the traffic cannot simply be blocked by address.
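To make the backlog exhaustion concrete, here is a toy model of a stateful TCP listener under a spoofed SYN flood, followed by the usual fix, SYN cookies, where the server keeps no state until the handshake completes. This is an added illustration, not code from the original article and not a real TCP stack; the backlog size, the cookie secret and the addresses are constructed assumptions (a real cookie also encodes the destination address, port and MSS).

```python
"""Toy model of a SYN flood against a stateful TCP listener, and of SYN cookies.
Added illustration, not a real TCP stack; backlog size, secret and addresses
are constructed assumptions."""
import hashlib
import hmac
import random
import time

BACKLOG = 8                               # assumed backlog; real stacks use hundreds
COOKIE_SECRET = b"per-host-secret"        # assumed server secret


class Listener:
    """Classic listener: keeps state for every half-open (SYN received) connection."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> server ISN sent in the SYN-ACK
        self.established = set()

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            return None            # backlog exhausted: SYN silently dropped
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn                 # SYN-ACK goes to src_ip, whoever that really is

    def on_ack(self, src_ip, src_port, ack):
        key = (src_ip, src_port)
        isn = self.half_open.get(key)
        if isn is None or ack != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


class CookieListener:
    """SYN-cookie listener: stores nothing until the handshake completes."""

    def __init__(self, secret=COOKIE_SECRET):
        self.secret = secret
        self.established = set()

    @staticmethod
    def _slot(slot):
        # 64-second time slot so old cookies expire
        return int(time.time() // 64) if slot is None else slot

    def _cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}|{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, slot=None):
        return self._cookie(src_ip, src_port, self._slot(slot))   # the ISN *is* the cookie

    def on_ack(self, src_ip, src_port, ack, slot=None):
        now = self._slot(slot)
        for s in (now, now - 1):   # tolerate a slot boundary during the handshake
            if ack == (self._cookie(src_ip, src_port, s) + 1) & 0xFFFFFFFF:
                self.established.add((src_ip, src_port))
                return True
        return False               # forged or stale ACK, and no state was ever allocated


def run_flood(listener, n_spoofed=50):
    """Fire n_spoofed SYNs from forged sources (their SYN-ACKs are never answered),
    then report whether one legitimate client can still complete the handshake."""
    for i in range(n_spoofed):
        listener.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i)
    isn = listener.on_syn("198.51.100.7", 51515)
    if isn is None:
        return False               # legitimate SYN dropped: backlog full of spoofed entries
    return listener.on_ack("198.51.100.7", 51515, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful listener survives flood:", run_flood(Listener()))         # False
    print("SYN-cookie listener survives flood:", run_flood(CookieListener()))  # True
```

The stateful listener fails because each spoofed SYN costs it a backlog slot that only a timeout frees, while the cookie listener spends nothing on a SYN and can verify the returning ACK purely from the secret.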

  • Man-in-the-middle attack (session hijacking)

When two computers are connected, data is exchanged in IP packets, and the TCP sequence numbers tell each side which packet comes next. If a third party can determine the sequence numbers in use, it can insert its own packets into the conversation. The attacker first probes by sending test packets with a spoofed source to the endpoints and observing the responses, to learn the pattern by which sequence numbers are generated; older TCP stacks chose initial sequence numbers predictably, which is what makes this feasible. From that pattern it forges packets that the receiver accepts as part of the session. In the worst case the attacker sends a spoofed RST (reset) to one side to end its session while taking over the connection itself and using it for malicious work on the other server. Since the connection was already authenticated, the impersonated side is not challenged again.

  • Flooding (reflection)

In this case the spoofer sends packets to many different hosts with the victim server's address as the source. Each of those hosts answers the request, or sends an acknowledgement, to the victim, so the server is flooded with responses from many IPs that never asked for anything and can no longer serve its real traffic. When the reply is larger than the request, the attack also amplifies the attacker's bandwidth.

IP spoofing is hard to eliminate entirely; regular checking and monitoring remain necessary. Still, some measures reduce it. A few of them are:

>> Source-address checking on routers

In this method the router (or switch) checks the source IP of each packet against what it knows about the sender, for example the MAC address or port the IP was assigned to, and drops the packet if they do not match. The same idea applied per interface is known as ingress filtering or unicast reverse-path forwarding (uRPF): a packet is dropped if its source address could not legitimately have arrived on the interface it came in on. The solution is well suited to static addressing, but less effective where hosts receive dynamic addresses or sit behind a NAT interface, because the router cannot bind one address to one machine.

>> Software implementation

Firewall software can compare the metadata of a suspect packet with what is known about the claimed sender, for example with packets seen in an earlier, genuine exchange with that address. A spoofed packet often differs in its TTL, because the forger's operating system and hop count differ from the real host's, or in other details such as the padding pattern of the body: Windows ping, for instance, fills ICMP echo payloads with letters of the alphabet, while Linux uses a timestamp followed by incrementing byte values. These fingerprints are only heuristics. If the spoofer has first captured packets from the destination and copies their characteristics, the software cannot tell the difference.

>> Implementing IPv6

IPv6 is sometimes said to eliminate IP spoofing once it is fully deployed. It does not: an IPv6 header can be forged just as easily as an IPv4 one, and the same source-address filtering is needed. What IPv6 brings is IPsec built into the specification, which authenticates packets only where it is actually configured. Meanwhile the transition itself creates a gap: many networks still rely on routers and tunnels that translate between IPv4 and IPv6, and spoofers send their forged packets through such devices, which rewrite the addresses and make the packets far harder to trace.

The only effective way to identify a spoofer is to trace the packets back, hop by hop, to their source. That too has limits: router logs are soon overwritten, and the packet itself carries nothing that identifies the real sender, so often no effective action can be taken and attackers continue to exploit this weakness in the IP packet structure.

Preventive measures

A few preventive measures can be applied to detect or reject spoofed packets at the server or at the network edge:

  • IPsec

IP security adds an integrity check (and optionally encryption) to each IP packet, computed with a key that only the two endpoints share. A packet with a spoofed source, or with modified contents, fails the check at the receiver and is dropped, so an attacker cannot inject into or hijack a protected session without the key. This gives far better security than trusting the header alone.
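The following is a simplified model of the mechanism IPsec relies on, and of why the packet injection described under the man-in-the-middle attack above fails against it: a keyed MAC over the packet, computed with a key only the endpoints hold, plus a sliding-window replay check. It is an added illustration, not code from the article and not real IPsec (which negotiates the key with IKE and uses a binary AH/ESP format); the key, the addresses and the packets are constructed.

```python
"""Simplified model of an IPsec-style integrity check plus anti-replay.
Added illustration, not real IPsec; key, addresses and packets are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

SHARED_KEY = b"key-that-ike-would-negotiate"   # assumed; in practice never hard-coded


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    seq: int            # anti-replay sequence number
    payload: bytes
    icv: bytes = b""    # integrity check value


def _covered(p):
    """Bytes the ICV protects. TTL changes at every hop, so it is treated as
    zero, the way AH zeroes mutable header fields before hashing."""
    return f"{p.src}|{p.dst}|ttl=0|seq={p.seq}|".encode() + p.payload


def seal(p, key=SHARED_KEY):
    p.icv = hmac.new(key, _covered(p), hashlib.sha256).digest()
    return p


def verify(p, key=SHARED_KEY):
    expected = hmac.new(key, _covered(p), hashlib.sha256).digest()
    return hmac.compare_digest(expected, p.icv)


def forward_one_hop(p):
    """A router decrements TTL; the ICV must still verify afterwards."""
    return Packet(p.src, p.dst, p.ttl - 1, p.seq, p.payload, p.icv)


def spoof_source(p, fake_src):
    """Attacker re-sends a captured packet with a rewritten source address."""
    return Packet(fake_src, p.dst, p.ttl, p.seq, p.payload, p.icv)


def inject_payload(p, new_payload):
    """Attacker keeps the addresses and sequence number but injects its own data."""
    return Packet(p.src, p.dst, p.ttl, p.seq, new_payload, p.icv)


class Receiver:
    """Checks the ICV, then rejects replays using a sliding window of `window` packets."""

    def __init__(self, key=SHARED_KEY, window=64):
        self.key, self.window = key, window
        self.highest = 0
        self.seen = set()

    def accept(self, p):
        if not verify(p, self.key):
            return "bad-icv"        # spoofed, tampered, or wrong key
        if p.seq <= self.highest - self.window or p.seq in self.seen:
            return "replay"         # genuine packet, but already delivered or too old
        self.seen.add(p.seq)
        self.highest = max(self.highest, p.seq)
        return "ok"


if __name__ == "__main__":
    rx = Receiver()
    p = seal(Packet("10.0.0.2", "10.0.0.1", 64, 1, b"GET /"))
    print(rx.accept(forward_one_hop(p)))                 # ok
    print(rx.accept(forward_one_hop(p)))                 # replay
    print(rx.accept(spoof_source(p, "192.0.2.9")))       # bad-icv
    print(rx.accept(inject_payload(p, b"DELETE /")))     # bad-icv
```

The point of excluding TTL from the covered bytes is that a legitimately routed packet still verifies, while any change to the fields an attacker would want to forge (source, destination, sequence number, data) breaks the MAC.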

  • SPF and DKIM

Enabling these reduces spam sent with forged sender addresses. SPF lets a domain publish which mail servers (by IP address) are allowed to send mail for it, so the receiving server can check whether the connecting IP is eligible; DKIM signs the message so the receiver can verify that it was sent by the claimed domain and not altered in transit. Mail that fails these checks is rejected.

  • Firewall rules

Reject packets that arrive from the external interface but carry an internal source address (for example 192.168.x.x or any other private range), and packets that originate from the internal network but carry a source address that is not one of its own. Set up on the gateway server, these ingress and egress rules (the approach known as BCP 38) keep spoofed traffic out of the network, prevent internal hosts from launching spoofed attacks, and so reduce the scope for man-in-the-middle attacks from outside.
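As an added example of the gateway rules above, and of the per-interface source checking discussed under routers earlier, the code below parses raw IPv4 headers (including the header checksum) and applies ingress and egress anti-spoofing rules for a gateway with one external and one internal interface. This is not the article's own code or any real firewall's; the interface names, the internal address range and the sample packets are constructed.

```python
"""Parse raw IPv4 headers and apply BCP 38 style anti-spoofing rules at a gateway.
Added illustration, not a real firewall; interfaces, ranges and packets are constructed."""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst

# Assumed: the gateway's own internal network and two interface names
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
EXTERNAL_IFACE, INTERNAL_IFACE = "ext", "int"

# Sources that must never arrive from the outside (private, loopback, link-local, ...)
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


def _checksum(hdr):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def parse_ipv4_header(raw):
    """Return (src, dst, ttl, proto) from a raw IPv4 packet, validating the header."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    ver_ihl = raw[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a valid IPv4 header")
    if _checksum(raw[:ihl]) != 0:
        raise ValueError("bad header checksum")
    _, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), ttl, proto


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(iface, raw):
    """Return 'accept' or 'drop:<reason>' for a packet arriving on iface."""
    src, _dst, _ttl, _proto = parse_ipv4_header(raw)
    if iface == EXTERNAL_IFACE:
        if _in_any(src, INTERNAL_NETS):
            return "drop:internal-source-from-outside"   # ingress: someone claiming to be us
        if _in_any(src, BOGONS):
            return "drop:bogon-source"
    elif iface == INTERNAL_IFACE:
        if not _in_any(src, INTERNAL_NETS):
            return "drop:egress-source-not-ours"         # egress: our host spoofing outward
    return "accept"


def make_ipv4(src, dst, ttl=64, proto=6, payload=b""):
    """Build a minimal IPv4 packet with a correct header checksum (constructed input)."""
    s, d = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    total = 20 + len(payload)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, total, 0, 0x4000, ttl, proto, 0, s, d)
    csum = _checksum(hdr)
    return struct.pack(IPV4_FMT, 0x45, 0, total, 0, 0x4000, ttl, proto, csum, s, d) + payload


if __name__ == "__main__":
    for iface, src, dst in (("ext", "192.168.1.10", "203.0.113.5"),
                            ("ext", "198.51.100.4", "192.168.1.10"),
                            ("int", "8.8.8.8", "192.168.1.10"),
                            ("int", "192.168.1.10", "203.0.113.5")):
        print(iface, src, "->", dst, filter_packet(iface, make_ipv4(src, dst)))
```

The two interface rules are deliberately asymmetric: the external side only needs to know what cannot be outside (our own range and bogons), whereas the internal side needs a positive list of what may leave, which is why egress filtering is the more reliable of the two.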

  • Token based authentication

Token-based authentication reduces the chance of a man-in-the-middle or hijacking attack built on spoofing: the session is established through an encrypted tunnel rather than by a plain password exchange, and each request carries a token the attacker does not possess, so forging packets with the right addresses and sequence numbers is not enough to act as the authenticated user.


©2022  SupportPRO.com. All Rights Reserved