IP address spoofing, or IP spoofing, is the creation of Internet Protocol (IP) packets with a source IP address for the purpose of concealing the identity of the sender or impersonating another computing system. It’s a phenomena in which attackers changes or replicate IP packets. To dig deep, let’s understand some basic concepts.
On the Internet, communication between two computers uses TCP/IP. In which data needed to be sent from one computer to another is broken down into pieces known as packets. These packets are numbered when broken down so they can be reassembled at the end or by the receiver. Each packet has two parts: header and body. The body carries the message, and the header stores metadata for the packet, such as source and destination IP addresses, sequence number, TTL, etc. This metadata is used at the destination for connection authentication or to identify the source of the request. These data can be generated or modified by a third person or attackers this is commonly known as IP Spoofing.
Spoofing is generally done on the sender or source address metadata so that the requester will not be traceable. There are many types of attacks that use this vulnerability. The top among them are mentioned below :
- DDOS
Denial of service attack, in which the server or the destination will not respond to the new request from the client or the source. This happens when the sender’s IP is spoofed in the packets before they reach the server or destination. In a normal scenario, a connection is established between the server and client using a three-way handshake signalling. In this, the client sends a request, which the server acknowledges, and the server then sends the client’s acknowledgement. In the above case, the second acknowledgement from the server to the client is sent, and the server waits for the client’s reply, which does not arrive because the IP address is spoofed; thus, the connection remains open. When more such requests come to the server, it exceeds its connection pool and rejects further connections.
- Middleman Attack
When two computers are connected, data is exchanged using IP packets. If a third party can determine the sequence of the IP packets, they can easily insert a packet in the line of communication. This is mainly done by sending test spoof packets to the source and destination to understand the pseudo-sequence of packet numbering. This acquired packet is used to understand the pattern and generate the packets. In the worst-case scenario, the middleman or third party sends a reset signal to one computer, indicating the end of the session, while the third party acquires the connection and performs the malicious work on the other server. Since the connection was authenticated, the source will not deny access.
- Flooding
In this case the spoofer will sent the spoof packets to the different IP, which will respond to the request and query the server or provide acknowledgement, thus the server is flooded with the request from various IP which result in malfunction of the server.
IP spoofing is a hard process to tackle. Regular checking and monitoring only will do the work. Still, some measures can be taken to reduce the same. A few of them are :
>> Implementing smart routers
In this method, the router checks the packets’ source IP and looks for a match between the IP address and the sender’s MAC address. If not matched, the packet is dropped by the router. The solution is well-suited for static IP addresses, but less effective when the PC is on a dynamic routing or a NAT interface.
>> Software Implementation
Firewall software can be used to compare the received metadata of a spoofed packet with the acknowledgement packet to the server request. There can be notable differences in the TTL or other values, such as the body pattern, where Windows might use alphabets to fill the packet, whereas Linux uses numbers. But if the packets are spoofed by scanning the packets from the destination IP, this cannot be traced by the software.
>>Implementing IPv6
IP spoofing is said to be washed out from the screen if IPv6 were fully implemented. In the current scenario, we have a router that translates IPv4 addresses to IPv6 addresses because some networks do not yet support IPv6. Spoofers exploit this leak to send their spoofed packets to such a router, making them utterly traceable.
The only effective way to track down spoofing is to trace packets back to their source. There are also limitations to this, as router logs are refreshed and the spoofer’s identity is hidden in the packets; thus, no effective measure can be taken to exploit the vulnerability in the IP data structure.
Preventive measures
There are a few preventive measures which can be applied to detect or reject the spoofed attacks to the server
- IPsec
IP security encrypts IP packets using a key that can only be decoded at the source. Thus, better security.
- SPF and DKIM
Enabling this would reduce spam mail caused by spoofed IPs. This technique would detect whether the sender is eligible to send the mail and also check the source for authentication; otherwise, the mail is rejected.
- Firewall Roles
Rejecting IP addresses that originate from the external and have an internal source IP (192.168.XXX.XXX) and IP addresses that originate from internal and have an external source IP. This can be set up in the gateway server, which could help reduce middleman attacks.
- Token-based authentication
Enabling token-based authentication would reduce the risk of a man-in-the-middle attack through spoofing, as the connection is established via secure tunnelling rather than standard password authentication.
Need expert assistance?
SupportPRO has a team of experienced professionals. If you need any assistance or would like an expert review, you can contact our 24×7 online techs anytime.
If you require help, contact SupportPRO Server Admin


