IP Spoofing

Spoofed IP packets with forged source addresses are often used in attacks to avoid detection.

What is IP spoofing?

IP spoofing is the creation of Internet Protocol (IP) packets with a modified source address to hide the sender’s identity, impersonate another computer system, or both. Bad actors often use this technique to launch DDoS attacks against a target device or the surrounding infrastructure.

Sending and receiving IP packets is a primary way networked computers and other devices communicate and constitutes the basis of the modern internet. All IP packets contain a header preceding the packet’s body and essential routing information, including the source address. In a normal packet, the source IP address is the address of the packet’s sender. If the packet has been spoofed, the source address will be forged.

IP Spoofing is analogous to an attacker sending a package to someone with the wrong return address listed. If the person receiving the package wants to stop the sender from sending packages, blocking all packages from the bogus address will do little good, as the return address is easily changed. Relatedly, if the receiver wants to respond to the return address, their response package will go somewhere other than to the actual sender. The ability to spoof the addresses of packets is a core vulnerability exploited by many DDoS attacks.

DDoS attacks will often utilize spoofing to overwhelm a target with traffic while masking the identity of the malicious source, preventing mitigation efforts. Blocking malicious requests becomes problematic if the source IP address is falsified and continuously randomized. IP spoofing also makes it challenging for law enforcement and cyber security teams to track down the perpetrator of the attack.

Spoofing is also used to masquerade as another device so that responses are sent to that targeted device instead. Volumetric attacks such as NTP Amplification and DNS amplification use this vulnerability. The ability to modify the source IP is inherent to the design of TCP/IP, making it an ongoing security concern.

Tangential to DDoS attacks, spoofing can also be done to masquerade as another device to sidestep authentication and gain access to or “hijack” a user’s session.

How to protect against IP spoofing (packet filtering)

While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from infiltrating a network. A common defense against spoofing is ingress filtering, outlined in BCP38 (a Best Common Practice document). Ingress filtering is a form of packet filtering usually implemented on a network edge device that examines incoming IP packets and looks at their source headers. If the source headers on those packets don’t match their origin or they otherwise look fishy, the packets are rejected. Some networks will also implement egress filtering, which looks at IP packets exiting the network, ensuring those packets have legitimate source headers to prevent someone within the network from launching an outbound malicious attack using IP spoofing.
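As an added illustration (not code from the original article), the following Python sketch applies the BCP38 idea described above: an edge device parses the IPv4 header of each packet and drops it unless the source address falls inside a prefix that is legitimate for the direction it is travelling. The prefixes (203.0.113.0/24 for the customer side, 10.0.0.0/8 for internal networks) and the packets are constructed test data, not values from the page.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): the edge router's customer-facing side
# originates 203.0.113.0/24; internal networks behind it use 10.0.0.0/8.
CUSTOMER_PREFIXES = [ip_network("203.0.113.0/24")]
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8")]


def parse_ipv4_header(packet: bytes):
    """Return (src, dst) from the fixed 20-byte IPv4 header, or None if malformed."""
    if len(packet) < 20:
        return None                      # too short to hold a full header
    if packet[0] >> 4 != 4:
        return None                      # not IPv4 (version nibble)
    src, dst = struct.unpack("!4s4s", packet[12:20])   # source/destination fields
    return ip_address(src), ip_address(dst)


def source_permitted(packet: bytes, permitted_prefixes) -> bool:
    """BCP38-style source check.

    Ingress: on a customer-facing interface, permitted_prefixes is the set the
    customer is known to originate; a packet claiming any other source is
    spoofed (or misrouted) and is dropped.
    Egress: on the outbound link, permitted_prefixes is the network's own
    address space, so a host inside cannot send forged sources onto the internet.
    """
    header = parse_ipv4_header(packet)
    if header is None:
        return False                     # malformed packets are dropped too
    src, _ = header
    return any(src in prefix for prefix in permitted_prefixes)


def build_packet(src: str, dst: str) -> bytes:
    """Construct a minimal IPv4 header (test data only; no payload, zero checksum)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,           # version 4, IHL 5 (20 bytes)
        0, 20,          # DSCP/ECN, total length
        0, 0,           # identification, flags/fragment offset
        64, 17, 0,      # TTL, protocol (UDP), header checksum (unset)
        ip_address(src).packed, ip_address(dst).packed,
    )
```

The same `source_permitted` check serves both directions; only the prefix list changes, which is exactly the ingress/egress distinction the text draws.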
