IP Spoofing: Simple manipulation of data packets by attackers

Whether you are a private individual using the internet or you are responsible for a local network, protection against unauthorized access and systematic attacks always matters. Criminals have been gaining access to other computer systems for decades, in a variety of ways and with varying amounts of resulting damage. The intrusion itself often leaves no obvious trace on the accessed system, as long as the intruders know their craft, and many cybercriminals know how to cover their tracks so that it is almost impossible to determine the origin of an attack by ordinary means. One of the most popular techniques has always been spoofing, whose original form, IP spoofing, was first discussed in expert circles during the 1980s.

What is IP spoofing?

IP spoofing is a method in which IP packets (typically carrying TCP or UDP) are sent with a forged source address. The attacker uses the address of an authorized, trusted system so that its packets reach the target through filters that would otherwise block them. In most cases, IP spoofing is used to carry out DoS and DDoS attacks. Under certain circumstances, the attacker can also use the borrowed address to intercept or manipulate the traffic between two or more systems. Such man-in-the-middle attacks with the help of IP spoofing nowadays require, with few exceptions, that the attacker be on the same subnet as the victim.

IP falsification: Why IP spoofing works

Falsifying the IP address is possible because the source and destination addresses carried in every IP packet header are not protected against manipulation. The IP protocol itself provides no mechanism for encrypting this information or for checking its correctness; the header checksum only detects transmission errors and is computed by the sender over whatever it chose to write. With a simple IP spoofing attack the attacker does not gain access to data traffic: it merely writes a different address into the source field of the packet it sends, while its real IP address is never consulted by anyone. As a result, the response does not go to the attacker but to the computer whose address the attacker entered.
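As an added example (not code from the original article), the following Python builds a minimal IPv4 header with an arbitrary source address, computes the RFC 791 header checksum and then parses the packet back the way a receiver would. The addresses are constructed from the documentation ranges. The point it shows is that the only integrity check in the header, the checksum, is computed by the sender over the forged address and therefore passes; a receiver that tampers with the source field afterwards is the only party that can make it fail.

```python
import ipaddress
import struct

# Added example, not from the article: a minimal IPv4 header with a forged
# source address. Nothing in the header binds the source field to the host
# that actually emitted the packet.


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, inverted."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      protocol: int = 6, ttl: int = 64, ident: int = 0) -> bytes:
    """Return a 20-byte IPv4 header (no options). `src` is whatever the caller
    claims; the sender's real address is never consulted."""
    version_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words
    total_len = 20 + payload_len
    flags_frag = 0                      # no fragmentation
    header = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_len, ident,
                         flags_frag, ttl, protocol, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header)        # computed over the forged source too
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed header and report what a receiver can actually verify."""
    (version_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": version_ihl >> 4,
        "ihl": version_ihl & 0x0F,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # A header whose checksum field is correct sums to 0 after inversion.
        # The check says only "not corrupted in transit", not "sent by src".
        "checksum_ok": ipv4_checksum(pkt[:20]) == 0,
    }


if __name__ == "__main__":
    # Constructed sample: a host that is really 203.0.113.7 claims to be
    # 192.0.2.10 when talking to 198.51.100.1. The real address appears nowhere.
    forged = build_ipv4_header("192.0.2.10", "198.51.100.1", payload_len=0)
    print(parse_ipv4_header(forged))
```

The receiver sees `src = 192.0.2.10` and `checksum_ok = True`; its reply goes to 192.0.2.10, exactly as the paragraph above describes.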

The responding system has no way of seeing that an uninvolved third party is behind the packet, which is what makes IP spoofing usable for the DoS and DDoS attacks mentioned above. The two following scenarios are the most common:

  1. Using the borrowed source address, the attacker sends large quantities of packets to many different systems inside the network in question. These systems reply to each request with a packet of their own, and every reply lands at the uninvolved computer whose IP address has been appropriated (a reflection attack).

  2. An intended target computer receives simultaneous packets from a flood of falsified source addresses and becomes overloaded, because it has to answer, or hold connection state for, requests that no real host will ever complete.

The computer whose IP address was borrowed by the attacker can therefore be the target of the DDoS attack itself or merely be drawn in as a tool. In both cases the attacker remains unknown, since the packets appear to originate from the computers whose addresses were taken over.

How attackers sidestep the three-way-handshake

In theory, an attacker can launch such an overload from any location, as long as the target is reachable over the internet. Gaining access to the actual data traffic, however, is much harder if the attacker's computer is not on the same subnet. To inject packets into an existing TCP connection, or to complete a forged handshake, the attacker must supply the sequence number the target expects next, and obtaining that number from the outside is almost impossible today, in contrast to the early days.

In the past, operating systems and network devices generated the initial sequence numbers entered in the TCP header according to a fixed pattern, for example by incrementing a counter by a constant for every new connection. An attacker could send a few test packets to the targeted system and, from the SYN-ACK replies it received at its real address, predict the sequence number the system would use next. With that number it could complete a handshake under a forged sender IP, and inject data into the resulting session, without the two communicating systems noticing that a third party was involved. Because many systems relied on host-based login procedures such as rlogin and rsh, which trusted a client solely on the basis of its IP address, a successful guess gave the attacker a session on the target without any password (and where passwords were used, these protocols transmitted them unencrypted anyway). Since today's systems generate initial sequence numbers randomly, such TCP sequence prediction attacks (also known as blind spoofing) have become essentially ineffective, but older devices are still at risk.

If the spoofer is on the same subnet as the attacked system, for example in a local network, it has a much easier time obtaining the sequence numbers and the packets that carry them. Instead of having to guess them, it can capture and analyze the traffic and pick out the desired packets; on a switched network this usually requires an additional step such as ARP spoofing to pull the traffic onto the attacker's port. This is what is referred to as non-blind spoofing.
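The following simulation is added here and is not part of the original article. It models the blind sequence-prediction attack described above against two kinds of server: one that hands out initial sequence numbers from a counter, and one that draws them at random. No packets are sent; the "server" is a Python object and the "packets" are function arguments. The per-connection increment of 64 is an assumption modelled loosely on old BSD stacks, and the attacker's and trusted host's addresses are constructed from documentation ranges.

```python
import secrets
from dataclasses import dataclass, field

# Added example, not from the article: a blind TCP sequence prediction attack
# simulated against a model server. Increment of 64 per connection is assumed.


@dataclass
class ModelServer:
    random_isn: bool
    _counter: int = 0
    _pending: dict = field(default_factory=dict)  # (client_ip, port) -> our ISN
    sessions: list = field(default_factory=list)  # accepted (client_ip, port)

    def _next_isn(self) -> int:
        if self.random_isn:
            return secrets.randbits(32)           # modern behaviour
        self._counter = (self._counter + 64) & 0xFFFFFFFF  # old fixed pattern
        return self._counter

    def on_syn(self, src_ip: str, src_port: int, client_seq: int) -> tuple:
        """SYN in, SYN-ACK out: returns (server_isn, ack) addressed to src_ip."""
        isn = self._next_isn()
        self._pending[(src_ip, src_port)] = isn
        return isn, (client_seq + 1) & 0xFFFFFFFF

    def on_ack(self, src_ip: str, src_port: int, ack: int) -> bool:
        """Final ACK: the handshake completes only if it acknowledges ISN + 1."""
        isn = self._pending.pop((src_ip, src_port), None)
        if isn is None or ack != (isn + 1) & 0xFFFFFFFF:
            return False
        self.sessions.append((src_ip, src_port))
        return True


def blind_spoof_attempt(server: ModelServer, attacker_ip: str, trusted_ip: str) -> bool:
    """Probe twice with the attacker's real address, infer the ISN step, then
    forge a handshake as trusted_ip. The SYN-ACK for the forged SYN is sent to
    trusted_ip, so the attacker never sees it and must rely on its prediction."""
    isn_a, _ = server.on_syn(attacker_ip, 40000, 1)
    isn_b, _ = server.on_syn(attacker_ip, 40001, 1)
    step = (isn_b - isn_a) & 0xFFFFFFFF
    predicted = (isn_b + step) & 0xFFFFFFFF       # guess for the next ISN
    server.on_syn(trusted_ip, 1023, 1)            # forged SYN; reply is lost to us
    return server.on_ack(trusted_ip, 1023, (predicted + 1) & 0xFFFFFFFF)


def success_rate(random_isn: bool, trials: int = 100) -> float:
    """Fraction of attempts that yield a session under the trusted address."""
    hits = sum(blind_spoof_attempt(ModelServer(random_isn), "203.0.113.7", "192.0.2.10")
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("predictable ISN:", success_rate(False))   # 1.0
    print("random ISN:     ", success_rate(True))    # ~0.0
```

Against the counter-based server every attempt succeeds; against the random server the guess is right once in 2^32 tries. One thing the model deliberately leaves out: in a real attack the trusted host would receive the unexpected SYN-ACK and reset the connection, so the attacker also had to keep that host from answering.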

Protect yourself from IP spoofing

For decades, the problem of IP spoofing has kept security administrators and specialists busy. In particular, the ease of DoS and DDoS attacks keeps IP manipulation attractive to today's criminals. For this reason there has long been a demand for internet service providers to filter the traffic leaving their customers' networks and discard packets whose source address does not belong to the network they come from (the ingress filtering described in BCP 38 / RFC 2827). Cost is the main reason why this demand still goes largely unmet: many providers have yet to implement it.

Another reason for the hesitant attitude of the service providers may lie with the security features of the revised internet protocol version IPv6. IPv4 is still very common, but its successor was specified together with IPsec, which offers optional authentication and encryption of headers and payloads (the Authentication Header covers the source address) and could therefore prevent IP spoofing in the future. Two caveats apply: these mechanisms are equally available for IPv4, and a plain IPv6 packet without IPsec can be spoofed just as easily as an IPv4 packet. In any case, the switch to the new addressing protocol has proven to be a difficult matter, as evidenced, for example, by the lack of IPv6 support in various common network devices.

To prevent attackers from forging their IP addresses and appropriating others, internet users who want to take the initiative can set up their own protection. This focuses on the following two measures:

  • Set up a comprehensive packet filter on your router or security gateway. It should discard incoming packets that arrive from the outside but carry a source address belonging to a device inside your network, since no legitimate packet from the internet can have such a source. Outgoing packets with a source address outside your network should likewise be discarded, so that your own hosts cannot be used to spoof others. Security experts tend to see this second part as the duty of the internet service provider as well.
  • Stay away from host-based authentication systems such as rlogin, rsh or .rhosts trust. Make sure that all logins take place over encrypted and authenticated connections, for example SSH. This minimizes the risk of an IP spoofing attack within your own network while also setting important standards for overall security.
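The filtering decision from the first measure, written out as an added Python example (not code from the article) so the two rules can be checked against sample packets. It assumes 192.0.2.0/24 stands in for "our network"; the bogon list and the sample packets are constructed for illustration. On real equipment the same logic is expressed as router ACLs, nftables rules or strict unicast reverse-path forwarding.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Added example, not from the article: ingress/egress anti-spoofing filter.
# Assumption: our network is 192.0.2.0/24 (a documentation prefix).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that should never arrive from the internet (constructed list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in(addr: ipaddress.IPv4Address, nets: Iterable) -> bool:
    return any(addr in n for n in nets)


def decide(direction: str, src: str, dst: str, internal=INTERNAL) -> str:
    """Return 'accept' or 'drop: <reason>'.
    direction is 'in' (arriving from the internet) or 'out' (leaving for it)."""
    s = ipaddress.ip_address(src)
    if direction == "in":
        # Rule 1: the internet cannot legitimately deliver a packet that
        # claims to come from inside our own network.
        if _in(s, internal):
            return "drop: external packet claims an internal source"
        if _in(s, BOGONS):
            return "drop: bogon source"
        return "accept"
    if direction == "out":
        # Rule 2: our hosts may only speak with addresses we actually own,
        # so they cannot be used to spoof someone else's network.
        if not _in(s, internal):
            return "drop: internal host claims an address we do not own"
        return "accept"
    raise ValueError("direction must be 'in' or 'out'")


def filter_packets(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply decide() to (direction, src, dst) tuples and return the verdicts."""
    return [(d, s, t, decide(d, s, t)) for d, s, t in packets]


if __name__ == "__main__":
    # Constructed sample traffic seen at the gateway.
    sample = [
        ("in",  "198.51.100.1", "192.0.2.10"),   # ordinary inbound reply
        ("in",  "192.0.2.10",   "192.0.2.1"),    # spoofed: claims to be one of ours
        ("in",  "10.1.2.3",     "192.0.2.10"),   # bogon source
        ("out", "192.0.2.10",   "198.51.100.1"), # ordinary outbound request
        ("out", "203.0.113.7",  "198.51.100.1"), # our host spoofing an outside address
    ]
    for row in filter_packets(sample):
        print(*row)
```

Note what this filter cannot do: a packet arriving from the internet that forges some other external address (the DDoS case above) looks perfectly normal at your gateway. Only the provider of the network it actually came from is in a position to drop it, which is why the second rule is expected of every network, including ISPs.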

Of course, older operating systems and network devices should be replaced as well if they are still in use. This not only increases protection against IP spoofing but also closes a number of other security gaps.