IP Address Spoofing

December 14, 2009 by · 3 Comments 

In everyday conversation, we tend to use language that is foreign to others around us. While people sometimes give us a head nod, or say “uh huh,” they don’t always know what we’re talking about. Frankly, their body language tells the true story, especially when they display the “thousand mile stare,” or confused facial gesture. I was recently talking about IP address spoofing when I saw someone giving me that look. I decided to give them a quick summary of IP address spoofing, but decided to provide a more elaborate version of that conversation below.

Spoofing is simply the act of pretending to be someone you’re not. With IP address spoofing, an attacker will change his or her IP address to appear to be someone or something else on the network or Internet. One might ask, “Why would someone want to spoof their IP address?” Well, if an attacker were remotely accessing an unauthorized network or system, they wouldn’t want that activity traced back to them. Instead, they will spoof their IP address so that the traffic shows a different source.

For instance, if a system provided access, or authentication, based merely upon IP address, an attacker could simply change their IP to an IP address of a privileged system and effectively gain unauthorized access.


Image source: Microsoft

So what if an attacker performed the above scenario and gained unauthorized access to a system? They would probably want to execute a few commands and, depending on their intent, may want to have some information sent back to them. However, there’s a small problem with basic IP address spoofing. Because of the three-way handshake, once the receiving system gets the request, it sends its response to the real system whose address is being spoofed. That system never initiated the conversation, so when the response arrives it will not complete the three-way handshake and will instead send a reset message to the sender. Therefore, the attacker wouldn’t receive the information they requested unless they provided their own IP address for routing.

So if I were an attacker, what would be my workaround? One way that an attacker could get around the three-way handshake roadblock is to use source routing. With source routing, an attacker can specify the path that a packet will take to get to its destination, including each hop along the way. Since the attacker knows exactly where the packets will go, they can stand by for interception or simply place themselves somewhere along the directed path.

So for all my network security engineers out there, don’t allow IP source routing through your firewalls and routers!

