IP address spoofing

From Hill2dot0

One of the most common network security threats at the Internet Layer is spoofing (i.e., changing) the source IP address of a packet.

IP addresses are spoofed for two reasons. The first is to hide the source of the IP packet. This is useful when executing a DoS attack that attempts to disrupt the remote host through illegal commands or via excessive use of network or OS resources. Simply put, spoofing an IP packet source is a convenient way to cover an attacker’s tracks. When used for this purpose, the spoofed IP address is generally not a valid address and might even be from the private address range.

The second reason to spoof the source of a packet is to redirect traffic to a third device. Consider this scenario: Host A sends a packet to host B, but it looks like it came from host C. Host B sends its response to host C. Such spoofing allows a computer to bounce an attack off an unsuspecting third party. In this case, the spoofed source IP address is that of the target host (host C in the scenario).

Because routers on the Internet generally do not take a packet’s source address into consideration when forwarding traffic, spoofed addresses are notoriously hard to detect, and it is difficult to find the packet’s true source. IP’s connectionless nature makes this task even more difficult, since no record is kept of the path a packet takes through a network.
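
The source-address check that forwarding routers skip can be applied at a network's own edge. The following is an added example, not part of the original page: it reads the source field from an IPv4 header and flags sources that cannot be genuine on an Internet-facing interface, including the private range mentioned above. The internal prefix, the sample addresses and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

# Source ranges that can never be legitimate on an Internet-facing interface.
BOGON_SOURCES = {
    "private range": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8"],
    "this-network": ["0.0.0.0/8"],
    "multicast": ["224.0.0.0/4"],
    "reserved": ["240.0.0.0/4"],
}
BOGON_SOURCES = {k: [ipaddress.ip_network(n) for n in v] for k, v in BOGON_SOURCES.items()}
# Assumption: the prefix our own hosts use (constructed, documentation range).
INTERNAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def build_header(src: str, dst: str) -> bytes:
    """Constructed sample input: a minimal 20-byte IPv4 header (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def source_of(packet: bytes) -> ipaddress.IPv4Address:
    """Read the source address field (header bytes 12-15)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    return ipaddress.IPv4Address(packet[12:16])


def check_inbound(packet: bytes) -> str:
    """Return 'ok' or why the source is implausible for a packet arriving from outside."""
    src = source_of(packet)
    for reason, nets in BOGON_SOURCES.items():
        if any(src in net for net in nets):
            return reason
    if any(src in net for net in INTERNAL_PREFIXES):
        return "internal prefix on external interface"
    return "ok"


if __name__ == "__main__":
    for s in ["10.1.2.3", "198.51.100.7", "192.0.2.10"]:  # constructed samples
        print(s, "->", check_inbound(build_header(s, "198.51.100.20")))
```

A spoofed source that is a real, routable address belonging to a third party (the host C case) returns `ok` here; only the network where the packet originates can tell that it is forged.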