IP spoofing: What is it and how does it work? – Norton
Nov. 25, 2020
Cybercriminals count on stealth to commit crimes. One tactic is Internet Protocol address spoofing, better known as IP spoofing.
IP spoofing allows cybercriminals to take malicious actions often without detection. That includes infecting your computer with malware, stealing your sensitive data, and crashing your server. An attacker can do this by using the IP address of another computer to masquerade as a trusted source to gain access to your computer, device, or network.
When cybercriminals use spoofed IP source addresses to pretend that they’re trusted sources, it can be dangerous for different reasons, including these:
IP spoofing can leave unsuspecting people vulnerable to having their personal data stolen and used for malicious purposes like identity theft and other online frauds.
IP-spoofing attacks can flood and shut down corporate servers and websites.
It’s smart to understand IP spoofing, if only to avoid it. In this article, here’s what you’ll learn:
How does IP spoofing work?
What are the types of IP spoofing attacks?
What are real examples of IP spoofing attacks?
What are the mechanics behind IP address spoofing? First, keep in mind that every device that is capable of connecting to the internet has an internet protocol (IP) address giving it a unique identity. The data travelling on the internet is made up of IP packets, and each packet contains an IP header. That IP header shares routing information about the packet like its source and destination IP addresses.
IP spoofing enables an attacker to replace a packet header’s source IP address with a fake, or spoofed IP address. The attacker does this by intercepting an IP packet and modifying it, before sending it on to its destination. What this means is the IP address looks like it’s from a trusted source – the original IP address – while masking its true source: an unknown third-party.
In the eyes of an attacker, the beauty of spoofing an IP address is that it enables them to impersonate another computer system and look like it’s from a trusted source. This enables an attacker to hide their real identity and most likely circumvent your firewall. By spoofing an IP address, a hacker can trick you into thinking you’re interacting with a trusted website or person – like a close friend, when in reality you’re interacting with a cybercriminal.
As you can see, IP spoofing facilitates anonymity by concealing source identities. This can be advantageous for cybercriminals for these three reasons in particular.
Spoofed IP addresses enable attackers to hide their identities from law enforcement and others.
The computers and networks targeted aren’t always aware that they’ve been compromised, so they don’t send out alerts.
Because spoofed IP addresses look like they’re from trusted sources, they’re able to bypass firewalls and other security checks that might otherwise blacklist them as a malicious source.
IP spoofing attacks can take several forms. It depends on the vulnerabilities of victims and the goals of attackers. Here are a few common malicious uses.
Masking botnet devices. IP spoofing can be used to gain access to computers by masking botnets, which are groups of connected computers that perform repetitive tasks to keep websites functioning. IP spoofing attacks mask these botnets and use their interconnection for malicious purposes. That includes flooding targeted websites, servers, and networks with data and crashing them, along with sending spam and various forms of malware.
DDoS attacks. IP spoofing is commonly used to launch a distributed denial-of-service (DDoS) attack. A DDoS attack is a brute force attempt to slow down or crash a server. Hackers are able to use spoofed IP addresses to overwhelm their targets with packets of data. This enables attackers to slow down or crash a website or computer network with a flood of internet traffic, while masking their identity.
Man-in-the-middle attacks. IP spoofing also is commonly used in man-in-the-middle attacks, which work by interrupting communications between two computers. In this case, IP spoofing changes the packets and then sends them to the recipient computer without the original sender or receiver knowing they’ve been altered. An attacker becomes the so-called “man in the middle,” intercepting sensitive communications that they can use to commit crimes like identity theft and other frauds.
What is a real example of IP spoofing?
Cybercriminals use IP spoofing for different purposes. One goal is to infect computers and networks with malware by fooling them into thinking the traffic is from a trusted source.
A hacker can also use IP spoofing to intercept and monitor communications between you and another person. That means they could potentially find out your passwords and other personal information to use for malicious purposes like identity theft and other online frauds.
Spoof attacks also can flood and crash a victim’s servers by sending out millions of requests with the spoofed address.
A real-world incident shows how the scheme unfolds. Here’s what happened to the code hosting platform GitHub in 2018.
GitHub was hit by a large DDoS attack that was executed by spoofing GitHub’s IP address and sending data to several servers. Those servers then increased data returned to GitHub by a factor of 50. This increased traffic overwhelmed and ultimately shut down GitHub’s website for 10 minutes.
How to protect against IP spoofing
Here are steps you can take to help protect your devices, data, network, and connections from IP spoofing.
Use secure encryption protocols to secure traffic to and from your server. Part of this is making sure “HTTPS” and the padlock symbol are always in the URL bar of websites you visit.
Be wary of phishing emails from attackers asking you to update your password or any other login credentials or payment card data, along with taking actions like making donations. Phishing emails have been a tool for cybercriminals during the coronavirus pandemic. Some of these spoofing emails promise the latest COVID-19 information, while others ask for donations. While some of the emails may look like they’re from reputable organizations, they have been sent by scammers. Instead of clicking on the link provided in those phishing emails, manually type the website address into your browser to check if it’s legitimate.
Take steps that will help make browsing the web safer. That includes not surfing the web on unsecure, public Wi-Fi. If you must visit public hotspots, use a virtual private network, or VPN, that encrypts your internet connection to protect the private data you send and receive.
Security software solutions that include a VPN can help. Antivirus software will scan incoming traffic to help ensure malware isn’t trying to get in. It’s important to keep your software up to date. Updating your software ensures it has the latest encryption, authentication, and security patches.
Set up a firewall to help protect your network by filtering traffic with spoofed IP addresses, verifying that traffic, and blocking access by unauthorized outsiders. This will help authenticate IP addresses.
Secure your home Wi-Fi network. This involves updating the default usernames and passwords on your home router and all connected devices with strong, unique passwords that are a combination of 12 uppercase and lowercase letters, at least one symbol and at least one number. Another approach is using long passphrases that you can remember but would be hard for others to guess.
Monitor your network for suspicious activity.
Use packet filtering systems like ingress filtering, which is a computer networking technique that helps to ensure the incoming packets are from trusted sources, not hackers. This is done by looking at packets’ source headers. In a similar way, egress filtering can be used to monitor and restrict outbound traffic, or packets that don’t have legitimate source headers and fail to meet security policies.
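To make the ingress and egress filtering steps concrete, here is an added example (not code from the article or from Norton) that parses the source address out of a raw IPv4 header and applies the two checks to a constructed topology; the interface names and address prefixes are assumptions for illustration.

```python
import ipaddress
import struct

# Constructed topology (example only): the prefixes that legitimately sit behind each
# router interface. Ingress filtering drops a packet whose source address could not have
# come from the interface it arrived on; egress filtering drops outbound packets whose
# source is not one of our own addresses, so our network cannot be a spoofing source.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
LAN_PREFIXES = {"lan0": [OUR_PREFIXES[0]], "lan1": [OUR_PREFIXES[1]]}
UPSTREAM = "wan0"  # anything may arrive here except packets claiming to be us

def parse_ipv4_header(raw: bytes):
    """Return (src, dst, protocol) from the fixed 20-byte IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto

def build_ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed test packet: minimal IPv4 header, header checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def ingress_decision(interface: str, raw: bytes) -> str:
    """Decide whether a packet arriving on `interface` carries a plausible source address."""
    src, _, _ = parse_ipv4_header(raw)
    if interface == UPSTREAM:
        # From the internet, a source inside our own address space must be forged.
        return "drop" if _in_any(src, OUR_PREFIXES) else "accept"
    # From a customer LAN, the source must belong to that LAN's assigned prefix.
    return "accept" if _in_any(src, LAN_PREFIXES.get(interface, [])) else "drop"

def egress_decision(raw: bytes) -> str:
    """Outbound toward the upstream: only our own addresses may leave as the source."""
    src, _, _ = parse_ipv4_header(raw)
    return "accept" if _in_any(src, OUR_PREFIXES) else "drop"

if __name__ == "__main__":
    for iface, src in [("lan0", "192.0.2.10"), ("lan0", "203.0.113.5"),
                       ("wan0", "203.0.113.5"), ("wan0", "192.0.2.10")]:
        print(iface, src, ingress_decision(iface, build_ipv4_header(src, "198.51.100.20")))
```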
Types of spoofing
Spoofing attacks can take place at different layers, as seen in these types of spoofing.
IP address spoofing – happens at the network level.
Address Resolution Protocol (ARP) spoofing – occurs at the data link layer.
Domain Name System (DNS) spoofing – diverts internet traffic away from legitimate servers to fake servers. Attackers are able to masquerade as other devices with DNS spoofing.
Email spoofing – can be seen recently in spoofers’ promises of the latest COVID-19 information or requests for donations. While IP spoofing has been a threat to cybersecurity, the coronavirus pandemic has created new opportunities for carrying it out in the form of spoofing emails. If you’ve clicked on a link in one of these emails and not received the information you expected, you likely have been spoofed.
Legitimate uses for IP spoofing
IP spoofing also may be used by companies in non-malicious ways. For example, companies may use IP spoofing when performing website tests to make sure they work when they go live.
In this case, thousands of virtual users might be created to test a website. This non-malicious use helps gauge a website’s effectiveness and ability to manage numerous logins without being overwhelmed.
FAQs about IP spoofing
Is IP spoofing illegal?
IP spoofing is not illegal if used for non-malicious purposes like the corporate website tests. IP spoofing is illegal if used to access or steal another person or company’s sensitive data with the intent to commit crimes like identity theft and other frauds.
How easy is IP spoofing?
IP spoofing may not be difficult if victims fall for an attacker’s phishing emails, for example.
Can IP spoofing be traced?
IP spoofing occurs at the network level, so there aren’t external signs of interference. Consider an example of a DoS attack where networks of compromised computers, or botnets, are used to send spoofed packets. Because IP spoof attacks are automated by botnets that may contain thousands of participating computers, they can be challenging to trace.
Can IP spoofing be stopped?
Much IP spoofing could be stopped with prevention tactics. That includes implementing secure encryption protocols, firewalls, and packet filtering. It’s a good idea to always use caution when online and beware of unsecure Wi-Fi and websites, phishing emails, and other malicious scams.
Public IP spoofing — how hard/realistic is it?: AskNetsec – Reddit
Hey y’all, I’m a sysadmin and I have a healthy debate with a situation: I need to access a service hosted at client A’s site (tcp/389).

My view: tcp/389 should never be transmitted over the net as is. SSH tunnel or VPN if required.

Opposing view: tie down the ACLs in the client’s FW to ensure only OUR “datacentre” can initiate connections to that service at client A’s IPs; we should be fine and that’s sufficient.

Obviously I think I’m correct, but there is some merit to the opposing view. On a scale of 1-10, how wrong is my colleague? haha

Seriously though, how easy/hard is it to spoof a public IP to initiate this type of traffic? Many, many thanks
IP Spoofing: How secure is to control access by user’s public …
We have a few Windows server VMs hosted in Amazon cloud. Users need to enter account and password to RDP to the VMs.
The VMs’ RDP EndPoint (IP+Port) is public to the internet.
As an extra security measure, we managed to restrict access to the RDP port (available to public) to specific public IP addresses.
The question is how easy it is to spoof a public IP address. Can hackers spoof our designated public IP address, so they bypass our public IP address firewalling?
asked Nov 16 ’15 at 17:08
Assuming a TCP connection, it is nearly impossible to spoof a source IP address without control of the network.
Assuming you are not using any proxies (which can cause issues if you’re getting their IP address from an X-FORWARDED-FOR header), and running a service on TCP, it’s extremely difficult to spoof a source IP address.
To initialize a TCP connection multiple packets have to be sent back and forth between the server and the attacker. If the source address for the initial request is spoofed, then the attacker would be unable to finish opening the connection because the spoofed address is not their address. So when the server sends a packet ‘back’ to them, it would instead be directed to the real owner of the address and not the attacker.
I would make a diagram on Visio for this, but I am in class, so hopefully a sketch is sufficient.
answered Nov 16 ’15 at 17:40
Spoofing the source address is fairly easy, there are still many ISPs that don’t implement source address filtering.
Receiving the replies to those spoofed packets is harder. The attacker would need to either get on the network path between client and server or modify routing to change the network path. This is harder but certainly not impossible.
Modern TCP implementations use randomised sequence numbers which make the probability of successfully opening a TCP connection without receiving the reply to the SYN packet very low. Older systems and UDP based protocols may be more vulnerable to such attacks. Use of “SYN cookies” by the server also increases the probability of such an attack succeeding (though it’s still a very low probability).
I would consider source IP filtering to be a useful extra line of defense but I would not want to rely on it as the sole means of protection.
answered Oct 11 ’16 at 10:37
Peter Green
answered Nov 16 ’15 at 17:17
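A toy model of the point both answers make, added here as an example and not code from either answerer or from the site: the server’s SYN-ACK is routed to the address in the packet header, so a forged source never receives it, and completing the handshake would require guessing a random 32-bit initial sequence number. Host addresses and the `Network`/`TcpServer` classes are constructed for illustration.

```python
import secrets

class Host:
    """A host identified by its IP; it receives only what the network routes to it."""
    def __init__(self, ip):
        self.ip, self.inbox = ip, []

class Network:
    """Delivers each reply to the address named in the packet header, not to the sender."""
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}
    def deliver(self, dst, msg):
        if dst in self.hosts:
            self.hosts[dst].inbox.append(msg)

class TcpServer:
    """Three-way handshake with a random 32-bit initial sequence number (ISN)."""
    def __init__(self, ip, net):
        self.ip, self.net, self.half_open, self.established = ip, net, {}, set()
    def on_syn(self, claimed_src, client_isn):
        isn = secrets.randbits(32)
        self.half_open[claimed_src] = isn
        # The SYN-ACK is addressed to the header's source, whoever really sent the SYN.
        self.net.deliver(claimed_src, ("SYN-ACK", isn, (client_isn + 1) % 2**32))
    def on_ack(self, claimed_src, ack_num):
        isn = self.half_open.pop(claimed_src, None)
        if isn is not None and ack_num == (isn + 1) % 2**32:
            self.established.add(claimed_src)
            return True
        return False

def legitimate_handshake(server, client):
    """The real owner of the address reads the SYN-ACK and acknowledges the server's ISN."""
    server.on_syn(client.ip, 1000)
    _, server_isn, _ = client.inbox[-1]
    return server.on_ack(client.ip, (server_isn + 1) % 2**32)

def spoofed_handshake(server, attacker, spoofed_ip, guess):
    """A SYN with a forged source: the sender never sees the SYN-ACK and can only guess the ISN."""
    server.on_syn(spoofed_ip, 1000)
    return server.on_ack(spoofed_ip, (guess + 1) % 2**32), len(attacker.inbox)

def demo():
    trusted, attacker = Host("198.51.100.7"), Host("203.0.113.9")  # constructed addresses
    server = TcpServer("192.0.2.10", Network(trusted, attacker))
    legit = legitimate_handshake(server, trusted)
    spoofed, attacker_replies = spoofed_handshake(server, attacker, trusted.ip, secrets.randbits(32))
    return {"legit": legit, "spoofed": spoofed, "attacker_replies": attacker_replies,
            "blind_guess_probability": 1 / 2**32}
```

The model omits what the real address owner does with the unexpected SYN-ACK (a real stack answers with a RST), which only makes the forged attempt less likely to succeed.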