IP spoofing: How it works and how to prevent it
Spoofing is a specific type of cyber-attack in which someone attempts to use a computer, device, or network to trick other computer networks by masquerading as a legitimate entity. It's one of many tools that hackers use to gain access to computers to mine them for sensitive data, turn them into zombies (computers taken over for malicious use), or launch Denial-of-Service (DoS) attacks. Of the different types of spoofing, IP spoofing is the most common.
What is IP spoofing?
IP spoofing, or IP address spoofing, refers to the creation of Internet Protocol (IP) packets with a false source IP address to impersonate another computer system. IP spoofing allows cybercriminals to carry out malicious actions, often without detection. This might include stealing your data, infecting your device with malware, or crashing your server.
To learn more about what IP address is and how to protect it, watch this video on YouTube:
How IP spoofing works
Let’s start with some background: Data transmitted over the internet is first broken into multiple packets, and those packets are sent independently and reassembled at the end. Each packet has an IP (Internet Protocol) header that contains information about the packet, including the source IP address and the destination IP address.
In IP spoofing, a hacker uses tools to modify the source address in the packet header to make the receiving computer system think the packet is from a trusted source, such as another computer on a legitimate network, and accept it. This occurs at the network level, so there are no external signs of tampering.
In systems that rely on trust relationships among networked computers, IP spoofing can be used to bypass IP address authentication. A concept sometimes referred to as the ‘castle and moat’ defense, which is where those outside the network are considered threats, and those inside the ‘castle’ are trusted. Once a hacker breaches the network and makes it inside, it's easy to explore the system. Because of this vulnerability, using simple authentication as a defense strategy is increasingly being replaced by more robust security approaches, such as those with multi-step authentication.
While cybercriminals often use IP spoofing to carry out online fraud and identity theft or shut down corporate websites and servers, there can also sometimes be legitimate uses. For example, organizations may use IP spoofing when testing websites before putting them live. This would involve creating thousands of virtual users to test the website to see if the site can handle a large volume of logins without being overwhelmed. IP spoofing is not illegal when used in this way.
Types of IP spoofing
The three most common forms of IP spoof attacks are:
Distributed Denial of Service (DDoS) attacks
In a DDoS attack, hackers use spoofed IP addresses to overwhelm computer servers with packets of data. This allows them to slow down or crash a website or network with large volumes of internet traffic while concealing their identity.
Masking botnet devices
IP spoofing can be used to obtain access to computers by masking botnets. A botnet is a network of computers that hacker’s control from a single source. Each computer runs a dedicated bot, which carries out malicious activity on the attacker’s behalf. IP spoofing allows the attacker to mask the botnet because each bot in the network has a spoof IP address, making the malicious actor challenging to trace. This can prolong the duration of an attack to maximize the payoff.
Another malicious IP spoofing method uses a ‘man-in-the-middle’ attack to interrupt communication between two computers, alter the packets, and transmit them without the original sender or receiver knowing. If attackers spoof an IP address and obtain access to personal communication accounts, they can then track any aspect of that communication. From there, it’s possible to steal information, direct users to fake websites, and more. Over time, hackers collect a wealth of confidential information they can use or sell – which means man-in-the-middle attacks can be more lucrative than the others.
Examples of IP spoofing
One of the most frequently cited examples of an IP spoofing attack is GitHub’s DDoS attack in 2018. GitHub is a code hosting platform, and in February 2018, it was hit by what was believed to be the largest DDoS attack ever. Attackers spoofed GitHub’s IP address in a coordinated attack so large that it brought down the service for nearly 20 minutes. GitHub regained control by re-routing traffic through an intermediary partner and scrubbing data to block malicious parties.
An earlier example took place in 2015 when Europol cracked down on a continent-wide man-in-the-middle attack. The attack involved hackers intercepting payment requests between businesses and their customers. The criminals used IP spoofing to obtain fraudulent access to organizations’ corporate email accounts. They then snooped on communications and intercepted requests for payments from customers – so they could trick those customers into sending payments to bank accounts they controlled.
IP spoofing isn’t the only form of network spoofing – there are other types, including email spoofing, website spoofing, ARP spoofing, text message spoofing, and more. You can read Kaspersky's complete guide to different types of spoofing here.
How to detect IP spoofing
It is difficult for end-users to detect IP spoofing, which is what makes it so dangerous. This is because IP spoof attacks are carried out at the network layers – i.e., Layer 3 of the Open System Interconnection communications model. This doesn’t leave external signs of tampering – often, spoofed connection requests can appear legitimate from the outside.
However, organizations can use network monitoring tools to analyze traffic at endpoints. Packet filtering is the most common way to do this. Packet filtering systems – which are often contained in routers and firewalls – detect inconsistencies between the packet’s IP address and desired IP addresses detailed on access control lists (ACLs). They also detect fraudulent packets.
The two main types of packet filtering are ingress filtering and egress filtering:
- Ingress filtering looks at incoming packets to assess whether the source IP header matches a permitted source address. Any packets which look suspicious will be rejected.
- Egress filtering looks at outgoing packets to check for source IP addresses that don't match those on the organization's network. This is designed to prevent insiders from launching IP spoofing attacks.
How to protect against IP spoofing
IP spoofing attacks are designed to conceal the attackers’ true identity, making them difficult to spot. However, some anti-spoofing steps can be taken to minimize risk. End-users can't prevent IP spoofing since it's the job of server-side teams to prevent IP spoofing as best they can.
IP spoofing protection for IT specialists:
Most of the strategies used to avoid IP spoofing must be developed and deployed by IT specialists. The options to protect against IP spoofing include:
- Monitoring networks for atypical activity.
- Deploying packet filtering to detect inconsistencies (such as outgoing packets with source IP addresses that don't match those on the organization's network).
- Using robust verification methods (even among networked computers).
- Authenticating all IP addresses and using a network attack blocker.
- Placing at least a portion of computing resources behind a firewall. A firewall will help protect your network by filtering traffic with spoofed IP addresses, verifying traffic, and blocking access by unauthorized outsiders.
Web designers are encouraged to migrate sites to IPv6, the newest Internet Protocol. It makes IP spoofing harder by including encryption and authentication steps. A high proportion of the world's internet traffic still uses the previous protocol, IPv4.
IP spoofing protection for end users:
End-users can't prevent IP spoofing. That said, practicing cyber hygiene will help to maximize your safety online. Sensible precautions include:
Make sure your home network is set up securely
This means changing the default usernames and passwords on your home router and all connected devices and ensuring you use strong passwords. A strong password avoids the obvious and contains at least 12 characters and a mix of upper- and lower-case letters, numbers, and symbols. You can read Kaspersky’s full guide to setting up a secure home network here.
Take care when using public Wi-Fi
Avoid carrying out transactions such as shopping or banking on unsecured public Wi-Fi. If you do need to use public hotspots, maximize your safety by using a virtual private network or VPN. A VPN encrypts your internet connection to protect the private data you send and receive.
Make sure the websites you visit are HTTPS
Some websites don’t encrypt data. If they don’t have an up-to-date SSL certificate, they are more vulnerable to attacks. Websites whose URL starts with HTTP rather than HTTPS are not secure – which is a risk for users sharing sensitive information with that site. Ensure that you’re using HTTPS websites and look for the padlock icon in the URL address bar.
Be vigilant when it comes to phishing attempts
Be wary of phishing emails from attackers asking you to update your password or other login credentials or payment card data. Phishing emails are designed to look as though they come from reputable organizations but, in reality, have been sent by scammers. Avoid clicking on links or opening attachments in phishing emails.
Use a comprehensive antivirus
The best way to stay safe online is by using a high-quality antivirus to protect you from hackers, viruses, malware, and the latest online threats. It's also essential to keep your software up-to-date to ensure it has the latest security features.
- Kaspersky Anti-Virus
- Kaspersky Total Security
- Kaspersky Internet Security
- Kaspersky Password Manager
- Kaspersky Secure Connection
- How to hide your IP address
- What is DNS spoofing and how to prevent it
- What is phone number spoofing
- What is data privacy?