How IP Address Spoofing or Masquerading Works

This tutorial explains how an IP address spoofing or a masquerading attack works. Learn what IP address spoofing or masquerade attacks are and how they are mitigated.

What is IP address spoofing?

IP address spoofing is a technique in which a node transmits a data packet using someone else's IP address. The sender node hides (fakes or masks) its IP address with someone else's IP address. Typically, the sender node chooses an IP address that belongs to the destination node's network. IP address spoofing is also known as masquerading.

The basic concept of address spoofing

An IP address is a unique identity of a computer on a network. Computers use IP addresses to communicate or exchange data with other computers on the network. To transmit a large amount of data, a computer breaks the data stream into smaller packets and transmits each data packet separately.

Each data packet contains two types of address: source address and destination address. The source address represents the sender computer, and the destination address represents the recipient computer. When a computer receives a data packet, it uses the source address of the data packet to identify the sender's computer. To reply, the computer uses the source address of the packet as the destination address.

Since the destination computer uses the source address to reply, the sender computer can fake the source address to divert the reply to another address or computer. This technique is known as IP address spoofing or masquerading. Let's take a simple example to understand how it works.

Albert sends a letter to Nina. But instead of writing his own name and address in the sender column, he writes the name and address of Peter. When Nina receives the letter, she reads Peter's name in the sender column and thinks that Peter sent her the letter. So, she sends a reply to Peter. Peter receives a response letter from Nina. This technique is called address spoofing.

The following image shows an example of address spoofing.

example of IP address spoofing

How does an IP address spoofing attack work?

IP address spoofing works similarly to address spoofing. To launch an IP address spoofing attack, instead of using its own IP address, a node uses a different IP address in the source address field of the packet. The destination device replies to the modified source address. In this type of attack, the sender device or the hacker does not care about the return traffic. In other words, the sender device wants the destination device to reply but does not want to receive that reply.

Let's take an example to understand how it works.

A network uses the 1.0.0.0/8 address space for its internal IP addressing. The network has a server. The IP address of the server is 1.1.1.1. The server is configured to reply only to requests that come from the internal network. A hacker connects to the network. The hacker sends thousands of packets per second to the server system. The hacker uses the server's real address in the destination address field but, in the source address field, uses an address that belongs to the server's address space, that is, the internal address space of the network. When the server receives these packets, it assumes that they arrive from the internal network, and it replies to each packet.

The following image shows this example.

example of masquerading attack

As you can see in the above image, the actual IP address of the source is 10.0.0.5, but the hacker used the IP address 1.1.1.2 in the source address field of each packet. When these packets reach the server, the server assumes that they arrive from a host that belongs to the internal network. The server replies to each packet. When the reply packets reach host 1.1.1.2, the host ignores them because it did not request them. This way, a hacker can engage both the server and the host at the same time.

This type of attack is mostly used as a DoS attack tool. In a DoS attack, a hacker engages a service in responding to fake requests so much that it does not have time to respond to genuine requests.

How to mitigate an IP address spoofing attack

To mitigate IP address spoofing attacks, an administrator can use a firewall. The administrator can configure the firewall to filter all incoming traffic. The administrator can create a rule on the firewall to deny all incoming packets that have an internal IP address in the source address field. This technique is known as ingress filtering.

The following image shows how ingress filtering protects the network from IP address spoofing attacks.

ingress method example

The administrator can also configure the firewall to filter the outgoing traffic. The administrator can create a rule to deny all outgoing packets that do not have a valid internal IP address in the source address field. This technique is known as egress filtering. Egress filtering blocks internal hosts from launching IP address spoofing attacks on external hosts.

The following image shows how egress filtering ensures that unauthorized traffic never leaves the internal network.

egress method example
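The two filtering rules described above can be expressed as a small decision function. The following is an added example, not part of the original tutorial: it reads the source address from a raw IPv4 header and applies the ingress and egress rules for the tutorial's 1.0.0.0/8 network. The function names, the "outside"/"inside" interface labels and the sample headers are assumptions made for illustration.

```python
import ipaddress
import struct

# Internal address space from the tutorial's example network.
INTERNAL_NET = ipaddress.ip_network("1.0.0.0/8")


def build_ipv4_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample input, checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,  # version/IHL, TOS, length, id, flags, TTL, proto, checksum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )


def parse_addresses(header: bytes):
    """Return (source, destination) read from header bytes 12-15 and 16-19."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src = ipaddress.ip_address(header[12:16])
    dst = ipaddress.ip_address(header[16:20])
    return src, dst


def filter_packet(header: bytes, arriving_on: str) -> str:
    """Apply the anti-spoofing rules at the firewall.

    arriving_on is "outside" (traffic entering the network) or
    "inside" (traffic leaving it); these labels are hypothetical.
    """
    src, _dst = parse_addresses(header)
    if arriving_on == "outside":
        # Ingress filtering: an internal source address cannot
        # legitimately arrive from the external side.
        return "drop" if src in INTERNAL_NET else "accept"
    if arriving_on == "inside":
        # Egress filtering: only valid internal source addresses may leave.
        return "accept" if src in INTERNAL_NET else "drop"
    raise ValueError("unknown interface")
```

The decision depends on which side of the firewall the packet arrived from, so it only covers packets that actually cross the firewall. The source address field alone carries no proof of origin, which is why the rule keys on the interface as well.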

That's all for this tutorial. In this tutorial, we discussed how IP address spoofing attacks work and how to mitigate them.
