Among the many risks against which you need to protect your organization, one of the most important to know about is IP spoofing.
This practice is often used as part of distributed denial of service (DDoS) attack in which the hacker disguises their IP address in an attempt to go unnoticed.
This article will explore everything you need to know about IP spoofing, including what it is, how it works, why it’s so dangerous, examples of well-known IP spoofing attacks, and tips for protecting your organization against this type of attack.
What is IP Spoofing?
Spoofing is a common type of cyber attack in which hackers impersonate another device, client, or user, typically to obscure the attack source. This disguise gives hackers cover to gain access to systems, all with the goal of malicious behavior like intercepting data or launching a DDoS attack to disrupt normal traffic.
Three types of spoofing attacks exist:
- DNS Server Spoofing: Alters a DNS server to point a domain name to a different IP address, usually with the intent of spreading a virus.
- ARP Spoofing: Connects hackers to an IP address through a spoofed address resolution protocol (ARP) message, usually to enable denial of service (DoS) and man-in-the-middle attacks.
- IP Spoofing: Disguises one IP address to gain access as a trusted system, usually to enable a DDoS attack or redirect communications.
The most common of these attacks is IP spoofing. This type of spoofing gives hackers protection in the form of going unnoticed by allowing them to appear as coming from another IP address.
How Does IP Spoofing Work?
To understand how IP spoofing works, it’s first essential to understand the role IP addresses play in internet communications.
Data gets shared over the internet through packets, each containing information about where the data comes from. One of the most important identifiers required for this packet is an IP address, including the source IP and destination IP address. Much like physical addresses, IP addresses are used as identifiers, and help systems determine whether or not information comes from a trusted source. Beyond sharing data, IP addresses are also used to identify traffic sources to a system or server.
IP spoofing occurs when a hacker tampers with their packet to change their IP source address. When done correctly, this change can easily go unnoticed since the switch happens before a hacker ever interacts with a controlled system or network. Think of this as a form of disguise since IP spoofing allows hackers to appear as though they are someone else.
Once a hacker has successfully spoofed an IP address, they can access controlled systems and intercept communications intended for someone else (i.e., the person or device whose IP address they are impersonating).
What Makes IP Spoofing So Dangerous?
IP spoofing is a dangerous type of attack because it is so difficult to detect. This is because IP spoofing happens before a hacker tries to access a system or communicate with an unknowing victim.
Consider the following implications that this difficult detection can have:
- Easily convincing people to share sensitive information with an illegitimate party. While we’ve all been trained to look for signs of phishing attacks, a good IP spoofing attack will show none of those signs. Instead, it will merely redirect communications intended for a legitimate party to a hacker who has spoofed that person or device’s IP address.
- Allowing hackers to stay concealed for extended periods. Typically, an attack on a secure system will trigger all kinds of alerts, and while damage has already been done, security teams can at least begin to stem that damage. IP spoofing allows hackers to access systems without anyone recognizing it since they are inside under a trusted source’s guise. As a result, they can do more damage for long before any type of remediation kicks in.
- Bypassing firewalls and other blockers to shut down systems. On a larger scale, IP spoofing enables multiple hackers to bypass firewalls and other security blockers more easily with the intent of flooding systems to cause outages or shut down services altogether. This approach can wreak enormous havoc, and the large scale makes it much harder to control.
What are Different Types of IP Spoofing Attacks?
IP spoofing commonly enables three different types of attacks:
1) DDoS Attacks
What it is: A DDoS attack aims to slow down or crash a server by overwhelming it with traffic. Unlike many other cyberattacks, hackers do not need to breach access to secure systems to be successful. Instead, they launch a coordinated attack on a server to bring it down for legitimate users. Often, this approach is intended as a distraction for other kinds of attacks.
How IP spoofing enables it: IP spoofing allows hackers to coordinate a DDoS attack that masks their identity from security officials and law enforcement. Specifically, they can flood any server to bring it down while disguising themselves as innocent users, making it difficult for anyone to determine the source of the attack or even distinguish those participating in it from legitimate users. And the harder it is to identify the source, the harder it becomes to pinpoint any other malicious activity for which the DDoS attack might be serving as a distraction.
Real-life example: GitHub fell victim to this type of DDoS attack in 2018, a coordinated effort that brought down its service for nearly 20 minutes. The attack was so large it has few parallels; however, GitHub managed to bring it under control by re-routing traffic through an intermediary partner and scrubbing data to block malicious parties.
2) Botnet Attacks
What it is: Botnets are a group of devices infected with malware and controlled by hackers, typically without the owners of those devices having any idea. Hackers can control these botnets as a group, giving them the nickname of a “zombie army.” Botnets are typically used for spam or DDoS attacks and can even threaten companies of an impending attack that can be held off by paying a ransom fee. Hackers can also use botnets to track and steal information from the people whose devices they have infected.
How IP spoofing enables it: IP spoofing allows botnet attacks to happen from start to finish for many reasons. First, since IP spoofing is hard to detect, it means device owners will likely stay unaware of any malicious activity going on. Second, IP spoofing enables hackers to quickly get through security measures for services and sit collecting information without anyone noticing. Finally, IP spoofing helps hackers evade discovery after the attack is complete.
Real-life example: GameOver Zeus is an infamous botnet attack in 2011 and resulted in over $100 million losses. In this attack, hackers took control of users’ devices to capture banking credentials. They then used that information to initiate or re-direct wire transfers -- all of which looked seemingly legitimate due to the use of IP spoofing.
3) Man in the Middle Attacks
What it is: A man in the middle attack occurs when a third party intercepts trusted communications between two other people or devices. In the world of digital communications, security measures like certificates and IP addresses are intended to authenticate the identity of a person or device. With a man in the middle attack, someone assumes another identity to intercept communications intended for someone else. Once hackers intercept this information, they can use it themselves or even alter the intended recipient’s original communication.
How IP spoofing enables it: IP spoofing allows hackers to become a “man in the middle” by enabling them to assume the identity of another user, device or service. In doing so, they can easily intercept communications without the sender knowing or even send information to an innocent recipient under the guise of someone else (e.g. an email from your bank asking for sensitive information).
Real-life example: In 2015, Europol busted a continent-wide man in the middle attack in which hackers intercepted payment requests between businesses and their customers, leading to damages of €6 million. Specifically, the hackers used IP spoofing to gain access to companies’ corporate email accounts. They then tracked communications and intercepted requests for payments from customers so that they could have customers send those payments to bank accounts controlled by the hackers.
How to Protect Your Organization from IP Spoofing
While detecting an IP spoofing attack early on can prove challenging, there are several steps you can take to protect your organization from the dangers of IP spoofing.
1) Packet Filtering
Packet filtering examines the IP packets for every device or user trying to connect to a network (this can be ingress to monitoring incoming communications or egress to monitor outgoing communications). This practice looks particularly closely at each IP packet’s header, which contains the IP address, to confirm it matches the source and everything looks as it should. If anything looks amiss, the packet will not be able to complete the connection as intended.
2) Authentication via Public Key Infrastructure
Public key infrastructure (PKI) is a common method for authenticating users and devices that relies on a public and private key pair. The private key can encrypt communications and verify a user/device’s authenticity, while the public key can decrypt these communications.
Importantly, these authentication methods use asymmetric encryption, meaning that each key is different from the other in its pair. This method makes it extremely difficult for hackers to determine the private key and is highly effective for preventing common types of IP spoofing attacks, like the man in the middle attack.
3) Network Monitoring and Firewalls
Network monitoring is the practice of closely tracking network activity to look out for anything suspicious. While this can prove a bit difficult in preventing hackers from gaining access via IP spoofing since that approach should disguise their presence, it can help catch any malicious activity earlier on to stem the flow of damage. Meanwhile, setting up a network firewall is another way to authenticate IP addresses and filter out any traffic that appears sketchy and potentially subject to IP spoofing.
4) Security Training
Finally, security training for legitimate network users can also help protect against damages due to IP spoofing. For example, this might involve instructing users to never respond to emails that ask them to click on a link to change their login information. Instead, go directly to the sender’s website to take any action. While this type of training can certainly help, it’s important to keep in mind that it’s just another layer of protection against damages. This training is not a prevention tactic since by the time this training comes in handy, a hacker has already led a successful IP spoofing effort and gained access to certain systems.