Summary of IP Spoofing

If you are using any sort of IP-based filtering within your application, you need to evaluate how IP spoofing attacks affect your security controls. To make a fair evaluation you need a basic understanding of how IP spoofing works and, just as importantly, of what it cannot do.



Let's look at two different scenarios.

Scenario #1: The attacker wants to spoof an arbitrary IP address and is not on the same subnet (broadcast domain) as the targeted IP address. Example: the attacker is 1.2.3.4 and wishes to spoof 4.5.6.7.

Scenario #2: The attacker wants to spoof the IP address of someone on their own subnet (broadcast domain). Example: the attacker is 192.168.1.55 and wishes to spoof 192.168.1.58 (assuming a subnet mask of 255.255.255.0).


Scenario #1

The attacker can craft forged IP packets and set the source IP address to any value, because the source address is simply a field in the header that the sender fills in. One tool that can do this is hping2.

What can you do:

  • Send an initial TCP packet (e.g. a SYN) with any source IP address
  • Send a series of UDP packets with any source IP address
  • Send a series of unrelated TCP packets from the same or varying source IP addresses

What can't you do:

  • Receive any responses to your forged messages. The responses, if sent, go to the forged IP address.
  • Send a string of related TCP packets (e.g. carry out an actual TCP exchange). The server's SYN-ACK, which carries the sequence number you would need to continue, is sent to the forged address, so you cannot complete the handshake or guess the information needed to continue the connection. This is why an IP-based control in front of a UDP service is far weaker than the same control in front of a TCP service: a single forged UDP datagram is a complete request.
Scenario #2

The attacker can use a variety of techniques to forge or take over an IP address on the same subnet.

Attack Options:

  • Simplest: statically assign the target's IP address to your own interface.
  • Change your MAC address to the MAC address of the NIC that currently holds the target IP address and attempt to assume control of the IP.
  • Carry out a man-in-the-middle attack via ARP spoofing (see the tool Cain & Abel) and then gain control of the user's unencrypted traffic. You could likely modify or redirect traffic to accomplish your original spoofing goal.

What can you do:

  • Assume control of the IP address. Note: this means you can send and receive valid data using the targeted IP address as your own. It does not grant you access to existing sessions the user has with any websites (because you do not have the user's session cookies).

What can't you do:

  • Intercept encrypted (e.g. SSL/TLS) communication destined for the target IP address without alerting the targeted user in some way (e.g. a browser warning about the invalid certificate presented by the man in the middle).
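As an added example for Scenario #2 (not from the original post), the Python below builds the Ethernet/ARP reply an attacker on 192.168.1.55 would send to re-bind 192.168.1.58 to their own NIC, and runs it through a small watcher that flags the change in the IP-to-MAC table, which is the check a defender would want on such a subnet. The MAC addresses and the gateway are constructed for the example.

```python
"""Scenario #2 modelled in bytes: an ARP reply that binds the victim's IP to the
attacker's MAC, and a watcher that flags the resulting change in the
IP-to-MAC table (the same signal arpwatch keys on). Added example."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an IPv4-over-Ethernet ARP packet. ARP has no
    authentication: whoever speaks last for an IP owns it in every
    neighbour's cache, which is all ARP spoofing relies on."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, op
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """Learn IP->MAC bindings from ARP traffic and alert when a known IP is
    claimed by a different MAC. Catches both the static-IP takeover and the
    ARP-spoofing MitM, since both re-bind the IP to the attacker's NIC."""

    def __init__(self, static_bindings=None):
        self.table = dict(static_bindings or {})  # optional pinned bindings
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["sender_ip"] == "0.0.0.0":  # skip ARP probes
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:  # keep the first binding, report the newcomer
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None


# Constructed addresses for the demo (not real hosts).
VICTIM_IP, VICTIM_MAC = "192.168.1.58", "00:11:22:33:44:58"
ATTACKER_MAC = "00:11:22:33:44:55"            # the NIC of 192.168.1.55
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"


def run_demo():
    """Constructed traffic: legitimate replies, then the attacker's forged reply
    telling the gateway that 192.168.1.58 now lives at the attacker's MAC."""
    watch = ArpWatch()
    frames = [
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
        build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),   # repeat
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP), # spoof
    ]
    return [alert for alert in (watch.observe(f) for f in frames) if alert]


if __name__ == "__main__":
    for ip, old, new in run_demo():
        print(f"ALERT {ip} moved from {old} to {new}")
```

The watcher keeps the first binding it saw and alerts on any later change, which covers the first and third options in the list above. It does not catch the second option, cloning the victim's MAC address as well as the IP, because the IP-to-MAC binding then never changes; on a managed switch that case shows up instead as the same MAC address appearing on two ports.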
Hope this is helpful. This is by no means an exhaustive list of attack techniques, but it is something to consider if you are using IP-related controls within an application.


This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

7 comments:

Tom Usher said...

I never fail to learn from the posts on this site. I like it that I don't have to know all the jargon to follow along.

Sean Reynolds said...

Good information, we need to keep on top of this.

josie said...

Thanks, this is an eye opener. How to prevent this from happening?

Amgad said...

I don't know much about spoofing, but I read somewhere that it's harder to implement now with all the security in firewalls and OSes.

Rampage said...

Actually this is the first time I heard about spoofing... I think I'll read more about what exactly it is.

The Idioms said...

Love reading this post, keep it up.

Thanks from Freya
