The guest post on IP Spoofing was widely read and generated a lot of interest. One may suspect that many visitors came away thinking that IP spoofing is an easy way to cause a bit of commotion and try their hand at hacking.
The reality of the internet is quite different. First of all, IP spoofing has been around for decades and has been behind quite a few nasty attacks on high-profile targets.
Most serious ISPs do not want to be associated with IP spoofing attacks, and are implementing measures to contain spoofed traffic originating from their own networks.
The containment measures are implemented on their firewalls and routers (this is the ingress filtering recommended in BCP 38 / RFC 2827). The basic logic of this protection is as follows:
- A firewall is aware of the networks to which it connects, so it can control source addresses. For example, a demo firewall has five interfaces:
- A connecting to network 10.1.1.x
- B connecting to network 10.2.1.x
- C connecting to network 10.3.1.x
- D connecting to network 10.4.1.x
- 'outside' connecting to the rest of the world/internet
It is expected that any traffic arriving on interface A will have a source address in 10.1.1.x. If it does not, it is most probably an IP spoofing attempt and the packet is dropped. The only interface that cannot apply this logic is the 'outside' interface, since it connects the firewall to the rest of the internet. The outside interface can apply a different protection, against 'loop' IP spoofing attacks: a packet arriving on 'outside' must not carry a source address belonging to a network that sits behind any of the 'inside' interfaces, because such a packet could never legitimately come from the internet.
- Routers need a more complex mechanism, since a router can receive traffic from many networks on any of its interfaces. They use uRPF (unicast Reverse Path Forwarding), which checks the packet's source address against the routing table. In loose mode the router only requires that some route back to the source address exists, which catches unroutable (bogon) sources but not a host spoofing another customer's address. In strict mode the route back to the source must point out of the same interface the packet arrived on, which is what actually stops spoofing between networks; it is only usable where routing is symmetric.
- University networks - apart from the large universities with dedicated IT staff, the network admins of most universities are computer science teaching assistants, who do not make much of an effort to control traffic on the network as long as the university's servers and staff systems are protected. Universities are quite often Autonomous Systems with their own upstream connections, so a spoofed packet leaving an unfiltered university network goes straight onto the Internet backbone with nobody in between to drop it.
- Smaller company networks - these are usually maintained by a 'one man band' sysadmin who has too much on his or her plate to think about spoofing protection. The silver lining is that such a company is just a small customer of an ISP, which is well placed to drop traffic from the company's link that does not carry one of the company's assigned source addresses.
- ISPs in developing countries - much like small company networks, run by staff who are undertrained, understaffed and overworked. The bad news is that these ISPs are also Autonomous Systems, so spoofed traffic originating there will most probably get out.
Please note that this article is not an invitation to start wreaking havoc on these networks. On the contrary, it should serve as a reminder to their netadmins to implement the available, quite simple protection measures.
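The two checks described above, the interface-bound source check on the demo firewall (including the 'loop' check on the 'outside' interface) and uRPF on a router in both strict and loose mode, modelled in Python as an added example. This is not code from the original post; the firewall layout is the five-interface demo from the text, while the router's routing table (customer prefixes on eth1/eth2, a default route towards the upstream on eth0) and all packets are constructed here to show which spoofed packets each mode catches.

```python
"""Model of anti-spoofing ingress checks: firewall interface binding and uRPF."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Demo firewall from the text: inside interfaces are bound to one network each;
# 'outside' has no bound network, so it only gets the 'loop' check.
FIREWALL_INTERFACES: Dict[str, Optional[ipaddress.IPv4Network]] = {
    "A": ipaddress.ip_network("10.1.1.0/24"),
    "B": ipaddress.ip_network("10.2.1.0/24"),
    "C": ipaddress.ip_network("10.3.1.0/24"),
    "D": ipaddress.ip_network("10.4.1.0/24"),
    "outside": None,
}


def firewall_verdict(iface: str, src: str) -> str:
    """Return 'ACCEPT' or 'DROP' for a packet with source src arriving on iface."""
    if iface not in FIREWALL_INTERFACES:
        raise ValueError(f"unknown interface {iface!r}")
    addr = ipaddress.ip_address(src)
    bound = FIREWALL_INTERFACES[iface]
    if bound is not None:
        # Inside interface: the source must belong to the directly attached network.
        return "ACCEPT" if addr in bound else "DROP"
    # Outside interface: 'loop' check. A source that belongs to any inside network
    # cannot legitimately arrive from the internet.
    for net in FIREWALL_INTERFACES.values():
        if net is not None and addr in net:
            return "DROP"
    return "ACCEPT"


# Constructed router table for the uRPF part: (prefix, egress interface).
ROUTING_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),      # customer 1
    (ipaddress.ip_network("198.51.100.0/24"), "eth2"),   # customer 2
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),         # default, upstream
]


def lookup_route(addr: ipaddress.IPv4Address, allow_default: bool = False) -> Optional[str]:
    """Longest-prefix match. Returns the egress interface, or None if unroutable.
    Real routers ignore the default route for uRPF unless explicitly told otherwise,
    because a default route would make every source 'routable'."""
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, out_iface in ROUTING_TABLE:
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, out_iface)
    return best[1] if best else None


def urpf_verdict(iface: str, src: str, mode: str = "strict", allow_default: bool = False) -> str:
    """uRPF check on a packet with source src arriving on iface.
    strict: the route back to src must leave through iface.
    loose:  any (non-default) route back to src is enough."""
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    reverse_iface = lookup_route(ipaddress.ip_address(src), allow_default)
    if reverse_iface is None:
        return "DROP"  # no route back at all: bogon or unallocated source
    if mode == "loose":
        return "ACCEPT"
    return "ACCEPT" if reverse_iface == iface else "DROP"


def audit(packets: List[Tuple[str, str]], mode: str) -> List[Tuple[str, str, str]]:
    """Run uRPF over (iface, src) pairs and return (iface, src, verdict) triples."""
    return [(iface, src, urpf_verdict(iface, src, mode)) for iface, src in packets]


if __name__ == "__main__":
    # Constructed packets: a legitimate customer, customer 1 spoofing customer 2,
    # and customer 1 sending from unallocated RFC 1918 space.
    sample = [("eth1", "192.0.2.10"), ("eth1", "198.51.100.7"), ("eth1", "10.5.5.5")]
    for mode in ("strict", "loose"):
        print(mode, audit(sample, mode))
    print("firewall A / 10.2.1.25:", firewall_verdict("A", "10.2.1.25"))
    print("firewall outside / 10.3.1.4:", firewall_verdict("outside", "10.3.1.4"))
```

Run it and compare the two uRPF rows: strict mode drops the packet from eth1 claiming to be customer 2, loose mode accepts it and only drops the source that has no route at all. On a Linux router the same choice is the `net.ipv4.conf.<iface>.rp_filter` sysctl (1 = strict, 2 = loose).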
Talkback and comments are most welcome