How easy is it really to do IP spoofing?

  • I read a lot about IP spoofing but I am not sure how easy it is really to do. Let's say I am in Spain, can I somehow connect to a server in the US with an IP address that is allocated to Mexico? Won't the routers simply refuse to forward my traffic? I know you won't get any response as it would be routed to Mexico but I am confused how you can contact the US server at all with the wrong IP.

    @Xander I don't think my question is answered in the linked question.

There's a discussion on Stackoverflow that could be interesting for you, maybe you could take a look here

    @Caffeine looks interesting, thank you. Most of the replies I see talk about the problem of getting bidirectional traffic. But I don't see how you can even get unidirectional traffic working (to do a DOS attack for example).

  • Actually, you can't. Whenever you need IP traffic to be bidirectional, IP spoofing is no use. The contacted server would not reply to you but to someone else, the address you spoofed.

    IP spoofing is then normally "useful" only to disrupt communications - you send harmful packets, and you don't want them being traceable to yourself.

    In specific situations you can use a double spoofing to gather a measure of bidirectionality. For example let us suppose that we know of a system somewhere that has poor sequence generators - whenever you send a packet to it, it will reply with a packet containing a monotonically incrementing number. If nobody was connecting to the system except you, you would expect getting 1, 2, 3, 4... .

    Now let us further suppose that you're interested in whether another system is replying to specific packets (e.g. you're running a port scan), and you wish to receive some information but don't want the target system to have your real address. You can send to that system a spoofed packet pretending to be from the poorly-sequencing machine.

    Now there are three possibilities: the target system does not reply, it replies, or it actively counterattacks and (e.g.) scans the pretended source to determine the why's and wherefore's of that first packet.

What you do is, you scan - without spoofing - the poorly-sequencing machine (PSM). If nobody except you has connected to it, which means that the target machine hasn't replied to the PSM, you'll get 1-2-3-4-5. If it replied once, you will get 1-3-5-7 (the packets 2, 4 and 6 having been sent by the PSM to the TM in response to the TM-PSM replies to the spoofed packets from you to the TM). If the TM made more connections, you'll get something like 2-11-17-31 or such.

    The PSM knows your real address, of course, but the TM does not. This way you can spoof a connection and still gather some information. If the PSM's security level is low enough, this, combined with the fact that your "scan" of the PSM is harmless, is (hopefully) enough to prevent consequences to you.

    Another possibility is to spoof a nearby machine. For example you are in network, have IP, and you have promiscuous access to some other machine address space, say You just have to "convince" the router serving both you and the .168 machine that you are indeed the .168 machine, and take the latter offline or disrupt its communications (or wait until it is offline for reasons of its own, e.g. a colleague logging off for lunch). Then the replies to the spoofed .168 packets will sort of whizz by past you, but as long as you can sniff them while they pass, and the real .168 isn't able to send a "That wasn't me!" reply, from the outside the communication will appear to be valid and point back to the .168 machine.

    This is sort of like pretending to be your front door neighbour, while that apartment is really untenanted. You order something through mail, the packet gets delivered to the other's front door, you tell the deliveryman "Oh yes, mr. Smith will come back in half an hour, I'll just sign for him" and get the package.

    Thank you but even when you don't need the traffic to be bidirectional I don't get it. Won't the routers in Spain simply reject traffic that appears to be coming from a Mexican IP address?

    I notice the linked question says " many routers are configured to drop traffic with an obviously wrong source IP." So does IP spoofing rely on incorrectly configured routers?

    Yes, but many routers actually do *not* perform so-called "egress filtering". More modern hardware probably will, since memory, computing power and update bandwidth is cheaper now than back in the times, but large parts of the Internet still run on "vintage", more than "ill-configured", hardware. IP spoofers are a minority, and checking *all* the traffic to cope with it is often not cost effective enough for many ISPs and carriers.

  • Say I want to write a letter to a friend in China. On the back of the envelope, I write my home address, which is in Australia. If I post the letter while on vacation in Egypt, would you expect the postal service to throw my letter in the bin, because the return address may be spoofed?

    Let's say I am in Spain, can I somehow connect to a server in the US with an IP address that is allocated to Mexico? Won't the routers simply refuse to forward my traffic?

    No, they won't. As far as the router is concerned, this is just another legitimate package destined for the US. Traffic is routed across the internet in a fairly simple way. No party controls the entire route or would even have to be aware of one. Routers do little more than fancy signposts. "North America? Not here. Turn left and ask again at the next intersection."

    On closer inspection, a router in Spain might find it suspicious that it received data from Mexico to the US, but it would be a waste of resources to investigate. Every router simply keeps pointing in the general direction of the destination. Eventually, the packet should arrive. Unless of course, the router is configured in the way you seem to expect; it rejects the packet altogether. That's certainly possible, but not very useful to anyone. The router might as well do its job and be done with it.

The vacationing analogy is flawed. While *most* routers have no practical way to check, routers that only serve known networks **do**. For example my ISP will assign 192.168.x.y to its customers: it will expect no packets arriving from the downlink except those originating from its customers with those addresses.
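The difference between a transit router that "just keeps pointing" and an access router that knows its customer prefixes is the reverse-path check (BCP 38 ingress filtering, strict vs. loose uRPF). The model below is an added example, not code from any answer above; the `Router` class, the interface names and the routing tables are constructed, and the prefixes are RFC 5737 documentation ranges standing in for the Mexican, Spanish and US allocations in the question.

```python
"""Model of source-address (reverse-path) filtering on two kinds of router."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    # interface name -> prefixes reachable through that interface (constructed routing table)
    routes: dict
    # interfaces with a strict reverse-path check (customer-facing ports)
    strict_ifaces: set = field(default_factory=set)

    def _ifaces_reaching(self, addr):
        """Interfaces through which the router would route *back* to addr."""
        return {ifc for ifc, prefixes in self.routes.items()
                if any(addr in p for p in prefixes)}

    def accept(self, in_iface, src):
        """Return 'forward' or a string starting with 'drop:' explaining the rejection."""
        src = ipaddress.ip_address(src)
        via = self._ifaces_reaching(src)
        if not via:
            # loose uRPF: the source is not routable at all ("obviously wrong" source)
            return "drop: source not routable (loose uRPF)"
        if in_iface in self.strict_ifaces and in_iface not in via:
            # strict uRPF: the source exists, but not behind the interface it arrived on
            return "drop: source not behind ingress interface (strict uRPF)"
        return "forward"


def net(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed documentation prefixes (RFC 5737), not real allocations.
MEXICO = "203.0.113.0/24"
SPAIN_CUSTOMER = "198.51.100.0/24"
US = "192.0.2.0/24"

# Transit router in Spain: every address is routable somewhere, no strict ports,
# so a "Mexican" source arriving from the Spanish side is simply forwarded.
CORE = Router(routes={"to-americas": net(MEXICO, US), "to-spain": net(SPAIN_CUSTOMER)})

# ISP access router: the customer port is strict, so only customer addresses may enter it.
EDGE = Router(routes={"uplink": net("0.0.0.0/0"), "customer": net(SPAIN_CUSTOMER)},
              strict_ifaces={"customer"})

if __name__ == "__main__":
    for router, ifc in ((CORE, "to-spain"), (EDGE, "customer")):
        for src in ("198.51.100.9", "203.0.113.7", "10.0.0.1"):
            print(f"{ifc:>10} src={src:<14} -> {router.accept(ifc, src)}")
```

The same spoofed packet is forwarded by `CORE` (as the answer describes) and dropped by `EDGE`, which is exactly the "routers that only serve known networks" case from the comment.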

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM