IP Spoofing
 
An IP spoofing attack involves an
external or internal hacker who pretends to be using a trusted computer by using
the address of that computer. The hacker uses either an IP address within the
range of trusted internal addresses for the network or an authorized external
address that's both trusted and allowed access to specified network resources. IP
spoofing is often used as part of other attacks, such as any variation of
DoS attack, to hide the hacker's identity.
IP spoofing is often limited to the introduction of malicious data
or commands into an existing data stream in a peer-to-peer network session.
Spoofing a source address might enable data to be sent through a router
interface with filtering based on the source address.
The threat of IP spoofing can be reduced, but not eliminated,
through the following measures:
- RFC 2827 filtering: Basically, RFC 2827 filtering means dropping packets
that arrive at a network segment from outside with source addresses that
should already be on that segment. If the entire 195.17.1.0 network is
attached to a router interface, then no legitimate packets with source
addresses in that network should be coming in through the router. This should
be applied to edge routers for sure, but it can also be used on internal
routers to prevent spoofing within the network. Similarly, limiting any
outbound packets leaving the network to ones that have source addresses
assigned to that network can prevent a network's hosts from spoofing other
networks. Such spoofed outbound traffic could be the result of an attacker on
the inside or a DoS bot on a local host participating in an attack on an
outside host. If the company can get its ISP to perform RFC 2827 filtering on
packets coming into the network, it would preserve the bandwidth of the link
and kill some hack attempts.
Note: Spoofing could be virtually eliminated if all ISPs filtered
client traffic to allow only source addresses assigned to that client. If
hackers can't spoof their source address, going undetected becomes
harder.
- RFC 1918 filtering: RFC 1918 filtering means filtering out RFC-defined
"private" addresses from entering or exiting the network segment. Because they
have no business on the Internet, they shouldn't be there. If private addresses
are used in the network, RFC 2827 filtering will include them.
- Non-IP address authentication: IP spoofing
is worthwhile when devices use IP address-based authentication. If you use
additional authentication methods, IP spoofing attacks lose much of their value.
Cryptographic authentication is the strongest form of
additional authentication, but if this isn't possible, use strong, two-factor
authentication, such as OTP.
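
The two filtering measures above can be expressed as one decision function for an edge router's outside interface. This is an added example, not code from the original article; it assumes the 195.17.1.0 network is a publicly addressed /24, and the function name and sample packets are constructed for illustration.

```python
import ipaddress

# Assumption: the page's 195.17.1.0 network is a /24 and is publicly addressed.
INTERNAL = ipaddress.ip_network("195.17.1.0/24")
# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def filter_packet(src, direction, internal=INTERNAL):
    """Decide what an edge router does with a packet on its outside interface.

    direction is "in" (arriving from the Internet) or "out" (leaving the site).
    Returns (action, reason).
    """
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:
        return ("deny", "malformed source address")
    private = any(addr in net for net in RFC1918)
    if direction == "in":
        if addr in internal:
            return ("deny", "RFC 2827: internal source arriving from outside")
        if private:
            return ("deny", "RFC 1918: private source arriving from outside")
        return ("permit", "source is neither internal nor private")
    if direction == "out":
        if addr in internal:
            return ("permit", "source is assigned to this network")
        if private:
            return ("deny", "RFC 1918: private source leaving the network")
        return ("deny", "RFC 2827: source not assigned to this network")
    raise ValueError("direction must be 'in' or 'out'")

# Constructed sample packets: (source address, direction).
SAMPLES = [
    ("195.17.1.25", "in"),    # claims to be an inside host, arrives from outside
    ("10.4.4.4", "in"),       # private source from the Internet
    ("198.51.100.7", "in"),   # ordinary external source
    ("195.17.1.25", "out"),   # legitimate inside host
    ("198.51.100.7", "out"),  # inside host spoofing an outside address
    ("192.168.0.9", "out"),   # private address leaking out
]

if __name__ == "__main__":
    for src, direction in SAMPLES:
        action, reason = filter_packet(src, direction)
        print(f"{direction:>3} {src:<15} {action:<6} {reason}")
```

An inbound packet whose spoofed source is some other external address still passes, which is why the filtering reduces the threat without eliminating it.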