IP address spoofing (IP spoofing) is a type of cyberattack where an attacker sends IP packets with a modified source IP address. This technique is used in man-in-the-middle attacks (MITM attacks) and DoS attacks (denial-of-service attacks).
Note: IP spoofing is a network security problem, not a web application security issue, but it can have a major impact on the security of web servers and web applications.
You might think that IP spoofing is easy to do since any device can declare its own IP. However, if the attacker simply declares the same IP as the victim, they will cause a network conflict with unpredictable results. The original device may disconnect, the connection may be unsuccessful, or both devices may connect and then disconnect. In all these cases, the attack will be unsuccessful, and the victim may notice the failed attempt.
To ensure they have the upper hand, attackers can use two techniques, both based on manipulating TCP sequence numbers. Before looking at these types of spoofing, we need a side note to explain how TCP sequence numbers work.
Most computer network connections are established using TCP/IP (Transmission Control Protocol/Internet Protocol). When two devices on the network connect using TCP/IP, they first need to establish a TCP connection. The connection process is called a three-way handshake.
The three-way handshake is very simple: device A sends a SYN packet to device B, device B replies with a SYN-ACK packet, and device A confirms with an ACK packet, after which both sides can send data.
The SYN and SYN-ACK packets each declare a random starting sequence number (a different one for each direction), which the recipient needs in order to recognize further packets. The sequence numbers allow devices to determine the order of subsequent data packets and to notice missing ones. For example, if device A declared the starting sequence number to be 74656, the next packet from device A to device B must have sequence number 74657, and later sequence numbers advance by the number of payload bytes already sent, so anyone who knows the current number can compute the next one.
Non-blind IP spoofing works when the attacker is on the same subnet as the victim and can directly see the sequence numbers of other connections, for example, between the victim and their internet gateway router. The attacker first sniffs such a connection (listens in on traffic) using typical network monitoring software. By looking at the sniffed TCP packet headers, the attacker can learn the sequence numbers, predict the next one, and send a spoofed packet pretending to be the original sender. If that packet reaches the destination before the legitimate response, the attacker will intercept the connection.
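The same sequence-number bookkeeping that lets an attacker predict the next packet is what a stateful firewall or IDS uses to decide whether a segment belongs to a tracked connection. The following added example (not code from the article) tracks the expected sequence number per direction over a constructed segment trace and labels segments that do not fit, including the case described above where a spoofed segment with the right number arrives before the legitimate one and the two then conflict. The addresses, sequence numbers and payloads are constructed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    flags: str  # any combination of "S", "A", "F"
    payload: bytes = b""

class TcpStreamTracker:
    """Stateful-firewall-style tracker of the next expected sequence number per direction."""
    def __init__(self):
        self.expected = {}  # (src, dst) -> next seq expected from src
        self.seen = {}      # (src, dst, seq) -> payload first seen at that seq
    def check(self, seg):
        key = (seg.src, seg.dst)
        if "S" in seg.flags:
            # A SYN consumes one sequence number: the next byte is ISN + 1
            self.expected[key] = (seg.seq + 1) % 2 ** 32
            return "ok"
        exp = self.expected.get(key)
        if exp is None:
            return "no-handshake"
        if seg.seq == exp:
            self.seen[(seg.src, seg.dst, seg.seq)] = seg.payload
            # Sequence numbers count payload bytes plus one for a FIN; a pure ACK does not advance them
            self.expected[key] = (exp + len(seg.payload) + ("F" in seg.flags)) % 2 ** 32
            return "ok"
        prior = self.seen.get((seg.src, seg.dst, seg.seq))
        if prior is None:
            return "out-of-sequence"
        # Same sequence number twice: a genuine retransmission repeats the bytes, different bytes mean two senders raced
        return "retransmission" if prior == seg.payload else "inconsistent-retransmission"

def analyze(segments):
    tracker = TcpStreamTracker()
    return [tracker.check(s) for s in segments]

# Constructed sample: the last three segments all claim the client's address, but one came from a spoofing host
C, S = "10.0.0.5", "10.0.0.1"
SAMPLE = [
    Segment(C, S, 74656, "S"),                          # starting sequence number from the text
    Segment(S, C, 200000, "SA"),
    Segment(C, S, 74657, "A"),
    Segment(C, S, 74657, "A", b"GET / HTTP/1.1\r\n"),  # 16 bytes: next expected is 74673
    Segment(C, S, 74700, "A", b"wrong guess"),          # wrongly guessed sequence number
    Segment(C, S, 74673, "A", b"spoofed bytes"),        # right guess, arrives first
    Segment(C, S, 74673, "A", b"Host: example\r\n"),    # legitimate segment, now conflicts
]
```

The verdict list for SAMPLE shows that the wrongly guessed segment is rejected outright, while the correctly guessed one is only exposed when the legitimate bytes arrive at the same sequence number.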
Note that TCP sequence number prediction may be extended beyond the local subnet by using IP source routing. Every TCP packet is allowed to declare an IP route in the IP header. This tells the destination device what specific route it should use to send the response. The attacker may declare a strict route to skip gateway routers and receive responses from the victim via other machines, potentially allowing them to see the original sequence numbers. However, not all network devices are configured to follow such routing information, which limits the usefulness of this attack.
Blind IP spoofing is much harder to perform but is not restricted to the same subnet, so it may also be attempted from outside the local network. However, it only works against older operating systems.
In the past, the TCP/IP protocol suites of operating systems used predictable algorithms to generate starting TCP sequence numbers. Sometimes, they were incremented by a specific value for every new connection, and in other cases by a specific value per unit of time elapsed.
To learn how the initial sequence numbers are formed, the attacker sends a number of SYN requests to the victim and looks at the starting TCP sequence numbers received from the legitimate source. If they see a predictable pattern in how these are chosen based on the order of responses and time of response, they may attempt to guess the starting sequence number for other connections, too.
This trick no longer works with modern operating systems (all modern Unix/Linux/Windows/Mac and mobile devices as well) because modern TCP/IP software uses random number generators to generate starting sequence numbers. That’s why IP spoofing from outside the subnet is now very difficult and can only rely on IP source routing, as described earlier.
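The pattern analysis described above can be turned around and used as an audit of your own hosts: connect repeatedly, record each starting sequence number with a timestamp, and check whether they follow one of the legacy patterns. The following added example (not code from the article) classifies constructed (seconds, ISN) samples as a constant per-connection step, a per-second clock, a small-jitter generator, or random-looking; the 2% rate tolerance and the 2^24 spread floor are assumed thresholds, not values from any standard.

```python
import statistics

MOD = 2 ** 32

def isn_deltas(samples):
    """Differences between successive ISNs, reduced modulo 2^32 to handle wrap-around."""
    return [(b - a) % MOD for (_, a), (_, b) in zip(samples, samples[1:])]

def classify_isn(samples, rate_tolerance=0.02, random_floor=2 ** 24):
    """samples: list of (seconds, isn) observed from repeated connections to one host.
    Returns (label, detail) describing how that host appears to choose its ISNs."""
    if len(samples) < 4:
        raise ValueError("need at least four samples to judge a pattern")
    deltas = isn_deltas(samples)
    # Legacy style 1: a fixed step for every new connection
    if len(set(deltas)) == 1:
        return "constant-increment", {"step": deltas[0]}
    # Legacy style 2: a fixed step per unit of elapsed time
    rates = []
    for (t0, _), (t1, _), d in zip(samples, samples[1:], deltas):
        if t1 <= t0:
            raise ValueError("timestamps must increase")
        rates.append(d / (t1 - t0))
    mean_rate = statistics.fmean(rates)
    if mean_rate > 0 and max(abs(r - mean_rate) for r in rates) <= rate_tolerance * mean_rate:
        return "time-based", {"per_second": round(mean_rate)}
    # Otherwise judge by how widely the deltas are spread over the 32-bit space
    spread = statistics.pstdev(deltas)
    label = "random-looking" if spread >= random_floor else "small-variation"
    return label, {"spread": round(spread)}

# Constructed samples (seconds, isn): two legacy generators, a jittery one,
# and one that picks starting numbers the way modern stacks do
LEGACY_STEP = [(0.0, 100000), (0.5, 164000), (1.0, 228000), (1.5, 292000)]
LEGACY_CLOCK = [(0.0, 1000), (0.4, 101000), (1.0, 251000), (1.3, 326000)]
JITTERY = [(0.0, 1000), (0.2, 65100), (0.9, 128900), (1.0, 193000)]
MODERN = [(0.0, 0x1A2B3C4D), (0.5, 0x9F8E7D6C), (1.0, 0x0456ABCD),
          (1.5, 0xC0FFEE00), (2.0, 0x31415926), (2.5, 0x7FFFFFFF)]

def audit_all():
    """Label every constructed sample set; a real audit would feed captured ISNs instead."""
    sets = [("step", LEGACY_STEP), ("clock", LEGACY_CLOCK), ("jitter", JITTERY), ("modern", MODERN)]
    return {name: classify_isn(s)[0] for name, s in sets}
```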
Let’s assume that Nancy is a black-hat hacker with access to your private network (for example, when you’re using a wi-fi hotspot) who attempts IP spoofing with a sequence number attack in order to change the routing and become a man-in-the-middle between you and the internet gateway router:
Note that the spoofed IP addresses work only as long as the connection is established. Every time a new TCP/IP connection is made, the attacker must use the same technique to take over the source IP address once again.
IP spoofing attacks are not caused by any misconfigurations or vulnerabilities. The vulnerability is the TCP/IP protocol itself, which was designed in the early days of networking, before cybersecurity became a major consideration. Since we can’t change the TCP/IP protocol itself, we can only take measures to safeguard our networks and machines as much as possible.
While there is no way to prevent IP spoofing on your local network, you can still block spoofing attempts coming from outside that network:
Note that safeguarding your local network from external attempts at IP address spoofing won’t prevent other types of attacks such as ARP spoofing, DNS spoofing, or (as mentioned above) local IP address spoofing. Therefore, use the following general principles not to prevent such attacks but to prevent them from having negative consequences:
While most IP spoofing attempts are initiated by cybercriminals, there are potential legitimate uses for spoofing, for example, testing network configurations and system functionality.
In an IP spoofing attack, a malicious hacker sends IP packets with a modified source IP address to pretend to be another machine. This technique is used in man-in-the-middle attacks.
IP spoofing is not considered very dangerous on its own because it is extremely difficult for the attacker to predict the correct sequence numbers needed for a successful attack. To be useful in a man-in-the-middle attack on web assets, IP spoofing also needs to be combined with other techniques, such as SSL stripping or SSL hijacking.
IP spoofing cannot be prevented in local networks, so it is most likely to succeed if the victim uses public WiFi hotspots. You should always be vigilant when using public networks and use VPN connections whenever possible to avoid most man-in-the-middle attack techniques.