IPFYI
📚 IP Address Basics 7 นาทีในการอ่าน

IP Spoofing: Risks and Prevention

Learn how attackers forge source IP addresses, the threats IP spoofing enables, and the defenses that protect against it.

What Is IP Spoofing?

IP spoofing is the practice of forging the source IP address in a packet header so that the packet appears to come from a different machine. Because the IP protocol does not inherently verify the source address, any device can craft packets with arbitrary source IPs.

Spoofing is trivial at the packet level. Tools like Scapy or hping3 can generate packets with any source address in seconds. The challenge for attackers is that they typically cannot receive responses (since replies go to the spoofed address), which limits spoofing to certain attack types.

Attacks Enabled by IP Spoofing

  • DDoS amplification -- The attacker sends requests to open services (DNS, NTP, memcached) with the victim's IP as the source. The services send large responses to the victim, overwhelming their bandwidth.
  • SYN flood -- The attacker sends TCP SYN packets with random spoofed source IPs. The target responds with SYN-ACK to non-existent hosts, filling its connection table.
  • Reflection attacks -- Similar to amplification but focused on reflecting traffic from many sources toward a single target.
  • Bypassing IP-based authentication -- Some legacy systems trust packets from specific IPs without further verification. Spoofing can bypass these controls.

Why IP Spoofing Is Still Possible

The IPv4 protocol was designed in an era of mutual trust among network operators. Source address verification was not built into the protocol. While standards like BCP38/RFC 2827 recommend that ISPs filter spoofed traffic, adoption remains incomplete.

Defenses Against IP Spoofing

Network-Level Defenses

  • Ingress filtering (BCP38) -- Routers drop outbound packets with source addresses that do not belong to the network. If every ISP implemented this, spoofing would be nearly impossible.
  • Reverse path filtering (uRPF) -- The router checks whether the source address of an incoming packet could be reached via the interface it arrived on.
# Enable strict reverse path filtering on Linux
sysctl -w net.ipv4.conf.all.rp_filter=1

Application-Level Defenses

  • SYN cookies -- Protect against SYN floods by encoding connection state in the SYN-ACK sequence number rather than allocating memory.
  • Rate limiting -- Limit the number of requests per source IP.
  • Encryption and authentication -- Protocols like TLS, SSH, and IPsec verify the identity of communicating parties, making spoofed packets useless even if they arrive.

Monitoring for Spoofing

Network administrators can detect spoofing attempts by:

  • Monitoring for traffic with source addresses outside expected ranges.
  • Watching for asymmetric traffic patterns (high outbound SYN-ACK with no matching SYN).
  • Using flow analysis tools like NetFlow or sFlow to identify anomalies.

ดูเพิ่มเติม

Anycast คำศัพท์ Broadcast คำศัพท์ CIDR คำศัพท์ DHCP คำศัพท์ Dynamic IP คำศัพท์ IPv4 คำศัพท์ IPv6 คำศัพท์ Loopback Address คำศัพท์ IPv4 vs IPv6 เปรียบเทียบ Public vs Private IP Addresses เปรียบเทียบ Static vs Dynamic IP Addresses เปรียบเทียบ NAT vs PAT เปรียบเทียบ