Spoofing is the impersonation of a user, device or client on the Internet. It’s often used during a cyberattack to disguise the source of attack traffic.
The most common forms of spoofing are:
- DNS server spoofing – Modifies a DNS server in order to redirect a domain name to a different IP address. It’s typically used to spread viruses.
- ARP spoofing – Links a perpetrator’s MAC address to a legitimate IP address through spoofed ARP messages. It’s typically used in denial of service (DoS) and man-in-the-middle assaults.
- IP address spoofing – Disguises an attacker’s origin IP. It’s typically used in DoS assaults.
What is IP address spoofing
Computer networks communicate through the exchange of network data packets, each containing multiple headers used for routing and to ensure transmission continuity. One such header is the ‘Source IP Address’, which indicates the IP address of the packet’s sender.
IP address spoofing is the act of falsifying the content of the Source IP header, usually with randomized values, either to mask the sender’s identity or to launch a reflected DDoS attack, as described below. IP spoofing is a default feature in most DDoS malware kits and attack scripts, making it a part of most network layer distributed denial of service (DDoS) attacks.
IP Address spoofing in DDoS attacks
IP address spoofing is used for two reasons in DDoS attacks: to mask botnet device locations and to stage a reflected assault.
Masking botnet devices
A botnet is a cluster of malware-infected devices remotely controlled by perpetrators without the knowledge of their owners. They can be instructed to collectively access a given domain or server, providing perpetrators with the computing and networking resources to generate huge traffic floods. Such floods enable botnet operators (a.k.a. shepherds) to max out their target’s resource capacity, resulting in server downtime and network saturation.
Botnets typically consist of either random, geographically dispersed devices, or computers belonging to the same compromised network (e.g., a hacked hosting platform).
By using spoofed IP addresses to mask the true identities of their botnet devices, perpetrators aim to:
- Avoid discovery and implication by law enforcement and forensic cyber-investigators.
- Prevent targets from notifying device owners about an attack in which they are unwittingly participating.
- Bypass security scripts, devices and services that attempt to mitigate DDoS attacks through the blacklisting of attacking IP addresses.
A reflected DDoS attack uses IP spoofing to generate fake requests, ostensibly on behalf of a target, to elicit responses from under-protected intermediary servers. The perpetrator’s goal is to amplify their traffic output by triggering large responses from much smaller requests.
Common reflected DDoS attack methods include:
- DNS amplification – An ANY query originating from a target’s spoofed address is sent to numerous unsecured DNS resolvers. Each 60-byte request can prompt a 4,000-byte response, enabling attackers to magnify traffic output by as much as 1:70.
- Smurf attack – An ICMP Echo request is sent from a target’s spoofed address to an intermediate broadcast network, triggering replies from every device on that network. The degree of amplification is based on the number of devices to which the request is broadcast. For example, a network with 50 connected hosts results in a 1:50 amplification.
- NTP amplification – A ‘get monlist’ request, containing a target’s spoofed IP address, is sent to an unsecured NTP server. As in DNS amplification, a small request triggers a much larger response, allowing a maximum amplification ratio of 1:200.
IP address spoofing in application layer attacks
For application layer connections to be established, the host and visitor are required to engage in a process of mutual verification, known as a TCP three-way handshake.
The process consists of the following exchange of synchronization (SYN) and acknowledgement (ACK) packets:
- Visitor sends a SYN packet to a host.
- Host replies with a SYN-ACK.
- Visitor acknowledges receipt of the SYN-ACK by replying with an ACK packet.
Source IP spoofing makes the third step of this process impossible, as it prohibits the visitor from ever receiving the SYN-ACK reply, which is sent to the spoofed IP address.
Since all application layer attacks rely on TCP connections and the closure of the 3-way handshake loop, only network layer DDoS attacks can use spoofed addresses.
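The following is an added illustration, not code from the original article: a toy Python model of the three-way handshake above, using constructed documentation-range addresses. It shows why a spoofed Source IP breaks step three: the host answers the address it saw in the SYN, so the SYN-ACK lands at the decoy and the real sender never gets to send its ACK.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"

@dataclass
class Host:
    ip: str
    inbox: list = field(default_factory=list)
    established: bool = False

class Network:
    """Toy network: delivers each packet to the host that owns its destination IP."""
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}
    def send(self, pkt):
        if pkt.dst in self.hosts:
            self.hosts[pkt.dst].inbox.append(pkt)

def handshake(net, visitor, host, claimed_src):
    """Run the exchange. claimed_src is the Source IP the visitor writes into its
    packets: equal to visitor.ip for an honest client, different when spoofed.
    Returns True only if the host sees a completed handshake."""
    net.send(Packet(claimed_src, host.ip, "SYN"))          # step 1: SYN
    syn = host.inbox.pop()
    net.send(Packet(host.ip, syn.src, "SYN-ACK"))          # step 2: SYN-ACK to the claimed source
    if not any(p.flags == "SYN-ACK" for p in visitor.inbox):
        return False                                       # step 3 impossible: SYN-ACK went elsewhere
    net.send(Packet(claimed_src, host.ip, "ACK"))          # step 3: ACK
    ack = host.inbox.pop()
    host.established = ack.flags == "ACK" and ack.src == syn.src
    return host.established

def run_handshake(spoofed):
    """Build fresh hosts (constructed RFC 5737 addresses) and attempt one handshake.
    Returns (handshake completed?, number of packets that reached the decoy)."""
    visitor = Host("198.51.100.7")
    server = Host("203.0.113.10")
    decoy = Host("192.0.2.55")   # the address written into a spoofed Source IP header
    net = Network([visitor, server, decoy])
    claimed = decoy.ip if spoofed else visitor.ip
    return handshake(net, visitor, server, claimed), len(decoy.inbox)
```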
IP address spoofing in security research
In security research, IP data derived from network layer assaults is often used to identify the country of origin of attacker resources. IP address spoofing, however, makes this data unreliable, as both the IP address and geolocation of malicious traffic is masked.
When reading reports relying solely on network IP data, it’s necessary to be aware of these limitations. For example, a report by a mitigation provider that doesn’t protect against application layer attacks can’t be relied on to provide accurate locations of botnet devices.
As a result, any substantial research into botnet countries of origin can only be based on application layer attack data.
Anti-spoofing in DDoS protection
As mentioned, IP address spoofing is commonly used to bypass basic security measures that rely on IP blacklisting – the blocking of addresses known to have been previously involved in an attack.
To overcome this, modern mitigation solutions rely on deep packet inspection (DPI), which uses granular analysis of all packet headers rather than just the source IP address. With DPI, mitigation solutions are able to cross-examine the content of different packet headers to uncover other metrics that identify and filter out malicious traffic.
For example, a mitigation service can employ DPI to observe a DDoS traffic stream and identify an influx of packets with suspiciously identical TTL and Total Length headers that don’t match a normal pattern. By tracking such small abnormalities, the service can create a granular profile of an attacking packet and use it to weed out malicious traffic without impacting regular visitor flow.
The downside of DPI is that the process is very resource intensive. When performed at scale, such as during a DDoS attack, DPI is likely to cause performance degradation, sometimes even making the protected network almost completely unresponsive.
To overcome this, Imperva scrubbing is performed by purpose-built mitigation hardware (codename Behemoth) that runs DPI against ~100 million packets per second.
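As an added example (not the article’s or Imperva’s own code), a minimal Python version of the profiling step just described: count (TTL, Total Length) combinations over a constructed sample of packet headers, flag the combination that dominates the stream across many distinct source addresses, and drop only packets matching that signature.

```python
from collections import Counter

# Constructed sample: (source IP, TTL, IPv4 Total Length). Legitimate traffic varies
# naturally; the flood arrives with identical TTL and Total Length from many spoofed sources.
SAMPLE_PACKETS = [
    ("203.0.113.7", 57, 1500), ("198.51.100.4", 118, 60),
    ("192.0.2.9", 49, 576), ("203.0.113.12", 60, 1500),
] + [(f"192.0.2.{i}", 64, 1000) for i in range(40, 60)]

def build_profile(packets, share_threshold=0.5, min_sources=10):
    """Return the (TTL, Total Length) pair that dominates the stream, or None.
    A single busy client also produces identical headers, so the signature must
    additionally be spread over at least min_sources distinct source addresses."""
    if not packets:
        return None
    counts = Counter((ttl, length) for _, ttl, length in packets)
    (signature, n), = counts.most_common(1)
    sources = {src for src, ttl, length in packets if (ttl, length) == signature}
    if n / len(packets) < share_threshold or len(sources) < min_sources:
        return None
    return signature

def filter_packets(packets, signature):
    """Drop packets whose headers match the attack signature; keep everything else."""
    if signature is None:
        return list(packets)
    return [p for p in packets if (p[1], p[2]) != signature]
```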
A cluster of Behemoth scrubbers mitigates a 470 Gbps DDoS attack—one of the largest on record.
Built from the ground up, every Behemoth scrubber provides granular visibility of all incoming data, thus ensuring that attack traffic never enters your network. Meanwhile, your valid visitor traffic flows through unimpeded.