In the world of network security, spoofing has nothing to do with comedy movies. Instead, it’s a common and dangerous form of hijacking used by cyber-criminals to gain control of target machines.
A basic IP spoofing definition is that it involves using IP address information to imitate an internet user. This information is contained in all of the packets of data users send across the web, and unless you use some form of encryption, it’s available for people to intercept and use.
With the protection of a stranger’s online identity, criminals can carry out their attacks safely insulated from the attention of law enforcement agencies.
Some experts liken IP address spoofing to the camouflage worn by soldiers during military operations. With the protection of a stranger’s online identity, criminals can carry out their attacks safely insulated from the attention of law enforcement agencies.
This practice can lead to serious security breaches and major losses for businesses and individuals alike, so everyone should know a little more about what is IP spoofing and how they can prevent it.
Looking at IP spoofing in more detail
Also known as IP address forgery or host file hijacking, IP address spoofing is nothing new. In fact, the earliest major spoofing attacks date back to the early 1990s. Almost as soon as the internet became publicly available, hackers were ready to pounce, launching notorious attacks like the “Christmas Day” attack by Kevin Mitnick against security specialist Tsutomu Shimomura.
Since then, the form of attacks has changed little. At its core, an IP spoofing attack still targets the Internet Protocol (IP) which authenticates connections between computers on the web. When IP is used in unencrypted form, the packets of data sent via the Transmission Control Protocol (TCP, a part of IP), can be manipulated and refashioned to suit the needs of attackers.
This gives attackers the opportunity to assume the identity of anyone sending data packets during their IP spoofing, meaning that computers at the other end of a transmission can’t tell who is an attacker and who is a genuine user. With this confusion, hackers can then implant worms or trojans fairly easily. If users can’t tell authentic emails from spoofs, they are much more likely to click on malicious links.
Moreover, IP spoofing has become a tool of choice during Denial of Service (DoS) attacks, where hackers take control of numerous addresses, making their activities much harder to trace. Without knowledge of who is attacking a target site, neutralizing DoS attacks is much, much harder.
How IP spoofing works
During an IP spoofing attack, hackers could modify a number of elements of IP packets: the packet header, the checksum and the order value. However, things aren’t as simple as just replacing genuine data with malicious data.
To perpetrate an IP spoofing attack, hackers need to understand the order in which data packets are delivered. To do so, they need the sequence and acknowledgment numbers found in the TCP packet header.
In some cases, these numbers can be “sniffed” via public wi-fi networks, providing the code to hijack a users computer (also known as session hijacking or non-blind spoofing). But in others, the process is more technical.
In these attacks (known as blind spoofing), hackers don’t know the sequence and acknowledgment numbers and may need to bombard target computers with packet requests. If it hasn’t been properly secured, the target machine may then reveal its method for sourcing sequence numbers. With this knowledge, the hackers can then modify data packets destined for the target and proceed with their spoofing operations.
How can you recognize IP spoofing?
Because of the potentially serious implications of IP address spoofing, it is essential for security conscious users and organizations to do whatever they can to detect spoofing. However, as with most cyber-attacks, this isn’t as simple as you might think.
The most common form of defense is to employ network monitoring tools.
These tools can track every device which attempts to connect with a specific network, and run network scans when single users attempt multiple access attempts – a common sign of IP spoofing.
This may be combined with IP filtering, with quarantine-like systems for suspicious traffic. And it is usually used with network configuration options which screen out packets coming from external sources, but which claim to originate from inside internal networks (another classic spoofing symptom).
Any network that wants to inoculate itself against spoofing should also use random sequence number generation as standard. This has generally been phased in across the web, but pockets of vulnerable servers may still exist, meaning that network audits need to take it into account.
Thirdly, users seeking to protect their systems against IP address spoofing should use protocols like IPSec to encrypt the data sent to and from their servers. These protocols largely negate the transparency of IP/TCP, making it far harder for spoofers to secure access.
These techniques are mainly appropriate for businesses and larger organizations which can source IT specialists with in-depth security knowledge. So how can ordinary users take action to head off an IP spoofing attack?
How to prevent IP spoofing and protect yourself online
Nobody wants to be used as a weapon in a DoS attack, and they almost certainly don’t want to receive malicious code in their personal emails. The consequences range from mild inconvenience to theft and financial disaster, so IP spoofing is definitely something individuals need to think about.
Unlike businesses, you probably won’t be able to install off the shelf network security systems or employ an IT team to filter IP packets. So what can you do? Well, there are quite a few courses of action available for individuals who want to protect against online spoofing attacks.
Choose your ISP wisely
ISPs occupy a critical role in online security systems. For a spoofing attack to work, hackers will have to operate via connections supplied by ISPs, who could theoretically use tools like response rate limiting or source address validation. Before you choose an ISP, ask them about their systems for preventing spoofing. If they don’t have a credible policy in place (and many don’t), look elsewhere.
Stay secure when using the web
When you are using email clients or visiting websites, you can avoid many of the biggest online risks by sticking to connections which use TLS (Transport Layer Security) or SSL (Secure Socket Layer). Websites with the “S” at the end of HTTP provide this kind of security, which encrypts data transmitted via their servers. Good email providers should also have this kind of encryption in place.
Avoid risks by sticking to connections which use TLS or SSL.
Install a spoofing detector
If you are really concerned about falling victim to IP spoofing, tools like XArp claim to be able to detect and neutralize spoofing attacks in real time. If you take this route, it’s definitely worth spending a little cash to download the premium version, as it comes with many more features than the free download.
Use a VPN
Another popular way to provide a decent level of anti-spoofing protection is to use a Virtual Private Network (VPN). These tools mask your IP address and encrypt the data that arrives and leaves your computer or mobile phone. This makes packet sniffing or sequence number analysis much, much harder.
With strong encryption in place, there is no real reason to worry about IP address spoofing meaning you can surf the web without too much stress. But be sure to source tools which are reliable and reputable.
With few exceptions, free tools will deliver stripped down services and may not be as secure as they claim to be. For instance, poor quality VPNs are prone to IP address leakage, putting IP packets at risk from spoofers.
Secure your systems against the next IP spoofing attack
Man-in-the-middle attacks, session hijacking, IP spoofing, IP address forgery, whatever you want to call it – when malicious actors gain access to the data you send and receive, bad things are likely to happen.
Take DoS attacks, for example. According to the online analytics consultancy Neustar, 84 percent of US companies experienced a denial of service attack in 2017 and the average cost of those attacks was $2.5 million. There are few statistics for the cost of session hijacks and malware attacks via spoofing, but the bill for American web users must run into the hundreds of millions every year.
All of this means that everyone needs a working understanding of what is IP spoofing, and everyone should act on that information. There are different solutions for businesses and home users, so take the right course of action and be ready for the next attack.
It’s sure to come sometime, and if you’re prepared, you’ll hardly notice a thing. But if you aren’t, the consequences can be very costly indeed.