IP Antispoofing — Types and Practical Application

From Antispoofing Wiki

IP antispoofing is a security measure that helps prevent impersonation attacks aimed at a user's IP address.

Definition & Problem Overview

IP spoofing is a type of cyberattack that disguises harmful or decoy websites as trusted platforms for fraudulent and harmful purposes. These purposes include phishing for private data, stealing digital or physical assets, and sabotaging online entities. IP antispoofing is a countermeasure against such activities and works by differentiating legitimate web resources from fake ones.

IP spoofing focuses on the data packets that are transmitted online. Each packet has a header — a segment defined by the Internet Protocol — which contains the address information that allows the data to reach its final destination. Perpetrators alter the packet header so that the network accepts it, which, among other things, grants the attackers access.



IP spoofing encompasses a large number of techniques, such as email spoofing and Distributed Denial-of-Service (DDoS) attacks. According to Securelist, DDoS attacks saw a colossal rise of 3,000% in 2022 alone.

IP spoofing attacks have severe consequences for both individuals and organizations. Certain attacks can paralyze large remotely controlled systems such as power grids, banking or healthcare servers, public surveillance, and satellite constellations, which in turn can affect millions of people.


Types of IP Spoofing

IP spoofing employs a number of methods, which range in difficulty, efficacy and nativity. (Nativity means that some techniques belong to specific platforms.) Some common types are listed here:

Email

Email spoofing is one of the most common forms of IP attack. The most employed tactic is masquerading as a trusted institution and tampering with the packet header. Statistics show that a cyberattack occurs every 39 seconds, with email spoofing constituting 91% of them. Spoofed email often contains content that prompts the target to take a certain action: clicking a link that leads to a malware-infected website, resetting a password, ‘confirming’ contact information, or providing personal identification data. Often, the target is asked to authorize a payment or to hand over credit card details.


URL

Another attack method is disguising a URL so that it looks like the web address of a trusted online platform. This tactic is also known as website spoofing or URL hijacking. It is typically orchestrated with typosquatting — a technique that involves replacing symbols in a web link to make it appear legitimate. Such a link often redirects to a simulated page of a seemingly bona fide organization like a bank or online store, to bait-and-switch web pages that withdraw money from a bank card under the pretext of a sale, to online surveys that collect private information, etc.


Botnet device masking

A botnet is a network of ‘zombie computers’ — often hijacked devices — in which a bot is assigned to every device. The botnet is controlled from a single place by a "bot-herder" via a Command-and-Control (C&C) server. This is necessary to keep the process synchronous.

Botnets serve to automate large-scale attacks: stealing valuable data, sabotaging servers, spreading malicious software, and even selling access to third-party criminals. In this scenario, IP spoofing helps the malicious actors stay undetected for as long as possible. By hiding under the guise of a legitimate IP address, they achieve a smokescreen effect.

Interestingly, every gadget with an internet connection can be used to build a botnet, including smartphones and Internet of Things devices.


DNS

This method targets the Domain Name System (DNS), which allows a website to be found when its name is looked up. By supplying forged address records, fraudsters redirect a targeted computer to an identical copy of a legitimate website.


Reflected DDoS

Distributed Denial of Service (DDoS) is a prominent attack type that employs a colossal volume of data packets and spoofed IPs to sabotage and crash websites and servers.

Reflected DDoS, or reflection amplification, is based on a similar principle but employs additional reply-amplifying techniques:

  • DNS amplification. It serves to multiply the traffic that reaches the servers of the attacked system. This is possible by querying unsecured DNS resolvers from the spoofed address.
  • ICMP Echo. It targets an intermediate broadcast network, eliciting a reply from every device connected to that network. (It is also known as a ‘Smurf attack’.)
  • NTP server amplification. In this attack, a "get monlist" request is transmitted to an unsecured NTP server, causing an amplification ratio of 1:200.

These techniques employ a spoofed IP address to fool the victim's system.

Man-in-the-middle

This tactic involves intercepting and altering packets that flow between two computers. Once this is done, the packets can be transmitted to gain access to communication accounts, which allows stealing data, hijacking accounts, and more.

Application layer attacks

In this case, criminals can intercept data with the help of the SYNchronize-ACKnowledge (SYN/ACK) packets used in the TCP protocol. This method exploits vulnerabilities of mobile or web applications. In combination with malware, they allow the perpetrators to receive the responses from the trusted server.

IP Antispoofing Methods

Detecting IP spoofs is a challenging task. This is because IP spoof attacks do not leave ‘visible’ traces of tampering, since they occur at the network layer. As a result, connection requests appear legitimate to the receiver.

At the same time, a number of security measures have been developed to resist IP spoofing attacks. Among the proposed methods are:

Common Techniques

Common methods refer to general advice regarding network security:

  • Monitoring. Networks should be closely monitored for any unusual activity.
  • Packet filtering. It allows spotting inconsistencies such as source IP addresses that do not match the expected origin.
  • Verification. Full verification is recommended for every individual computer.
  • Attack prevention. All IP addresses should be verified, and an attack blocker must be constantly enabled.
  • Firewall. At least some of the computers should be shielded by a firewall that filters traffic, detects and blocks spoofed IP addresses, and denies access to unauthorized users.

At the same time, more specific measures are also proposed.

Mutual Egress Filtering Method (MEF)

Mutual Egress Filtering (MEF) is an antispoofing technique applied to the border routers of autonomous systems with the help of Access Control Lists. Packets whose source address belongs to a spoofing attack and that are not part of the MEF-enhanced autonomous system are dropped. A strong advantage of MEF is that it does not require router upgrades. At the same time, the scheme needs to be adopted universally to become fully effective.
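As an added illustration of the packet-filtering advice above and of the ACL-based border filtering that MEF applies (example code written for this page, not taken from any of the cited papers): it parses a raw IPv4 header and makes a BCP38-style egress/ingress decision on the source address. The local and bogon prefix lists, the header builder and all addresses are constructed sample values.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def build_ipv4_header(src: str, dst: str, proto: int = 17) -> bytes:
    """Constructed sample input: a minimal IPv4 header (checksum left as zero)."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 60, 0x1234, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(pkt: bytes) -> dict:
    """Pull the fields a border filter cares about out of the raw header bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0xF) * 4, "len": total_len, "ttl": ttl, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}

# Constructed example: address space assigned to the network behind this border router.
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]
# Source ranges that can never legitimately arrive from the Internet side.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)

def filter_packet(pkt: bytes, direction: str) -> str:
    """Border ACL decision ('accept' or 'drop:<reason>') for 'egress' or 'ingress' traffic."""
    src = parse_ipv4_header(pkt)["src"]
    if direction == "egress":
        # Outbound packets must carry one of our own addresses; anything else is spoofed.
        if not in_any(src, LOCAL_PREFIXES):
            return "drop:egress-source-not-ours"
    elif direction == "ingress":
        # Inbound packets may not claim an internal source or an unroutable one.
        if in_any(src, LOCAL_PREFIXES):
            return "drop:ingress-source-claims-internal"
        if in_any(src, BOGON_PREFIXES):
            return "drop:ingress-bogon-source"
    else:
        raise ValueError("direction must be 'egress' or 'ingress'")
    return "accept"
```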


BGP Antispoofing Extension (BASE)

BGP Antispoofing Extension (BASE) builds on the idea of in-network filtering. It rests on three assumptions:

  • Per-AS key. An autonomous system (AS) has a secret key shared within it.
  • Ample marking space. An IP header should have enough space to store a marking value.
  • Router marking & filtering. BASE routers at the AS border mark outgoing packets and sieve out incoming packets that do not carry the correct marking.

If a BASE-protected target is attacked, the system will inspect the markings to check their validity and filter the incoming data flood.
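The marking-and-verification step just described, as an added example for this page (not code from the BASE paper): each AS derives a 16-bit marking from its secret key and the destination prefix, its border router stamps outgoing packets with it, and the target's border router recomputes the marking and drops anything unmarked or mismarked. The HMAC construction, the 16-bit field size, the prefix-to-AS table and the out-of-band key exchange are assumptions; keys and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

MARK_BITS = 16  # assumption: the marking must fit a 16-bit header field

def compute_marking(as_key: bytes, src_asn: int, dst_prefix: str) -> int:
    """Truncated HMAC over (source AS, destination prefix) under the source AS's key.
    HMAC-SHA256 is an assumed choice; the page only says packets carry a checkable marking."""
    net = ipaddress.ip_network(dst_prefix)
    msg = src_asn.to_bytes(4, "big") + net.network_address.packed + bytes([net.prefixlen])
    digest = hmac.new(as_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << MARK_BITS) - 1)

class BaseBorderRouter:
    """Simplified BASE border router: marks egress traffic, filters ingress by marking."""

    def __init__(self, asn: int, key: bytes, prefix_to_as: dict, peer_keys: dict):
        self.asn, self.key = asn, key
        # Which AS owns which prefix (constructed table; BGP would supply this in practice).
        self.prefix_to_as = {ipaddress.ip_network(p): a for p, a in prefix_to_as.items()}
        self.peer_keys = peer_keys  # {asn: key}; exchanged out of band (assumption)

    def origin_as(self, src_ip: str):
        addr = ipaddress.ip_address(src_ip)
        return next((a for net, a in self.prefix_to_as.items() if addr in net), None)

    def mark_egress(self, pkt: dict, dst_prefix: str) -> dict:
        """Stamp an outgoing packet with this AS's marking for the destination prefix."""
        marked = dict(pkt)
        marked["mark"] = compute_marking(self.key, self.asn, dst_prefix)
        return marked

    def filter_ingress(self, pkt: dict, my_prefix: str) -> str:
        """Accept only packets whose marking matches the AS that owns the source address."""
        # The origin AS is derived from the source address, never from what the sender claims.
        asn = self.origin_as(pkt["src"])
        if asn is None:
            return "drop:unknown-origin"
        key = self.peer_keys.get(asn)
        if key is None:
            return "drop:no-key-for-origin-as"
        if pkt.get("mark") != compute_marking(key, asn, my_prefix):
            # A spoofed source cannot be marked correctly without the origin AS's key.
            return "drop:bad-marking"
        return "accept"
```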

"Virtual Anti-Spoofing Edge" Filtering Mechanism (VASE)

VASE is a cost-efficient solution for detecting IP spoofing attacks. Its on-demand principle means that while in stand-by mode, or ‘peace time’, the system does not have to be 100% active, thus economizing resources. When an attack occurs, it uses sampling followed by filtering.

Inter-AS Antispoofing

The concept offers a Deployable Inter-AS Anti-spoofing method (DIA) that is simple and affordable to deploy. Additionally, it takes into consideration the complexities native to autonomous systems, such as multiple border routers. The system comprises a Central Controller (DCC), one or more Border Routers (DBR), and zero or more Legacy Border Routers (LBR). Besides, every DAS pair shares a secret key, providing end-to-end verification. The system also conducts packet snapping if abnormal activity exceeding the traffic threshold is detected. This triggers the DCC, which filters the malicious packets with the DBRs if an attack is confirmed.


References

  1. What is IP spoofing?
  2. Packet Header Definition
  3. DDoS attacks in Q1 2022
  4. IP Spoofing
  5. Phishing attacks
  6. How Many Cyber Attacks Happen Per Day in 2022?
  7. What is Typosquatting? – Definition and Explanation
  8. Website Spoofing
  9. What is a Botnet?
  10. Botnet functioning scheme
  11. DNS Spoofing
  12. Understanding Denial-of-Service Attacks
  13. SYN/ACK in the TCP Protocol
  14. Toward Incentivizing Anti-Spoofing Deployment
  15. An incrementally deployable anti-spoofing mechanism for software-defined networks
  16. VASE: Filtering IP spoofing traffic with agility
  17. A deployable approach for inter-AS anti-spoofing