Burger menu
-


IP Antispoofing — Types and Practical Application

IP anti-spoofing is a security approach, which prevents online scam based on the IP address tampering: URL hijacking, man-in-the-middle, etc.

Definition & Problem Overview

IP spoofing is a type of cyberattack, which disguises harmful or decoy websites as trusted platforms for fraudulent and harmful purposes. These purposes include phishing private data, stealing digital or physical assets, and sabotaging online entities. IP antispoofing is a countermeasure against such activities and works by differentiating legitimate and fake web resources.

IP spoofing focuses on the data packets that are transmitted online. Each packet has a header — a segment of the Internet Protocol — which contains address information, allowing the data to reach its final destination. Perpetrators alter the packet header to make the network accept it, which grants access to the attackers, among all else.

IP spoofing of a victim's server using a Bot computer
IP spoofing scheme

This threat encompasses numerous techniques like email spoofing and Distributed Denial-of-Service attacks (DDoS) etc. According to Securelist, DDoS saw a colossal rise by 3,000% in 2022 alone.

IP spoofing attacks have severe consequences to both individuals and organizations. Certain attacks can cause the paralysis of large remotely controlled systems like power grids, banking or healthcare servers, public surveillance, satellite constellations, which can in-turn affect millions of people.

IP spoofing changes the source IP address in packet headers
IPv4 Network packet headers

Types of IP Spoofing

IP spoofing employs a number of methods, which range in difficulty, efficacy and nativity. (Nativity implies that some techniques belong to specific platforms). Some common types of spoofing attacks are listed here:

Email

Email spoofing is one of the most common form of IP attack. Masquerading as trusted institutions and tampering with their packet header is the most employed tactic. Statistics show that a cyberattack occurs every 39 seconds, with email spoofing constituting 91% of them. Email spoofing often contains content that prompts a target to execute a certain action: clicking on a link that leads to a malware-infected website, resetting a password, ‘confirming’ contact information or providing personal identification data. Often, a target is asked to authorize a payment or produce credit card details.

Email spoofing attempt disguised as a "password reset" letter
Email spoofing attempt disguised as a "password reset" letter

URL

Another attack method is disguising a URL link to make it look like a web address of a trusted online platform. This tactic is also known as website spoofing or URL hijacking. It is typically orchestrated with typosquatting — a technique that involves replacing symbols in a weblink to make it appear legitimate. Such a web link often redirects to the simulated page of a seemingly bona fide organization like a bank, online store, bait-and-switch webpages that withdraw money from a bank card under the pretext of a sale, online surveys to collect private information, etc.

Typosquatting example

Botnet device masking

A botnet is a network of ‘zombie computers’ — often hijacked — in which a bot is assigned to every device. The botnet is controlled from a single place by a "bot-herder" via a Command-&-Control server (C&C). This is necessary to make the process synchronous.

Botnets serve to automate large-scale attacks for stealing valuable data, sabotaging servers, spreading malicious software and even selling access to third-party criminals. In this scenario, IP spoofing helps the malicious actors to stay undetected for as long as possible. By hiding under the guise of a legitimate IP address, they can achieve a smokescreen effect.

Interestingly, every gadget with an internet connection can be used for creating a botnet. This includes smartphones and smart appliances with the latter requiring anti-spoofing for IoT.

Botnet functioning scheme
Botnet functioning scheme

DNS

This method targets the Domain Name System (DNS), which allows a website to be found during a search query. With the use of wrong identical numbers fraudsters redirect a targeted computer to an identical copy of a legitimate website.

Victims are directed to fake websites through fake DNS entries
DNS spoofing schematic

Reflected DDoS

Distributed Denial of Service is an eminent attack type, which employs a colossal volume of data packets and spoofed IPs to sabotage and crash websites and servers.

Reflected DDoS or reflection amplification is based on a similar principle, but employs some additional reply-amplifying techniques:

  • DNS amplification. It serves to increase the traffic output coming from the servers of the attacked system. This is possible by targeting unsecured DNS resolvers from the spoofed address.
  • ICMP Echo. It targets the intermediate broadcast network, eliciting a reply from every device connected to the said network. (It is also known as ‘Smurf attack’.)
  • NTP server amplification. In this attack, a "get monlist" request is transmitted to an unsecure NTP server, causing an amplification ratio of 1:200.

These techniques employ a spoofed IP address to fool the victim's system.

Man-in-the-middle

This tactic includes intercepting and altering packets that flow between two computers. Once it is done, the packets can be transmitted to gain access to communication accounts which allows stealing data, hijacking accounts, and more.

Application layer attacks

In this case, criminals can intercept data with the help of SYNchronize-ACKnowledge packet (SYN/ACK) used in TCP protocol. This method exploits vulnerabilities of mobile or web applications. In combination with malware, they allow the perpetrators to receive the responses from the trusted server.

IP Antispoofing Methods

IP spoofing detection is a challenging and difficult task. This is because IP spoof attacks do not leave ‘visible’ traits of tampering, since they occur at the network layers. As a result, connection requests appear legitimate to the receiver.

At the same time, a number of security measures have been developed to resist IP spoof attacks. Among the proposed methods are:

Common Techniques

Common methods refer to general advice regarding the network security:

  • Monitoring. Networks should be closely monitored for any unusual activity.
  • Packet filtering. It allows spotting inconsistencies like source IP addresses that do not match.
  • Verification. Full-bodied verification is recommended for every individual computer.
  • Attack prevention. All IP addresses should be verified, while an attack blocker must be constantly enabled.
  • Firewall. At least some of the computers should be shielded by the firewall that filters traffic, detects and blocks spoof IP addresses, while also denying access to unauthorized users.

At the same time, more specific measures are also proposed.

Mutual Egress Filtering Method (MEF)

Mutual Egress Filtering Method (MEF) is an antispoofing technique applied to border routers of autonomous systems with the help of Access Control Lists. If an IP contains packets that belong to a spoofing attack and are not a part of the MEF-enhanced autonomous system, these packets will be dropped. A strong advantage of MEF is that it does not require router upgrades. At the same time, the system needs to be accepted universally to become fully efficient.

Mutual Egress Filtering Method for IP antispoofing
Overview of the MEF system

BGP Antispoofing Extension (BASE)

BGP Antispoofing Extension (BASE) is based on the idea of in-network filtering. It is based on three assumptions:

  • Per-AS key. An autonomous system (AS) has a secret key shared within it.
  • Ample marking space. An IP header should have enough space for storing a marking value.
  • Router marking & filtering. BASE routers at the AS border mark the outgoing and sieve the incoming packets that do not have the correct marking.

If a BASE-protected target is attacked, the system will elicit the markings to check their validity and filter the incoming data flood.

"Virtual Anti-Spoofing Edge" Filtering Mechanism (VASE)

VASE is a cost-efficient solution for detecting IP spoofing attacks. Its on-demand principle implies that while in the stand-by mode or ‘peace time’, the system does not have to be 100% active, thus economizing resources. When the attack occurs, it will use sampling followed by filtering.

Inter-AS Antispoofing

The concept offers a Deployable Inter-AS Anti-spoofing method (DIA) that is simple, and affordable to deploy. Additionally, it takes into consideration the complexities native to autonomous systems: multiple border routers, etc. The system comprises a Central Controller (DCC), one/more Border Routers (DBR), zero/more Legacy Border Routers (LBR). Besides, every DAS pair shares a secret key, providing end-to-end verification. The system will also conduct packet snapping if abnormal activities are detected, exceeding the traffic threshold. This will trigger DCC, which will filter the malicious packets with DBRs if an attack is confirmed.

Deployable Inter-AS Anti-spoofing method
DIA overview

FAQ

IP anti-spoofing definition

IP spoofing is a cyberattack type aimed at masquerading malicious websites as legitimate.

IP anti-spoofing is a protective measure, which prevents IP spoofing attacks. These attacks camouflage potentially dangerous websites as benign. It is executed for malicious purposes: phishing sensitive data, stealing money, digital or physical belongings, or disrupting online operations (server crashing).

IP spoofing implies creation of a fake IP address, which includes alteration of the data packet headers, which contain the address information in a respective segment of the Internet Protocol. Distributed Denial-of-Service attacks or DDoS is a prominent example of such a practice. Antispoofing can prevent them with packet filtering and other measures.

What are the main IP anti-spoofing methods?

IP anti-spoofing proposes some methods on IP attack prevention.

In liveness taxonomy, the following IP spoofing detection and prevention techniques are utilized:

  • Mutual Egress Filtering Method (MEF). It is applied to border routers of autonomous systems and exploits Access Control Lists. Packets that aren’t a part of a MEF-shielded system are rejected.
  • BGP Antispoofing Extension (BASE). It operates using three assumptions: Per-AS key, Ample marking space and Router marking & filtering. Simply put, it checks the marking validity of the incoming data.
  • Virtual Anti-Spoofing Edge Filtering Mechanism (VASE). It employs sampling and filtering, while working in the stand-by mode.

See the Antispoofing Wiki to see more protection techniques.

How to counteract IP spoofing attacks?

There are some effective approaches to prevent IP spoofing.

A few common techniques are proposed to swat potential IP spoofing. They include:

  • Monitoring. All networks should be supervised on the subject of any abnormal activities.
  • Inconsistency detection. Packets should be filtered, so any inconsistencies like non-matching IP addresses can be located and timely reported.
  • Verification. Every computer within the network should be verified. Every IP address must undergo verification as well.
  • Attack blocking. An attack blocker should remain active at all times.
  • Firewall. It allows filtrating unauthorized users, suspicious traffic and IPs.

See the Antispoofing Wiki to see more preventive techniques.

What is the general IP spoofing scheme?

IP spoofing has a simple, yet quite disruptive track algorithm.

In essence, the main goal of an IP spoofing attack is to make a decoy website look authentic and unsuspicious. A typical modus operandi that culprits employ is masquerading it as a trustworthy web resource and modifying its packet headers or camouflaging a URL link, so a target would be redirected to a harmful website without realizing it.

Other ways to execute an IP spoofing attack include interception of packet headers flowing between devices and their tampering, overloading websites and servers with an immense volume of data packets to cause a crashing, etc. IP anti-spoofing relies on differentiation of fake and genuine websites.

What are the main types of IP spoofing attacks?

There are several types of IP attacks employed by bad actors.

The following IP attack types are highlighted:

  • Email spoofing. Fraudsters stylize an email as a message coming from a legit institution and tamper its packet header, while prompting to execute some action: clicking on a link, etc.
  • URL spoofing. A harmful URL is disguised as a trusted web address.
  • Botnet masking. A bot herder assigns a bot to a group of devices to launch an attack.
  • DNS spoofing. A user is redirected to a harmful website with the help of wrong identical numbers.
  • Application layer attack. A (SYN/ACK) packet is used to intercept data.

See the Antispoofing Wiki to see more malicious techniques.

References

  1. What is IP spoofing?
  2. Packet Header Definition
  3. DDoS attacks in Q1 2022
  4. IP Spoofing
  5. Phishing attacks
  6. How Many Cyber Attacks Happen Per Day in 2022?
  7. What is Typosquatting? – Definition and Explanation
  8. Website Spoofing
  9. What is a Botnet?
  10. Botnet functioning scheme
  11. DNS Spoofing
  12. SYN/ACK in the TCP Protocol
  13. Toward Incentivizing Anti-Spoofing Deployment
  14. An incrementally deployable anti-spoofing mechanism for software-defined networks
  15. VASE: Filtering IP spoofing traffic with agility
  16. A deployable approach for inter-AS anti-spoofing
Avatar Antispoofing

1 Followers

Editors at Antispoofing Wiki thoroughly review all featured materials before publishing to ensure accuracy and relevance.

Contents

Hide