IP Spoofing is probably the ultimate trick or attack that an attacker can execute on the target system. Almost all wannabe computer experts dream of being able to spoof their IP Address and fool the target system into establishing illegitimate connections. If successfully executed, IP spoofing is definitely one of the smoothest and most classic attacks on the Internet. However, IP spoofing attacks are quite complex, and very few attackers have actually been able to spoof their identity successfully.
IP Spoofing is a process wherein an attacker fools or tricks the target system into believing that the data packets being sent actually originated on a system other than the real source system. In other words, IP spoofing is a technique that allows an attacker to change or disguise his real identity while communicating with the target system. In this technique, the data packets that the attacker sends to the target system will seem to originate at some other arbitrary system.
1. Attacker: 18.104.22.168 (REAL)
2. Victim: 22.214.171.124 (VICTIM)
3. Fake: 126.96.36.199 (FAKE)
Under ordinary circumstances, when REAL sends certain data packets to the VICTIM system, then the source address of these packets will clearly have REAL as the source address. However, in case of IP spoofing, REAL will send data packets to VICTIM in such a manner that the source address of these packets will be the FAKE system. In other words, IP spoofing is a process wherein REAL is able to send data to VICTIM so that it seems to have originated at FAKE. This process of fooling the remote system into believing that you are someone else is known as IP spoofing and is commonly exploited to carry out a variety of attacks.
A very good real life analogy to understand IP spoofing better is that of three people: A, B and C. Consider a scenario wherein A wants to fool C over the phone into believing that it is talking to B. In order to achieve this goal, A will telephone C and disguise his voice so that he sounds like B. If A can successfully disguise his true identity and pretend to be (or sound like) B, then a successful telephone spoofing is executed. In an IP spoofing attack, three computers are involved instead of three people. However, taking the analogy of the three people a bit further, it is quite clear that for the telephone spoofing to succeed, the following must be true:
The biggest challenge that an attacker faces while performing IP spoofing is the fact that the attack is a blind one. Since all data packets being sent to the target computer in an IP spoofing attack carry spoofed source addresses, the attacker never receives any update on the status of the attack. This is why an IP spoofing attack is also known as a blind attack: throughout the attack, the attacker does not know whether the attack is successful or not. If something goes wrong, on most occasions the attacker still remains oblivious to the problem. IP spoofing attacks are literally performed blindly, with the attacker taking the liberty of assuming that things went as planned.
This blind nature of the IP spoofing attack becomes evident in the very first step of the attack. Typically, the ATTACKER sends spoofed data packets to the VICTIM, making it believe that they were actually sent by FAKE. Assuming that these spoofed data packets are accepted, VICTIM will reply to FAKE and not to ATTACKER. Since all replies sent by VICTIM reach FAKE, ATTACKER does not get any feedback on the progress of the attack. Typically, according to the TCP/IP connection establishment rules, each time IP spoofing is executed, the following steps are followed:
of any IP Address, then typically the below three-way handshake would take place:
1. REAL sends a SYN packet to VICTIM.
2. VICTIM sends back a SYN/ACK packet to REAL.
3. REAL acknowledges this by sending back an ACK packet to VICTIM.
In this case, since REAL did not attempt to spoof its identity, it received a continuous update on the status of the connection. However, if REAL is an ATTACKER and wants to spoof his IP Address and make it appear to be FAKE, then the procedure is quite different. In such a case, the following steps are followed:
1. ATTACKER sends a SYN packet to VICTIM in such a manner that it seems to have originated at FAKE. In purely networking terms, in the first step, VICTIM receives a connection request (SYN packet) from FAKE.
2. Since VICTIM received the SYN packet from FAKE, in the second step it sends back a SYN/ACK packet to FAKE. This means that ATTACKER does not receive any reply or packets from VICTIM in this step. This step brings us to the blind part of IP spoofing, where ATTACKER can only wait for some time to pass. ATTACKER then assumes that in this time FAKE has received a SYN/ACK packet from VICTIM. There is no way for ATTACKER to find out whether VICTIM has actually sent a SYN/ACK packet to FAKE or not. This means that there is no way for the attacker to figure out whether the target computer has fallen for the IP spoofing attack or not.
3. After waiting for some time to pass, ATTACKER then sends a spoofed ACK packet to VICTIM to acknowledge that FAKE has indeed received the SYN/ACK packet. Again, this is a blind step that simply assumes that VICTIM has actually sent the SYN/ACK packet and that FAKE has indeed received it as well.
Unfortunately, the above procedure itself presents us with a unique problem. In the second step of IP spoofing, VICTIM sends a SYN/ACK packet to FAKE in response to the spoofed SYN packet sent by ATTACKER. This response sent by VICTIM to FAKE can lead to a few complications. Depending upon the state of FAKE, there can be two cases:
If FAKE is a real system on the Internet, then the SYN/ACK packet sent by VICTIM will actually arrive at FAKE. Since FAKE never actually requested a connection to be established, when FAKE receives this packet it will not know what to do with it. Since FAKE does not know what should be done with the packet, it will simply discard it and send back a NACK (Non Acknowledgement) packet to VICTIM. Typically, a NACK message is sent by a system to terminate a connection, resulting in no further communication between the two systems.
When VICTIM receives this NACK packet from FAKE, it will immediately terminate the spoofed connection request initiated by ATTACKER. As a result, the spoofed connection attempt between VICTIM and FAKE will be turned down and discarded. This means that if FAKE exists and does actually send a NACK packet to VICTIM, then REAL's attempt to perform IP spoofing will fail.
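The three spoofed steps above and the complication that follows can be walked through with a small model of the victim's handshake handling. This is an added example, not code from the original text: it models hosts REAL, VICTIM and FAKE with the page's example addresses, uses the text's term NACK for the refusal FAKE sends, and sends no real packets.

```python
from dataclasses import dataclass, field

# Labels and example addresses from the text (no real traffic is generated).
REAL, VICTIM, FAKE = "18.104.22.168", "22.214.171.124", "126.96.36.199"

@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN/ACK", "ACK" or "NACK" (the text's term for the refusal)

@dataclass
class Host:
    addr: str
    sent_syn: set = field(default_factory=set)    # peers this host itself asked to connect to
    half_open: set = field(default_factory=set)   # peers we answered with SYN/ACK, awaiting ACK
    established: set = field(default_factory=set)
    log: list = field(default_factory=list)       # every packet that reached this host

    def receive(self, pkt: Packet):
        """Apply the handshake rules described in the text; return the reply or None."""
        self.log.append(f"{pkt.flags} from {pkt.src}")
        if pkt.flags == "SYN":                          # step 1: remember, answer SYN/ACK
            self.half_open.add(pkt.src)
            return Packet(self.addr, pkt.src, "SYN/ACK")
        if pkt.flags == "SYN/ACK":                      # step 2
            if pkt.src in self.sent_syn:                # we asked for this: complete it
                self.sent_syn.discard(pkt.src)
                self.established.add(pkt.src)
                return Packet(self.addr, pkt.src, "ACK")
            return Packet(self.addr, pkt.src, "NACK")   # unsolicited: refuse it
        if pkt.flags == "ACK" and pkt.src in self.half_open:   # step 3: ACK we expected
            self.half_open.discard(pkt.src)
            self.established.add(pkt.src)
        elif pkt.flags == "NACK":                       # peer refused: tear down half-open
            self.half_open.discard(pkt.src)
        return None                                     # stray ACKs are silently ignored

def deliver(pkt: Packet, hosts: dict) -> None:
    """Route by destination address and keep delivering replies until a host stays silent."""
    while pkt is not None:
        pkt = hosts[pkt.dst].receive(pkt)

def legitimate_handshake() -> bool:
    real, victim = Host(REAL), Host(VICTIM)
    real.sent_syn.add(VICTIM)
    deliver(Packet(REAL, VICTIM, "SYN"), {REAL: real, VICTIM: victim})
    return VICTIM in real.established and REAL in victim.established

def blind_spoofed_handshake() -> tuple:
    """Return (VICTIM ended up connected to FAKE, number of packets the attacker ever saw)."""
    attacker, victim, fake = Host(REAL), Host(VICTIM), Host(FAKE)
    hosts = {REAL: attacker, VICTIM: victim, FAKE: fake}
    deliver(Packet(FAKE, VICTIM, "SYN"), hosts)   # step 1: source forged as FAKE; SYN/ACK goes to FAKE
    deliver(Packet(FAKE, VICTIM, "ACK"), hosts)   # step 3: blind ACK, sent without any feedback
    return FAKE in victim.established, len(attacker.log)
```

With a live FAKE, the SYN/ACK draws a NACK that clears VICTIM's half-open entry, so the blind ACK is dropped, and the attacker's log stays empty throughout, which is the blindness the text describes.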
The above problem can be compared to the analogy of a telephone conversation. If 'A' telephones 'C' and pretends to be 'B', then this spoof can be successful only if 'B' does not interrupt the spoofing process. This brings us to the first golden rule of IP spoofing: