IP SPOOFING

1
Preface---------------------------------------------------------------------------------------3

Acknowledgement-------------------------------------------------------------------------4

Introduction---------------------------------------------------------------------------------5

What is IP Spoofing-----------------------------------------------------------------------6

How IP Spoofing Works------------------------------------------------------------------6

Why IP Spoofing is Used-----------------------------------------------------------------6

Brief History of IP Spoofing-------------------------------------------------------------7

Why IP Spoofing is Easy-----------------------------------------------------------------8

Applications of IP spoofing---------------------------------------------------------------9

Spoofing Attacks-------------------------------------------------------------------------10

ADVANTAGES--------------------------------------------------------------------------12

DISADVANTAGES---------------------------------------------------------------------13

Future Scope------------------------------------------------------------------------------14

CONCLUSION---------------------------------------------------------------------------14

Reference----------------------------------------------------------------------------------15

2
Preface

I have made this report file on the topic “IP spoofing”. I have tried my best to elucidate all
the relevant detail to the topic to be included in the report. While in the beginning I have
tried to give a general view about this topic.

My efforts and wholehearted co-corporation of each and everyone has ended on a

successful note. I express my sincere gratitude to Mrs ARATHY BHASKARAN who
assisting me throughout the prepration of this topic. I thank him for providing me the
reinforcement, confidence and most importantly the track for the topic whenever I needed
it.

3
Acknowledgement
I would like to thank respected Mrs NIMISHA V MOHAN (HOD) and Mrs ARATHY
BHASKARAN for giving me such a wonderful opportunity to expand my knowledge for
my own branch and giving me guidelines to present a seminar report. It helped me a lot to
realize of what we study for.

Secondly, I would like to thank my parents who patiently helped me as i went through my
work and helped to modify and eliminate some of the irrelevant or un-necessary stuffs.

Thirdly, I would like to thank my friends who helped me to make my work more organized
and well-stacked till the end.

Last but clearly not the least, I would thank The Almighty for giving me strength to complete
my report on time.

4
INTRODUCTION
Criminals have long employed the tactic of masking their true identity, from disguises to
aliases to caller-id blocking.

It should come as no surprise then, that criminals who conduct their nefarious activities on
networks and computers should employ such techniques. IP spoofing is one of the most
common forms of on-line camouflage.

In IP spoofing, an attacker gains unauthorized access to computer or a network by making it

appear that a malicious message has come from a trusted machine by “spoofing” the IP
address of that machine.

Spoofing is a type of cyber-attack in which the attacker uses a device or network to trick
other computer networks into believing they are a legitimate entity to take over the devices
themselves as zombies for malicious use, gain access to sensitive data, or launch Denial-of-
Service (DoS) attacks. IP spoofing is the most common type of spoofing.

Sometimes called Internet Protocol (IP) spoofing or IP address spoofing, IP spoofing refers to
impersonating another computer system by creating IP packets with false source IP
addresses. IP spoofing detection can often be difficult. This is because IP spoofing allows
cybercriminals to engage in malicious activity such as infecting a device with malware,
stealing data, or crashing a server, without detection.

Attackers often engage in IP spoofing to target devices with man-in-the-middle attacks and
distributed denial of service (DDoS) attacks, as well as their surrounding infrastructures. The
goal of DoS attacks and IP spoofing attacks is to flood a target with traffic and overwhelm it,
while preventing mitigation efforts by hiding the identity of the attack source.

5
Brief History of IP Spoofing

The concept of IP spoofing was initially discussed in academic circles in the 1980's.
In the April 1989 article entitled: “Security Problems in the TCP/Protocol Suite”, author S. M
Bellovin of AT & T Bell labs was among the first to identify IP spoofing as a real risk to
computer networks.

Bellovin describes how Robert Morris, creator of the now infamous Internet Worm, figured
out how TCP created sequence numbers and forged a TCP packet sequence. This TCP packet
included the destination address of his “victim” and using an IP spoofing attack Morris was
able to obtain root access to his targeted system without a User ID or password.

Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's
machine, employed the IP spoofing and TCP sequence prediction techniques. While the
popularity of such cracks has decreased due to the demise of the services they exploited,
spoofing can still be used and needs to be addressed by all security administrators.

A common misconception is that "IP spoofing" can be used to hide your IP address while
surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true.
Forging the source IP address causes the responses to be misdirected, meaning you cannot
create a normal network connection. However, IP spoofing is an integral part of many
network attacks that do not need to see responses (blind spoofing).

6
What is IP Spoofing

What is IP spoofing and how can it be prevented? When users transmit data over the internet,
it is first broken into multiple units called packets. The packets travel independently and at
the end, the receiving system reassembles them. Packets contain IP headers with routing
information including the source IP address and the destination IP address. The packet is
similar to a package in transit with its return address represented by the source IP address.

In IP address spoofing, a hacker modifies the source address in the packet header with basic
IP spoofing tools so the receiving system thinks the packet is from a trusted source, such as a
device on a legitimate enterprise network, and accepts it. There is no trace of tampering,
because IP spoofing works at the network level.

To engage in IP spoofing, hackers need only a trusted IP address and the ability to intercept
packets and replace authentic IP headers with fraudulent versions. Traditional “castle and
moat” network defense structures are highly vulnerable to IP spoofing and other attacks that
prey on trusted relationships.

Although identity theft and online fraud or cybercriminals attacking corporate servers and
websites are the most common examples of IP spoofing, it also has legitimate applications.
For example, before websites live, organizations may use IP spoofing tests to ensure the site
can handle volume without being overwhelmed. This kind of IP spoofing is not illegal.

An IP (Internet Protocol) address is the address that reveals the identity of your Internet
service provider and your personal Internet connection. The address can be viewed during
Internet browsing and in all of your correspondences that you send.

IP spoofing hides your IP address by creating IP packets that contain bogus IP addresses in
an effort to impersonate other connections and hide your identity when you send
information. IP spoofing is a common method that is used by spammers and scammers to
mislead others on the origin of the information they send.

7
Types of IP Spoofing
Among the most common IP spoofing techniques are:

Distributed Denial of Service (DDoS) attacks

In a DDoS attack, hackers overwhelm computer servers with packets of data using spoofed IP
addresses. This enables them to hide their identity while slowing down or crashing a network
or site with massive amounts of traffic.

Masking botnet devices

A botnet is a network of devices controlled by a hacker from a single location using IP

spoofing software. Cybercriminals obtain access to computers by IP spoofing and masking
botnets. Each bot in the network has a spoofed IP address, so IP spoofing allows the attacker
to mask the botnet without being traced, maximizing their rewards by prolonging the duration
of an attack.

Man-in-the-middle attacks

A ‘man-in-the-middle’ attack is another malicious IP spoofing technique. This method

interrupts two devices as they communicate, alters the packets, and transmits them without
either sender or receiver knowing. By spoofing an IP address and accessing personal
accounts, attackers can direct users to fake websites, steal information, and more, making
man-in-the-middle attacks highly lucrative.

MAC spoofing vs IP spoofing

MAC spoofing attacks take place when malicious clients use MAC addresses that do not
belong to them to generate traffic. The goal is the ability to gain access or get past access
control based on MAC information.

IP spoofing attacks are similar to MAC spoofing attacks, but the client uses an IP address.
The goal is to harm both the initial target and innocent bystanders by prompting the initial
target destination IP address to reply to as many source IP addresses as it can—replies the
attacker never sees, since the source IP addresses are spoofed.

8
IP spoofing vs VPN

A VPN is itself a kind of IP spoofing service. It encrypts the user’s internet connection to
protect the sensitive data being sent and received. So although the traditional use case for the
VPN we think of here is to protect users from those who want to spy on our IP addresses—
for any reason—they can also be used to spoof location.

What is AWS IP spoofing protection?

Amazon EC2 instances are protected by host-based, AWS-controlled firewall infrastructure

that will not allow them to send spoofed network traffic with a source MAC or IP address
other than its own.

9
How IP Spoofing Works

Let’s start with some background: Data transmitted over the internet is first broken into
multiple packets, and those packets are sent independently and reassembled at the end. Each
packet has an IP (Internet Protocol) header that contains information about the packet,
including the source IP address and the destination IP address.

In IP spoofing, a hacker uses tools to modify the source address in the packet header to make
the receiving computer system think the packet is from a trusted source, such as another
computer on a legitimate network, and accept it. This occurs at the network level, so there are
no external signs of tampering.

In systems that rely on trust relationships among networked computers, IP spoofing can be
used to bypass IP address authentication. A concept sometimes referred to as the ‘castle and
moat’ defense, which is where those outside the network are considered threats, and those
inside the ‘castle’ are trusted. Once a hacker breaches the network and makes it inside, it's
easy to explore the system. Because of this vulnerability, using simple authentication as a
defense strategy is increasingly being replaced by more robust security approaches, such as
those with multi-step authentication.

10
While cybercriminals often use IP spoofing to carry out online fraud and identity theft or shut
down corporate websites and servers, there can also sometimes be legitimate uses. For
example, organizations may use IP spoofing when testing websites before putting them live.
This would involve creating thousands of virtual users to test the website to see if the site can
handle a large volume of logins without being overwhelmed. IP spoofing is not illegal when
used in this way.

The Internet Protocol or IP is used for sending and receiving data over the Internet and
computers that are connected to a network. Each packet of information that is sent is
identified by the IP address which reveals the source of the information.

When IP spoofing is used the information that is revealed on the source of the data is not the
real source of the information. Instead the source contains a bogus IP address that makes the
information packet look like it was sent by the person with that IP address. If you try to
respond to the information, it will be sent to a bogus IP address unless the hacker decides to
redirect the information to a real IP address.

11
How to Detect Spoofing Attacks

The best way to prevent a spoofing attack, on the user education side of things, is to keep
a lookout for signs that you are being spoofed. For example, a phishing attack that uses
email spoofing may feature unusual grammar, poor spelling, or awkward language. The
message contained may be urgent in nature, designed to provoke panic and telling you to
take immediate action.

You may also notice, upon further inspection, that the sender’s email address is off by
one letter or that the URL featured within the message has a slightly different spelling
than it should. A best-in-class incident detection and response solution can protect your
organization even further by proactively notifying you in the event that anomalous user
activity is detected.

If you suspect that you have received a spoofed message, whether it has arrived via
email, text, or another channel, do not click on any of the links or attachments in the
message. To verify that the message is accurate, reach out to the sender using contact
information that you have found on your own. Do not use any phone numbers or other
addresses that may appear in the message, as they may simply connect you to the
attacker. Likewise, if the message is asking you to log into an account, don’t click on the
link provided but instead open up a separate tab or window in your browser and log in as
you normally would.

How to Prevent Spoofing Attacks

IP spoofing attacks are difficult to spot, designed to conceal the identity of attackers. Server-
side teams have the task of doing what they can to prevent IP spoofing. IP spoofing
protection for IT specialists includes:

Monitoring. Monitor networks for unusual activity.

Packet filtering. Detect inconsistencies with packet filtering—for example, outgoing packets
with source IP addresses that don’t match the network.
Verification. Deploy robust verification methods, including on the network.
Authentication. Authenticate all IP addresses with a network attack blocker.

12
Firewalls and IP spoofing. Placing some or all computing resources behind an IP spoofing
firewall.

IP spoofing protection for end users is more hit and miss, because technically speaking, end-
users can’t prevent IP spoofing. However, end users can minimize risk by engaging in best
practices for cyber hygiene that ensure optimal online security:

 Use strong authentication and verification methods for all remote access. Do not
authenticate users or devices based solely on IP address.
 Ensure secure system passwords and change default usernames and passwords to
strong versions that contain at least 12 characters and a mix of numbers, upper- and
lower-case letters, and symbols.
 Be cautious on public Wi-Fi networks and avoid sharing sensitive information or
conducting banking, shopping, or other financial transactions over unsecured public
Wi-Fi. Use a VPN to stay safer if you do need to use public hotspots.
 Use antivirus software and other security software that monitors suspicious network
activity.
 Use encryption protocols to protect all traffic to and from the server.
 Visit HTTPS sites that encrypt data with an up-to-date SSL certificate, so users are
less vulnerable to attacks. Sites with URLs that start HTTP instead of HTTPS are not
secure; look for the padlock icon in the URL address bar.
 Update and patch network software.
 Watch for phishing attempts and use comprehensive antivirus protection to guard
against viruses, hackers, malware, and other online threats. It’s also essential to keep
your software up-to-date to ensure it has the latest security features.
 Performing ongoing network monitoring.

13
What is Source IP spoofing
IP address spoofing, or IP spoofing, is the forging of a source IP address field in IP packets
with the purpose of concealing the identity of the sender or impersonating another computing
system.

Fundamentally, source IP spoofing is possible because Internet global routing is based on the
destination IP address. Or, more precisely, an Internet router with a default configuration (i.e.
no special policy applied, like reverse path filtering) forwards packets from one interface to
another looking up only the destination IP address.

An application with sufficient privileges can modify the source IP address field of an IP
packet to any syntactically correct value, and in most cases the packet will be sent through
the network interface and in many cases will reach the destination.

Of course, an incorrect source IP address may hinder normal operation of communications:

responses from the destination application or intermediary nodes (e.g. ICMP responses) will
not reach the sender. But attacks mounted using the spoofing technique do not rely on
properly set up communication flows. On the contrary, they abuse this feature, directing
traffic flow of responses to the target identified by the forged source IP address.

How IP Spoofing Happens

To better understand IP spoofing, let’s give you some context on how the internet sends and
uses data.

Every computer uses an IP address, and any data you send is broken into many chunks
(“packets”). Each packet travels on an individual basis. Then once they reach the end of the
chain, they’re reassembled and presented as a whole. Moreover, every packet also has its
identifiable information (a “header”) that will include the IP address from both the source and
the destination.

14
In theory, this is supposed to ensure that data arrives at a destination free from tampering.
However, this isn’t always the case.

IP spoofing uses the source IP header and changes some of the details to make it appear as
though it’s genuine. As such, this can breach even the most stringent and secure of networks.
The result is that web engineers often try to find new ways to protect information traveling
across the web.

For example, IPv6 is a newer protocol that builds encryption and authentication. For end-
users, secure shell (SSH) and secure socket layers (SSL) help mitigate attacks, but we’ll
discuss why this can’t eradicate the problem later. The greater number of encryption steps
you implement, the better you can protect your computer, in theory at least.

It’s also worth noting that IP spoofing is not an illegal practice, which is why it’s prevalent.
There are lots of legitimate uses for IP spoofing that we’ll discuss in another section. As such,
while the IP spoofing itself gets a hacker’s foot in the door, it might not be the only technique
used to breach trust.

Why Your IP Is a Target for Spoofing

Taking all moral and ethical considerations aside, another’s user identity has immense value
and worth. After all, there are many bad actors who, given the opportunity, would gladly use
someone else’s identity to obtain something, free from moral repercussions.

Spoofing IP addresses is a high-value pursuit for many malicious users. The act of IP
spoofing doesn’t hold much value, but the opportunities you’ll gain could be the jackpot.

For example, through IP spoofing, a user could impersonate a more trusted address to gain
personal information (and more) from an unsuspecting user.

This can also have a knock-on effect when it comes to other users too. A hacker doesn’t need
to spoof the IP of every target — they only need one to breach the defenses. By using these

15
unearned credentials, the same hacker can also gain the trust of others in the network too and
lead them to share personal information.

As such, the IP itself isn’t valuable. However, depending on what’s done with the spoofed IP,
the payoff can be huge, and the potential for access to other systems through IP spoofing isn’t
insignificant either.

Why IP Spoofing is Used

IP spoofing is used to commit criminal activity online and to breach network security.
Hackers use IP spoofing so they do not get caught spamming and to perpetrate denial of
service attacks. These are attacks that involve massive amounts of information being sent to
computers over a network in an effort to crash the entire network. The hacker does not get
caught because the origin of the messages cannot be determined due to the bogus IP address.

IP spoofing is also used by hackers to breach network security measures by using a bogus IP
address that mirrors one of the addresses on the network. This eliminates the need for the
hacker to provide a user name and password to log onto the network

Why IP Spoofing is Easy To Occur

 Problem with the Routers. IP routing is hop by hop. Every IP packet is routed
separately. The route of an IP packet is decided by all the routers the packet goes
through.

 Routers look at Destination addresses only.

 Authentication based on Source addresses only

 To change source address field in IP header field is easy

16
Applications of IP spoofing

Many other attacks rely on IP spoofing mechanism to launch an attack, for example SMURF
attack (also known as ICMP flooding) is when an intruder sends a large number of ICMP
echo requests (pings) to the broadcast address of the reflector subnet.

The source addresses of these packets are spoofed to be the address of the target victim. For
each packet sent by the attacker, hosts on the reflector subnet respond to the target victim,
thereby flooding the victim network and causing congestion that results in a denial of service
(DoS).

Therefore, it is essential best practice to implement anti spoofing mechanisms to prevent IP

spoofing wherever feasible.

Anti spoofing control measures should be implemented at every point in the network where
practical, but they are usually most effective at the borders among large address blocks or
among domains of network administration.

IP address spoofing involving the use of a trusted IP address can be used by network
intruders to overcome network security measures, such as authentication based on IP
addresses. This type of attack is most effective where trust relationships exist between
machines.

For example, it is common on some corporate networks to have internal systems trust each
other, so that users can log in without a username or password provided they are connecting
from another machine on the internal network – which would require them already being
logged in. By spoofing a connection from a trusted machine, an attacker on the same network
may be able to access the target machine without authentication.

IP address spoofing is most frequently used in denial-of-service attacks, where the objective
is to flood the target with an overwhelming volume of traffic, and the attacker does not care
about receiving responses to the attack packets. Packets with spoofed IP addresses are more
difficult to filter since each spoofed packet appears to come from a different address, and they
hide the true source of the attack.

17
Denial of service attacks that use spoofing typically randomly choose addresses from the
entire IP address space, though more sophisticated spoofing mechanisms might avoid non-
routable addresses or unused portions of the IP address space.

The proliferation of large botnets makes spoofing less important in denial of service attacks,
but attackers typically have spoofing available as a tool, if they want to use it, so defenses
against denial-of-service attacks that rely on the validity of the source IP address in attack
packets might have trouble with spoofed packets.

In DDoS attacks, the attacker may decide to spoof the IP source address to randomly
generated addresses, so the victim machine cannot distinguish between the spoofed packets
and legitimate packets. The replies would then be sent to random addresses that do not end up
anywhere in particular. Such packages-to-nowhere are called the backscatter, and there
are network telescopes monitoring backscatter to measure the statistical intensity of DDoS
attacks on the internet over time.[

Examples of IP Spoofing

Attackers use spoofed IP addresses to launch DDoS attacks and overwhelm computer servers
with massive packet volumes. Large botnets containing tens of thousands of computers are
often used to send geographically dispersed packets, and each can spoof multiple source IP
addresses simultaneously. This makes for automated attacks that are difficult to trace.

Examples of DDoS IP spoofing, man-in-the-middle attacks, and botnets include the

following:

GitHub. In 2018, Attackers spoofed the GitHub code hosting platform’s IP address in what
was believed to be the largest DDoS attack ever. Attackers sent queries to servers that speed
up database-driven sites, and those servers then amplified the returned data from the requests
by a factor of about 50, causing an outage.

In 2015 Europol enforced against the man-in-the-middle attack—an action that spanned the
continent. The hackers used IP spoofing to intercept payment requests between customers

18
and businesses and accessed organizations’ corporate email accounts. They ultimately tricked
customers into sending money to their bank accounts.

In 2011, a botnet called GameOver Zeus infected 1 million computers worldwide with
malware designed to steal banking credentials. It helped the users to steal over $100 million
and took a massive investigation and 3 years to shut down in 2014.

In 1994, hacker Kevin Mitnick launched an IP spoofing attack against the computer of rival
hacker Tsutomu Shimomura and flooded it with SYN requests from routable but inactive
spoofed IP addresses. The computer’s memory filled with SYN requests as it was unable to
respond to the requests—a technique called SYN scanning.

IP spoofing may also be used to test websites before or while they go live, and to test how
systems respond to various attacks and security threats.

19
Spoofing Attacks

There are a few variations on the types of attacks that successfully employ IP spoofing.
Although some are relatively dated, others are very pertinent to current security c oncerns.

Non-blind spoofing

This type of attack takes place when the attacker is on the same subnet as the victim. The
sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty
of calculating them accurately. The biggest threat of spoofing in this instance would be
session hijacking.

This is accomplished by corrupting the data stream of an established connection, then

reestablishing it based on correct sequence and acknowledgement numbers with the attack
machine. Using this technique, an attacker could effectively bypass any authentication
measures taken place to build the connection.

Blind Spoofing

This is a more sophisticated attack, because the sequence and acknowledgement numbers are
unreachable. In order to circumvent this, several packets are sent to the target machine in
order to sample sequence numbers.

While not the case today, machines in the past used basic techniques for generating sequence
numbers. It was relatively easy to discover the exact formula by studying packets and TCP
sessions. Today, most OSs implement random sequence number generation, making it
difficult to predict them accurately.

If, however, the sequence number was compromised, data could be sent to the target. Several
years ago, many machines used host-based authentication services (i.e. Rlogin). A properly
crafted attack could add the requisite data to a system (i.e. a new user account), blindly,
enabling full access for the attacker who was impersonating a trusted host.

Man in the Middle Attack

20
Both types of spoofing are forms of a common security violation known as a man in the
middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate
communication between two friendly parties.

The malicious host then controls the flow of communication and can eliminate or alter the
information sent by one of the original participants without the knowledge of either the
original sender or the recipient.

In this way, an attacker can fool a victim into disclosing confidential information by
“spoofing” the identity of the original sender, who is presumably trusted by the recipient.

Denial of Service Attack

IP spoofing is almost always used in what is currently one of the most difficult attacks to
defend against – denial of service attacks, or DoS. Since crackers are concerned only with
consuming bandwidth and resources, they need not worry about properly completing
handshakes and transactions.

Rather, they wish to flood the victim with as many packets as possible in a short amount of
time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to
make tracing and stopping the DoS as difficult as possible.

When multiple compromised hosts are participating in the attack, all sending spoofed traffic;
it is very challenging to quickly block traffic.

IP address spoofing attacks

In an IP spoofing attack, an attacker will send IP packets from a spoofed IP address to

hide their true identity. Attackers most often use IP address spoofing attacks in DoS
attacks that overwhelm their target with network traffic. In such an attack, a malicious
actor will use a spoofed IP address to send packets to multiple network recipients.

The owner of the real IP address is then flooded with all of the responses, potentially
experiencing a disruption in network service. An attacker may also spoof a computer or
device’s IP address in an attempt to gain access to a network that authenticates users or
devices based on their IP address.

21
Caller ID spoofing attacks

Spoofing attacks can also arrive as phone calls. In a caller ID spoofing attack, a scammer
makes it appear as if their call is coming from a number the victim knows and trusts or,
alternatively, a number that is associated with a specific geographic location. A caller ID
spoofer may even use a number that has the same area code and the first few digits as the
victim’s phone number, hoping that they will answer the call upon noticing a familiar
number. This practice is known as neighbor spoofing.

If a victim of caller ID spoofing answers the call, the scammer on the other end of the
line may impersonate a loan officer or other representative of an official-seeming
institution. The fake representative will then often try to persuade the victim to give up
sensitive information that can be used to commit fraud or perpetrate other attacks.

Email address spoofing attacks

Email spoofing involves sending emails using false sender addresses. Attackers often use
email address spoofing in socially engineered phishing attacks hoping to deceive their
victims into believing an email is legitimate by pretending that it came from a trusted
source. If the attacker is able to trick their victims into clicking on a malicious link
within the email, they can steal their login credentials, financial information, or
corporate data. Phishing attacks involving email spoofing may also infect victims’
computers with malware or, in cases like business email compromise (BEC) scams, try
to trick the victims into initiating a transfer of funds. Variants of phishing such as spear
phishing or whaling may be carefully tailored to specific individuals within the company
and tend to have a higher success rate.

Website spoofing attacks

In a website spoofing attack, a scammer will attempt to make a malicious website look
exactly like a legitimate one that the victim knows and trusts. Website spoofing is often
associated with phishing attacks. When a victim clicks on a link in a phishing email, the
link may take them to a website that looks just like a site they use—for example, the
login page to a banking site. From there, the victim will see exactly the same logo,
branding, and user interface they would expect. When they provide login credentials or

22
other personal information, however, the spoofed website will quietly harvest that
information for use in an attack or fraud attempt.

ARP spoofing attacks

Address Resolution Protocol (ARP) resolves an IP address to its physical Media Access
Control (MAC) address for the purpose of transmitting data across a Local Area Network
(LAN). In an ARP spoofing attack, a malicious actor sends spoofed ARP messages
across a local area network for the purposes of linking their own MAC address with a
legitimate IP address. That way, the attacker can steal or modify data that was meant for
the owner of that IP address.

An attacker wishing to pose as a legitimate host could also respond to requests they
should not be able to respond to using their own MAC address. With some precisely
placed packets, an attacker can sniff the private traffic between two hosts. Valuable
information can be extracted from the traffic, such as exchange of session tokens,
yielding full access to application accounts that the attacker should not be able to access.
ARP spoofing is sometimes employed in MITM attacks, DoS attacks, and session
hijacking.

DNS server spoofing attacks

In much the same way ARP resolves IP addresses to MAC addresses on a LAN, the
Domain Name System (DNS) resolves domain names to IP addresses. When conducting
a DNS spoofing attack, an attacker attempts to introduce corrupt DNS cache information
to a host in order to impersonate that host’s domain name—for example,
www.onlinebanking.com. Once that domain name has been successfully spoofed, the
attacker can then use it to deceive a victim or gain unauthorized access to another host.

DNS spoofing can be used for a MITM attack in which a victim inadvertently sends
sensitive information to a malicious host, thinking they are sending that information to a
trusted source. Or, the victim may be redirected to a site that contains malware. An
attacker who has already successfully spoofed an IP address could have a much easier
time spoofing DNS simply by resolving the IP address of a DNS server to the attacker’s
own IP address.

23
IP Spoofing Tools

IP spoofing creates IP (Internet Protocol) packets with false source IP addresses to

impersonate another computing system. It includes using a trusted IP address that network
intruders can use to overcome network security measures, such as authentication based on IP
addresses. This type of attack is most effective where trust relationships exist between
machines. Various IP spoofing tools are used to create false IP addresses and are not always
employed for malicious intent.

List of IP Spoofing Tools

Given below is the list of IP spoofing tools:

1. Net Commander
Net commander is an IP spoofing tool that controls and manages the trip lite B070 and B072
series net commander IP KVM switches and the servers, UPS systems, computers, and
environmental sensors connected to them. It provides a single centralized list of all servers
connected to KVM switches. It allows push configuration like firmware upgrades
simultaneously to Multiple KVms. In addition, the net commander allows access to the
remote KVM sessions.

2. Synner
Another IP spoofing tool is Synner. It is a custom packet generator tool to test firewalls and
DOS attacks. It can send a large amount of prebuilt tcp packets quickly. These TCP packets
include Macs, tcp flags, user-defined IPs, payload settings, and Windows size. With the help
of Synner, users can Sketch the custom distribution and relationships. Synner also provides
instant feedback on every user interaction by visualizing a preview of generated data. It
allows users to generate realistic-looking data.

3. Fakenetbios
The creators designed Fakenetbios as an IP spoofing tool to simulate Windows hosts on
LAN. It is categorized into two types Fakenetbios DGM and Fakenetbios NS. Both are
standalone tools. Fakenetbios DGN sends Netbios diagram service packets in port UDP 138

24
and simulates the Windows host’s broadcast. It periodically sends Netbios announces over a
network to simulate the Windows computer and fools the computer browser service running
over the LAN. Fakenetbios Ns is a Netbios name service daemon listening in port 137. It
responds to Netbios name request like a real Windows computer.

4. nbnspoof
The nbnspoof is an IP spoofing tool that creates automatic crafting response Netbios name
service name queries. When a Windows machine fails to resolve the domain names by WINS
and DNS, nbnspoof sends Netbios name server query and looks for the name in question to
match any computer names on any local network. Crafting a response to these requests is
useful for the attacker when the victim mis type the domain name or If the DNS server cannot
reach it. The Nbnspoof tool is specifically designed to showcase and demonstrate this type of
attack. It is also useful in illustrating how to develop small network security tools.

5. Dns Spoof
Another IP spoofing tool designed to receive DNS queries from hosts other than yours is
DNS spoof. To spoof the. a selected domain name, first, we need to activate the arp spoof or
dhcp6 spoof module. To start the dns spoof in the background, it uses this command –
dns.spoof on. Similarly, to end the dns spoof in the background it uses this command –
dns.spoof off. It uses various parameters such as domains, addresses, all, and hosts. domains
define the value of the domain name to spoof. address defines the IP address to map the
domain. The host file maps the domain to an IP address if the host is not empty. All
parameters are used for verification; if true, the module will reply to every DNS request. If
false, the module replies only to the targeted local PC.

6. rbndr
Another IP spoofing tool is rbndr. It is a simple, non-confirming name server tool that tests
the software against DNS rebinding vulnerabilities. It responds to the queries by randomly
selecting one of the addresses specified in the hostname and returning it as the answer. Rbndr
is an easy way to test for vulnerable software without changing or setting up the server. You
may access any IP address if the software associates the result with just the hostname, not the
hostname and IP address.

25
ADVANTAGES

 Multiple Servers :

Sometimes you want to change where packets heading into your network will go.
Frequently this is because you have only one IP address, but you want people to be able to
get into the boxes behind the one with the `real' IP address.

 Transparent Proxying :

Sometimes you want to pretend that each packet which passes through your Linux box is
destined for a program on the Linux box itself.

This is used to make transparent proxies: a proxy is a program which stands between your
network and the outside world, shuffling communication between the two.

The transparent part is because your network won't even know it's talking to a proxy, unless
of course, the proxy doesn't work.

DISADVANTAGES

 Blind to Replies

A drawback to ip source address spoofing is that reply packet will go back to the spoofed ip
address rather than to the attacker.

This is fine for many type of attack packet. However in the scanning attack as we will see
next the attacker may need to see replies .in such cases, the attacker can not use ip address
spoofing.

26
 Serial attack platforms :

However, the attacker can still maintain anonymity by taking over a chain of attack
hosts. The attacker attacks the target victim using a point host-the last host in the attack
chain.

Even if authorities learn the point host’s identity .They might not be able to track the attack
through the chain of attack hosts all the way back to the attackers base host.

27
Other Types of Network Spoofing

There are various types of spoofing, and some of them happen on IP-based networks, but
most do not change the IP addresses of packets, so they are not IP address spoofing. Some
other types of spoofing types that still involve IP addresses include:

An address resolution protocol or ARP spoofing vs IP spoofing attack occurs when an

attacker spoofs and sends false ARP messages rather than packets. In this case, the attack
happens over a local area network (LAN) at the data link layer and links the media access
control address of the attacker to a legitimate IP address of a server or computer on the
network.

In a domain name system (DNS) spoofing attack, the attacker alters DNS records rather than
packets to divert internet traffic toward fake servers and away from legitimate sites.

Other types of spoofing may not affect IP addresses at all, or at least not directly:

Caller ID spoofing alters a caller ID display to make a phone call appear to originate from a
different location.

Email spoofing alters email header fields to show a different sender and is often used in
phishing attacks.

Global positioning system (GPS) spoofing allows the user of a device to trick it into
displaying a different location using navigation information from a third-party application.

Short Message Service (SMS) or text message spoofing allows senders to obscure their real
phone numbers. Legitimate organizations may use this method to replace phone numbers that
are difficult-to-remember with alphanumeric IDs, but attackers may also use this technology
to include malware downloads or links to phishing sites in texts.

URL spoofing uses URLs that are nearly identical to real ones to lure targets to enter
sensitive information.

28
Legitimate uses for IP spoofing

IP spoofing also may be used by companies in non-malicious ways.

For example, companies may use IP spoofing when performing website tests
to make sure they work when they go live.

In this case, thousands of virtual users might be created to test a website. This
non-malicious use helps gauge a website’s effectiveness and ability to
manage numerous logins without being overwhelmed.

29
CONCLUSION

IP spoofing is less of a threat today due to the patches to the Unix Operating system and the
widespread use of random sequence receive numbering.

Many security experts are predicting a shift from IP spoofing attacks to application-related
spoofing in which hackers can exploit a weakness in a particular service to send and
information under false identities.As Security professionals, we must remain current with the
Operating Systems that we use in our day to day activities. A steady stream of changes and
new challenges is assured as the hacker community continues to seek out vulnerabilities and
weaknesses in our systems and our networks.

IP spoofs are dangerous for networks, databases, computers and users. It is a must that any
one – in one way or the other – is informed about it. It is also important that each person
takes responsibility and protects themselves from these sorts of attacks; our data is the
future, let’s keep it safe.

30
Reference
• www.google.com
• www.wikipedia.com
• www.youtube.com
• https://www.wallarm.com/what/ip-spoofing-definition-types-and-protection
• https://www.kaspersky.com/resource-center/threats/ip-spoofing
• https://www.geeksforgeeks.org/ip-spoofing/

31