Spoofing is a specific type of cyber-attack in which someone attempts to use a computer, device, or network to trick other computer networks by masquerading as a legitimate entity. It's one of many tools hackers use to gain access to computers to mine them for sensitive data, turn them into zombies (computers taken over for malicious use), or launch Denial-of-Service (DoS) attacks. Of the several types of spoofing, IP spoofing is the most common.
How spoofing works
To start, a bit of background on the internet is in order. The data transmitted over the internet is first broken into multiple packets, and those packets are transmitted independently and reassembled at the end. Each packet has an IP (Internet Protocol) header that contains information about the packet, including the source IP address and the destination IP address.
In IP spoofing, a hacker uses tools to modify the source address in the packet header to make the receiving computer system think the packet is from a trusted source, such as another computer on a legitimate network, and accept it. Because this occurs at the network level, there are no external signs of tampering.
This type of attack is common in Denial-of-Service (DoS) attacks, which can overwhelm computer networks with traffic. In a DoS attack, hackers use spoofed IP addresses to overwhelm computer servers with packets of data, shutting them down. Geographically dispersed botnets — networks of compromised computers — are often used to send the packets. Each botnet potentially contains tens of thousands of computers capable of spoofing multiple source IP addresses. As a result, the automated attack is difficult to trace.
A variation on this approach uses thousands of computers to send messages with the same spoofed source IP address to a huge number of recipients. The receiving machines automatically transmit acknowledgement to the spoofed IP address and flood the targeted server.
Another malicious IP spoofing method uses a "Man-in-the-Middle" attack to interrupt communication between two computers, alter the packets, and then transmit them without the original sender or receiver knowing. Over time, hackers collect a wealth of confidential information they can use or sell.
In systems that rely on trust relationships among networked computers, IP spoofing can be used to bypass IP address authentication. The idea behind the "castle and moat" defense is simple: Those outside the network are considered threats, and those inside the castle are trusted. Once a hacker breaches the network and makes it inside, it's easy to explore the system. Considering that vulnerability, using simple authentication as a defense strategy is being replaced by more robust security approaches, such as those with multi-step authentication.
Steps to Avoid Spoofing
Most of the strategies used to avoid IP spoofing must be developed and deployed by IT specialists. The options to protect against IP spoofing include monitoring networks for atypical activity, deploying packet filtering to detect inconsistencies (like outgoing packets with source IP addresses that don't match those on the organization's network), using robust verification methods (even among networked computers), authenticating all IP addresses, and using a network attack blocker. Placing at least a portion of computing resources behind a firewall is also a good idea.
Web designers are encouraged to migrate sites to IPv6, the newest Internet Protocol. It makes IP spoofing harder by including encryption and authentication steps. Most of the world's internet traffic still uses the previous protocol, IPv4. The Seattle Internet Exchange (one of two in the world showing IPv6 traffic statistics) indicates that only about 11 percent of traffic has migrated to the newer, more secure protocol as of mid-November 2017.
For end users, detecting IP spoofing is virtually impossible. They can minimize the risk of other types of spoofing, however, by using secure encryption protocols like HTTPS — and only surfing sites that also use them.