What is IP Spoofing? | IP Spoofing Detection — Exploitbyte
IP Spoofing refers to changing source IP Adresses so that the attack appears to be come from someone else.
When the victim replies to the address, it goes back to the spoofed address and not to the attacker’s real address.
IP Spoofing using Hping2:
Hping2 www.example.com -a xx.xx.xx.xx
“You will not be able to complete the three-way handshake and open a successful TCP Connection with spoofed IP Address”.
IP Spoofing Detection Techniques : Direct TTL Probes
Send Packet to host of suspect spoofed packet that triggers reply and compare TTL with suspect packet; if the TTL in the reply is not the same as the packet being checked; it is a spoofed packet.
This Techniques is successful when attacker is in a different subnet from victim.
“Normal Traffic from one host can vary TTL’s depending on traffic patterns”
IP Spoofing Detection Techniques: IP Identification Number.
Send probe to host of suspect spoofed traffic that triggers reply an Compare IP ID with suspect traffic.
If IP IDs are not in the near value of packet being checked, suspect traffic is spoofed.
This Technique is successful even if the attacker is in the same subnet.
IP Spoofing Detection Techniques: TCP Flow Control Method
Attackers sending spoofed TCP packets, will not recieve the target’s SYN-ACK packets.
Attackers cannot therefore be responsive to change in the congestion window size
When recieved traffic continues after a windows size is exhausted, most probably the packets are spoofed.
IP Spoofing Countermeasures
Use Multiple firewalls providing multi-layered depth of protection.
Do not reply on IP-based authentication.
Use random initial sequence number to prevent IP Spoofing attacks based on sequence number spoofing.
Egress Filtering: Filter all outgoing packets with an invalid local IP address a source address.
Originally published at https://exploitbyte.com on March 31, 2020.