IP Spoofing: Definition, Types and Protection
Disguises are as old as nature itself. For some animals they are the primary mechanism of survival, and humans have refined disguise techniques far beyond that. When a supposedly unique fingerprint pattern is copied, replicated and reused in a movie, it usually looks very cool; beyond that, people have built masks that give them the apparent identity of another person. That is what spoofing is all about: pretence, disguise and impersonation.
Technically, spoofing is the set of techniques cyber attackers (or let's just say attackers) use to make unknown and unsafe sources look like trusted ones. They pose as a source you trust, exploit the trust you have built toward that source, and use social engineering (at least to a certain degree) to trick you into giving up your personal information.
It is a game of psychology as much as technical understanding. Three parties are needed for it to work: the trusted source, the victim and the attacker (with the spoof). Once the trusted source has been impersonated convincingly, a little blackmail or gaslighting is often all it takes to get the attacker's desired result from the unsuspecting victim.
Types Of Spoofing
You trust different sources on different social and communication platforms, so there are different types of spoofing, each specific to a platform. Let's look at the common ones:
- EMAIL SPOOFING – This is as simple as it sounds: attackers send emails to unsuspecting victims after adopting the header of a trusted source. An unsuspecting recipient takes the email seriously because of the apparent authority of the header. In most cases the attackers ask for money or personal information; in other cases they direct victims to click on links leading to malware.
- URL SPOOFING – Commonly known as website spoofing. The approach is simple yet very convincing. The attacker exploits mistakes such as misspelled URLs (typosquatting) that victims make when looking for trusted websites, and designs similar logos and landing pages so that the spoof looks real. On these websites, victims receive indiscriminate requests to activate things or accept policies that do not exist on the original site.
- CALLER ID SPOOFING – Also known as phone spoofing. Attackers alter the caller ID sent to your mobile phone; users of call-tracking and identification applications are especially susceptible. The attack is designed so that you see a familiar name as the caller identity of a strange number, which makes you more likely to accept the call and talk to whoever is on the other end.
- TEXT MESSAGE SPOOFING – The criminal masquerades as a legitimate, recognised sender by altering the sender header of the text message. This is relatively easy to achieve, since telecom advertising features allow sender personalisation. As easy as it is to carry out, it is also easy to see through.
- DNS SPOOFING – DNS stands for domain name system. It acts as a kind of internet directory that records the identification numbers (IP addresses) of websites and matches names to them when a computer sends a request. In a DNS spoofing attack, the directory is made to match website names to the wrong numbers, so when a computer looks up these websites it lands on the wrong (but identical-looking) page.
- GPS SPOOFING – Attackers target the global positioning systems of mobile devices and (sometimes) vehicles to feed them false location signals. An attacker can therefore appear to be in one location on a GPS system while actually being somewhere else. At the extreme, this method could be used to interfere with car movements, spacecraft travel or ship navigation.
There are other types of spoofing too, for example ARP spoofing and facial (or biometric) spoofing. When it comes to internet and cyber security, however, one of the most common and dangerous types is IP spoofing. Let's start with a brief overview of the attacks built on it.
Types of attack that use IP spoofing
Attackers rarely rely on a single technique, as that narrows the chance of success; they combine multiple processes and methods. That is why IP spoofing appears in so many varieties. Here are the best known.
- DDoS or Distributed Denial of Service
A very common use of IP spoofing, a DDoS attack forges source IP addresses in huge quantities and tries to overwhelm the targeted server until it becomes unresponsive to legitimate users or customers.
No data theft is involved, but it can cause revenue loss if the server runs an online marketplace: while the website is unavailable, prospective customers cannot make a purchase.
- Masking of botnet systems
Hackers use IP spoofing to gain access to a specific computer, and often to mask a botnet. For those unfamiliar with the term, a botnet is a set of computers that carry out hacker activities under control from a unified source.
With IP spoofing, hackers manage to hide the botnet and access the system.
- MITM or Man-in-the-Middle threats
IP spoofing is a key technique in carrying out MITM attacks, which place a compromised system between two computers so that the attacker can read every communication and data exchange taking place.
Attackers use IP spoofing to break into personal communication resources or accounts so that they become a party to every conversation.
If the attempt succeeds, threat actors can decode the communication, create a duped website, steal data and even modify crucial data. Sustained over a long time, this threat can do serious damage to the business under attack, so it is essential to keep a check on your channels and reset connections from time to time.
IP Address Spoofing
IP addresses, on the other hand, are identity tags unique to your computer system. The "address" part of Internet Protocol is very significant: technically, IP addresses are identifiers, attached to specific networks, that allow computers to communicate over the internet. Essentially, your IP address is your identity online (at least to servers and other computers). Now imagine someone could replicate that identity perfectly; the implication is obvious: they get to impersonate you to reach your personal information, data, finances, you name it. That is what IP spoofing entails.
Technically, IP spoofing is the process of generating an internet packet with an altered source address, with the goal of hiding the sender or impersonating another computer system. More often than not, the end goal is to gain access to personal information. At times, however, attackers use other people's internet identities to commit crimes (probably to defame and blackmail those individuals) or to carry out volumetric distributed denial of service attacks.
To put this in perspective, think of the old postal system, with handwritten letters delivered by post men. If someone wanted to stop you from getting your letters and packages, they only needed a way to alter the delivery address at the sending point. They could change the address to look very similar to yours so that nobody noticed, and you would never receive the package. That is a simplified analogy for IP spoofing.
IP spoofing is dangerous because it provides the groundwork for many other types of cyber-attack. Attackers often need to disguise themselves with legitimate-looking IP addresses to prepare the next, more complex phases of an attack. For instance, IP spoofing is a major step in ensuring the success of application layer attacks and distributed denial of service attacks. Let's see how it contributes to each.
IP Spoofing In Application Layer Attack
Application layer attacks are structured to target and exploit vulnerabilities in mobile and web applications. These attacks are very common. The attacker's aim is usually to render the application non-functional, deface it, or steal sensitive information belonging to its users.
In most application layer attacks, the attackers take advantage of the normal connection setup process known as the TCP three-way handshake. Let's quickly go over it. In a three-way handshake:
- The client sends a packet to request a connection with the server (SYN).
- The server replies with an acknowledgement (SYN-ACK).
- The client sends a final acknowledgement back to the server (ACK).
Attackers use IP spoofing to disrupt these three stages. Instead of the genuine server or recipient receiving the request, a spoof (disguised as the destination) receives the SYN from the requesting computer. That way, the attacker hijacks the responses the requesting computer should have received from the trusted server, and this is where social engineering comes in to direct the unsuspecting user of the requesting computer to malware.
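The server side of the handshake described above, as an added example that is not part of the original article: a classic listener that remembers every SYN until its ACK arrives (so SYNs from forged sources, whose SYN-ACK goes nowhere, pile up and block genuine clients), beside a stateless SYN-cookie listener, a defence the article does not name. The class names, the backlog size and the injected time slot are assumptions made for the demo.

```python
import hashlib
import hmac

# Constructed key for the SYN-cookie demo (assumption: any fresh random secret would do).
SECRET = b"constructed-demo-secret"

class StatefulListener:
    """Classic server side: one half-open entry per SYN until the matching ACK arrives."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}      # (src, sport) -> ISN we sent in the SYN-ACK
        self.established = set()
        self.refused = 0

    def syn(self, src, sport):
        """Step 1 arrives; our SYN-ACK (step 2) goes to src, which may be a forged address."""
        if len(self.half_open) >= self.backlog:
            self.refused += 1    # table full: a genuine client is refused as well
            return None
        isn = 1000 * (len(self.half_open) + 1)   # demo ISN; real stacks randomise it
        self.half_open[(src, sport)] = isn
        return isn

    def ack(self, src, sport, ack):
        """Step 3: only the real owner of src saw our ISN and can answer with ISN + 1."""
        isn = self.half_open.get((src, sport))
        if isn is None or ack != isn + 1:
            return False
        del self.half_open[(src, sport)]
        self.established.add((src, sport))
        return True

class CookieListener:
    """Stateless variant: the ISN is an HMAC of the peer and a time slot, so no table can fill up."""

    def __init__(self, minute):
        self.minute = minute     # injected time slot; a real stack reads the clock

    def _cookie(self, src, sport, minute):
        msg = f"{src}:{sport}@{minute}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def syn(self, src, sport):
        return self._cookie(src, sport, self.minute)   # nothing is stored per SYN

    def ack(self, src, sport, ack):
        # Accept the current or previous slot so a slow but genuine client still completes.
        return any(ack == self._cookie(src, sport, m) + 1 for m in (self.minute, self.minute - 1))
```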
IP Spoofing In Distributed Denial Of Service (DDoS) Attack
Distributed denial of service attacks aim to render a web application non-functional by overwhelming it with traffic or requests that consume its processing capacity and bandwidth. It is like blocking the normal route of a crowd and diverting them onto a smaller path built for far fewer people. The result is that the victim application becomes completely useless. There are many different DDoS attacks, each with its own method, but the type that epitomises DDoS is the volumetric attack, which uses sheer volume to exhaust the processing capacity of the victim application.
This is where IP spoofing comes in: it is often used to lay the groundwork for volumetric DDoS attacks. For instance, when a trusted source tells you to click on a link, the first reaction is to click it. Attackers spoof many trusted sources and use social engineering to direct people to a target website. Of course, this requires precision and technical know-how, but it is one of the most effective ways of carrying out a volumetric DDoS attack in a way that appears legitimate.
Examples of IP spoofing
This threat is so common that it has already affected a huge part of the IT and internet community. It is often used alone or in combination with other deception tricks and has caused serious concern. Consider the IP spoofing examples below.
- DNS spoofing impacted three local banks
Three well-known local Florida-based banks became the target of a DNS spoofing attack in 2006. The attack was novel and had never been witnessed before. The attackers managed to take over the ISP servers that all three banks were using.
With control of the servers, they were able to route all incoming traffic to a fraudulent login page. Bank customers, taking the fake login page for the real one, entered sensitive credentials such as ATM PINs, CVVs and card numbers, and the hackers harvested that data.
- DDoS spoofing impacted Humana
Humana, a leading health insurance provider in the US, came under a spoofed DDoS attack in 2018. Data related to claims, services received, premiums, insurance numbers and so on was exposed. The attack continued for two days.
- DNS spoofing attack on Malaysia Airlines
The attack hampered the official Malaysia Airlines website in 2015 and stopped customers from accessing it. No data was leaked or stolen, but many customers were unable to book flights or check flight status.
- Europol became the victim of a MITM attack
In 2015, Europol identified a MITM attack that gave hackers access to payment processing requests.
How Can You Detect IP Spoofing?
What makes IP spoofing so destructive is its ability to remain stealthy for a long time. Because it operates at the network layer, inexperienced users never look that deep, so the threat stays active. That does not mean IP spoofing detection is impossible, however.
With a little awareness and attentiveness, one can sense the presence of IP spoofing. When IP spoofing affects a system or device, it causes certain operational changes.
For instance, the IP addresses seen for a given host become inconsistent. Quick and accurate IP spoofing detection is possible by paying attention to those changes.
Packet filtering is the preferred IP spoofing detection technique for concerned organisations or individuals. Automated, integrated packet-filtering systems analyse endpoint traffic and pick out inconsistencies in IP addresses.
These tools are also effective at identifying deceptive packets. Packet filtering comes in two types, and each is capable of early and accurate IP spoofing detection.
The first kind is ingress filtering, which examines received packets and checks whether the source IP in the header is legitimate. It relies on access control lists for this: if the source IP does not match the list, the packet is discarded immediately.
Egress filtering is the second type. It helps against IP spoofing by checking whether the source IP addresses of outgoing packets belong to the organisation's own network, which stops insiders from launching the attack from within.
How To Protect Your Network Against IP Spoofing Attack
Given the extent of the damage an IP spoof can cause, organisations need to know how to prevent such attacks. Here are a few tested and effective ways to do so:
- Firewalls – Use a firewall as a filter to check for and lock out spoofed IPs. Modern technology makes it easy to write rules for the behavioural patterns of these addresses; use them to configure your firewall and lock attackers out.
- Get packet filtering systems – Packet filtering systems specialise in catching spoofing attackers by filtering out spoofed headers. They are very effective in mail systems and caller-ID security.
- Secure yourself with encryption protocols – The most common web encryption protocol today is HTTPS (HTTP over TLS), which protects data in requests and server responses. When you browse the web, a padlock indicator shows whether the site's data is encrypted. If a website lacks it, your data is susceptible to a breach, and the website is susceptible to URL and IP spoofing attacks.
- Stay on the safe side with software – There are many reliable security products around; you could use a VPN or paid antivirus software. They provide a first line of defence against data theft and spoofing attempts.
- Manually monitor your network for suspicious activity – However capable your automated defences, attackers may be smart enough to bypass them. Good old-fashioned monitoring will save you from trouble many times over; to make it feasible, set a schedule for regular checks.
IP spoofing is dangerous for networks, databases, computers and users. Everyone should, in one way or another, be informed about it. It is also important that each person takes responsibility for protecting themselves from these attacks; our data is the future, so let's keep it safe.
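The ingress and egress filtering described in the detection section and the firewall filter recommended above, as an added example that is not part of the original article. The organisation's prefix 203.0.113.0/24, the bogon list and the flow-record format are constructed assumptions; in practice these rules live in the router or firewall ACL rather than in a script.

```python
from ipaddress import ip_address, ip_network

# Constructed network plan (RFC 5737 documentation ranges): the organisation owns 203.0.113.0/24.
ORG_PREFIXES = [ip_network("203.0.113.0/24")]
# Source ranges that must never appear on a packet arriving from the internet.
BOGONS = [ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                                   "172.16.0.0/12", "192.168.0.0/16")]


def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def ingress_verdict(src):
    """Packet arriving on the internet-facing interface: its source may not be one of our own
    addresses (nobody outside can legitimately send as us) nor a bogon."""
    a = ip_address(src)
    if in_any(a, ORG_PREFIXES):
        return "drop: external packet claims an internal source"
    if in_any(a, BOGONS) or a.is_multicast:
        return "drop: bogon source"
    return "accept"


def egress_verdict(src):
    """Packet leaving toward the internet: only our own prefixes may appear as source, so a
    compromised internal host cannot forge someone else's address."""
    return "accept" if in_any(ip_address(src), ORG_PREFIXES) else "drop: source not in our prefixes"


def filter_flows(records):
    """Apply the two rules to constructed flow records of the form 'in|out <src> <dst>'."""
    verdicts = []
    for rec in records:
        direction, src, dst = rec.split()
        check = ingress_verdict if direction == "in" else egress_verdict
        verdicts.append((direction, src, dst, check(src)))
    return verdicts


# Constructed sample flows: a normal inbound request, an inbound packet claiming our own
# address, an internal host trying to send with a private source, and a normal reply.
SAMPLE_FLOWS = [
    "in 198.51.100.20 203.0.113.10",
    "in 203.0.113.7 203.0.113.10",
    "out 10.0.0.4 198.51.100.1",
    "out 203.0.113.10 198.51.100.20",
]
```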