
IP Spoofing

Forge your identity. Spoof the source. Attack from the shadows by manipulating IP packet headers to hide your origin.

Intermediate | Phase 1: Network Attacks | Interactive | Dual Perspective

What is IP Spoofing?

IP Spoofing is forging the source IP address in network packets to hide the attacker's identity or impersonate another device. The attacker changes the "From" address in IP packets to make it appear traffic comes from a trusted source.

Normal IP Packet:

Source IP: 192.168.1.100 (Attacker's real IP)
Destination IP: 10.0.0.5 (Target server)

↓ SPOOFED ↓

Spoofed IP Packet:

Source IP: 192.168.1.250 (Forged: the address of a trusted server)
Destination IP: 10.0.0.5 (Target server)

Why Attackers Spoof IP Addresses

  • Hide Identity: Conceal attacker's real IP address from logs
  • Bypass Filters: Pretend to be trusted IP to bypass firewall rules
  • DDoS Amplification: Reflect attack traffic off vulnerable servers
  • Session Hijacking: Inject malicious packets into existing TCP sessions

Common IP Spoofing Attacks

1. Blind Spoofing

The attacker sends packets with a forged source IP but cannot see the responses, which go to the spoofed address. Used for DDoS, where the attacker does not need replies.

2. Non-Blind Spoofing

The attacker is on the same subnet as the spoofed host and can sniff the responses even though they are addressed to the spoofed IP. More dangerous: it enables session hijacking.

3. DDoS Reflection/Amplification

The attacker spoofs the victim's IP as the source and sends small requests to many servers. The servers send their much larger responses to the victim, flooding it (amplifies the attack 10-100x).
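The reflection pattern just described has a defensive counterpart: a host that receives replies from reflector services it never queried is being used as a reflection victim. Below is an added example, not code from the original page or its lab, of that check in Python over a handful of constructed flow records; the record layout, the reflector port list and the minimum-reflector threshold are assumptions.

```python
from collections import defaultdict

# Well-known UDP services commonly abused as reflectors (illustrative, not complete).
REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# 10.0.0.7 made a real DNS query and got one answer. 10.0.0.5 receives
# answers from three resolvers it never queried: someone spoofed 10.0.0.5 as
# the query source, so the resolvers "reflect" their replies onto it.
FLOWS = [
    ("10.0.0.7", 51000, "8.8.8.8", 53, 60),
    ("8.8.8.8", 53, "10.0.0.7", 51000, 180),
    ("198.51.100.10", 53, "10.0.0.5", 4444, 3000),
    ("198.51.100.11", 53, "10.0.0.5", 4444, 3000),
    ("198.51.100.12", 53, "10.0.0.5", 4444, 3000),
]


def find_reflection_victims(flows, min_reflectors=2):
    """Return {victim_ip: {"reflectors": n, "bytes": total}} for hosts that
    receive replies from reflector ports without a matching outbound request."""
    # Every (client, server, server_port) we saw a request for.
    requests = {(s, d, dp) for (s, sp, d, dp, b) in flows}
    unsolicited = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, dport, size in flows:
        if sport not in REFLECTOR_PORTS:
            continue                      # not a reply from a reflector service
        if (dst, src, sport) in requests:
            continue                      # the receiver really did ask for this
        unsolicited[dst]["reflectors"].add(src)
        unsolicited[dst]["bytes"] += size
    return {
        victim: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"]}
        for victim, v in unsolicited.items()
        if len(v["reflectors"]) >= min_reflectors
    }


def response_ratio(flows, client, server, port):
    """Bytes received per byte sent for one client/server pair: the
    amplification factor that service offers. A victim that sent nothing
    gets an infinite ratio, which is itself a signal."""
    sent = sum(b for s, sp, d, dp, b in flows if (s, d, dp) == (client, server, port))
    got = sum(b for s, sp, d, dp, b in flows if (s, sp, d) == (server, port, client))
    return got / sent if sent else float("inf")


if __name__ == "__main__":
    print("victims:", find_reflection_victims(FLOWS))
    print("legit DNS ratio:", response_ratio(FLOWS, "10.0.0.7", "8.8.8.8", 53))
```

In production the request set would come from the same flow exporter as the replies and be bounded by a time window; the point of the example is that the victim never sent the requests, so the replies have nothing to match against.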

IP Spoofing Limitations

  • No TCP Handshake: Can't complete 3-way handshake without seeing SYN-ACK (blind spoofing)
  • ISP Filtering: Many ISPs use egress filtering (BCP 38) to block spoofed packets
  • No Response: Replies go to spoofed IP, not attacker (unless on same subnet)
  • Sequence Numbers: Hard to predict TCP sequence numbers for session hijacking
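Why the last limitation holds is worth seeing in code. The following is an added example, not part of the original page: a predictable counter-style initial sequence number (ISN) generator next to an RFC 6528-style keyed-hash ISN. The 64000 step, the use of HMAC-SHA256 as the hash F, and the per-connection fields are illustrative assumptions.

```python
import hashlib
import hmac
import time

MASK32 = 0xFFFFFFFF
LEGACY_STEP = 64000   # constructed constant: fixed increment per new connection


def legacy_isn(previous_isn):
    """Counter-style generator: each new connection gets the previous ISN
    plus a fixed step, so one observed ISN reveals the next one exactly."""
    return (previous_isn + LEGACY_STEP) & MASK32


def predict_next_legacy(observed_isn):
    """What an observer who saw one legacy ISN would guess for the next
    connection. It is identical to legacy_isn, which is the whole problem."""
    return (observed_isn + LEGACY_STEP) & MASK32


def rfc6528_isn(local_ip, local_port, remote_ip, remote_port, secret, clock_us=None):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey) mod 2^32.
    M is a 4-microsecond timer; F is a keyed hash (HMAC-SHA256 truncated to
    32 bits stands in for F here); secret is a per-boot random key."""
    if clock_us is None:
        clock_us = time.monotonic_ns() // 1000
    m = (clock_us // 4) & MASK32
    four_tuple = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


def legacy_is_predictable(start=123456):
    """True: the observer's guess matches the next legacy ISN."""
    return predict_next_legacy(start) == legacy_isn(start)


def hashed_is_predictable(secret=b"per-boot-secret", clock_us=1_000_000):
    """False: two connections to the same server at the same instant,
    differing only in client port, get ISNs whose gap is not the fixed step,
    so knowing one does not yield the other without the secret."""
    a = rfc6528_isn("10.0.0.5", 22, "192.168.1.100", 40001, secret, clock_us)
    b = rfc6528_isn("10.0.0.5", 22, "192.168.1.100", 40002, secret, clock_us)
    return (b - a) & MASK32 == LEGACY_STEP


if __name__ == "__main__":
    print("legacy predictable:", legacy_is_predictable())
    print("hashed predictable:", hashed_is_predictable())
```

The timer term M keeps sequence spaces from overlapping across quick reconnects, while the keyed hash is what denies an off-path attacker the value; both are needed, which is why RFC 6528 combines them rather than picking one.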

IP Spoofing Tools

Attack Tools:

  • hping3: Craft custom packets with spoofed IPs
  • Scapy: Python packet manipulation library
  • Nmap: -S <IP> option to spoof the source address of a scan (-e selects the sending interface)

Detection:

  • Wireshark: Analyze packet source IPs
  • IDS/IPS: Snort/Suricata rules for spoofing
  • Firewall Logs: Suspicious source IPs

Defense Against IP Spoofing

Ingress Filtering: Drop packets with source IPs outside expected range
Egress Filtering (BCP 38): ISPs block packets with spoofed source IPs from leaving network
Encryption (IPsec): Authenticate packet sources cryptographically
Reverse Path Filtering (RPF): Verify packet source IP has valid return route
Monitor Anomalies: Alert on unusual source IPs or traffic patterns

Example Commands

hping3 (send a SYN with a spoofed source IP):
hping3 -S -a 192.168.1.250 10.0.0.5 -p 80

Scapy (craft and send a custom spoofed packet):
from scapy.all import IP, TCP, send
send(IP(src="1.2.3.4", dst="10.0.0.5")/TCP(dport=80))

Enable strict RPF on Linux (drops packets whose source has no return route via the receiving interface):
sysctl -w net.ipv4.conf.all.rp_filter=1

IP Spoofing & Trust Bypass

Forge Source IPs to Bypass Firewall Rules

Lab Scenario (interactive diagram)

Network topology:

  • Attacker: 192.168.1.66
  • Trusted Admin: 10.0.0.5
  • Target Firewall: 10.0.0.100

Firewall rules:

  • ALLOW FROM 10.0.0.5
  • DENY ALL

Concept: Blind Spoofing

When you spoof a source IP, the server replies to the Real Owner of that IP, not you.

You cannot see the response (SYN-ACK).
But you successfully bypassed the firewall!
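The lab's firewall trusts 10.0.0.5 by address alone, which is exactly the gap that the Defense section's ingress filtering, reverse path filtering and IPsec items close. The following added example (not the page's or the lab's own code) models the 10.0.0.100 firewall in Python with two constructed interfaces, applies a BCP 38-style ingress filter and a strict reverse-path check before the ALLOW/DENY rules, and treats an `authenticated` flag as standing in for a source verified via IPsec; the interface names, the routing table and that flag are assumptions.

```python
import ipaddress

# Constructed lab router/firewall (10.0.0.100) with two interfaces:
# "lan0" faces the trusted 10.0.0.0/24 subnet, "wan0" faces everything else.
ROUTES = {                       # prefix -> interface used to reach it
    ipaddress.ip_network("10.0.0.0/24"): "lan0",
    ipaddress.ip_network("0.0.0.0/0"): "wan0",
}
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/24")]
TRUSTED_ADMINS = {ipaddress.ip_address("10.0.0.5")}   # the page's ALLOW rule


def route_interface(ip):
    """Longest-prefix match: the interface the firewall would use to reach ip,
    i.e. the return path for a packet claiming that source."""
    addr = ipaddress.ip_address(ip)
    best = max((net for net in ROUTES if addr in net), key=lambda net: net.prefixlen)
    return ROUTES[best]


def ingress_ok(src_ip, in_iface):
    """BCP 38-style ingress filter: a source must be plausible for the
    interface it arrived on. Internal addresses may only enter via lan0;
    anything claiming an internal address on wan0 is spoofed by definition."""
    addr = ipaddress.ip_address(src_ip)
    is_internal = any(addr in net for net in INTERNAL_PREFIXES)
    return is_internal if in_iface == "lan0" else not is_internal


def strict_rpf_ok(src_ip, in_iface):
    """Strict reverse-path check (Linux rp_filter=1): the route back to the
    source must leave through the interface the packet came in on."""
    return route_interface(src_ip) == in_iface


def firewall_decision(src_ip, in_iface, authenticated=False):
    """Source validation first, then the page's ACL. `authenticated` is an
    assumed flag meaning the packet's source was verified cryptographically
    (e.g. IPsec); it shows why an address-only trust rule is not enough."""
    if not ingress_ok(src_ip, in_iface):
        return ("DROP", "ingress filter: source not valid on " + in_iface)
    if not strict_rpf_ok(src_ip, in_iface):
        return ("DROP", "rpf: return route to source is not via " + in_iface)
    if ipaddress.ip_address(src_ip) in TRUSTED_ADMINS:
        if authenticated:
            return ("ALLOW", "trusted admin, source authenticated")
        return ("DENY", "trusted address but source not authenticated")
    return ("DENY", "default rule")


if __name__ == "__main__":
    cases = [
        ("10.0.0.5", "lan0", True),       # genuine admin over IPsec
        ("10.0.0.5", "wan0", False),      # blind spoof from outside (the lab scenario)
        ("192.168.1.66", "wan0", False),  # attacker's real address, no spoofing
        ("10.0.0.5", "lan0", False),      # non-blind spoof from inside the subnet
    ]
    for src, iface, auth in cases:
        print(f"{src:14} on {iface}: {firewall_decision(src, iface, auth)}")
```

The spoofed packet from the lab is dropped twice over (wrong interface for an internal source, and the return route points elsewhere). The last case matters most: a spoofed 10.0.0.5 sent from inside the subnet passes both source checks, which is why the example requires authentication before honouring the trusted-address rule and why the page lists IPsec alongside filtering rather than as an alternative to it.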
Copyright © 2025 JMFG. All rights reserved.