IP Spoofing: What You Need to Know About It
In February 2020, Amazon Web Services (AWS) was the target of one of the largest DDoS attacks ever recorded, with a peak traffic volume of 2.3 Tbps. An unidentified AWS customer was targeted via compromised CLDAP (Connection-less Lightweight Directory Access Protocol) servers. Fortunately, the attack was mitigated by AWS’s DDoS protection service.
Attacks like this one usually rely on IP spoofing. This article explains what IP spoofing is, which kinds of cyberattacks it enables, and how to protect your organization against it.
What is IP spoofing?
Information traveling across the internet is divided into smaller portions called packets. To make sure that these packets reach the correct destination, a set of rules, or protocol, governs how they are addressed and routed; it is known as the Internet Protocol (IP). Transmission Control Protocol (TCP) works along with IP to ensure that a secure connection is maintained and that the sender receives an acknowledgement when a packet has been received.
Each packet has an IP header, which carries the packet's source and destination IP addresses. IP addresses uniquely identify hosts on a network, just as physical addresses identify houses. When a sender and a receiver communicate, IP packets travel between them. In IP spoofing, an attacker crafts IP packets whose source address field is forged so that they appear to come from another host, for example the legitimate sender, which lets the attacker insert themselves into the communication.
This is advantageous for cybercriminals as they can perform malicious acts without exposing their identity. Most of the time, networks and computers do not realize that they have been spoofed, so users won’t be notified. Furthermore, since the spoofed IP address looks like it represents a trusted source, it can bypass firewalls and security checks.
Types of IP spoofing attacks
IP spoofing is used as a gateway by cybercriminals to commit other cybercrimes, such as DDoS attacks, Man-in-the-Middle attacks, stealing data, infecting systems with malware, etc.
In Man-in-the-Middle attacks, IP spoofing is used to intercept communication between two computers, modify packets to extract the desired information from them, and pass the altered packets on without the sender's or recipient's knowledge. With this method, cybercriminals can stealthily collect information, which they can then use or sell on the dark web.
In a DDoS attack, cybercriminals use spoofed IP addresses to disrupt the normal flow of traffic by sending large packets of data, overwhelming the target, and ultimately shutting it down. It is difficult to track down those responsible for these attacks, as they deploy geographically dispersed botnets (large networks of compromised computers). Each of these botnets is made up of several thousand computers that are programmed to spoof several IP addresses.
DDoS attacks fall into three categories:
- Application layer attacks: They target web applications by sending a large number of requests with the goal of crashing web servers.
- Protocol attacks: These take advantage of the vulnerabilities present in server resources as well as intermediate communication equipment like firewalls, load balancers, etc.
- Volumetric attacks: They overwhelm network bandwidth by sending high loads of traffic.
Ping of Death, UDP Flood, HTTP Flood, SYN Flood, NTP and DNS Amplification attacks, Slowloris, and Zero Day DDoS are the most common types of DDoS attack.
Additionally, cybercriminals can take advantage of systems that rely on trust relationships within a network of computers. Computers within such a network do not require the IP address authentication that is demanded of outsiders. An attacker can use this blind spot to their advantage by spoofing the IP address of a host within this trusted network, thereby bypassing the required authentication. The attacker can then perform malicious acts like data theft, infecting the network with malware, exploiting vulnerabilities, etc.
How to protect your organization from IP Spoofing
Cybercriminals prefer using IP spoofing as a cyberattack due to its relative simplicity as well as the anonymity that comes with it. This makes organizations highly susceptible to it. Here are some steps that your organization can implement to defend against such attacks.
- Educate your employees about IP spoofing and how to detect an attack. It is also beneficial to inform them to be wary of suspicious emails that may ask them to click on links or change their login information.
- Constantly monitor network servers for any suspicious activity as well as for high levels of network traffic.
- Use multiple methods to authenticate and verify IP addresses, even among trusted computers on the network. Public Key Infrastructure (PKI) is a good method for this purpose.
- Install strong cybersecurity solutions like network attack blockers, firewalls, antivirus software, spoofing detection software, etc., that use secure encryption protocols to protect computing resources from various cyberattacks.
- Enable packet filtering systems like ingress filtering, which verify whether inbound packets are coming from trusted sources by examining the packets' source address headers. Similarly, egress filtering can be used to control and track outbound traffic.
- VPNs are a great tool to ensure safe web browsing, especially on public hotspots, which are notorious for being insecure.
- Switch from IPv4 to IPv6, the newest Internet Protocol, as it offers better protection from IP spoofing attacks due to a higher level of encryption and authentication steps.
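The ingress and egress filtering item above is worth seeing in code. The following is an added example, not part of the original article or any vendor's product: it parses the source and destination addresses out of a raw IPv4 header and applies the two filtering rules at a site border. The address prefixes are assumed (taken from the IETF documentation ranges), and the packets are constructed in the block itself as test input.

```python
import ipaddress
import struct

# Prefixes this site legitimately owns (constructed example values).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]
# Private/loopback/unspecified ranges: never a valid source on the internet side.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "0.0.0.0/8")]


def parse_ipv4_header(raw: bytes):
    """Return (src, dst, protocol) from the fixed 20-byte IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    if raw[0] >> 4 != 4:                      # high nibble of byte 0 is the version
        raise ValueError("not an IPv4 packet")
    proto = raw[9]                            # byte 9 is the protocol number
    src = ipaddress.ip_address(raw[12:16])    # bytes 12-15: source address
    dst = ipaddress.ip_address(raw[16:20])    # bytes 16-19: destination address
    return src, dst, proto


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def classify(direction: str, raw: bytes) -> str:
    """Apply ingress/egress rules to one packet; returns ACCEPT or a DROP reason."""
    src, _dst, _proto = parse_ipv4_header(raw)
    if direction == "inbound":
        # Ingress filtering: a packet arriving from outside must not claim
        # one of our own addresses or an unroutable source.
        if _in_any(src, INTERNAL_PREFIXES):
            return "DROP: inbound packet claims an internal source (spoofed)"
        if _in_any(src, BOGON_PREFIXES):
            return "DROP: inbound packet from unroutable (bogon) source"
        return "ACCEPT"
    if direction == "outbound":
        # Egress filtering: only packets sourced from our own prefixes may leave,
        # so a compromised host here cannot spoof someone else's address.
        if not _in_any(src, INTERNAL_PREFIXES):
            return "DROP: outbound packet with a source address we do not own"
        return "ACCEPT"
    raise ValueError("direction must be 'inbound' or 'outbound'")


def build_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 header (checksum zeroed) purely as test input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)
```

Note that the /25 prefix matters: a packet from 198.51.100.200 is outside 198.51.100.0/25 and is correctly dropped on egress even though it shares the first three octets.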
IP spoofing is unpreventable. However, with good cybersecurity practices and solutions, your organization can keep cybercriminals from infiltrating your systems and ensure maximum efficiency and growth.