T 5.48 IP spoofing

IP spoofing is a method of attack under which incorrect IP addresses are used to disguise one's true identity to the IP system being attacked.

With many protocols of the TCP/IP family, authentication of the communicating IT systems is effected exclusively via the IP address, which is easy to falsify. If an attacker also exploits the fact that the sequence numbers used by computers for synchronisation when establishing a TCP/IP connection are easy to guess, it is possible to send packets with any sender address, so that services configured to trust that address, such as rlogin, can be used. In this case, however, the attacker may have to accept that he/she will not receive any response packets from the computer that is being misused.

Other services threatened by IP spoofing are rsh, rexec, X-Windows, RPC-based services such as NFS, and TCP Wrapper, which is otherwise a very worthwhile tool for setting up access control on TCP/IP networked systems. Unfortunately, the addresses used in Layer 2 of the OSI model, such as Ethernet or hardware addresses, are also easy to falsify and therefore provide no reliable basis for authentication.

In LANs in which the Address Resolution Protocol (ARP) is used, even more effective spoofing attacks are possible. ARP is used to find the 48-bit hardware or Ethernet address belonging to a 32-bit IP address. If no corresponding entry is found in the computer's internal ARP table, an ARP broadcast packet carrying the unknown IP address is transmitted. The computer with this IP address then transmits an ARP response packet back with its hardware address. As ARP response packets are not protected against manipulation, it is usually sufficient to gain control over one computer in the LAN in order to compromise the entire network.
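The forged ARP responses described above can be detected passively by tracking which hardware address answers for which IP address. The following is an added example, not part of the catalogue text; the ArpMonitor class, the addresses and the sample replies are constructed for illustration.

```python
# Added example (not from the BSI catalogue): flag forged ARP replies by
# watching for conflicting IP-to-MAC bindings on the local segment.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture time in seconds (constructed sample values)
    sender_ip: str   # IP address the reply claims to own
    sender_mac: str  # hardware address offered for that IP

class ArpMonitor:
    """Learns IP->MAC bindings from ARP replies; a binding that changes, or a MAC
    answering for several IPs, is the manipulation the catalogue text describes."""
    def __init__(self, trusted=None):
        # Optional static entries (e.g. the default gateway) that must never move.
        self.trusted = {ip: m.lower() for ip, m in (trusted or {}).items()}
        self.bindings: dict[str, str] = {}
        self.ips_per_mac: dict[str, set[str]] = defaultdict(set)
        self.alerts: list[str] = []

    def observe(self, r: ArpReply) -> list[str]:
        mac = r.sender_mac.lower()
        found = []
        if r.sender_ip in self.trusted and self.trusted[r.sender_ip] != mac:
            found.append(f"{r.ts}: {r.sender_ip} claimed by {mac}, trusted is {self.trusted[r.sender_ip]}")
        old = self.bindings.get(r.sender_ip)
        if old is not None and old != mac:
            found.append(f"{r.ts}: {r.sender_ip} moved from {old} to {mac}")
        self.bindings[r.sender_ip] = mac
        self.ips_per_mac[mac].add(r.sender_ip)
        if len(self.ips_per_mac[mac]) > 1:
            found.append(f"{r.ts}: {mac} answers for {sorted(self.ips_per_mac[mac])}")
        self.alerts.extend(found)
        return found

# Constructed capture: gateway and a workstation answer genuinely, then the
# workstation's MAC starts answering for the gateway's IP as well.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.0.2.1", "02:00:00:00:00:01"),
    ArpReply(2.0, "192.0.2.50", "02:00:00:00:00:32"),
    ArpReply(3.0, "192.0.2.1", "02:00:00:00:00:32"),  # forged reply
]

def run_sample() -> list[str]:
    mon = ArpMonitor(trusted={"192.0.2.1": "02:00:00:00:00:01"})
    for r in SAMPLE_REPLIES:
        mon.observe(r)
    return mon.alerts  # three alerts, all raised by the forged reply
```

In a real deployment the replies would come from a packet capture on the segment, and the static table would hold the gateway and other hosts whose bindings are known in advance.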