CITS3002 Computer Networks  

Internet protocol (IP) spoofing

The spoofing of IP packets allows an intruder on the Internet to effectively impersonate a local system's IP address.

In general, IP spoofing and related attacks are possible because programs (possibly requiring superuser access) can open raw sockets, and then create and send malformed IP packets.

An attacker uses source address spoofing for two reasons:

  • to gain access to resources that only accept requests from specific source addresses, or
  • to hide the source of an attack by directing the blame at others.

Note that some attacks employing these mechanisms are possible even when no reply/response packets can be routed back to the attacker.

If other local systems perform simple session authentication based on the IP address of a connection (e.g. an rlogin with .rhosts or /etc/hosts.equiv files under Unix), they will believe incoming connections from the intruder actually originate from a local 'trusted host' and may not request a password.

Other services, such as the Network File System (NFS), Server Message Block (SMB), and TCP wrappers, all include the source address (or system name, in the case of NFS) as part of their access control checks.

It is possible for forged packets to penetrate firewalls based on packet-filtering routers if the router is not configured to block incoming packets with source addresses in the local domain.
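The router rule described above can be sketched as follows. This is an added example, not part of the original lecture notes. The interface names, the local prefix (a documentation range) and the sample packets are all constructed assumptions, and the check on the internal interface goes one step beyond the text by also refusing non-local sources leaving the site.

```python
import ipaddress

# Assumed site layout (constructed): a documentation prefix stands in
# for the local domain; interface names are hypothetical.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
EXTERNAL_IF = "ext0"
INTERNAL_IF = "int0"


def is_local(addr):
    """True if addr lies inside one of the local-domain prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)


def filter_packet(in_iface, src, dst):
    """Decide on a packet from its arrival interface and source address.

    Returns a (verdict, reason) pair; verdict is "accept" or "drop".
    dst is carried only so the decision can be logged with it.
    """
    try:
        src_local = is_local(src)
    except ValueError:
        return ("drop", "unparseable source address")
    if in_iface == EXTERNAL_IF:
        # The rule from the text: a packet arriving from outside cannot
        # legitimately carry a source address in the local domain.
        if src_local:
            return ("drop", "local source address on external interface")
        return ("accept", "external source")
    if in_iface == INTERNAL_IF:
        # Added generalisation: local hosts may only send with local sources.
        if not src_local:
            return ("drop", "non-local source address on internal interface")
        return ("accept", "local source")
    return ("drop", "unknown interface")


# Constructed sample traffic: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("ext0", "198.51.100.7", "192.0.2.10"),  # ordinary inbound packet
    ("ext0", "192.0.2.20", "192.0.2.10"),    # claims to be a local 'trusted host'
    ("int0", "192.0.2.20", "198.51.100.7"),  # ordinary outbound packet
    ("int0", "203.0.113.5", "198.51.100.7"), # forged source leaving the site
]


def run_samples():
    """Return the verdict for each constructed sample packet, in order."""
    return [filter_packet(*pkt)[0] for pkt in SAMPLE_PACKETS]
```

A packet filter with only the external-interface rule already defeats the 'trusted host' impersonation described earlier, because the forged connection never reaches the host that trusts the address.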


CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p7, 15th May 2024.