What is IP spoofing and how can you protect yourself?

What is IP spoofing?

IP spoofing is when a hacker changes a packet’s original IP address to a fake one, most often making it look like the traffic is coming from a legitimate source. Hackers can also make it work the other way round and mask the receiver’s IP instead. What makes IP spoofing possible on the internet?

Your traffic gets divided into packets to send and receive information over the internet. They are all sent individually and are assembled at their destination – the receiver’s device or a website's servers, for example. Every packet of data you send has an IP header that contains information such as the source's and receiver’s IP addresses. In a normal connection this data packet is transferred over the TCP/IP protocol.

However, this protocol has a loophole. It needs to complete a three-way TCP handshake to transfer information between two parties. Here’s how it works:

1. The source sends a SYN message to the receiver. This establishes a connection and helps the two devices synchronize their sequence numbers;
2. The receiver then sends an ACK message – an acknowledgement that the SYN was received.
3. Source sends a SYN-ACK message back to the receiver and confirms the secure connection.

How does IP spoofing work?

In the most basic IP spoofing attack, the hacker intercepts the TCP handshake before step 3, that is before the source manages to send its SYN-ACK message. Instead, the hacker sends a fake confirmation including their device address (MAC address) and a spoofed IP address of the original sender. Now the receiver thinks that the connection was established with the original sender, but they’re actually communicating with a spoofed IP.

For a briefer IP spoofing explanation check our video below.

IP spoofing dangers

Creative hackers have come up with countless different ways to use spoofing maliciously. It can be used to attack individual users, servers, and even applications. Here are three of the most common malicious uses of IP spoofing:

#1 Bypass firewalls and IP authorization

IP address spoofing is most often used to bypass basic security measures such as firewalls that rely on blacklisting. This means that even if the attacker’s original IP is on the blacklist and should be blocked, it will get through as they’ll be hiding behind a spoofed IP.

This also applies to systems that have whitelists and only allow connection from “trusted” IPs. A bad actor can spoof a trusted IP and get into your computer network. Once they are in they can freely explore what’s inside. This is why companies shouldn’t rely on IP authorization only and use other authentication methods as well.

#2 Denial of service attacks

In a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, a server or a website is brought down by an overwhelming number of fraudulent requests. These requests are often made by devices infected with botnet worms whose owners don’t even know they’re part of a hacker’s private army.

However, IP spoofing can also be used to redirect fraudulent communications. The hacker can send out millions of requests for files and spoofs the IP addresses so all of those servers send their responses to the victim’s device.

#3 Man-in-the-middle attacks

These attacks are most common in unsecure Wi-Fi locations like cafes and airports. If you’re browsing an insecure HTTP address, a hacker can use IP spoofing to pretend they’re both you and the website or online service you’re speaking to, thereby fooling both parties and gaining access to your communications.

In a man-in-the-middle attack, none of the data you share is safe because a hacker is sitting there and “sniffing” all the information you exchange. Even seemingly innocent details can help them in future attacks or lead them breaking into your accounts. One of the best defenses against these types of attacks is a VPN.

Is IP spoofing illegal?

IP spoofing isn’t illegal if you don’t do anything illegal with it. For example, you may be using a VPN service or a proxy to change your IP in order to browse the internet safely and securely. Website administrators can also use programs to create thousands of fake online visitors to perform stress tests on their websites and servers.

However, IP spoofing is considered illegal if someone pretends to be someone else by using their IP and commits cyber crimes such as identity theft.

How to prevent IP spoofing

Detecting IP spoofing is next to impossible. And even if detected, it can be too late. However, there are a few methods to protect yourself from IP spoofing:

• Monitoring networks for atypical activity;
• Using stronger verification methods;
• Placing a portion of your computing resources behind a firewall;
• Migrating websites from IPv4 to IPv6;
• Implementing ingress and egress filtering;
• Using Deep Packet Inspection (DPI).

It’s almost impossible for an everyday user to spot IP spoofing, but to minimize the risks, you should:

1. Only visit secure HTTPS websites. These websites run using the TLS/SSL protocol, meaning their connection is encrypted and secure.
2. Use an antivirus software. Antivirus software will help you if someone does manage to spoof your traffic. A powerful antivirus program will scan incoming data packets to see if they contain known malicious code. This isn’t a complete defense, but it’s good to have in any case!
3. Use a VPN. By encrypting your traffic, NordVPN makes it very difficult for hackers to view your traffic or spoof either your or your destination’s IP addresses. In addition, NordVPN’s CyberSec feature can help protect you from malicious or hacked sites that could expose you to spoofing attacks.

Improve your cybersecurity with NordVPN. Try now with a 30-day money-back guarantee!