

The "INTERNET PROTOCOL (IP)" is the principal communication protocol in the Internet Protocol suite for relaying datagrams across network boundaries. This protocol also defines addressing methods (i.e. IP addresses) that are used to label the datagram with source and destination information.

An Internet Protocol address (IP address) is a numerical label (i.e. IPv4 & IPv6 addresses) assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions:

  • Host or Network Interface Identification &
  • Location Addressing.

    "Your IP address is your passport to the Internet. But it also gives away your location and is used to profile your individual online activity."


    In IP Spoofing, a hacker uses tools to modify the source address in the packet header to make the receiving computer system think the packet is from a trusted source, such as another computer on a legitimate network, and accept it. Because it occurs at the network level, there are no external signs of tampering.

    The ability to spoof the addresses of packets is a core vulnerability exploited by many DDoS attacks.

    What is IP Spoofing?

    Sending and receiving IP packets is a primary way in which networked computers and other devices communicate, and constitutes the basis of the modern internet.
    All IP packets contain a header which precedes the body of the packet and contains important routing information, including the source address.
    In a normal packet, the source IP address is the address of the sender of the packet. If the packet has been spoofed, the source address will be forged.
    IP address spoofing is most frequently used in denial-of-service attacks, where the objective is to flood the target with an overwhelming volume of traffic, and the attacker does not care about receiving responses to the attack packets.

    Packets with spoofed IP addresses are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack.


  • Blind Spoofing:
    In this type of attack, the attacker transmits multiple packets to his intended target to receive a series of sequence numbers, which are generally used to assemble packets in the order in which they are intended to be read, i.e. packet 1 first, then packet 2 and then packet 3. In this attack, the hacker is not aware of how transmissions take place on the network, so he needs to coax the machine into responding to his own requests so that he can analyze the sequence numbers. The attacker can then inject data into the stream of packets without having authenticated himself when the connection was first established.
  • Non-Blind Spoofing:
    In this type of attack, the cracker resides on the same subnet as his intended target, so he is aware of the sequence of the packets. Hence the attack is called non-blind spoofing.
  • Distributed Denial of Service (DDoS) Attack:
    When a DDoS attack is launched, IP spoofing is used so that the exact machines from which the requests are coming cannot be identified. This makes the DDoS attack more powerful, because it is difficult to identify the senders and block them.
  • Man In The Middle (MITM) Attacks:
    When two machines are communicating with each other, the attacker intercepts the packets sent by the systems and alters them, with the sending and receiving machines unaware that their communication has been tampered with.

    Working of IP Spoofing Attacks

    A user accesses the Internet from his/her local computer, which has the IP address “”. When an IP spoofing attack occurs, this address is hidden and the user sends packets indicating the spoofed IP address “”, which is an authorized IP address. IP addresses are used to identify each computer in the network. In Internet communication, data is transferred in the form of packets, i.e. the client sends web requests in the form of data packets to the server and the web server sends back its responses in the form of data packets. When a client sends a packet to the server, the packet carries the IP address of the computer it is coming from. When an IP spoofing attack occurs, this source detail, the IP address that specifies the sender of the packet, is not the actual address but a bogus IP address that is permitted to access the website. This makes the server handle the request packet as if it were coming from the permitted user. Thus the server grants access to the attacker, which can cause various security threats. This is how IP spoofing works.


    For application layer connections to be established, the host and visitor are required to engage in a process of mutual verification, known as a TCP three-way handshake.
    The process consists of the following exchange of synchronization (SYN) and acknowledgement (ACK) packets:
  • Visitor sends a SYN packet to a host.
  • Host replies with a SYN-ACK.
  • Visitor acknowledges receipt of the SYN-ACK by replying with an ACK packet.

    Source IP spoofing makes the third step of this process impossible, as it prevents the visitor from ever receiving the SYN-ACK reply, which is sent to the spoofed IP address.
    Since all application layer attacks rely on TCP connections and the closure of the 3-way handshake loop, only network layer DDoS attacks can use spoofed addresses.
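
The three-step exchange above, modelled as an added example (not code from the original article), to show why a sender using a forged source address is left with a half-open connection on the host. The class and function names and the sample addresses are assumptions for illustration; only sequence-number bookkeeping is modelled, no packets are sent.

```python
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class Host:
    """Server side of the handshake, reduced to sequence-number bookkeeping."""

    def __init__(self):
        self.half_open = {}       # claimed source address -> server ISN
        self.established = set()

    def on_syn(self, claimed_src, client_isn):
        """Steps 1-2: record state and address the SYN-ACK to the claimed source."""
        server_isn = secrets.randbits(32)
        self.half_open[claimed_src] = server_isn
        return {"to": claimed_src, "seq": server_isn,
                "ack": (client_isn + 1) % MOD}

    def on_ack(self, claimed_src, ack):
        """Step 3: only an ACK of server ISN + 1 completes the connection."""
        server_isn = self.half_open.get(claimed_src)
        if server_isn is None or ack != (server_isn + 1) % MOD:
            return False
        del self.half_open[claimed_src]
        self.established.add(claimed_src)
        return True


def handshake(host, real_addr, claimed_src):
    """Run the exchange; replies are delivered by destination address only."""
    syn_ack = host.on_syn(claimed_src, secrets.randbits(32))
    if syn_ack["to"] != real_addr:
        # The SYN-ACK went to the claimed address, so the real sender never
        # learns the server ISN and cannot produce a valid step-3 ACK.
        return "half-open"
    ok = host.on_ack(claimed_src, (syn_ack["seq"] + 1) % MOD)
    return "established" if ok else "rejected"
```

From the host's side, a growing `half_open` table with no matching ACKs is the visible trace of such traffic.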


  • Checking systems for atypical activity
  • Deploying packet filtering to identify irregularities (like active packets with source IP addresses that do not match those on the organization’s network)

  • Packet Filtering:
    While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from infiltrating a network.
    Ingress filtering is a form of packet filtering usually implemented on a network edge device which examines incoming IP packets and looks at their source headers.
    If the source headers on those packets don’t match their origin or they otherwise look fishy, the packets are rejected.
    Some networks will also implement egress filtering, which looks at IP packets exiting the network, ensuring that those packets have legitimate source headers to prevent someone within the network from launching an outbound malicious attack using IP spoofing.
  • Deep packet inspection (DPI):
    The DPI approach uses granular analysis of all packet headers rather than just the source IP address. With DPI, mitigation solutions are able to cross-examine the content of different packet headers to uncover other metrics to identify and filter out malicious traffic.
  • Robust Verification Strategies:
    One should use these strategies among all networked computers within the system.
  • Follow “Castle And Canal” Defense:
    The idea behind the “castle and canal” defense is that those outside the organization are potential threats, and those inside are trusted.
  • Enable Multi-Step authentication:
    One should consider using simple confirmation measures, such as multi-step authentication, as a defense against spoofing techniques.
  • Confirming All IP Addresses:
    Every incoming and outgoing IP address within the system must be confirmed, and a powerful attack blocker should be employed.



    About Author :

    Mittal Kapadiya

    Mittal Kapadiya has strong skills and experience in Android & Web Application development. She has an excellent grasp of Python and various OSes (Linux, Ubuntu & Windows). She is keen on Ethical Hacking and System Security aspects and has good knowledge of them. Currently she is pursuing a Master's in CYBER Security and is an active blogger at CYBER4ALL.