How does an IP address get spoofed?

I’m sorry if this is a dumb question. But, is it possible to mask an IP address with another?
If so, how?

4 Likes

It’s not a dumb question bro.

When your computer sends packets, it’s your computer’s responsibility to fill out the “from IP address” field in each one. Your computer can absolutely lie, and fill out an IP address that doesn’t belong to it.

However, there are a few obstacles to spoofing IP addresses in practice. First, your ISP may recognize that “hey, this IP doesn’t belong to you!” and refuse to forward the packets on your behalf. Not every ISP does this, because it’s an extra step, and everything still works if you don’t double check every address.

Second, if you want to receive a response from whoever you’re talking to, then you need to give them your real IP. This is the same as sending a piece of mail: writing the wrong return address on the envelope is easy, but any replies will go to the address you wrote. Since most Internet traffic consists of back-and-forth TCP connections, spoofing an address isn’t useful for much besides denial of service attacks.

2 Likes

It’s easy to spoof an IP, but it is harder to get a reply when you spoof.

Is it really? Easy for you or anyone?

I think what is meant here is that the recipient of your spoofed packet will send a response to the IP you used instead of your actual machine, i.e. you don’t get the reply.

…but sending the packet with the wrong IP is possible?

The operating systems don’t lock that down?

Your own computer will not stop you from constructing a packet with a different source IP.

To successfully complete a spoof attack, you have to either exploit the routing (like IP source routing) to get packets sent to you, or use ARP poisoning to get them sent to you.

This is the tricky part, as IP source route is not a common thing to see in the wild, and ARP poisoning requires you to be on the same layer 2 network as the victim (which may or may not be difficult) to do an ARP poison. 30 years ago it was easy, since hubs just forwarded packets down every port, but switches keep ARP tables mapped to ports to know where to send traffic.

If you have layer 2 access, you can do an ARP poison pretty easily; there are tools to do it.

Is source routing difficult?

You depend on routers having it enabled, which is typically something nobody has used in decades.

Say I have an IP of X, but I want some activity to be reported as IP Y.

Not a communication back and forth, but a one-way.

Is that possible without layer 2 access or special hardware?

It’s trivial to spoof UDP packets. Hence BCP 38.

Ah, that makes sense.

Is that an option anyone has or something only employable by sophisticated attackers?

BCP 38 is a defense for spoofed UDP packets. Basically it checks to see if there is a route back to the IP address in the source address the way it came. It has its own set of issues though, especially with multi-homing, which companies use all of the time. I’m not really up to date on how well it’s deployed, but in simple cases it’s a pretty trivial check.
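The reverse-path check described in the post above, as an added example that is not part of the original thread: a small Python model of a router deciding whether a packet's source address is plausible for the interface it arrived on, including the multi-homing case where a legitimate packet gets dropped. The forwarding table, interface names and sample packets are constructed for illustration, and the "loose" variant (accept if any route exists) is included for comparison.

```python
import ipaddress

# Constructed forwarding table for a hypothetical provider edge router:
# destination prefix -> interface of the best path. All names are made up.
FIB = {
    "198.51.100.0/24": "cust1",  # single-homed customer
    "203.0.113.0/24": "isp_b",   # multi-homed customer attached on cust2,
                                 # but the best route back is via its other ISP
}

def best_iface(src, fib=FIB):
    """Longest-prefix match on the source address, as if it were a destination."""
    ip = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in fib.items()
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def strict_check(src, in_iface, fib=FIB):
    """Accept only if the route back to src leaves via the arrival interface."""
    return best_iface(src, fib) == in_iface

def loose_check(src, fib=FIB):
    """Accept if any route to src exists, regardless of interface."""
    return best_iface(src, fib) is not None

# Constructed sample packets: (source address, arrival interface, note)
PACKETS = [
    ("198.51.100.7", "cust1", "customer using its own address"),
    ("192.0.2.55",   "cust1", "source with no route back at all"),
    ("203.0.113.9",  "cust1", "another customer's address on the wrong port"),
    ("203.0.113.9",  "cust2", "multi-homed customer, asymmetric return path"),
]

def evaluate(packets=PACKETS):
    """Return (src, iface, strict_ok, loose_ok) for each sample packet."""
    return [(s, i, strict_check(s, i), loose_check(s)) for s, i, _ in packets]

if __name__ == "__main__":
    for (src, iface, strict_ok, loose_ok), (_, _, note) in zip(evaluate(), PACKETS):
        print(f"{src:14} on {iface:6} strict={'pass' if strict_ok else 'DROP'} "
              f"loose={'pass' if loose_ok else 'DROP'}  # {note}")
```

The last sample packet is the multi-homing problem: the strict check drops legitimate traffic because the best return path is on a different interface, while the loose check passes it but also passes the third packet, which carries another customer's address.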

VPN. That will mask your public IP.

What if I have an IP A.B.C.D that I choose that I want to be displayed as my IP?

VPN you don’t choose. I’ll sit back and listen.