Every computer in a network is identified with an internet protocol (IP) address, which it uses to communicate with other devices on the same network. IP addresses come in different forms, the more common form, known as IPv4, gives each computer a 32bit identifier (e.g. 192.168.34.12).
On some networks, security of digital assets and applications is maintained by specifying which IP addresses can access which resources. An IP spoofing attack happens when a malicious actor masks their identity by presenting themselves with the IP address of a legitimate device to gain access to resources that would otherwise be beyond their reach.
For instance, access to a server might be limited to a specific set or range of IP addresses. A hacker manipulates its network packets so that the sender’s address reads as that of a legitimate computer. By doing this, the attacker tricks the server into thinking the packets are coming from an authorized device.
Hackers use IP spoofing in a number of different ways, including staging DDoS attacks, in which attackers drain the resources of a server by flooding it with bogus network traffic. IP spoofing can also be used in man-in-the-middle attacks. In this case, the attacker stands in between two communicating parties, spoofing each of their addresses to the other. This way, each of the victims sends their network packets to the attacker instead of directly sending it to its real destination.
The biggest defense against MitM attacks conducted through IP spoofing is to use encrypted communications. When the information being two parties is encrypted with a key that only they hold, it will make sure that even if a malicious party manages to intercept the traffic, they won’t be able to read or manipulate its contents. Authenticating user identities also prevents hackers from gaining unauthorized access to network resources by simply spoofing their IP address.
Routers may detect spoofed packets when the packets pass through them only , and if the target and attacker are both on the same sub-net then this technique does not work. The Host receives a suspicious packet can also use certain techniques to determine whether or not the IP address is spoofed.
Bogon filtering is the practice of filtering bogons, which are bogus (fake) IP addresses of a computer network. Bogons include IP packets on the public Internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR) and allowed for public internet use. The areas of unallocated address space are called the bogon space.
Bogons also include reserved private address and link-local address ranges, such as those in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16, which are reserved for private networks, sometimes also known as Martian packets.
Many ISPs and end-user firewalls filter and block bogons, because they have no legitimate use, and usually are the result of accidental or malicious misconfiguration. Bogons can be filtered by using router access control lists (ACLs), or by BGP blackholing.