IP Spoofing: What It Is and How to Defend Against It
IP spoofing means sending packets with a forged source IP address — one that doesn't belong to you. It sounds simple because it is. And it enables some of the largest-scale attacks on the internet, including amplification DDoS attacks that can generate hundreds of gigabits per second of traffic.
How Spoofing Works in Practice
IP packets contain a source address field that your operating system normally sets to your real IP. Nothing in the IP protocol itself prevents you from putting any address in that field — the protocol is built on trust. An attacker can craft raw packets with arbitrary source addresses and send them from any network that doesn't filter outbound traffic.
Because TCP requires a three-way handshake and responses go to the spoofed source address, spoofing doesn't work for attacks that need a two-way connection. But for one-way protocols like UDP, it works perfectly. The attacker sends a UDP request with a spoofed source IP — the server's response goes to the victim, not the attacker.
Amplification Attacks
Amplification attacks combine spoofing with protocols that return large responses to small requests. DNS is a perfect example: a 40-byte DNS query for a large TXT record can generate a 4,000-byte response — a 100x amplification factor. The attacker sends requests to open DNS resolvers with the victim's IP as the source. The resolvers flood the victim with responses the victim never asked for.
Here's the thing — the attacker needs minimal bandwidth to generate enormous attack traffic at the victim. With a 1Gbps outbound connection and good amplification factors, generating 100Gbps of attack traffic is straightforward. NTP, memcached, and SSDP have even higher amplification factors than DNS.
The BCP38 Problem
BCP38 is a Best Current Practice document from 2000 that defines network ingress filtering — the practice of dropping packets that have source IP addresses impossible for that network. An ISP that routes the 203.0.0.0/8 block should drop outbound packets from its customers with source IPs outside that block. If every ISP implemented BCP38, IP spoofing would be impossible. Not every ISP does. Many developing-world networks don't filter at all.
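The ingress filter BCP38 describes, as an added Python example (not code from the original article): it assumes a constructed list of prefixes assigned to the customers behind one edge interface, and drops any packet whose source is a bogon or lies outside those prefixes, which is exactly the packet an amplification attacker needs to get past the first hop.

```python
import ipaddress

# Constructed example: prefixes assigned to the customers behind one
# ingress interface. A real ISP would take these from its address
# management system or the routing table for that interface.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Sources that are never valid on a customer-facing edge: "this host",
# RFC 1918 private space, loopback, link-local, multicast, unspecified.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "ff00::/8",
)]


def ingress_verdict(src, prefixes=CUSTOMER_PREFIXES):
    """Return 'permit' if src is a plausible source for this interface,
    otherwise 'drop:<reason>' (the BCP38 source-address check)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed-source"
    # `in` returns False across address families, so mixed lists are safe.
    if any(addr in bogon for bogon in BOGON_PREFIXES):
        return "drop:bogon-source"
    if any(addr in net for net in prefixes):
        return "permit"
    # Routable address that was not assigned to this customer: spoofed.
    return "drop:not-in-assigned-prefixes"


def filter_flows(flows):
    """Apply the verdict to (src, dst, proto, dport) records; return drops."""
    dropped = []
    for src, dst, _proto, _dport in flows:
        verdict = ingress_verdict(src)
        if verdict != "permit":
            dropped.append((src, dst, verdict))
    return dropped


# Constructed flow records as seen on the customer-facing interface;
# 192.0.2.53 stands in for an open resolver the spoofed queries target.
SAMPLE_FLOWS = [
    ("203.0.113.42", "192.0.2.53", "udp", 53),       # legitimate customer query
    ("192.0.2.7", "192.0.2.53", "udp", 53),          # spoofed: not a customer prefix
    ("10.1.2.3", "192.0.2.53", "udp", 123),          # private source, never valid here
    ("2001:db8:1::5", "2001:db8:2::53", "udp", 53),  # legitimate IPv6 customer
    ("2001:db8:ffff::1", "2001:db8:2::53", "udp", 53),  # spoofed IPv6 source
]

if __name__ == "__main__":
    for src, dst, verdict in filter_flows(SAMPLE_FLOWS):
        print(f"{src:>18} -> {dst:<14} {verdict}")
```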