IP Spoofing: What It Is and How to Defend Against It
IP spoofing means sending packets with a forged source IP address — one that doesn't belong to you. It sounds simple because it is. And it enables some of the largest-scale attacks on the internet, including amplification DDoS attacks that can generate hundreds of gigabits per second of traffic.
How Spoofing Works in Practice
IP packets contain a source address field that your operating system normally sets to your real IP. Nothing in the IP protocol itself prevents you from putting any address in that field — the protocol is built on trust. An attacker can craft raw packets with arbitrary source addresses and send them from any network that doesn't filter outbound traffic.
Because TCP requires a three-way handshake and responses go to the spoofed source address, spoofing doesn't work for attacks that need a two-way connection. But for one-way protocols like UDP, it works perfectly. The attacker sends a UDP request with a spoofed source IP — the server's response goes to the victim, not the attacker.
Amplification Attacks
Amplification attacks combine spoofing with protocols that return large responses to small requests. DNS is a perfect example: a 40-byte DNS query for a large TXT record can generate a 4,000-byte response — a 100x amplification factor. The attacker sends requests to open DNS resolvers with the victim's IP as the source. The resolvers flood the victim with responses the victim never asked for.
That's the math that makes reflection attacks so dangerous — the attacker needs minimal bandwidth to generate enormous attack traffic at the victim. With a 1Gbps outbound connection and good amplification factors, generating 100Gbps of attack traffic is straightforward. NTP, memcached, and SSDP have even higher amplification factors than DNS.
The BCP38 Problem
BCP38 is a Best Current Practice document from 2000 that defines network ingress filtering — the practice of dropping packets that have source IP addresses impossible for that network. An ISP that routes the 203.0.0.0/8 block should drop outbound packets from its customers with source IPs outside that block. If every ISP implemented BCP38, IP spoofing would be impossible. Not every ISP does. Many developing-world networks don't filter at all.
Why Spoofing Still Works in 2026
The internet has known how to fix IP spoofing since BCP38 was published in 2000. That's 25+ years. The fix is not technically complex. It requires each network to filter packets leaving its network that have source IPs outside its allocated ranges. So why does spoofing still work? Because fixing it requires every network to act, and the benefits of fixing it accrue to other networks — not to the one doing the work. It's a classic coordination problem, not a technical one.
MANRS — Mutually Agreed Norms for Routing Security — is an initiative trying to address this through peer pressure and transparency. Networks that implement BCP38-style filtering, RPKI, and other routing hygiene practices join MANRS and are publicly listed. It creates reputational incentives. Slowly, it's working. But 'slowly' means major reflection amplification attacks are still happening at hundreds of gigabits per second while the policy conversation continues.
Check Your IP for Security Issues
See whether your IP address shows up in threat intelligence or blacklist databases.
Run Security CheckAbout Kunal Khatri
Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.
Related Articles
TLS 1.3: What Changed and Why You Should Care
TLS 1.3 dropped a decade of accumulated cruft from its predecessor and came out faster, more secure, and harder to attack. Understanding what changed matters for anyone running web infrastructure.
Zero-Day Vulnerabilities: What They Are and Why They're Dangerous
A zero-day is a vulnerability that nobody knows about yet — except the people exploiting it. The timeline from discovery to patch is where real damage happens.
SSL Certificates Explained Without the Jargon
SSL certificates enable HTTPS and underpin trust on the web. The certificate system is more complex — and more fragile — than the padlock icon suggests.
What Is a Botnet and How Your Device Could Be Part of One
Botnets are networks of compromised devices under attacker control. They power spam campaigns, DDoS attacks, and fraud — and your home device might be in one right now.
