There are numerous threat names you may hear thrown around when discussions on cyber security take place, but for many internet users, they’re of minimal interest. Phishing, ransomware and other hacks have become so commonplace that it’s easy to become indifferent to them, with many of us finding our inboxes and spam filters filled with potentially malicious junk mail on a daily basis. But IP spoofing isn’t a name on everyone’s tongue, despite the number of spoofed IP attacks increasing 257% in the last year in the online gaming industry alone.
IP spoofing is the name given to what might otherwise be called IP forgery or IP fraud. It’s a process whereby an attacker uses a fake IP address to hide their identity and carry out things like Distributed Denial of Service (DDoS) attacks and identity theft. While it isn’t illegal to browse the web under an alternate IP – as many people do when trying to retain their privacy online – using an IP spoof to masquerade as someone else or to carry out a criminal activity is clearly against the law, wherever you are in the world.
Motivations for IP spoofing
Though you could call using an alternate IP to watch international streaming services ‘IP spoofing’, ordinarily when you hear the term it’s in relation to cybercrime rather than ordinary activities. Criminals can use spoofed IPs to carry out monetary theft, or to take down entire computer networks. In the case of the latter, attacks are often designed to distract from an additional incident – such as data theft.
How IP spoofing works
There are two kinds of IP spoofing that are the basis for all the different forms of attack: blind spoofing and non-blind spoofing. When data is sent over a network or the internet, it moves in ‘packets’. These packets of data arrive with headers that contain information like the source IP, the destination IP and a sequence number that tells the receiver which order the packets should be reassembled in.
Non-blind spoofing means that the person carrying out the attack already knows which order the data packets are due to be read in, and can simply modify the sender IP in the packet header. This is usually the case if the hacker has gained access to the network being affected, and it allows them to receive responses to whatever it is that they’re doing.
For example, if someone was hacking a connection between you and your online bank, they would need to carry out a non-blind spoof so that they were able to see the responses between each party. By acting from within your network connection, they could intercept data packets in the correct order and read and amend information travelling in both directions. The third party is simply hijacking an established connection.
In a blind spoof an attacker still transmits data packets, but before they can receive any responses they must first establish which order the data is being read in. Only once they’ve made data transfer attempts and logged the order that packets are processed in can they start to make transfers using fraudulent and malicious data.
These kinds of attack are less common because many operating systems have gotten wise to them and started to use random sequence number generation, but they do still occur. In something like a Denial of Service attack, it isn’t important to a criminal that they are able to receive anything in response to their data transfers – the goal is simply to overwhelm a network by sending as many packets as possible in a short space of time. In this instance, spoofing IPs makes tracking and stopping the attack impossible.
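To make the header fields described above concrete, here is an added example (not code from the article) that builds a minimal IPv4 header, parses the source and destination addresses back out, verifies the header checksum, and applies the kind of border filter that drops packets whose source address is impossible for the interface they arrived on. The internal ranges, bogon list and sample packets are assumptions made for this example.

```python
import ipaddress
import struct

# Constructed example (not from the article): build a minimal IPv4 header,
# parse it back, verify the RFC 791 header checksum and apply a BCP 38-style
# source-address filter at a network border. Ranges/packets are assumed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Source ranges that can never legitimately arrive from the internet.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "224.0.0.0/3")]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload_len: int = 20) -> bytes:
    """20-byte header: IHL 5, DF set, TTL 64, protocol 6 (TCP), checksum filled."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, 6, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]

def parse_ipv4(pkt: bytes) -> dict:
    """Pull source/destination/TTL from the header and validate its checksum."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "ttl": ttl, "proto": proto,
            "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0}

def border_verdict(pkt: bytes, arrived_on_external: bool) -> str:
    """Forward only if the source address is plausible for the arrival interface."""
    hdr = parse_ipv4(pkt)
    if not hdr["checksum_ok"]:
        return "drop: bad header checksum"
    src = ipaddress.ip_address(hdr["src"])
    internal = any(src in net for net in INTERNAL_NETS)
    if arrived_on_external and (internal or any(src in n for n in BOGONS)):
        return "drop: spoofed source %s on external interface" % hdr["src"]
    if not arrived_on_external and not internal:
        return "drop: spoofed source %s leaving internal network" % hdr["src"]
    return "forward"
```

Note that a forged source address cannot be caught by the checksum alone, since the sender recomputes it; the filter works because it compares the claimed source with where the packet physically came from.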
Distributed Denial of Service (DDoS) attacks
You may not know them as an IP spoofing attack, but DDoS attacks are probably the best-known problem in this category. Though they aren’t usually designed to actually steal monetary funds, they tend to be aimed at businesses and can have massive financial impacts.
DDoS attacks have crashed servers everywhere from independent websites to the Bank of America, and because of IP spoofing, they’re incredibly difficult to stop.
A Distributed Denial of Service attack floods the victim’s system with traffic requests, using thousands of spoofed IPs to overwhelm the target system to such an extent that it stops working. Ordinarily, you would block malicious IP addresses attacking your network – but when the IPs in question are so numerous, and can’t be tracked or traced back to their actual origin, stopping a DDoS attack is seriously challenging.
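Because every packet in a spoofed flood can carry a different, untraceable source, a defender gets more from watching the destination than from blocklisting sources. The added example below (not from the article) runs that idea over constructed flow records: it raises an alert for a destination when a one-second window holds a burst in which almost every packet comes from a source seen only once. The record format, thresholds and traffic are assumptions.

```python
from collections import defaultdict

# Constructed example (not from the article): detect a spoofed-source flood
# in flow records of the form (timestamp_ms, src_ip, dst_ip). A spoofed
# flood shows up as a burst in which almost every packet carries a source
# address seen only once, so the detector keys on the destination rather
# than trying to block sources one by one. Thresholds are assumptions.


def detect_floods(records, window_ms=1000, min_packets=50, min_unique_ratio=0.8):
    """Return {dst: (window_start_ms, packets, distinct_sources)} for the
    first window in which each destination looks flooded."""
    buckets = defaultdict(lambda: defaultdict(list))  # dst -> window -> srcs
    for ts_ms, src, dst in records:
        buckets[dst][ts_ms // window_ms].append(src)
    alerts = {}
    for dst, windows in buckets.items():
        for win, srcs in sorted(windows.items()):
            distinct = len(set(srcs))
            # enough traffic AND nearly every packet from a different source
            if len(srcs) >= min_packets and distinct / len(srcs) >= min_unique_ratio:
                alerts[dst] = (win * window_ms, len(srcs), distinct)
                break
    return alerts


def sample_records():
    """Constructed traffic: a small pool of real clients, then a flood of
    synthetic 10.x.y.z sources (made distinct by design) starting at 10 s."""
    normal = [(t * 500, "198.51.100.%d" % (t % 5), "192.0.2.10")
              for t in range(40)]
    flood = [(10_000 + i * 10, "10.%d.%d.%d" % (i % 7, i % 11, i % 13),
              "192.0.2.10") for i in range(200)]
    return normal + flood
```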
Man-In-The-Middle (MITM) attacks
MITM attacks are the top pick for hackers looking to commit mobile banking fraud. Some are as simple as a hacker intercepting an email and editing it before sending it on its way, hidden behind the IP of the original sender. Others are more complex, like STP route poisoning and port stealing.
In conveyancing fraud, for example, a hacker typically intercepts emails sent between would-be house buyers and their agents – amending payment details for the transfer of funds, before allowing the email to continue on its original path. When money changes hands online, MITM attacks are the difference between your payment arriving safely or being stolen without a trace.
How to avoid IP spoofing
If you’re worried that someone might spoof your IP and use it to intercept emails and payment details, there are steps you can take to stay protected.
They aren’t yet as mainstream as antivirus and password managers, but Virtual Private Network (VPN) services are invaluable in preventing third parties from finding out your IP address or accessing your transferred data. VPNs hide your real IP and allow you to browse the internet anonymously, but if a third party did try to intercept your connection using your new, replacement address, they’d be thwarted by a layer of end-to-end encryption.
High-level encryption, like that offered by a VPN, turns your data from legible text into ciphertext that can’t be read without the key. Any third party trying to read your data will be stumped, and they’ll have no chance to edit what’s being sent or inject their own information into it.
If you’re using a VPN for the first time and want to be sure that your IP is hidden, use a tool like HMA!’s IP address checker to see whether your IP changes after the VPN connection is activated.