
Thursday, April 23, 2009

Tracing spoofed IP packets

The article explains the concept of IP spoofing. According to the article, spoofing is a sophisticated technique in which the attacker gains access to a machine or network by forging packets so that they appear to come from a trusted machine; it is one of the most common forms of online camouflage. IP spoofing attacks are carried out for illegitimate purposes: the attacker wants to hide their own identity and deliver malicious messages to the destination as if they came from a trusted machine. The main reason IP spoofing is possible is a weakness of the TCP/IP protocol suite itself. Internet Protocol (IP) is the network protocol operating at layer 3 (the network layer) and is used to route information across the Internet. An IP datagram consists of an IP header and a data part, where the header carries the source address and the destination address. One can easily manipulate the source and destination addresses in the IP header with ordinary socket programming knowledge. Furthermore, IP is a connectionless protocol, so it does not validate whether the source address in a packet really belongs to the node that generated it or is a spoofed address. Once the address is spoofed, the target machine believes the data is coming from the trusted source.
The author of the article describes different methods of spoofing. Scanning is a process in which the attacker connects to the host and gathers information about open ports, the operating system, or even the applications running on the host; the attacker then tries to exploit a vulnerability associated with the system. Predicting the sequence number of a TCP connection is another way to attack systems. Sequence and acknowledgement numbers provide validation in TCP, since it is a connection-oriented protocol. These numbers are generated pseudo-randomly; with IP spoofing, an attacker who can determine the algorithm that generates them may intercept sessions created by the TCP hosts. A denial of service attack leaves half-open connections in which the receiver waits for the final ACK from the attacker's machine. The attacker keeps sending such packets until there is no space left to store connection state, so the victim machine has to deny connection service to legitimate sources. Besides these attacks there are many other ways, such as hijacking authorized sessions and flooding. Spoofing can even reveal the state of a firewall (i.e., whether it is stateful or stateless).

The author feels that detecting IP spoofing and tracing packets back to the originating source will help defend against IP spoofing.

Detection of IP spoofing
To detect spoofed IP addresses, switches with the IP Source Guard feature can match the MAC address of a host against the dynamic IP address assigned by DHCP or the static IP address assigned by the administrator. If there is no match, the packets are dropped. This method has its own limitation, however: it does not work if the host is in the same subnet.

Generally, an IP traceback facility is used to determine the spoofing source; hop-by-hop traceback and logging of suspicious packets at the router are the two approaches. In the former method, when spoofing occurs the ISP has to be informed so that it can trace back through the routers and ultimately reach the attacker. In the latter method, the router knows the networks attached to each of its interfaces, and when it sees a source IP address that does not belong to the interface it arrived on, it can log the packet as suspicious and help locate the source.
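As an added illustration of the router-side logging method (this is example code, not from the article or this post), the following Python models a router that knows which source prefixes belong on each ingress interface and logs packets whose source address does not fit that interface; the interface names, prefixes and sample packets are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed (hypothetical) table: source prefixes the router expects on each
# customer-facing interface, using documentation prefixes as sample values.
INTERNAL_PREFIXES: Dict[str, List[str]] = {
    "eth0": ["192.0.2.0/24"],
    "eth1": ["198.51.100.0/24"],
}
UPSTREAM_IFACE = "eth2"  # assumed name of the interface toward the Internet

def build_table(raw: Dict[str, List[str]]):
    # Parse the prefix strings once into ip_network objects.
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in raw.items()}

def check_packet(table, iface: str, src: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for a packet with source src seen on iface."""
    addr = ipaddress.ip_address(src)
    if iface == UPSTREAM_IFACE:
        # An internal source address arriving from outside cannot be genuine.
        for inside_iface, nets in table.items():
            if any(addr in n for n in nets):
                return True, f"{src} is a {inside_iface} prefix but arrived on upstream"
        return False, "ok"
    nets = table.get(iface)
    if nets is None:
        return True, f"unknown ingress interface {iface}"
    if any(addr in n for n in nets):
        return False, "ok"
    return True, f"source {src} does not belong to any prefix on {iface}"

def scan(table, packets):
    """Log every suspicious packet, the way the router in the text would."""
    log = []
    for iface, src, dst in packets:
        suspicious, reason = check_packet(table, iface, src)
        if suspicious:
            log.append(f"SUSPICIOUS iface={iface} src={src} dst={dst}: {reason}")
    return log

# Constructed sample packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("eth0", "192.0.2.10", "203.0.113.7"),    # genuine host on eth0
    ("eth0", "198.51.100.9", "203.0.113.7"),  # eth1 address forged on eth0
    ("eth2", "203.0.113.7", "192.0.2.10"),    # genuine inbound traffic
    ("eth2", "192.0.2.10", "192.0.2.20"),     # internal address from outside
]

if __name__ == "__main__":
    for line in scan(build_table(INTERNAL_PREFIXES), SAMPLE_PACKETS):
        print(line)
```

Running it logs the two forged packets and leaves the two genuine ones unlogged; a real router would apply the same idea to its own routing table rather than a hand-written prefix list.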

Since IP spoofing is a shortcoming of the TCP/IP protocol suite itself, removing it completely is difficult; however, the threat can be reduced to a large extent with the detection process explained above, which is the main point of the article.
