What Is IP Address Spoofing In DDoS

What Is Spoofing

Spoofing refers to altering an address to impersonate someone else. Spoofing may be used to launch DDoS attacks at the level of the Internet Protocol (IP), the Address Resolution Protocol (ARP) and the Domain Name System (DNS).

What Is IP Address Spoofing

The Internet Protocol (IP) header includes the source IP address of the sender of the data packet. That source address may be altered to disguise the attacker's true origin IP.

IP Address Spoofing In DDoS Attacks

In an IP address spoofing DDoS attack, the attacker modifies the source IP address of each data packet to disguise the origin of the traffic. A botnet is a collection of infected or compromised machines (bots) that are geographically distributed; these botnets may be remotely instructed to launch DDoS attacks. The source address modification is used to mask the identity and location of the compromised, malware-infected bots.

IP address spoofing may also be used to launch a reflected DDoS attack. In a reflected DDoS attack, the attacker sends requests with a forged source IP to DNS resolvers, NTP servers and other intermediary servers, so that the servers' replies are reflected to the spoofed address rather than back to the attacker. The objective of the reflected attack is amplification: a few small requests produce much larger responses, using techniques such as DNS amplification, the Smurf attack or NTP amplification.

IP address spoofing may also be used to exhaust application server resources. This is done by spoofing the source IP address during the three-way TCP handshake (SYN, SYN-ACK, ACK): because the forged address never sends the final ACK, the receiving server never sees a completed handshake and may be left holding the resources it allocated for the half-open connection.

Anti-Spoofing In DDoS Protection

There are many solutions to prevent DDoS attacks that use IP spoofing.
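Before turning to the individual measures, here is an added example (not code from the original article) of how the half-open handshake condition described above looks to a defender. The Python script replays a constructed set of TCP segments as a sensor in front of a server might see them, pairs each SYN with the server's SYN-ACK and the client's ACK, and flags a server whose half-open handshakes dominate its completed ones. All addresses, ports, the half-open threshold of 5 and the 50% completion ratio are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample: TCP segments as a sensor in front of server 10.0.0.5
# might see them. Each tuple is (timestamp, src, sport, dst, dport, flags)
# with flags "S" (SYN), "SA" (SYN-ACK) or "A" (ACK).
SAMPLE_SEGMENTS = []

# three legitimate clients complete the handshake
for i, client in enumerate(["192.0.2.10", "192.0.2.11", "198.51.100.7"]):
    t, port = i * 0.1, 40000 + i
    SAMPLE_SEGMENTS += [
        (t, client, port, "10.0.0.5", 443, "S"),
        (t + 0.01, "10.0.0.5", 443, client, port, "SA"),
        (t + 0.02, client, port, "10.0.0.5", 443, "A"),
    ]

# eight SYNs carrying forged source addresses: the SYN-ACK is sent to a host
# that never asked for a connection, so the final ACK never comes back
for i in range(8):
    forged, port, t = f"203.0.113.{i + 1}", 50000 + i, 1.0 + i * 0.01
    SAMPLE_SEGMENTS += [
        (t, forged, port, "10.0.0.5", 443, "S"),
        (t + 0.001, "10.0.0.5", 443, forged, port, "SA"),
    ]


def track_handshakes(segments):
    """Replay segments in time order and classify each client-initiated
    handshake. Returns {server_ip: {"completed": n, "half_open": m}} where
    half_open counts handshakes for which the server sent a SYN-ACK but the
    client's ACK was never seen (the server is still holding state)."""
    pending = {}  # (client, cport, server, sport) -> "syn" | "synack"
    stats = defaultdict(lambda: {"completed": 0, "half_open": 0})
    for ts, src, sport, dst, dport, flags in sorted(segments, key=lambda s: s[0]):
        if flags == "S":
            pending[(src, sport, dst, dport)] = "syn"
        elif flags == "SA":
            # the server answers, so the connection key is the reverse direction
            key = (dst, dport, src, sport)
            if pending.get(key) == "syn":
                pending[key] = "synack"
        elif flags == "A":
            key = (src, sport, dst, dport)
            if pending.get(key) == "synack":
                del pending[key]
                stats[dst]["completed"] += 1
    for (_, _, server, _), state in pending.items():
        if state == "synack":
            stats[server]["half_open"] += 1
    return dict(stats)


def syn_flood_suspected(stats, server, max_half_open=5, min_completion=0.5):
    """Flag a server whose half-open handshakes exceed max_half_open and
    whose handshake completion ratio has fallen below min_completion.
    Both thresholds are assumptions for the illustration; real deployments
    tune them to the service's normal connection rate."""
    s = stats.get(server, {"completed": 0, "half_open": 0})
    total = s["completed"] + s["half_open"]
    if total == 0:
        return False
    return s["half_open"] > max_half_open and s["completed"] / total < min_completion


if __name__ == "__main__":
    stats = track_handshakes(SAMPLE_SEGMENTS)
    print(stats, syn_flood_suspected(stats, "10.0.0.5"))
```

Because every forged SYN carries a different source address, nothing about an individual packet gives the spoofing away; the usable signal is on the server side, in the ratio of half-open to completed handshakes. That is the same condition the load-balancer countermeasures mentioned below act on.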
An intrusion detection system (IDS) and dedicated DDoS protection measures, together with Web Application and API Protection (WAAP), provide the widest coverage against DDoS attacks, both against the network and against applications. These protection measures may be deployed as an appliance in your data center, as a cloud-based scrubbing service, or as a hybrid solution combining a hardware device and a cloud service.

IDS systems can perform packet filtering for both incoming (ingress) and outgoing (egress) packets entering and leaving a secure network. This is done by separating the network into a secure and an unsecure zone: egress filtering prevents hosts inside the secure zone from sending packets with forged source addresses to outside addresses, and ingress filtering prevents an outside attacker from spoofing the address of a machine inside the secure zone.

If the attack is coming from a small number of sources, another approach is to implement IP-based access control lists (ACLs) to block all traffic originating from those sources.

If the target of the attack is an application or a web-based service, you could limit the volume of traffic or the number of concurrent application connections by implementing rate limiting. Note that this approach is prone to a high rate of false positives, because it cannot distinguish malicious from legitimate user traffic.

Many application DDoS attacks using IP address spoofing target application server resources by targeting the TCP handshake. Many load balancers have countermeasures built in for protection against such attacks.

Newer approaches block attacks without impacting legitimate traffic by using machine-learning and behavioral algorithms to learn what constitutes a legitimate behavior profile and then automatically block malicious traffic. This increases protection accuracy while minimizing false positives.
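As an added example, not code from the article or from any vendor product, the following Python policy check combines the first three measures above in one decision function: ingress/egress anti-spoofing filtering between a secure and an unsecure zone (the scheme standardized as BCP 38), an IP-based ACL, and a per-source rate limit. The zone prefixes, the block list, the limit of 10 packets per second and the constructed packet sample are all assumptions made for the illustration.

```python
import ipaddress
from collections import Counter, defaultdict, deque

# Assumed topology for the illustration: the secure zone is RFC 1918 space
# behind the filtering device; everything else is the unsecure zone.
SECURE_ZONE = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]

# Assumed IP-based ACL: a small set of attack sources identified by the
# operator (a TEST-NET-3 prefix is used here as a placeholder).
BLOCKED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def in_any(ip, networks):
    return any(ip in net for net in networks)


class SourceRateLimiter:
    """Sliding-window limiter: at most `limit` packets per source IP
    within any `window`-second interval."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)  # src -> timestamps of recent packets

    def allow(self, src, ts):
        q = self.seen[src]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def filter_packet(ts, src, direction, limiter):
    """Return ('accept', '') or ('drop', reason).

    direction is 'egress' for a packet leaving the secure zone and
    'ingress' for one arriving from the unsecure zone. The anti-spoofing
    checks run first, then the ACL, then the rate limit."""
    src_ip = ipaddress.ip_address(src)
    if direction == "egress" and not in_any(src_ip, SECURE_ZONE):
        # an internal host is sending with a source address it does not own
        return ("drop", "spoofed-egress")
    if direction == "ingress" and in_any(src_ip, SECURE_ZONE):
        # an outside packet claims to come from inside the secure zone
        return ("drop", "spoofed-ingress")
    if in_any(src_ip, BLOCKED_SOURCES):
        return ("drop", "acl")
    if not limiter.allow(src, ts):
        return ("drop", "rate-limit")
    return ("accept", "")


# Constructed sample traffic: (timestamp, source, direction).
SAMPLE_PACKETS = [
    (0.00, "10.1.2.3", "egress"),        # normal outbound packet
    (0.10, "198.51.100.9", "egress"),    # internal host forging an outside source
    (0.20, "10.1.2.3", "ingress"),       # outside packet forging an inside source
    (0.30, "203.0.113.7", "ingress"),    # source on the block list
]
# twelve packets from one outside source within half a second
SAMPLE_PACKETS += [(1.0 + i * 0.04, "192.0.2.50", "ingress") for i in range(12)]


def apply_policy(packets, limit=10, window=1.0):
    """Run every packet through filter_packet and tally the outcomes."""
    limiter = SourceRateLimiter(limit, window)
    tally = Counter()
    for ts, src, direction in packets:
        verdict, reason = filter_packet(ts, src, direction, limiter)
        tally[reason or verdict] += 1
    return dict(tally)


if __name__ == "__main__":
    print(apply_policy(SAMPLE_PACKETS))
```

The ordering matters: the two zone checks reject forged sources regardless of volume, the ACL handles a known small set of sources, and only traffic that passes both is subject to the rate limit. The limiter illustrates the caveat in the text as well: it counts packets per source address without any notion of who is behind it, so a burst of legitimate users behind one NAT gateway would be cut off exactly like a flood.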