Sunday, June 19, 2011

IP Spoofing - The Untracable HACK!

The term IP spoofing is a combination of two different words IP + Spoofing .

IP refers to the connectionless protocol which is responsible for the process of routing up the data packets over the network . Since it is a connectionless protocol hence there is no acknowledgement received to the sender of the message that the it has been received without any flaw at the receiver end. The term spoofing means that the attacker sends the message to a computer indicating that it has came from a trusted source . Hence IP spoofing is the concept of spoofing the identity of a trusted source(victim) and to gain access at the same privilege at which the victim is.

Brief History of IP spoofing

In the April 1989 article entitled: “Security Problems in the TCP/IP Protocol Suite” ,

author S. M Bellovin of AT & T Bell labs was among the first to identify IP spoofing as a

real risk to computer networks. Bellovin describes how Robert Morris, creator of the now

infamous Internet Worm, figured out how TCP created sequence numbers and forged a

TCP packet sequence. This TCP packet included the destination address of his “victim”

and using an IP spoofing attack Morris was able to obtain root access to his targeted

system without a User ID or password.

A common misconception is that "IP spoofing" can be used to hide your IP address while

surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not

true. Forging the source IP address causes the responses to be misdirected, meaning you

cannot create a normal network connection. However, IP spoofing is an integral part of

many network attacks that do not need to see responses (blind spoofing).

Detailed Overview of the attack

The heart of network connectivity over the internet is based on the TCP/IP protocol which collectively describes how a connection is established and how the data will be transmitted over the network . Here I will briefly tell the aspects of IP and TCP that are exploited in order to perform the attck.

Here are the models of TCP and IP headers.

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field. It's important to note that each datagram is sent independent of all others due to the stateless nature of IP. Keep this fact in mind as we examine TCP in the next section.

As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data contained in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the number of the first byte in the current packet, which is relevant to the data stream. The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. It’s quite different than IP, since transaction state is closely monitored.

Obviously, it's very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijackig or host impersonating.

IP spoofing in brief consists of several interim steps;

• Selecting a target host ( or victim).

• The trust relationships are reviewed to identify a host that has a “trust” relationship

with the target host.

• The trusted host is then disabled and the target’s TCP sequence numbers are sampled.

• The trusted host is then impersonated, the sequence numbers forged (after being

calculated) .

• A connection attempt is made to a service that only requires address-based

authentication (no user id or password).

• If a successful connection is made, the attacker executes a simple command to leave a


Some Common IP spoofing Attacks

Blind spoofing

It is the most sophisticated attack in which the sequence and acknowledgement number are to be determined randomly . The attacker tries to send random packets to the victim in order to examine the pattern of sequence numbers . Modern operating systems use random sequence number generation techniques which makes it very difficult to analyze the sequence and acknowledgement numbers by sending packets.

Non- Blind spoofing

This type of spoofing attack can be performed when both the victim and the attacker are on the same subnet . Then there is a plus point for the attacker as the acknowledgement and sequence number can be sniffed , and hence the hard work of calculating and analyzing them manually is removed.

Man In the Middle Attack

This attack is well understood with its name itself . In this type of attack two trusted sources are involved in a communication when the attacker spoofs the identity of one of the trusted sources . The attacker then controls the flow of communication between the two trusted sources and can even fool the recipient to give confidential information. The attacker can also manipulate the data transfer that is taking place between the two trusted sources.

Countermeasures to IP spoofing

The countermeasures to spoofing will totally depend upon the type of attack and the network setup. Still some of the basic features that can be implemented to prevent IP spoofing attack are by providing encrypted authentication , packet filtering at the router and implementing application based authentication .

IP Spoofing is a problem without an easy solution, since it’s inherent to the design of the TCP/IP suite. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.


  1. Friend plz post some method to perform the above hack. thanks..

  2. noob c/p from books.

    ever heard of rev sock 5 pr ?