International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064

Proposed Methods of IP Spoofing Detection &

Prevention
Sharmin Rashid1, Subhra Prosun Paul2
1, 2
World University of Bangladesh, Dhanmondi, Dhaka, Bangladesh

Abstract: In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets
with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another
computing system. On January 22, 1995, in an article entitled, ―New form of attack on computers linked to Internet is uncovered, John
Markoff of the New York Times reported on the TCP/IP protocol suite's security weakness known as IP spoofing. The IP spoofing
security weakness was published by S. M. Bellovin (1989). However, not much attention has been paid to the security weaknesses of the
TCP/IP protocol by the general public. This is changing as more people and companies are connecting to the Internet to conduct
business. This paper is on ― “Proposed methods of IP Spoofing Detection & Prevention”. This paper contains an overview of IP
address and IP Spoofing and its background. It also shortly discusses various types of IP Spoofing, how they attack on communication
system. This paper also describes some methods to detection and prevention methods of IP spoofing and also describes impacts on
communication system by IP Spoofing. We think that our proposed methods will be very helpful to detect and stop IP spoofing and give
a secured communication system.

Keywords: IP address, IP Spoofing, TCP/IP, Compression, Cryptography

1. Introduction with the purpose of concealing the identity of the sender or

impersonating another computing system.
The basic protocol for sending data over the Internet network
and many other computer networks is the Internet Protocol In a spoofing attack, the intruder sends messages to a
("IP"). The header of each IP packet contains, among other computer indicating that the message has come from a
things, the numerical source and destination address of the trusted system. To be successful, the intruder must first
packet. The source address is normally the address that the determine the IP address of a trusted system, and then modify
packet was sent from. By forging the header so it contains a the packet headers to that it appears that the packets are
different address, an attacker can make it appear that the coming from the trusted system. In essence, the attacker is
packet was sent by a different machine. The machine that fooling (spoofing) the distant computer into believing that
receives spoofed packets will send response back to the they are a legitimate member of the network. The goal of the
forged source address, which means that this technique is attack is to establish a connection that will allow the attacker
mainly used when the attacker does not care about the to gain root access to the host, allowing the creation of a
response or the attacker has some way of guessing the backdoor entry path into the target system.
response.

Criminals have long employed the tactic of masking their

true identity, from disguises to aliases to caller-id blocking. It
should come as no surprise then, that criminals who conduct
their nefarious activities on networks and computers should
employ such techniques. IP spoofing is one of the most
common forms of on-line camouflage. In IP spoofing, an
attacker gains unauthorized access to a computer or a
network by making it appear that a malicious message has
come from a trusted machine by spoofing the IP address of
Figure 1: Valid source IP address
that machine.
Figure 1: Valid source IP address, illustrates a typical
In certain cases, it might be possible for the attacker to see or
interaction between a workstation with a valid source IP
redirect the response to his own machine. The most usual
address requesting web pages and the web server executing
case is when the attacker is spoofing an address on the same
the requests. When the workstation requests a page from the
LAN or WAN. Hence the attackers have an unauthorized
web server the request contains both the workstation’s IP
access over computers. In this paper, we will examine the
address (i.e. source IP address 192.168.0.5) and the address
concepts of IP spoofing: why it is possible, how it works,
of the web server executing the request (i.e. destination IP
how it can detect for and how to defend against it.
address 10.0.0.23). The web server returns the web page
using the source IP address specified in the request as the
2. IP Spoofing destination IP address, 192.168.0.5 and its own IP address as
the source IP address, 10.0.0.23.
In computer networking, the term IP address spoofing or IP
spoofing refers to the creation of Internet Protocol (IP)
packets with a forged source IP address, called spoofing,
Volume 2 Issue 8, August 2013
438
www.ijsr.net
 International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064

with the attack machine. Using the spoofing, the attacker

interferes with a connection that sends packets along the
subnet.

4.2 Blind Spoofing

This attack may take place from outside where sequence and
acknowledgement numbers are unreachable. Attackers
usually send several packets to the target machine in order to
sample sequence numbers, which is doable in older days.
Figure 2: Spoofed source IP address
Usually the attacker does not have access to the reply, abuse
Figure 2: Spoofed source IP address, illustrates the trust relationship between hosts. For example: Host C sends
interaction between a workstation requesting web pages an IP datagram with the address of some other host (Host A)
using a spoofed source IP address and the web server as the source address to Host B. Attacked host (B) replies to
executing the requests. If a spoofed source IP address (i.e. the legitimate host (A) shows in Figure 4.
172.16.0.6) is used by the workstation, the web server
executing the web page request will attempt to execute the
request by sending information to the IP address of what it
believes to be the originating system (i.e. the workstation at
172.16.0.6). The system at the spoofed IP address will
receive unsolicited connection attempts from the web server
that it will simply discard.
Figure 4: Blind Spoofing
3. Why IP Spoofing is Easy
4.3 Hijacking an Authorized Session
 Problem with the Routers. IP routing is hop by hop. Every
IP packet is routed separately. The route of an IP packet is An attacker who can generate correct sequence numbers can
decided by all the routers the packet goes through. send a reset message to one party in a session informing that
 Routers look at Destination addresses only. party that the session has ended. After taking one of the
 Authentication based on Source addresses only. parties’ offline, the attacker can use the IP address of that
 To change source address field in IP header field is easy party to connect to the party still online and perform a
[1] malicious act on it. The attacker can thus use a trusted
communication link to exploit any system vulnerability.
Keep in mind that the party that is still online will send the
replies back to the legitimate host, which can send a reset to
it indicating the invalid session, but by that time the attacker
might have already performed the intended actions. Such
actions can range from sniffing a packet to presenting a shell
from the online host to the attacker's machine.

4.4 Man in the Middle Attack

Both types of spoofing are forms of a common security

violation known as a man in the middle (MITM) attack. In
Figure 3: IP routing Mechanism
these attacks, a malicious party intercepts a legitimate
communication between two friendly parties. The malicious
4. Spoofing Attacks host then controls the flow of communication and can
eliminate or alter the information sent by one of the original
There are a few variations on the types of attacks that participants without the knowledge of either the original
successfully employ IP spoofing. Although some are sender or the recipient. In this way, an attacker can fool a
relatively dated, others are very pertinent to current security victim into disclosing confidential information by “spoofing”
concerns. the identity of the original sender, who is presumably trusted
by the recipient.
4.1 Non-Blind Spoofing
4.5 Denial of Service Attack
This type of attack takes place when the attacker is on the
same subnet as the victim. The sequence and The connection setup phase in a TCP system consists of a
acknowledgement numbers can be calculated, eliminating the three-way handshake. This handshake is done by using
potential difficulty of calculating them accurately. The special bit combinations in the "flags" fields. If host A wants
biggest threat of spoofing in this instance would be session to establish a TCP connection with host B, it sends a packet
hijacking. This is accomplished by corrupting the with a SYN flag set. Host B replies with a packet that has
DataStream of an established connection, then re-establishing SYN and ACK flags set in the TCP header. Host A sends
it based on correct sequence and acknowledgement numbers back a packet with an ACK flag set, finishing the initial
Volume 2 Issue 8, August 2013
439
www.ijsr.net
 International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064

handshake. Then hosts A and B can communicate with each Attacker sends a forged RIP packet router 2 (Figure 7) and
other, as shown in Figure 5. says it has the shortest path to the network that router1
connects. Then all the packets to that network will be routed
to attacker (Figure 8). The attacker can sniff the traffic.

Figure 5: A Normal TCP Connection Request from A to B

The three-way handshake must be completed in order to

establish a connection. Connections that have been initiated
but not finished are called half-open connections. A finite-
size data structure is used to store the state of the half-open
connections. An attacking host can send an initial SYN Figure 8: Link state after RIP attack
packet with a spoofed IP address, and then the victim sends
the SYN-ACK packet and waits for a final ACK to complete 5. Spoofed Packet Detection
the handshake. If the spoofed address does not belong to a
host, then this connection stays in the half-open state Packets sent using the IP protocol [2] include the IP address
indefinitely, thus occupying the data structure. If there are of the sending host. The recipient directs replies to the sender
enough half-open connections to fill the state data structure, using this source address. However, the correctness of this
then the host cannot accept further requests, thus denying address is not verified by the protocol. The IP protocol
service to the legitimate connections (Figure 6). specifies no method for validating the authenticity of the
packet’s source. This implies that an attacker could forge the
source address to be any he desires. This is a well-known
problem and has been well described [3][4][5]. Detection
methods can be classified as those requiring router support,
active host-based methods, passive host based methods, and
administrative methods. Administrative methods are the most
commonly used methods today. When an attack is observed,
Figure 6: Half-Open TCP Connection security personnel at the attacked site contact the security
personnel at the supposed attack site and ask for
IP spoofing is almost always used in what is currently one of corroboration. This is extremely inefficient and generally
the most difficult attacks to defend against – denial of service fruitless. An automated method of determining whether
attacks, or DoS. Since crackers are concerned only with packets are likely to have been spoofed is clearly needed.
consuming bandwidth and resources, they need not worry This section describes a number of such methods.
about properly completing handshakes and transactions.
Rather, they wish to flood the victim with as many packets as 5.1 Routing Methods
possible in a short amount of time. In order to prolong the
effectiveness of the attack, they spoof source IP addresses to Because routers (or IP level switches) can know which IP
make tracing and stopping the DoS as difficult as possible. addresses originate with which network interface, it is
When multiple compromised hosts are participating in the possible for them to identify packets that should not have
attack, all sending spoofed traffic; it is very challenging to been received by a particular interface. For example, a border
quickly block traffic. router or gateway will know whether addresses are internal to
the network or external. If the router receives IP packets with
4.6 Attacks Concerning the Routing Protocols external IP addresses on an internal interface, or it receives
IP packets with an internal IP address on an external
A host can send spoofed RIP packets in order to “inject” interface, the packet source is most likely spoofed. In the
routes into a host. This is easy to implement, it only requires wake of recent denial-of-service attacks involving spoofed
IP/UDP spoofing. On a LAN with RIPv2 passwords have to attack packets, ISPs and other network operators have been
be used for updating routes, but plaintext passwords are used. urged to filter packets using the above-described method.
The plaintext passwords can be sniffed. Filtering inbound packets, known as ingress filtering,
protects the organization from outside attacks. Similarly,
filtering outbound packets prevents internal computers from
being involved in spoofing attacks. Such filtering is known as
egress filtering. It is interesting to note that if all routers were
configured to use ingress and/or egress filtering, attacks
would be limited to those staged within an organization or
require an attacker to subvert a router.

Internal routers with a strong notion of inside/outside can

Figure 7: Link state before RIP attack
also detect spoofed packets. However, certain network
topologies may contain redundant routes making this

Volume 2 Issue 8, August 2013

440
www.ijsr.net
 International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064

distinction unclear. In these cases, host based methods can be machine, there will be no corresponding entry for
used at the router. A number of IP addresses are reserved by initiating that remote access.
the IANA for special purposes. These are listed in table 1.
The addresses in the first group are private addresses and There are some configuration and services that are vulnerable
should not be routed beyond a local network. Seeing these on to IP spoofing:
an outside interface may indicate spoofed packets.
Depending on the particular site, seeing these on an internal  RPC (Remote Procedure Call services)
address would also be suspicious. The other addresses in  Any service that uses IP address authentication
table 1 are special purpose, local only addresses and should  The X Window System
never be seen on an outer interface.  The R services suite (rlogin, rsh, etc.)

Some Softwares that are caused for IP Spoofing:

 Mac Spoofing
 Macaroni Screen Saver Bundle
 SpoofMAC
 sTerm
 MAC Change

6. IP Spoofing Prevention Methods

Table 1: Special IP addresses
6.1 Compression
Many firewalls look for the packets described in this section.
Typically they are dropped when received. Because firewalls Basically compression classified into two types-
have been a popular security product, research into routing
methods has been active. Most all research has been in this 6.1.1 Lossy Compression
area. Routers can also take a more active role in detecting
spoofed packets. A number of advanced router projects have In Computer terminology, lossy compression is a data
dealt with this and spoofed packet trace back [6]. We have encryption method which eliminates some of the data, in
proposed a number of proactive methods that can be used to order to achieve its goal, with the result that decompressing
detect and prevent spoofed packets. the data yields content that is different from the original,
though similar enough to be useful in some way. Lossy
One limitation of routing methods is that they are effective compression is most commonly used to compress multimedia
only when packets pass through them. An attacker on the data, audio, video, image, etc. lossless compression is
same subnet as the target could still spoof packets. When the required for text and data files, such as bank records, text
attacker is on the same Ethernet subnet as the target, both the articles, etc. In many cases it is advantageous to make a
source IP address and the Ethernet MAC would be spoofed. master lossless file which can then be used to produce
If the spoofed source address was an external address, the compressed files for different purposes.
MAC would be that of the router. This implies that other
techniques are required. We can compress many formats of digital data through that
we can minimize the size of a computer file needed to store
5.2. Non-routing methods it. According to the networks the effective utilization of
bandwidth needed to stream it, with no loss of the full
Computers receiving a packet can determine if the packet is information contained in the original file. A picture is
spoofed by a number of active and passive ways. We use the converted to a digital file by considering it to be an array of
term active to mean the host must perform some network dots, and specifying the color and brightness of each dot. If
action to verify that the packet was sent from the claimed the picture contains an area of the same color, it can be
source. Passive methods require no such action; however an compressed without loss by saying 200 red dots instead of
active method may be used to validate cases where the red dot, red dot, etc red dot.
passive method indicates the packet was spoofed. There are
some other methods for detecting spoofed packets: The original contains a certain amount of information; there
is a lower limit to the size of file that can carry all the
1. If we monitor packets using network-monitoring software information. For example, most people know that WinRar
such as netlog, look for a packet on our external interface produce the compressed ZIP file is smaller than the original
that has both its source and destination IP addresses in file; but repeatedly compressing the file will not reduce the
your local domain. If we find one, you are currently under size to nothing, and will in fact usually increase the size.
attack. Lossy compression formats suffer from generation loss:
2. Another way to detect IP spoofing is to compare the repeatedly compressing and decompressing the file will
process accounting logs between systems on our internal cause it to progressively lose quality. This is in contrast with
network. If the IP spoofing attack has succeeded on one lossless data compression. Information-theoretical
of our systems, we may get a log entry on the victim foundations for lossy data compression are provided by rate
machine showing a remote access; on the apparent source distortion theory. Much like the use of probability in optimal
coding theory, rate distortion theory heavily draws on

Volume 2 Issue 8, August 2013

441
www.ijsr.net
 International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064

Bayesian estimation and decision theory in order to model In this chapter, cryptography uses to enhance the security in
perceptual distortion and even aesthetic judgment. IP compression technique.

6.1.2 Lossless Compression The main objective of IP compression is to avoid the

overhead, which provides the bandwidth utilization. The IP
Lossless data compression is a kind of data compression header compression work initiated ten years ago but still
algorithms that allows the exact original data to be fetched there is some drawback and problem persists. For handling
from the compressed ZIP data. The term lossless is in the packet transformation in effective manner we are moving
contrast to lossy data compression, which only allows an to IPv6 but the header size will increase in IPv6. To increase
approximation of the original data to be re fetched, in the bandwidth utilizations, avoid the network traffic,
exchange for better compression rates. Lossless data congestion, collision, we go for compression technique.
compression is used in many applications. For example, it is Basically compression used for minimize the size of file into
used in the popular ZIP file format and in the kernel OS half. For example if the original file size is 100mb after
UNIX tool gzip. It is also often used as a component within compression it will reduced into 50mb. While decompress
lossy data compression technologies. your file we have to get original information without loose
anything. Basic idea behind in this is remove the unwanted
Lossless compression algorithms and their implementations data’s or information’s.
are routinely tested in head-to-head existing methods. There
are a number of better-known compression existing methods. In our work we incorporate the compression technique into
Some existing methods cover only the compression ratio, so TCP/IP packets. While data transfer two end systems will
winners in this benchmark may be unsuitable for everyday make the communication between these two end points the
use due to the slow speed of the top performers. Another session will allocated for temporarily. Both systems has an
drawback of some existing methods is that their data files are unique IP address for identifying the system in network,
known, so some program writers may optimize their using this IP address only communication will established.
programs for best performance on a particular data set. The After establishing the end to end point connection the
winners on these existing methods often come from the class corresponding application will take charge to transactions.
of context-mixing compression software. Application will identified using the port number. While
continues data transfer some information will repeatedly send
6.2 Cryptography to the receiving end namely IP address of sender and
receiver, port address of sender and receiver. To avoid this
Cryptography has been used as a way to send secret kind of information we go for compression technique. Most
messages between warring nations, between users, between of the data compression algorithms have been developed and
organizations etc; as such, it became an important issue in programmed in the traditional way. None of the previous
national security and laws. With the increasing need for algorithms has been evolved. The use of Evolutionary
secure transactions for data traversing computer networks for Computation has not been thoroughly investigated thus far.
medical, financial, and other critical applications, Researchers in the compression field tend to develop
cryptography is now becoming a necessity for algorithms that work with specific types of data, taking the
nongovernmental, nonmilitary applications. All over the advantage of any available knowledge about the data. It is
globe, the laws and regulations concerning cryptography are difficult to find a universal compression algorithm that
undergoing a vast change. Legal restrictions on the import performs well on any data type
and export of cryptographic products are being debated and
modified. 6.3 Algorithm

Cryptography has some major issues:  Split the packet header with data
 Applied the GRS compression algorithm
 Key length: The combination of the algorithm and the key  Apply the cryptography technique
length are factors of cryptographic strength. The  Transmit the data
algorithm is usually well known. The longer key is the  Decryption
stronger the cryptographic strength of a given algorithm.  Decompression
Some countries have export laws that limit the key length  Original information.
of a given cryptographic algorithm.
 Key recovery: In recent years, export laws have been First take the original packet then split the packet header with
modified if the cryptographic algorithm includes the the data. Whenever the data transmission happen that time
capability of incorporating key recovery methods. These 4tuple information are common for through out the data
modified laws enable governments to wire-tap for transfer. If we compress these things we can minimize the
encrypted electronic data if they deem it necessary to do many space due to that we can utilize bandwidth in optimized
so. manner.
 Cryptography use: A distinction is sometimes made about
whether cryptography is used for authentication and The next step is applying the GRS algorithm which is the
integrity purposes or for confidentiality purposes. When novel algorithm what we designed for our implementation.
used for confidentiality, the export laws are typically The concept behind in this is group of IP address considered
much more stringent. as a single no which is taken as host identification no
likewise we have to interchange into 4tuple’s. For example
192.168.30.2 this is a one host IP address. This will
Volume 2 Issue 8, August 2013
442
www.ijsr.net
 International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064

converted into like this. 2. We have to remember one thing network can use this key to access information. Without
after establishing the connection only the stream of packet this, access is denied.
will change into like this.
6.4 Software to Stop IP Spoofing
The next step is applying the cryptography technique. There
are variety of techniques and complex methods available but We can use some software’s to stop IP Spoofing:
in this scenario we couldn’t use the complex technique
because we going to apply in packet header. If we use  StopCut
complex technique, for encryption and decryption will take  Find Mac Address pro
too much time. We have to use simple functions; in our  SecurityGateway for Exchange / SMTP
implementation we used transformation function as method.  PacketCreator
It just modify the one value into another form using add or  Responder Pro
multiply that value into original no. for example the previous
2 will converted onto 6 adding 4 with 2 . The final thing is
we have to send the key value for decryption. Key value will
7. Conclusion
add into encrypted value for easy identification similar to the
This paper describes the use of IP spoofing as a method of
format of IP address 6.4 is the final value that will send to the
attacking a network in order to gain unauthorized access and
destination machine likewise all 4tuple’s. Again the
some detection and prevention methods of IP spoofing. The
decryption will happen in reverse manner.
goal of the attack is to establish a connection that will allow
the attacker to gain root access to the host, allowing the
We have also proposed some prevention methods to stop IP
creation of a backdoor entry path into the target system. We
spoofing. They are:
think that our proposed methods will be very helpful to detect
and stop IP spoofing and give a secured communication
1. The best method of preventing the IP spoofing problem is
system.
to install a filtering router (Figure 9) that restricts the
input to our external interface (known as an input filter)
by not allowing a packet through if it has a source address 8. Acknowledgement
from our internal network. In addition, we should filter
outgoing packets that have a source address different Special thanks to Md. Samsuzzaman, Assistant Professor,
from our internal network in order to prevent a source IP Department of Computer & Communication Engineering,
spoofing attack originating from our site. Faculty of Computer science & Engineering, Patuakhali
Science & Engineering for his helpful comments on IP
Spoofing We also thank the anonymous reviewers for their
helpful and constructive comments.

References

[1] Leila Fatmasari Rahman, Rui Zhou. IP Address

Spoofing, (December 16, 1997). CERT Advisory CA-
1997-28. IP Denial-of-Service Attacks. CERT/CC.
[2] Daemon9. IP Spoofing Demystified. Phrack Magazine
Review, Vol 7, No. 48, June 1996, pp. 48-14.
Figure 9: Filtering Router [3] Computer Incident Advisory Committee (CIAC) (1995).
Advisory Notice F-08 Internet Spoofing and Hijacked
2. Avoid using the source address authentication. Session Attacks.
Implement cryptographic authentication system-wide. [4] Donkers, A. (1998, July). Are You really Who You Say
3. Configuring our network to reject packets from the Net You Are? System Administrator, Vol 7, No. 7, 69-71.
that claim to originate from a local address. [5] D. Schnackenberg, K. Djahandari., and D. Sterne.
4. If we allow outside connections from trusted hosts, enable Infrastructure for Intrusion Detection and Response.
encryption sessions. Proc. of the DARPA Information Survivability
5. Implement egress and ingress filtering. This will monitor Conference and Exposition (DISCEX '00), 2000.
all incoming and outgoing information and will block any [6] S. Staniford-Chen and L. T. Heberlein. Holding
unauthorized traffic. Intruders Accountable on the Internet. Proc. of the 1995
6. Use encryption when sending any private information IEEE, Symposium on Security and Privacy, , May 1995
over the Internet. This will change any information you Oakland, CA, pages 39-49.
share into a code that hacker's will not be able to
understand. Author Profile
7. Use an ACL, or access control list, to block any
unauthorized or private IP addresses. Subhra Prosun Paul received the B.Sc.Engg. in
8. Configure your router to reject unauthorized users that are Computer Science & Engineering from West Bengal
claiming to be in your local network, when they are University of Technology, Kolkata and M.S.in CSE
actually coming from outside your network. from East West University, Dhaka in 2008 and 2011,
9. Add an authenticated password-based key exchange to respectively. He has researched on Linux, Networking, RDBMS and
prevent IP spoofing. Two more users on the same so on. He is now workind as Lecturer in department of Computer

Volume 2 Issue 8, August 2013

443
www.ijsr.net
 International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064

Science & Engineering at World University of Bangladesh, Dhaka,

Bangladesh.

Sharmin Rashid received the B.Sc. Engg. in

Computer Science & Engineering a from Patuakhali
Science & Technology University and M.S. degrees in
Information Technology from Dhaka University in
2011 and 2013, respectively. She has researched on
Networking, Semantic Web technology and so on. She is now
working as Lecturer in department of Computer Science &
Engineering at World University of Bangladesh, Dhaka,
Bangladesh.

Volume 2 Issue 8, August 2013

444
www.ijsr.net