IP Source Address Spoofing

From BCP38

Each IP packet -- the fundamental unit of data transmission over the Internet -- has a number of pieces of metadata attached to it, generally called 'headers'.

The most important of these headers are the source and destination addresses.

IP Source Address Spoofing is the practice of sending those packets out with a forged, incorrect source address. This generally means that the receiver will not be able to reply to you, but for the purposes of an attacker, this is a feature, rather than a bug.

There is one other case in which IP packets can be sent out with a source address which is not that of the interface they are sent through: when a host or network is multihomed, that is, when it has more than one network connection. Sometimes in this case, packets will be sent out the "wrong" network connection, but the destination site will still be able to reply because the address really does point to the sending host; it merely doesn't do so on the network over which the packet was sent.

Because this is possible, you cannot always assume that a packet received with an address you didn't expect is a fraudulent, attacking packet, and people implementing BCP38 must be able to make exceptions.
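A source-address check with per-customer exceptions for multihomed networks, as described above, can be sketched as follows. This is an added example, not code from the BCP38 site; the interface names, the tables and the function names are hypothetical, and the prefixes are constructed from the documentation ranges.

```python
import ipaddress

# Constructed sample data: prefixes the provider assigned to each
# customer-facing interface (interface names are hypothetical).
ASSIGNED = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25"],
}

# Constructed exceptions: cust-b is multihomed and legitimately holds a
# prefix from another provider, so packets sourced from it may leave
# through this link as well.
MULTIHOMED_EXCEPTIONS = {
    "cust-b": ["203.0.113.0/24"],
}


def _nets(table, iface):
    """Parse the prefixes configured for one interface (empty if unknown)."""
    return [ipaddress.ip_network(p) for p in table.get(iface, [])]


def classify_source(iface, src):
    """Return 'assigned', 'multihomed-exception' or 'drop' for a packet
    arriving on iface with source address src."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # unparseable source address
    if any(addr in net for net in _nets(ASSIGNED, iface)):
        return "assigned"
    if any(addr in net for net in _nets(MULTIHOMED_EXCEPTIONS, iface)):
        return "multihomed-exception"
    return "drop"  # source does not belong behind this interface


def audit(packets):
    """Count verdicts over (iface, src) pairs, e.g. from sampled flow data."""
    counts = {"assigned": 0, "multihomed-exception": 0, "drop": 0}
    for iface, src in packets:
        counts[classify_source(iface, src)] += 1
    return counts


if __name__ == "__main__":
    sample = [("cust-a", "192.0.2.10"), ("cust-b", "203.0.113.7"),
              ("cust-a", "203.0.113.7"), ("cust-b", "198.51.100.200")]
    print(audit(sample))
```

The exception is scoped to one interface: the same source address that is accepted from the multihomed customer is still dropped when it arrives from anyone else.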
