IP Spoofing and DDoS Attacks: A Dummies Guide to This Funny Business

Imagine you were trying to disguise where something is coming from. A letter, a parcel, a tuna sandwich lobbed across a cafeteria. On the whole, do you think your intentions in trying to disguise where something is coming from would be honorable? No, you think, that’s not how I operate. Yeah, well, you and IP spoofers.

Sure, there are some not incredibly bad reasons to disguise the source of internet traffic, like getting around geolocation blocks (strictly speaking that is done with a VPN or proxy that relays your traffic, not by forging packet headers, but people lump it under the same word). On the whole, though? The reasons tend to range from not good to atrocious, and many of them involve distributed denial of service attacks, or DDoS attacks.

What exactly is IP spoofing and how is it accomplished?

An IP spoofing definition according to DDoS mitigation provider Imperva Incapsula is the process of disguising the source of internet traffic by impersonating another client, device or user on the internet. IP spoofing takes advantage of the Internet Protocol (IP), the set of rules that governs how data is routed across the internet. Networks communicate by exchanging packets, and to make sure each packet gets where it’s going, every packet starts with a header whose fields carry the information needed for routing and for keeping a conversation going.

One of these fields is the source IP address, which identifies the sender of the packet. Think of it like the return address on an envelope. If you were trying to disguise the sender of a letter, you would falsify the return address on the envelope. Similarly, when disguising where a packet is coming from, the source address field gets falsified, usually with an arbitrary address unless a particular device or user is being impersonated. Nothing in the protocol checks that field against the real sender, which is the whole problem. The catch for the spoofer is the same as with a fake return address: any reply goes to the forged address, not back to them, so spoofing only suits traffic that needs no answer.
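To make the “return address” point concrete, here is an added example (not code from the original article or from Imperva Incapsula) that hand-assembles a 20-byte IPv4 header, writes an arbitrary address into the source field, and then parses it back the way a receiver would. The addresses are RFC 5737 documentation ranges chosen for illustration; the receiver’s only integrity check, the header checksum, happily validates a forged source.

```python
import socket
import struct

# Added example, not from the original article. Builds and parses raw IPv4
# headers to show that the source address is just 4 bytes the sender fills in.
# Addresses used below are RFC 5737 documentation ranges (constructed input).


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words over the header, per RFC 791."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 header. `src` is whatever the caller says it is;
    nothing here (or in the protocol) ties it to the real sender."""
    version_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words, no options
    total_len = 20 + payload_len
    ident, flags_frag, tos = 0x1234, 0, 0
    header = struct.pack("!BBHHHBBH4s4s",
                         version_ihl, tos, total_len, ident, flags_frag,
                         ttl, proto, 0,  # checksum placeholder
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields a receiver sees. The source address is taken on faith;
    checksum_ok only tells you the header was not corrupted in transit."""
    (version_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {
        "version": version_ihl >> 4,
        "ihl": version_ihl & 0x0F,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        # A correct header sums to zero when the checksum field is included.
        "checksum_ok": ipv4_checksum(data[:20]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def where_reply_goes(packet: bytes) -> str:
    """A receiver, or a reflector, answers the source field, not the real sender."""
    return parse_ipv4_header(packet)["src"]


if __name__ == "__main__":
    # Real sender is 192.0.2.66, but the header claims 203.0.113.7.
    pkt = build_ipv4_header(src="203.0.113.7", dst="198.51.100.53", payload_len=40)
    print(parse_ipv4_header(pkt))
    print("reply would be sent to", where_reply_goes(pkt))
```

Putting such a header on the wire needs a raw socket (`SOCK_RAW` with `IP_HDRINCL`) and administrator privileges, and many hosting providers and ISPs silently drop packets whose source address does not belong to them; the example deliberately stops at building and decoding the bytes.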

Before we get into IP spoofing and DDoS attacks, let’s clear up what a DDoS attack actually is

A distributed denial of service attack is a type of cyber attack designed to render a target website or service unavailable to those who want to use it. Because the attack is distributed, a network of compromised computers and internet-connected devices, collectively known as a botnet, is used to overwhelm the target’s network infrastructure, bandwidth or application capacity, either slowing the site so much that it is effectively unusable, or taking it right offline.

An unmitigated DDoS attack can have major consequences for the target website, including furious users, a diminished reputation, lost traffic and revenue, software and hardware damage, and theft of sensitive data like intellectual property, user information and financial information if the attack is used as a smokescreen for an intrusion.

So how is IP spoofing used in DDoS attacks?

In a number of ways, unfortunately. IP spoofing is commonly used to hide the location of a botnet. Not only does this help the botnet avoid being discovered and taken down by those with the power to do so, but it also renders security firms and other interested parties unable to inform the owners of the devices being used in the botnet that they have been compromised, as devices in a botnet are typically hijacked with the owners being none the wiser. One caveat: this only works for one-way floods such as UDP or SYN floods. Attacks that must complete a TCP handshake or carry on an HTTP conversation need replies to reach the bot, so those bots show their real addresses.

By disguising the botnet’s location, IP spoofing also allows the botnet in question to bypass security that may be in place for blacklisting the IP addresses of known offenders. It also disrupts the security research process, keeping security firms and other authorities from accurately identifying botnets and creating more effective blacklists.

IP spoofing is also frequently used in reflected DDoS attacks. Here the attacker sends requests to a large number of third-party servers and internet-connected devices (the reflectors) with the source address forged to be the target’s address, so every reflector dutifully sends its reply to the target, flooding it with responses it never asked for. When the reply is much larger than the request, as with certain DNS and NTP queries, the attack is also an amplification attack: the attacker’s bandwidth is multiplied by the reflectors. Common types of reflected distributed denial of service attacks include network layer attacks like DNS amplification, NTP amplification and the smurf attack (ICMP echo requests sent to broadcast addresses).
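The exchange just described, as an added toy model that is not part of the original article: an attacker sends small queries to a handful of open UDP services with the source forged to the victim’s address, each reflector answers “the source”, and the model tallies who actually receives the bytes. Packets are plain records rather than real datagrams, the response sizes are made-up round numbers (not measurements of any real service), and all addresses are RFC 5737 documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the original article. A toy model of a reflected,
# amplified flood. Reflector response sizes and all addresses are constructed
# for illustration and are not measurements of real services.


@dataclass(frozen=True)
class Datagram:
    src: str      # whatever the sender wrote in the source field
    dst: str
    sport: int
    dport: int
    payload: bytes


class Reflector:
    """An open UDP service (think open resolver or an NTP server with monlist
    enabled) that answers every query it receives, addressed to the query's
    source field."""

    def __init__(self, addr: str, port: int, response_size: int):
        self.addr = addr
        self.port = port
        self.response_size = response_size

    def handle(self, pkt: Datagram):
        if pkt.dst != self.addr or pkt.dport != self.port:
            return None
        # The reply goes to pkt.src; the reflector has no way to know it is forged.
        return Datagram(src=self.addr, dst=pkt.src, sport=self.port,
                        dport=pkt.sport, payload=b"A" * self.response_size)


def run_reflection_attack(attacker: str, victim: str, reflectors,
                          query_size: int = 64, rounds: int = 1) -> dict:
    """Attacker sends `rounds` queries to each reflector with src forged to
    `victim`. Returns bytes the attacker sent, bytes delivered per address,
    and the resulting amplification factor at the victim."""
    sent = 0
    delivered = defaultdict(int)
    for _ in range(rounds):
        for r in reflectors:
            # Note: `attacker` never appears in any packet on the wire.
            q = Datagram(src=victim, dst=r.addr, sport=40000, dport=r.port,
                         payload=b"Q" * query_size)
            sent += len(q.payload)
            resp = r.handle(q)
            if resp is not None:
                delivered[resp.dst] += len(resp.payload)
    return {
        "attacker_bytes_sent": sent,
        "bytes_at": dict(delivered),
        "amplification": delivered[victim] / sent if sent else 0.0,
    }


if __name__ == "__main__":
    reflectors = [
        Reflector("198.51.100.10", 53, 3072),    # open DNS resolver (constructed size)
        Reflector("198.51.100.11", 53, 3072),
        Reflector("198.51.100.123", 123, 4800),  # NTP with monlist (constructed size)
    ]
    print(run_reflection_attack("192.0.2.66", "203.0.113.7", reflectors))
```

The two things to notice in the output are that every byte lands on the victim while the attacker’s own address is absent from the tally, and that the victim-side amplification is the ratio of reply bytes to query bytes, which is why small requests with big answers are the reflectors of choice.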

What can be done to protect against DDoS attacks using IP spoofing?

Since DDoS mitigation services can’t rely on their blacklists to protect against botnets with spoofed IPs, they need to be able to look beyond the source address field. Mitigation solutions therefore use deep packet inspection, a granular analysis of the rest of the packet: the remaining header fields, the transport-layer ports and flags, and the payload itself. By examining all of that, the mitigation solution can develop a profile of the malicious packets and filter the traffic accordingly. Reflected floods are actually easier to profile than they sound, because they arrive as answers nobody asked for, from well-known service ports like UDP 53 and 123. The other half of the defense sits with network operators rather than the target: ingress filtering (BCP 38) at the network edge drops outbound packets whose source address doesn’t belong to the network they came from, which stops the spoofed requests before they ever reach a reflector.

However, deep packet inspection is easier said than done. It’s a resource intensive process, which means that when it’s up against a sizable attack attempt, the cure may become as bad as the disease since deep packet inspection can degrade a network’s performance to the point that it’s almost completely unresponsive, which is what the attack was trying to accomplish anyway.

The takeaway here is that distributed denial of service mitigation solutions need robust, purpose-built mitigation hardware or scrubbing servers that can handle incredible influxes of malicious traffic without their own network being affected. If the solution you’re considering can’t detail how it handles the deep packet inspection process in the face of unwieldy reflected DDoS attacks, you need to keep looking.
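As an added example (not code from the original article or from any mitigation vendor), here are the two checks this section describes reduced to working logic and run over a few constructed packet records: an edge-side ingress filter that rejects packets whose source address is outside the prefix assigned to the interface they arrived on, and a victim-side stateful guard that only accepts UDP traffic from well-known amplifier ports when it answers a request we actually sent. The interface names, prefixes, port table and sample packets are all assumptions made up for the demonstration.

```python
import ipaddress
from collections import Counter

# Added example, not from the original article. Two complementary anti-spoofing
# checks with constructed sample data. Interface names, prefixes and packets
# below are invented for illustration (RFC 5737 documentation addresses).

# Service ports commonly abused as reflectors; the protocol names are only
# used for labelling drop statistics.
AMPLIFIER_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}


def ingress_filter_ok(expected_prefixes: dict, iface: str, src: str) -> bool:
    """BCP 38 style check at the network edge: a packet arriving on a
    customer-facing interface must carry a source inside that customer's
    prefixes. Interfaces with no expectation configured (uplinks) pass."""
    nets = expected_prefixes.get(iface)
    if nets is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def audit_edge(packets, expected_prefixes: dict):
    """Return the packets an ingress filter would have dropped."""
    return [p for p in packets
            if not ingress_filter_ok(expected_prefixes, p["iface"], p["src"])]


class ReflectionGuard:
    """Victim-side stateful check: a UDP datagram from an amplifier port is
    accepted only if it answers a request we sent (same peer, same ports)."""

    def __init__(self):
        self.pending = set()      # (peer_ip, peer_port, our_port)
        self.stats = Counter()

    def outbound(self, dst: str, dport: int, sport: int) -> None:
        self.pending.add((dst, dport, sport))

    def inbound(self, src: str, sport: int, dport: int) -> bool:
        if sport not in AMPLIFIER_PORTS:
            self.stats["pass_other"] += 1
            return True
        key = (src, sport, dport)
        if key in self.pending:
            self.pending.discard(key)
            self.stats["pass_solicited"] += 1
            return True
        # An answer from a DNS/NTP/... port that nobody here asked for.
        self.stats["drop_" + AMPLIFIER_PORTS[sport]] += 1
        return False


# Constructed sample data (assumption): one customer port with one /24.
EDGE_PREFIXES = {"cust-eth1": ["192.0.2.0/24"]}
EDGE_PACKETS = [
    {"iface": "cust-eth1", "src": "192.0.2.5", "dst": "198.51.100.10"},    # legitimate
    {"iface": "cust-eth1", "src": "203.0.113.7", "dst": "198.51.100.10"},  # spoofed
    {"iface": "uplink0", "src": "8.8.8.8", "dst": "192.0.2.5"},            # no expectation
]


def run_demo():
    """Run both checks over the constructed sample and return the findings."""
    dropped_at_edge = audit_edge(EDGE_PACKETS, EDGE_PREFIXES)

    guard = ReflectionGuard()
    guard.outbound("198.51.100.10", 53, 40001)            # we really did ask
    verdicts = [
        guard.inbound("198.51.100.10", 53, 40001),         # solicited DNS reply
        guard.inbound("198.51.100.11", 53, 40002),         # unsolicited DNS reply
        guard.inbound("198.51.100.123", 123, 40003),       # unsolicited NTP reply
        guard.inbound("198.51.100.50", 443, 40004),        # not an amplifier port
    ]
    return dropped_at_edge, verdicts, dict(guard.stats)


if __name__ == "__main__":
    print(run_demo())
```

The edge check is cheap because it looks at one field against one prefix list, but it only helps if the networks hosting the bots deploy it; the victim-side guard costs a lookup per packet and state for every outstanding request, which is the resource-versus-protection trade-off the paragraph above is warning about.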

From Russia with love

If you’re an average person just trying to figure out how to get HBO Go outside of the United States (a job for a VPN or proxy, not for forged packet headers), IP spoofing probably isn’t a very big threat to you. But if you’re a website owner, IP spoofing is something you unequivocally need to be concerned about. We know that often our own intentions wouldn’t be honorable if we were disguising where that tuna sandwich is coming from, so imagine what cybercriminals have planned.