-
February 21st, 2006, 08:21 PM
#1
Spoofing IP Over Network / Internet
How could you spoof your IP over the internet? I have never really understood the action of this.
-
February 22nd, 2006, 10:11 AM
#2
Re: Spoofing IP Over Network / Internet
You can only do this for the UDP protocol; the TCP protocol is almost impossible to do because of the 3-way handshake and because it's a stateful protocol.
TCP must do <SYN>, <ACK><SYN>, <ACK>
This 3-way handshake allows a synchronization number to be set up between the server and client. Each packet is numbered with this, and a fixed calculation will create the next order number and allow the server to re-construct packets that are out of time. Only after this handshaking can a connection be considered open. If you fake the source IP address when sending the <SYN> packet, then the server will not respond to your client with the synchronization number that you will require to <ACK><SYN> the packet. It is possible to "guess" the sync number using mathematical attacks against the server's TCP RNG, but this is hard core hacking. This system also protects against data injection attacks, although if you are able to sniff the traffic between a server and client you are at a much greater position to perform this "attack" on the traffic due to access to SYN numbers.
This makes it very difficult to spoof TCP source IP.
The UDP protocol, on the other hand, is "stateless" and doesn't require any handshaking prior to receiving data from the host. This type of protocol is faster but unreliable and easily spoofed.
Last edited by Jean-Guy2000; February 22nd, 2006 at 10:17 AM.
-
February 22nd, 2006, 02:23 PM
#3
Re: Spoofing IP Over Network / Internet
Jean-Guy, are you certain that it's not possible to spoof IP with TCP?
I'm uncertain because I have never tried it, but I still think that it's possible to spoof IP using TCP. Both TCP and UDP rely on the IP header to identify the IP address of both the source and destination. As such, it should be possible to spoof the IP address of TCP as well as UDP.
I agree that spoofing the IP source address in a TCP connection will not result in a connection, for the reason that the server will not send its SYN-ACK response to the correct source address. As a result, there will not be a successful three-way handshake, and a completed TCP session will not be constructed. This is the basis for a SYN-flood attack (I think).
In addition, before TCP stacks were smartened up concerning their generation of sequence numbers (ten years ago, it was easy to predict the way in which TCP stacks generated sequence numbers), it was possible to hijack connections and do other evil things (like man in the middle attacks), as explained in many many places, such as http://www.trustinginthefuture.com/faq/howto3.html
Anyway, an interesting question.
Mike
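An added illustration for the two replies above (not code from either poster): a toy, in-memory model of the three-way handshake showing why a sender that forges its source address never sees the server's sequence number, and why a predictable generator undoes that protection. The class and function names, the fixed-step generator and the addresses are assumptions made for the example; no packets are sent.

```python
import secrets

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

def random_isn():
    """Unpredictable initial sequence number (ISN)."""
    return secrets.randbelow(MOD)

class StepIsn:
    """Constructed stand-in for a predictable generator: fixed step per connection."""
    def __init__(self, start=1000, step=64000):
        self.value, self.step = start, step
    def __call__(self):
        self.value = (self.value + self.step) % MOD
        return self.value

class Server:
    """Toy listener that tracks half-open connections by claimed source address."""
    def __init__(self, isn_source):
        self.isn_source, self.half_open, self.established = isn_source, {}, set()

    def on_syn(self, src, client_isn):
        server_isn = self.isn_source()
        self.half_open[src] = (client_isn, server_isn)
        # The SYN-ACK is addressed to the claimed source, not to the real sender.
        return {"to": src, "seq": server_isn, "ack": (client_isn + 1) % MOD}

    def on_ack(self, src, seq, ack):
        client_isn, server_isn = self.half_open.get(src, (None, None))
        if client_isn is None:
            return False
        if seq != (client_isn + 1) % MOD or ack != (server_isn + 1) % MOD:
            return False  # wrong numbers: entry stays half-open until it times out
        del self.half_open[src]
        self.established.add(src)
        return True

def handshake(server, real_addr, claimed_addr, isn_guess=None):
    """Return True if the connection opens. isn_guess is used only when the
    SYN-ACK was delivered elsewhere, i.e. the source address was forged."""
    client_isn = 7  # constructed client ISN
    syn_ack = server.on_syn(claimed_addr, client_isn)
    seen = syn_ack["seq"] if syn_ack["to"] == real_addr else isn_guess
    if seen is None:
        return False  # sender never learned the server's ISN and has no guess
    return server.on_ack(claimed_addr, client_isn + 1, (seen + 1) % MOD)
```

With `Server(random_isn)` a forged-source handshake leaves only a half-open entry behind, while `Server(StepIsn())` accepts a final ACK built from the next value in the sequence, which is why ISNs have to be unpredictable.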