have long employed the tactic of masking their true identity, from disguises to
aliases to caller-ID blocking. It should come as no surprise, then, that criminals
who conduct their nefarious activities on networks and computers employ
such techniques. IP spoofing is one of the most common forms of on-line camouflage.
In IP spoofing, an attacker gains unauthorized access to a computer or a network
by making it appear that a malicious message has come from a trusted machine, by
"spoofing" the IP address of that machine. In the subsequent pages of
this report, we will examine the concepts of IP spoofing: why it is possible,
how it works, what it is used for and how to defend against it.
History of IP Spoofing
The concept of IP spoofing was initially discussed in academic circles in the
1980s. In the April 1989 article entitled "Security Problems in the TCP/IP
Protocol Suite", author S. M. Bellovin of AT&T Bell Labs was among the
first to identify IP spoofing as a real risk to computer networks. Bellovin describes
how Robert Morris, creator of the now infamous Internet Worm, figured out how
TCP created sequence numbers and forged a TCP packet sequence. This TCP packet
included the destination address of his "victim", and using an IP spoofing
attack Morris was able to obtain root access to his targeted system without a
user ID or password. Another infamous attack, Kevin Mitnick's Christmas Day crack
of Tsutomu Shimomura's machine, employed IP spoofing and TCP sequence prediction
techniques. While the popularity of such cracks has decreased due to the demise
of the services they exploited, spoofing can still be used and needs to be addressed
by all security administrators.

A common misconception is that "IP spoofing"
can be used to hide your IP address while surfing the Internet, chatting on-line,
sending e-mail, and so forth. This is generally not true. Forging the source IP
address causes the responses to be misdirected, meaning you cannot create a normal
network connection. However, IP spoofing is an integral part of many network attacks
that do not need to see responses (blind spoofing).
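The reason blind spoofing worked in the Morris and Mitnick cases is the point just made: the forged source never sees the SYN-ACK, so the attacker had to predict the server's initial sequence number, and 1980s stacks made that easy. The following is an added example, not code from this report; it audits whether a host's ISNs are predictable, the check a defender runs against their own systems. `legacy_isn_generator`, `random_isn_generator` and the 128000 step are constructed models of the two generation styles, not values taken from any real stack.

```python
import os
from typing import Callable, List

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def legacy_isn_generator(start: int = 1, step: int = 128_000) -> Callable[[], int]:
    """Constructed model of the counter-style ISN Bellovin describes: a fixed
    increment per connection, so anyone who has seen one ISN can predict
    the next one without ever seeing the SYN-ACK."""
    state = start

    def next_isn() -> int:
        nonlocal state
        state = (state + step) % MOD
        return state

    return next_isn


def random_isn_generator() -> Callable[[], int]:
    """Modern behaviour: each ISN comes from a cryptographic random source
    (modelled with os.urandom), so a blind guess succeeds with probability
    about 1 in 2**32."""
    return lambda: int.from_bytes(os.urandom(4), "big")


def collect_isns(generator: Callable[[], int], count: int = 8) -> List[int]:
    """Open `count` connections to the modelled host and record each ISN."""
    return [generator() for _ in range(count)]


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between successive ISNs, modulo 2**32."""
    return [(later - earlier) % MOD for earlier, later in zip(isns, isns[1:])]


def isn_predictable(isns: List[int], max_spread: int = 1 << 16) -> bool:
    """Audit verdict: True when every delta lies within `max_spread` of the
    others (a guess of 'last ISN + typical delta' lands close enough to be
    brute-forced); False when deltas are scattered across the 32-bit space."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples to judge predictability")
    return max(deltas) - min(deltas) <= max_spread


if __name__ == "__main__":
    for name, gen in (("legacy", legacy_isn_generator()), ("random", random_isn_generator())):
        sample = collect_isns(gen)
        print(f"{name}: predictable={isn_predictable(sample)} deltas={isn_deltas(sample)[:3]}")
```

On a real host the samples would come from the ISNs observed in successive SYN-ACKs; the verdict logic is the same.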