What is IP Address Spoofing
IP address spoofing is the forging of the source address field in the IP header of a packet so that the packet appears to come from a different host. Nothing in the IP layer itself prevents this: the sender controls every field of the packets it builds, so it can write any source address and recompute the header checksum. If the destination server uses the source IP address to authorize or accept incoming connections, IP address spoofing can fool it into accepting the connection.
IP address spoofing is mostly used in attacks that cause a DoS (Denial of Service). Since the source address has been forged, the response packets are sent to the host that actually owns that address, not to the attacker. This makes spoofing a one-way (blind) technique: unless the attacker can intercept the reply, by sitting on the path or altering the routing, the response is delivered to the address written in the request, and the person sending the forged requests never sees it.
Any service that uses the source IP address of a request for authorization is vulnerable to an IP address spoofing attack. Many services treat any address on the LAN (Local Area Network) as a trusted client (address-based access lists such as hosts.allow or an NFS export list are the classic examples), so a request from an external machine that spoofs a LAN address as its source would automatically be trusted.
A local area network can be protected by a gateway that performs packet filtering. No legitimate packet arriving from outside can carry a source address that belongs to the trusted LAN, so the gateway drops every packet that arrives on its external interface with a LAN address as its source. This prevents outside requests from claiming to be on the trusted network. RFC 2827 (BCP 38) recommends the complementary filter in the outbound direction: drop packets leaving your network whose source address is not one of your own prefixes, so that your own hosts cannot be used to spoof others.
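The following is an added example, not code from the original article: it builds an IPv4 header with a forged source address (which is all spoofing amounts to at the IP layer) and then applies the anti-spoofing decision a LAN gateway would make, in both the inbound and the outbound direction. The LAN prefix, the interface names and the packets are assumptions constructed for the demonstration.

```python
import ipaddress
import struct

# Assumed topology for the demo (not from the original article).
LAN_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]  # assumed trusted LAN
EXTERNAL_IFACE = "eth0"  # assumed: faces the untrusted network
INTERNAL_IFACE = "eth1"  # assumed: faces the trusted LAN


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as the IPv4 header requires.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 20, proto: int = 6) -> bytes:
    """20-byte IPv4 header. Spoofing is nothing more than passing someone
    else's address as `src`; the checksum is recomputed so that routers and
    the destination do not reject the packet as malformed."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,        # version 4, IHL 5 words
                         0,                   # DSCP/ECN
                         20 + payload_len,    # total length
                         0x1234,              # identification (arbitrary)
                         0,                   # flags / fragment offset
                         64,                  # TTL
                         proto,               # protocol (6 = TCP)
                         0,                   # checksum placeholder
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_src_dst(header: bytes) -> tuple:
    """Source and destination from an IPv4 header; rejects a buffer that is
    not IPv4 or whose checksum fails (corruption or a careless forgery)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl or ipv4_checksum(header[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    src, dst = struct.unpack("!4s4s", header[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def gateway_filter(iface: str, header: bytes, outbound: bool = False) -> str:
    """Anti-spoofing decision at the LAN gateway.
    Inbound on the external interface: a LAN source cannot be genuine, drop it.
    Outbound on the external interface: a source that is not one of our own
    prefixes means one of our hosts is spoofing, drop it (RFC 2827 / BCP 38)."""
    src, _ = parse_src_dst(header)
    src_ip = ipaddress.IPv4Address(src)
    is_lan = any(src_ip in net for net in LAN_PREFIXES)
    if iface == EXTERNAL_IFACE and not outbound and is_lan:
        return "DROP"
    if iface == EXTERNAL_IFACE and outbound and not is_lan:
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed packets: a forged LAN source arriving from the Internet, and
    # the same claimed source arriving on the inside interface where it belongs.
    spoofed = build_ipv4_header("192.168.1.10", "192.168.1.1")
    print("spoofed LAN source on", EXTERNAL_IFACE, "->", gateway_filter(EXTERNAL_IFACE, spoofed))
    print("same source on", INTERNAL_IFACE, "->", gateway_filter(INTERNAL_IFACE, spoofed))
    genuine = build_ipv4_header("203.0.113.5", "192.168.1.1")
    print("external source on", EXTERNAL_IFACE, "->", gateway_filter(EXTERNAL_IFACE, genuine))
```

The checksum check in parse_src_dst is not an anti-spoofing control: a competent attacker recomputes the checksum, as build_ipv4_header does. The only thing that catches the forgery is the interface-versus-prefix rule in gateway_filter, which is why the filter has to live on the gateway, where the arrival interface is known, rather than on the destination host.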
Once a TCP connection is established, sequence numbers track which bytes each side has sent and received, so that data is delivered to the application in order and a lost segment can be detected and retransmitted. A receiver discards any segment whose sequence number falls outside its current receive window, so forging packets to inject data into or take control of an existing connection requires using the sequence number the receiver currently expects. An attacker on the path can read it from sniffed traffic; a blind attacker off the path has to guess it, and only a guess that lands inside the window is accepted.
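The following is an added example, not code from the original article: it implements the acceptability test a TCP receiver applies to every incoming segment, and a minimal receiver built on it, to show why a forged segment with the right addresses and ports but the wrong sequence number never reaches the application. The sequence numbers, window size and payloads are constructed for the demonstration.

```python
MASK32 = 0xFFFFFFFF


def in_window(rcv_nxt: int, rcv_wnd: int, seq: int) -> bool:
    """True if `seq` lies in [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo
    2^32 so the comparison survives sequence-number wraparound."""
    return ((seq - rcv_nxt) & MASK32) < rcv_wnd


def segment_acceptable(rcv_nxt: int, rcv_wnd: int, seg_seq: int, seg_len: int) -> bool:
    """RFC 793 acceptability check: some byte of the segment must fall inside
    the receive window. A forged segment with an unrelated sequence number
    fails here and is silently discarded."""
    if rcv_wnd == 0:
        return seg_len == 0 and seg_seq == rcv_nxt
    if seg_len == 0:
        return in_window(rcv_nxt, rcv_wnd, seg_seq)
    last = (seg_seq + seg_len - 1) & MASK32
    return in_window(rcv_nxt, rcv_wnd, seg_seq) or in_window(rcv_nxt, rcv_wnd, last)


class Receiver:
    """Minimal receive side of an established connection (no reassembly
    queue: in-window but out-of-order data is only reported as QUEUED)."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int = 65535):
        self.rcv_nxt = rcv_nxt & MASK32   # next sequence number expected
        self.rcv_wnd = rcv_wnd            # advertised receive window
        self.delivered = b""              # what the application has seen

    def deliver(self, seg_seq: int, payload: bytes) -> str:
        if not segment_acceptable(self.rcv_nxt, self.rcv_wnd, seg_seq, len(payload)):
            return "DISCARDED"            # wrong sequence number: never reaches the app
        if seg_seq != self.rcv_nxt:
            return "QUEUED"               # in window but not the next expected byte
        self.delivered += payload
        self.rcv_nxt = (self.rcv_nxt + len(payload)) & MASK32
        return "DELIVERED"


if __name__ == "__main__":
    victim = Receiver(rcv_nxt=1000)
    print(victim.deliver(1000, b"GET /index.html"))       # DELIVERED: the real peer
    # Blind (off-path) attacker: right addresses and ports, guessed sequence number.
    print(victim.deliver(0x7A3B9C1D, b"GET /admin"))      # DISCARDED
    # On-path attacker who sniffed rcv_nxt: the forged data is accepted as real.
    print(victim.deliver(victim.rcv_nxt, b"GET /admin"))  # DELIVERED
    print(victim.delivered)
```

The window is what makes blind injection a numbers game: a guess is accepted only if it falls within rcv_wnd of rcv_nxt out of 2^32 possible values, which is why a large advertised window makes an off-path attacker's job easier and why reading the sequence number off the wire (the on-path case) removes the guesswork entirely.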
A SYN (synchronize) segment is the TCP request that initiates a connection. Because no connection exists yet, the sender chooses the initial sequence number itself and the server must accept a SYN from any address, so there is nothing for the spoofer to get right: SYNs are the easiest packets to spoof. Each SYN also makes the server allocate a half-open connection and send a SYN-ACK to the forged source, which never completes the handshake. These attacks are therefore usually flood attacks, called SYN flood attacks: the attacker sends a very large number of spoofed SYNs with the intention of exhausting the server's backlog of half-open connections.
SYN floods can be mitigated by limiting the number of SYN segments accepted within a certain time frame. Firewall software such as iptables can enforce a maximum SYN rate (an average rate plus a burst allowance); any SYNs above the limit are dropped. Before implementing such a rule, make sure the limit allows enough SYNs to handle the peak genuine traffic your server can expect, otherwise you will be discarding genuine connection attempts. Keep in mind also that a global rate limit cannot tell a spoofed SYN from a genuine one, so while a flood is in progress genuine clients compete with the flood for the same allowance and many of their SYNs are dropped too.
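The following is an added example, not code from the original article and not iptables itself: a token-bucket SYN limiter with the same two knobs as the iptables limit match (an average rate and a burst size), run over a constructed timeline of genuine SYNs with and without a spoofed flood, to show both that the limit holds the flood down and that genuine clients get caught in it. The rates, timestamps and limit values are assumptions chosen for the demonstration.

```python
from collections import Counter


class SynLimiter:
    """Token bucket in the style of the iptables `limit` match: `rate_per_sec`
    plays the role of --limit (average SYNs per second) and `burst` the role
    of --limit-burst (bucket size). Integer milli-tokens keep the arithmetic
    exact, one token = 1000 milli-tokens = one accepted SYN."""

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec        # milli-tokens refilled per millisecond
        self.cap = burst * 1000         # bucket capacity
        self.tokens = self.cap          # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        if self.tokens >= 1000:
            self.tokens -= 1000         # one SYN costs one token
            return True
        return False


GENUINE, SPOOFED = 0, 1


def constructed_arrivals(flood: bool):
    """Constructed timeline (not measured traffic): genuine clients send
    20 SYN/s for 5 s; with `flood` a spoofed 1000 SYN/s burst runs during
    second 2 to 3. Sorting the (time, kind) tuples puts genuine first on ties."""
    events = [(t, GENUINE) for t in range(0, 5000, 50)]
    if flood:
        events += [(2000 + k, SPOOFED) for k in range(1000)]
    return sorted(events)


def run(events, rate_per_sec: int = 25, burst: int = 50) -> Counter:
    """Apply the limiter to the arrivals and count (kind, verdict) pairs."""
    limiter = SynLimiter(rate_per_sec, burst)
    counts = Counter()
    for t, kind in events:
        verdict = "accepted" if limiter.allow(t) else "dropped"
        counts[(kind, verdict)] += 1
    return counts


def summary(counts: Counter) -> dict:
    names = {GENUINE: "genuine", SPOOFED: "spoofed"}
    return {f"{names[k]}_{v}": n for (k, v), n in sorted(counts.items())}


if __name__ == "__main__":
    # 20 SYN/s of genuine traffic against a 25/s limit: nothing is dropped.
    print("quiet day:", summary(run(constructed_arrivals(flood=False))))
    # The flood is cut from 1000 to well under 100 accepted SYNs, but the
    # genuine clients sending during the flood lose most of theirs as well.
    print("under flood:", summary(run(constructed_arrivals(flood=True))))
```

The equivalent iptables rules are an ACCEPT for `-p tcp --syn -m limit --limit 25/s --limit-burst 50` followed by a DROP for any remaining `-p tcp --syn`. The second run shows the caveat from the paragraph above in numbers: the flood's accepted share is capped at the burst plus one second of refill, but every genuine SYN that arrives while the bucket is empty is dropped too, because the rule cannot tell the two apart. On Linux, enabling SYN cookies (net.ipv4.tcp_syncookies) is the usual complement: the kernel then answers SYNs without keeping half-open state, so genuine handshakes that complete still succeed during a flood.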