Attackers use IP spoofing to manipulate data packets and paralyze entire companies. Every second company in Germany has already been affected by industrial espionage, sabotage or data theft.
The number of cyberattacks and data scandals continues to rise. This applies to both companies and the private environment. The use of end devices in the home office exacerbates the problem. Using spoofing techniques, hackers can stop normal operations through various means. What methods do attackers use and how can confidential data be effectively protected?
What is IP spoofing?
IP spoofing is a manipulative technique in which the cybercriminal’s IP address is disguised. The English term stands for “concealment” and “manipulation techniques” of one’s identity.
This exploits the weakness of the TCP/IP protocol. The attacker uses the address of a trusted system to disguise his own. The hacker intercepts the data traffic as a “man in the middle” between two or more computers. It uses the sequence numbers to send the packets to the destination address.
The problem: The source and destination address is only authenticated at the beginning of the communication. The hacker uses this gap and “hooks” into the connection. At the same time, the filtering system/firewall blocks only foreign data and does not interfere with this manipulation.
In most cases, the attacker must be on the same subnet for this (non-blind spoofing).
Surf safely now
Our DN8 PrivacyCube
Spoof IP address: This is why spoofing works
The main cause of DoS and DDoS attacks is the unprotected headers of the source and destination addresses. There is no security level that detects tampering in the header. The fact is that the hacker cannot access the data because the destination address remains the same.
An attacker hides behind the data packet. DoS and DDoS attacks involve sending large data packets with many spoofed IP addresses to systems on the network.
The data packets are sent back to the source address – the hacked IP – as a response. A paralysis of the servers in the network occurs. The hacker remains undetected.
How attackers outsmart the three-way handshake
The term“three-way handshake” or “handshake” refers to the multi-stage procedure (TCP/IP) by which two instances are mutually authenticated. A connection is established between the client and server. Only after authentication the data will be transferred. This method is insufficient and allows IP spoofing.
Attackers use these three methods to outsmart the TCP/IP process:
The attacker is on the same subnet. It can grab the sequence and ACK numbers from the packets without calculating them.
The attacker is located outside the subnet. This form is much more elaborate. The hacker finds out the sequence numbers to communicate with the target computer. The current operating systems generate random numbers that are much harder to guess. Attackers who know the algorithm will find the next sequence numbers. Fortunately, blind spoofing is a rare occurrence.
The typical DoS attack is SYN flooding (TCP). The attacker floods (DoS attack) the victim with many SYN packets. They cannot be confirmed. Relevant information is no longer processed due to the overload. The “normal” operation collapses.
In principle, every firewall checks incoming data packets. As soon as an internal IP is in the public network, it is an attack.
Countermeasures: How to protect yourself from IP spoofing
- Use IPv6: With IPv6, IP spoofing attacks should be a thing of the past. It provides optional authentication and encryption capabilities in the header of the packets. We have reported on the improved security of IPv6.
- Comprehensive packet filtering on router or security gateway. Information that has source addresses within the network is analyzed and discarded. At the same time, you filter outgoing packets.
- Log-in methods all log-ins take place over encrypted connections. It is another security aspect that prevents IP spoofing attacks. It is best to avoid host-based authentication methods.
- Older operating system & network devices run with outdated security standards that can be replaced.
- Newer firewalls have anti-spoofing protection for TCP built in. Sequence numbers are randomly generated, making predictions for the next numbers difficult.
For companies: Go for a hacker who is even better than the attacks themselves and then it’s best to hire him!