Main Page | See live article | Alphabetical index

Internet protocol spoofing

In computer networking, the term Internet protocol spoofing (IP spoofing) is the creation of IP packets with a forged (spoofed) source IP address.

The header of every IP packet contains its source address. This should be the address that the packet was sent from. By forging the header, so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. This can be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses.

This type of attack is most effective where trust relationships exist between machines. It is common on some corporate networks to have internal systems trust each other, so that a user can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.

Packet filtering is one defence against IP spoofing attacks. The gateway to a network should perform ingress filtering: blocking of packets from outsite the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine. Ideally outgoing packets should also be filtered, dropping packets from inside the network with a source address that is not inside (egress filtering); this prevents IP spoofing by any machine on your own network against external machines.

Some higher-level protocols provide their own defence against IP spoofing. For example, Transmission Control Protocol uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. The poor implementation of TCP sequence numbers in many older operating systems and network devices, however, means that spoofing is often still possible.

The kind of spoofing discussed here has limited impact on breaking into systems as any reply packets that the destination may send will be sent to the spoofed source address.

Conversely, it's used in many different attacks such as smurf attacks and SYN floods.


Protocol spoofing is also used as a data compression technique, and was used as early as 1985 when the Hayes Smartmodem incorporated spoofing of portions of the UUCP protocol to improve throughput. In this context, protocol headers and trailers are trimmed down or removed entirely, and then reconstructed at the far end.


The term spoofing is also sometimes used to refer to header forgery, the insertion of false or misleading information in email or netnews headers. Falsified headers are used to mislead the recipient, or network applications, as to the origin of a message. This is a common technique of spammers and sporgers, who wish to conceal the origin of their messages to avoid being tracked down. Less fraudulently, some netnews users place obviously false email addresses in their headers to avoid spam or other unwanted responses.