IP spoofing: What is it and how does it work?


IP spoofing allows cybercriminals to infect your computer with malware, steal your sensitive data, and crash your server, often without detection.

Cybercriminals count on stealth to commit crimes. One tactic they use is Internet Protocol address spoofing, better known as IP spoofing.

IP spoofing allows cybercriminals to maliciously act against internet users, often without detection. That includes infecting your computer with malware, stealing your sensitive data, and crashing your server. An attacker can do this by using the IP address of another computer to masquerade as a trusted source to gain access to your computer, device, or network.

When cybercriminals use spoofed IP source addresses to pretend that they’re trusted sources, it can be dangerous for many different reasons, including:

  • IP spoofing can leave unsuspecting people vulnerable to having their personal data stolen and used for malicious purposes like identity theft and other online fraud.
  • IP-spoofing attacks can flood and shut down corporate servers and websites.

It’s smart to understand IP spoofing, if only to avoid it. In this article, here’s what you’ll learn:

How does IP spoofing work?

What are the mechanics behind IP address spoofing? First, keep in mind that every device capable of connecting to the internet has an internet protocol (IP) address giving it a unique identity. The data travelling on the internet is made up of IP packets, and each packet contains an IP header. That IP header shares routing information about the packet like its source and destination IP addresses.

IP spoofing enables an attacker to replace a packet header’s source IP address with a fake, or spoofed IP address. The attacker does this by intercepting an IP packet and modifying it, before sending it on to its destination. What this means is the IP address looks like it’s from a trusted source – the original IP address – while masking its true source: an unknown third-party.

In the eyes of an attacker, the beauty of spoofing an IP address is that it enables them to impersonate another computer system and look like it’s from a trusted source. This enables an attacker to hide their real identity and most likely circumvent your firewall. By spoofing an IP address, a hacker can trick you into thinking you’re interacting with a trusted website or person – like a close friend, when in reality you’re interacting with a cybercriminal.

As you can see, IP spoofing facilitates anonymity by concealing source identities. This can be advantageous for cybercriminals for these three reasons in particular.

  1. Spoofed IP addresses enable attackers to hide their identities from law enforcement and others.
  2. The computers and networks targeted aren’t always aware that they’ve been compromised, so they don’t send out alerts.
  3. Because spoofed IP addresses look like they’re from trusted sources, they’re able to bypass firewalls and other security checks that might otherwise blacklist them as a malicious source.

What are the types of IP spoofing attacks?

IP spoofing attacks can take several forms. It depends on the vulnerabilities of victims and the goals of attackers. Here are a few common malicious uses.

  • Masking botnet devices. IP spoofing can be used to gain access to computers by masking botnets, which are a group of connected computers that perform repetitive tasks to keep websites functioning. IP spoof attacks mask these botnets and use their interconnection for malicious purposes. That includes flooding targeted websites, servers, and networks with data and crashing them, along with sending spam and various forms of malware.
  • DDoS attacks. IP spoofing is commonly used to launch a distributed denial-of-service (DDoS) attack. A DDoS attack is a brute force attempt to slow down or crash a server. Hackers are able to use spoofed IP addresses to overwhelm their targets with packets of data. This enables attackers to slow down or crash a website or computer network with a flood if internet traffic, while masking their identity.
  • Man-in-the-middle attacks. IP spoofing also is commonly used in man-in-the-middle attacks, which work by interrupting communications between two computers. In this case, IP spoofing changes the packets and then sends them to the recipient computer without the original sender or receiver knowing they’ve been altered. Attackers become the so-called “men in the middle,” intercepting sensitive communications that they can use to commit crimes like identity theft and other fraud.

What is a real example of IP spoofing?

Cybercriminals use IP spoofing for different purposes. One goal is to infect computers and networks with malware by fooling them into thinking the traffic is from a trusted source.

A hacker can also use IP spoofing to intercept and monitor communications between you and another person. That means they could potentially find out your passwords and other personal information to use for malicious purposes like identity theft and other online frauds.

Spoof attacks also can flood and crash a victims’ servers by sending out millions of requests with the spoofed address.

Here’s a real-world example of an IP spoof attacks that shows how the scheme unfolds. Here’s what happened to a code hosting platform known as GitHub in 2018.

GitHub was hit by a large DDoS attack that was executed by spoofing GitHub’s IP address and sending data to several servers. Those servers then increased data returned to GitHub by a factor of 50. This increased traffic overwhelmed and ultimately shut down GitHub’s website for 10 minutes.

How to protect against IP spoofing

Here are steps you can take to help protect your devices, data, network, and connections from IP spoofing.

  • Use secure encryption protocols to secure traffic to and from your server. Part of this is making sure “HTTPS” and the padlock symbol are always in the URL bar of websites you visit.
  • Be wary of phishing emails from attackers asking you to update your password or any other login credentials or payment card data, along with taking actions like making donations. Phishing emails have been a tool for cybercriminals during the coronavirus pandemic. Some of these spoofing emails promise the latest COVID-19 information, while others ask for donations. While some of the emails may look like they’re from reputable organizations, they have been sent by scammers. Instead of clicking on the link provided in those phishing emails, manually type the website address into your browser to check if it’s legitimate.
  • Take steps that will help make browsing the web safer. That includes not surfing the web on unsecure, public Wi-Fi. If you must visit public hotspots, use a virtual private network, or VPN, that encrypts your internet connection to protect the private data you send and receive.
  • Security software solutions that include a VPN can help. Antivirus software will scan incoming traffic to help ensure malware isn’t trying to get in. It’s important to keep your software up to date. Updating your software ensures it has the latest encryption, authentication, and security patches.
  • Set up a firewall to help protect your network by filtering traffic with spoofed IP addresses, verifying that traffic, and blocking access by unauthorized outsiders. This will help authenticate IP addresses.
  • Secure your home Wi-Fi network. This involves updating the default usernames and passwords on your home router and all connected devices with strong, unique passwords that are a combination of 12 uppercase and lowercase letters, at least one symbol and at least one number. Another approach is using long passphrases that you can remember but would be hard for others to guess.
  • Monitor your network for suspicious activity.
  • Use packet filtering systems like ingress filtering, which is a computer networking technique that helps to ensure the incoming packets are from trusted sources, not hackers. This is done by looking at packets’ source headers. In a similar way, egress filtering can be used to monitor and restrict outbound traffic, or packets that don’t have legitimate source headers and fail to meet security policies.

Types of spoofing

Spoofing attacks can take place at different layers, as seen in these types of spoofing.

  • IP address spoofing – happens at the network level.
  • Address Resolution Protocol (ARP) spoofing – occurs at the data link layer.
  • Domain Name System (DNS) spoofing – diverts internet traffic away from legitimate servers to fake servers. Attackers are able to masquerade as other devices with DNS spoofing.
  • Email spoofing – can be seen recently in spoofers’ promises of the latest COVID-19 information or requests for donations. While IP spoofing has been a threat to cybersecurity, the coronavirus pandemic has created new opportunities for carrying it out in the form of spoofing emails. If you’ve clicked on a link in one of these emails and not received the information you expected, you likely have been spoofed.

Legitimate uses for IP spoofing

IP spoofing also may be used by companies in non-malicious ways. For example, companies may use IP spoofing when performing website tests to make sure they work when they go live.

In this case, thousands of virtual users might be created to test a website. This non-malicious use helps gauge a website’s effectiveness and ability to manage numerous logins without being overwhelmed.

FAQs about IP spoofing

Is IP spoofing illegal?

IP spoofing is not illegal if used for non-malicious purposes like the corporate website tests. IP spoofing is illegal if used to access or steal the sensitive data of another person or company with the intent to commit crimes like identity theft and other frauds.

How easy is IP spoofing?

IP spoofing may not be difficult if victims fall for an attacker’s phishing emails, for example.

Can IP spoofing be traced?

IP spoofing occurs at the network level, so there aren’t external signs of interference. Consider an example of a DoS attack where networks of compromised computers, or botnets, are used to send spoofed packets. Because IP spoof attacks are automated by botnets that may contain thousands of participating computers, they can be challenging to trace.

Can IP spoofing be stopped?

Much IP spoofing could be stopped with prevention tactics. That includes implementing secure encryption protocols, firewalls, and packet filtering. It’s a good idea to always use caution when online and beware of unsecure Wi-Fi and websites, phishing emails, and other malicious scams.

Norton logo
  • Norton
Norton empowers people and families around the world to feel safer in their digital lives

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.